• by Ray Schultz , Columnist, Yesterday

Retail brands, which are highly vulnerable to spoofing and phishing because of their wide use of order confirmations and other transactional emails, are not always using the tools that can help them reduce the threat. 

Take DMARC (Domain-based Message Authentication, Reporting & Conformance). While 95% of retail domains have a DMARC record in place, nearly 30% still use a “p=none” policy, signaling that no enforcement action should be taken on suspicious email, Valimail reports in a new study titled Winning (and Keeping) Shopper Trust — the Retail Email Threat You Can’t See.

Worse, 6% have no reporting at all, so they simply do not know how their brand is being abused. 

And it’s not a small problem. Valimail alone says it blocked 123 million suspicious emails in the past year. 

And if the new sender authentication rules are fully enforced by Gmail, Yahoo! and Outlook, 3 million retail emails per day would be blocked, the study contends.

On the positive side, there was a 40% increase in the number of retailers using BIMI (Brand Images for Message Identification).

This, of course, is  the inbox standard that allows trust senders to show their logos, boosting trust and email engagement. Valimail, a member of the AuthIndicators Working Group that developed BIMI.

"Retailers are navigating some of the most complex email infrastructures of any industry — from third party logistics updates to loyalty programs to marketing automation," says Al Iverson, Industry Research and Community Engagement Lead at Valimail. "That complexity creates opportunity for attackers. If your domain can be impersonated, your brand can be hijacked."