• by Ray Schultz , February 9, 2018

Almost 90% of the top e-retailers in the U.S. and Europe are failing to use Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect customer data, according to a study by 250ok, a specialist in email analytics. Most are also not deploying SPF -- email validation technology that detects spoofing attempts. 

250ok studied the top 1,000 U.S. online retailers and 500 EU e-retailers, comprising 3,033 root domains, and discovered that 87.6% of the root domains run by the leading e-retailers are putting their customer data at risk.

The study found that only 11.2% have both a properly formatted SPF record and a desired base-level DMARC record of p=none or greater.

This leaves almost 90% ‘”unnecessarily vulnerable to brand spoofing and phishing attacks on consumers,” the study says.  

In addition, 84.2% have no DMARC policy in place, The strictest DMARC policy, also known as the reject policy, was published for only 1.3% of all the companies.

The study notes that "achieving a reject policy is the October 2018 requirement for US federal agencies based on a direc ve from the US Department of Homeland Security, and is the same policy retailers should achieve for all of their domains. 

Among U.S. firms, only 11.2% have both a properly formatted SPF record and a desired base-level DMARC record of p=none or greater. And a mere 11.4% of European firms have both.

Digging down, 84.1% of U.S. e-retailers have no DMARC policy — similar to their counterparts in Europe.

Only 11.4% of the European firms have both an SPF record.

The study notes that 11.3 percent of U.S. study subjects and 12.2% of the European domains meet 250ok’s recommended minimum protocol for the email channel.

In general, 250ok recommends that e-retailers:

• Publish SPF records for all domains 

• Ensure SPF records are valid and without errors

• Publish a DMARC policy for all domains

Meanwhile, some observers are wondering about the “hype” surrounding DMARC. “

“The timing of the fanfare surrounding DMARC is certainly ironic, as it was just this past December that Haddouche discovered Mailsploit, a collection of “bugs” in email clients that enables spoofing messages that cannot be detected by servers, thereby easily bypassing DMARC protections and checks,” GCN magazine writes.   

But 250ok sees an urgent need to use DMARC 

“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” states Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”