Poor DMARC Adoption in Retail Industry Placing Customers at Risk

A recent study conducted by the email analytics firm 250ok has revealed DMARC adoption in retail is particularly poor and the lack of email validation is placing consumers at risk.

SPF – or Sender Policy Framework to give it its full name – is an email validation system that helps businesses detect attempts to spoof their domains. Domain spoofing is a common tactic used by cybercriminals to fool email recipients into thinking an email is genuine. Emails are sent from fake email addresses that use the business’s official domain, abusing trust in the brand.

If an SPF record is set up, the server that receives an email from the domain checks the SPF record to make sure the email comes from an IP address approved to send messages from that domain. If the IP address is not valid, the message is rejected.

DMARC is based on SPF and is similarly used to authenticate the senders of emails to ensure spoofed messages are rejected or at least placed in the junk folder. In addition to specifying the IP addresses authorized to send emails from a domain, DMARC also specifies the cryptographic keys that are used. A failure on either count will stop messages from being received. DMARC also generates reports of domain spoofing, which are sent back to the business and provide visibility into fraudulent use of its domains.
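To make the mechanics concrete, here is an added example (not code from 250ok or any retailer named on this page) of how a receiving mail server applies a domain's DMARC policy, following the rules in RFC 7489. DMARC sits on top of SPF and DKIM; a message passes when at least one of those two results is a pass whose domain aligns with the domain in the From: header the recipient sees, and the published p= policy decides what happens to everything else. Every domain, result and policy string below is constructed, and the organisational-domain helper is a deliberate simplification.

```python
"""Added example: a receiver's DMARC decision, per RFC 7489.

DMARC passes when SPF or DKIM passes AND the passing domain aligns with the
visible From: domain. Otherwise the domain owner's p= policy applies.
Not code from 250ok or any retailer; all domains and results are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=s' into {'v': 'dmarc1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated here as the last two labels. A real
    receiver consults the Public Suffix List (e.g. for 'shop.example.co.uk')."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment ('s') demands an exact match; relaxed ('r', the
    default) accepts any subdomain of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain shown to the recipient
    spf_result: str    # 'pass' / 'fail' / 'none' for the envelope (MAIL FROM) sender
    spf_domain: str    # domain SPF was evaluated against (the MAIL FROM domain)
    dkim_result: str   # 'pass' / 'fail' / 'none' for the DKIM signature
    dkim_domain: str   # d= tag of the verified signature ('' if unsigned)


def dmarc_disposition(r: AuthResults, dmarc_txt: str | None) -> dict:
    """Return the DMARC result and what the receiver does with the message."""
    if not dmarc_txt:
        # No policy published: SPF/DKIM results alone do not stop a spoof.
        return {"dmarc": "none", "action": "deliver", "reason": "no DMARC record"}
    tags = parse_dmarc(dmarc_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        via = "spf" if spf_ok else "dkim"
        return {"dmarc": "pass", "action": "deliver", "reason": f"aligned {via} pass"}
    policy = tags.get("p", "none")
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {"dmarc": "fail", "action": action, "reason": f"no aligned pass, p={policy}"}


# Constructed scenarios; the retailer's (made-up) domain is shop.example.
RETAILER_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@shop.example"

# 1. Genuine mail: envelope sender on a subdomain, DKIM-signed by the org domain.
GENUINE = AuthResults("shop.example", "pass", "bounce.shop.example", "pass", "shop.example")

# 2. Spoofed From: header. SPF may well *pass* for the envelope domain the
#    sender controls, but that domain does not align with the From: domain,
#    which is exactly the gap alignment closes.
SPOOF = AuthResults("shop.example", "pass", "attacker.example", "none", "")

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("spoof", SPOOF)):
        print(name, "with p=reject:", dmarc_disposition(msg, RETAILER_POLICY))
        print(name, "without a DMARC record:", dmarc_disposition(msg, None))
```

The two scenarios show why an SPF record on its own is not enough: the spoofed message is delivered when no DMARC record exists, and rejected only once the retailer publishes p=reject. The reason strings are what a receiver would summarise back to the domain owner in the aggregate (rua) reports the article mentions.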

By adopting these systems, businesses can protect consumers from phishing and spoofing attacks. Recently, the Department of Homeland Security in the United States issued a directive requiring all government agencies to adopt DMARC in response to an increase in the spoofing of government domains and poor DMARC adoption rates.

The research conducted by 250ok reveals that retailers have similarly been slow to adopt DMARC. Out of the 3,300 domains used by the top 1,000 US and 500 EU retailers, 90% of domains were not protected with DMARC.

Most retailers were using some form of email authentication, but it was not always applied to all domains in use. 250ok reports that only 11.3% of the top US retailers and 12.2% of the top EU retailers were meeting its minimum standards for email security, which means publishing SPF records and a DMARC policy for all domains and ensuring SPF records are valid and do not contain errors.
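The minimum standard described above (an SPF record and a DMARC policy on every domain, with SPF records that are valid and error-free) is something a retailer can check for itself. The following added example, which is not 250ok's checker or any retailer's code, audits a list of domains against that standard. It reads from a constructed in-memory table of DNS TXT records so that it runs offline; in practice the `txt()` helper would be replaced by a real resolver query (for instance dnspython's `dns.resolver.resolve(name, "TXT")`). The domain names and records are invented, and the specific SPF checks (single record, known terms, a terminal `all` or `redirect=`, at most 10 DNS-querying terms per RFC 7208) are this example's own choice of what "contains errors" means.

```python
"""Added example: audit domains against "SPF published and valid, DMARC policy
published" using a constructed DNS table. Not 250ok's tool; domains are made up."""
from __future__ import annotations
import re

# Constructed stand-in for DNS TXT lookups: name -> list of TXT strings.
FAKE_DNS = {
    "goodshop.example": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.goodshop.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@goodshop.example"],
    "noall.example": ["v=spf1 ip4:203.0.113.5"],                # no terminal 'all'
    "double.example": ["v=spf1 -all", "v=spf1 mx -all"],        # two SPF records: permerror
    "_dmarc.double.example": ["v=DMARC1; p=none"],
    "nodmarc.example": ["v=spf1 mx -all"],                      # SPF fine, no DMARC at all
    "unknown.example": ["v=spf1 ipv4:192.0.2.4 -all"],          # typo: 'ipv4' is not a mechanism
    "lookups.example": ["v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all"],
    **{f"inc{i}.example": ["v=spf1 -all"] for i in range(11)},
}

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # terms that cost a DNS query


def txt(name: str) -> list[str]:
    """Offline TXT lookup; swap for a resolver call to audit real domains."""
    return FAKE_DNS.get(name.lower(), [])


def spf_records(domain: str) -> list[str]:
    return [r for r in txt(domain) if r.lower().startswith("v=spf1")]


def count_lookups(record: str, seen: set[str] | None = None) -> int:
    """Count DNS-querying terms, following include:/redirect= recursively
    (RFC 7208 limits the total to 10; more is a permanent error)."""
    seen = set() if seen is None else seen
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("include:") or term.startswith("redirect="):
            target = term.split(":", 1)[1] if term.startswith("include:") else term.split("=", 1)[1]
            total += 1
            if target not in seen:
                seen.add(target)
                for sub in spf_records(target):
                    total += count_lookups(sub, seen)
        elif re.split(r"[:/]", term, 1)[0] in LOOKUP_MECHS:
            total += 1
    return total


def validate_spf(domain: str) -> list[str]:
    """Return a list of problems; an empty list means the record is acceptable."""
    records = spf_records(domain)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return ["multiple SPF records published (permerror)"]
    record = records[0]
    errors, has_terminal = [], False
    for raw in record.split()[1:]:
        term = raw.lstrip("+-~?").lower()
        if re.fullmatch(r"[a-z]+=.*", term):                 # modifier, e.g. redirect=
            name = term.split("=", 1)[0]
            if name not in MODIFIERS:
                errors.append(f"unknown modifier '{raw}'")
            elif name == "redirect":
                has_terminal = True
        else:                                                 # mechanism, e.g. ip4:..., mx
            name = re.split(r"[:/]", term, 1)[0]
            if name not in MECHANISMS:
                errors.append(f"unknown mechanism '{raw}'")
            elif name == "all":
                has_terminal = True
                if raw[0] not in "-~":                        # '+all', '?all' or bare 'all'
                    errors.append(f"'{raw}' authorizes any sender; use -all or ~all")
    if not has_terminal:
        errors.append("no terminal 'all' mechanism or redirect= modifier")
    lookups = count_lookups(record)
    if lookups > 10:
        errors.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return errors


def validate_dmarc(domain: str) -> tuple[list[str], str | None]:
    """Return (problems, policy). A p= of none/quarantine/reject counts as published."""
    records = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"no DMARC record at _dmarc.{domain}"], None
    if len(records) > 1:
        return ["multiple DMARC records published"], None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        return [f"missing or invalid p= tag ({policy!r})"], policy
    return [], policy


def audit(domain: str) -> dict:
    spf_errors = validate_spf(domain)
    dmarc_errors, policy = validate_dmarc(domain)
    return {"domain": domain, "spf_errors": spf_errors, "dmarc_errors": dmarc_errors,
            "dmarc_policy": policy, "meets_minimum": not spf_errors and not dmarc_errors}


if __name__ == "__main__":
    for d in ("goodshop", "noall", "double", "nodmarc", "unknown", "lookups"):
        print(audit(f"{d}.example"))
```

Only `goodshop.example` meets the standard. Note that `double.example` does publish a DMARC policy (p=none, monitoring only) and still fails, because two SPF records are a permanent SPF error that makes receivers treat the domain as having no usable SPF at all, which is the kind of defect the 250ok criteria single out.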

The Anti-Phishing Working Group reports that on average, 433 brands are impersonated every month in phishing campaigns and brand impersonation attacks are rising. Last year, 413 brands were impersonated, on average, each month.

The lack of DMARC adoption in retail is not only a problem for consumers. It is also a problem for retailers. The lack of SPF and DMARC email authentication places brand trust at risk. Also, widespread abuse of domains by scammers results in genuine email messages being blocked, as 250ok DMARC customer Furniture Row explained.

“Prior to implementing a DMARC policy, we found ourselves blocked by several of the large mailbox providers and often didn’t know why,” said James Einspahr, Digital Creative Director at Furniture Row. “With DMARC in place, we found that our domains were being spoofed by a number of bad actors around the globe. Eliminating those malicious messages not being sent by us quickly resulted in better deliverability across the board.”

Author: NetSec Editor