• by Ray Schultz , December 17, 2020

Leading retailers are wide open to domain theft phishing attacks, according to Top Retailers Remain Vulnerable To Email Brand Spoofing, a study released Thursday by Valimail. 

Only 22% of the top 100 retailers listed by the National Retail Federation are protected by DMARC (Domain-based Message Authentication, Reporting and Conformance), the standard email protection tool.

Another 52% have valid DMARC but are not enforcing it, 22% have no DMARC, while 4% have invalid DMARC. 

There are consequences — of the retailers breached in 2018-19, 63% had DMARC but were not protected and 26% had no DMARC records. Only 11% of those with DMARC enforcement were breached. 

On a more positive note, 87% have valid SPF (Sender Policy Framework), whereas the remainder have invalid SPF or none. 

The most protected category is Health, Wellness and Fitness, with 33%. Second is Retail eCommerce, with 27%.

Note: These subcategories have so few firms in them that they may not be statistically projectable. However, Retail, which represents 42% of the top 100, has a 17% protection rate. 

Food & Beverages retailers have a 14% rate of protection, and restaurants have only 2%.

Firms that had 58.4 billion in revenue in 2019 are most likely to have DMARC with enforcement.

Companies with $28.7 billion in revenue for last year have DMARC without enforcement. And those with $13.7 billion have no DMARC records.