fTLD’s Security Requirements Working Group recently recommended, and fTLD approved, a modification to dispense the requirement for MX records aliasing to out-of-zone domains (i.e., not .INSURANCE) to be DNSSEC signed. Given the Email Authentication requirement for .INSURANCE, the security associated with DMARC, SPF and DKIM provide an adequate set of controls.