Dmarc as a Service

Research: Only 22 of the top 100 retailers are protected by DMARC

Most retailers have not devoted the same level of effort to securing email as they have to optimizing its effectiveness, Valimail’s latest research report has found. The result is a surprising, industry-wide vulnerability.

The keystone standard for authenticating the identity of email senders, Domain-based Message Authentication, Reporting, and Conformance (DMARC), is accepted by the vast majority of global email inbox providers, including Google, Verizon Media, Microsoft, and more. DMARC is now in use at over 1 million domains worldwide, and it is currently protecting 21% of the Fortune 500 and 73% of federal domains.

Yet in the retail world, adoption and effective configuration of DMARC is still moving slowly. Of the top 100 retailers (as designated by the National Retail Federation), only 22 are protected by DMARC with an enforcement policy that will block unauthorized use of the domain. The remaining 78% are vulnerable to being spoofed by fake emails, sent from anywhere in the world, to any recipient, using the retailer’s exact domain in the “From” field — without any authorization.

This is a serious gap for an industry so reliant on email, particularly this year. Retailers in 2020 are leaning heavily on e-commerce, thanks to the pandemic, and during the holiday season that means they are redoubling their email efforts. No wonder: Email is one of the most effective marketing channels, year after year, with proven ROI and low overhead costs.

What this authentication gap means is that for 78% of the world’s top retailers, you can’t be absolutely sure that their emails really do come from them. Is that message from Or is it a spoof? Most likely it’s legitimate, but even carefully trained cybersecurity professionals have a hard time telling the difference between real emails and well-crafted fakes.

Unfortunately, this is a problem because email is implicated in 92% of all breaches, while 89% of all email attacks make use of some kind of impersonation. And it only takes one fake to compromise your account, your computer, or your entire network. If the wrong person opens a fake email and clicks on a bad link or opens a malicious file, it could be game over for your data security — and meanwhile, the brand of the company who appeared to send that email to you is going to be damaged.

Preventing breaches and brand damage like this is what DMARC authentication is all about. By ensuring that only you and senders you authorize can send messages from your domains, you lock down those domains against impersonation and brand spoofing, cutting off one of the most common and effective forms of phishing.

Find out more by downloading the research report, which includes details on the DMARC and SPF status of the top 100 retailers, as well as an analysis of how well DMARC is being used by retailers who have recently suffered cybersecurity breaches.