Top retailers remain vulnerable to email brand spoofing
Retailers in 2020 are leaning heavily on e-commerce, thanks to the pandemic, and during the holiday season that means they are redoubling their email efforts. There is a problem, however: Most retailers have not devoted the same level of effort to securing email as they have to optimizing its effectiveness.
The result, in one crucial sphere of email security, is a surprising, industry-wide vulnerability.
Our key finding: Only 22 of the top 100 retailers are protected by DMARC with an enforcement policy that will block unauthorized use of the domain. The remaining 78 are vulnerable to being spoofed by fake emails, sent from anywhere in the world, to any recipient, using the retailer’s exact domain in the “From” field — without any authorization.
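To make the distinction concrete, here is an added example (not part of the original report, and not the method behind its figures) that classifies a domain's `_dmarc` TXT record by whether its policy is enforced. It assumes that "enforcement" means `p=quarantine` or `p=reject` applied to all mail (`pct` of 100). The function names are hypothetical, and the domains and records are constructed samples.

```python
# Added example: classify a DMARC TXT record by enforcement level.
# Assumption: "enforced" = p=quarantine or p=reject with pct=100 (the default).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag-value pair
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags

def enforcement(txt):
    """Return 'enforced', 'partial', 'monitor-only' or 'unprotected'."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "unprotected"  # no record, or the TXT record is not DMARC
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "unprotected"  # missing or invalid policy tag
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an invalid pct falls back to the default
    return "enforced" if pct >= 100 else "partial"

# Constructed sample records keyed by placeholder domains.
SAMPLES = {
    "shop-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example",
    "shop-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop-b.example",
    "shop-c.example": "v=DMARC1; p=quarantine; pct=25",
    "shop-d.example": None,  # no _dmarc TXT record published
    "shop-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

def survey(records):
    """Map each domain to its enforcement classification."""
    return {domain: enforcement(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, status in survey(SAMPLES).items():
        print(f"{domain:16} {status}")
```

Only the first sample counts as protected under this reading. A `p=none` record, a partial `pct` rollout, and a domain with no DMARC record at all still let mail that fails authentication reach recipients.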