e-Retailers are failing to protect their domains

250ok recently released a study that I wrote on the adoption of DMARC in the online retail space, titled “DMARC Adoptions Among e-Retailers”. It reviewed the minimum standards of authentication that a domain owner should be able to adopt without any significant investment in server or network configuration. The report focused on the implementation of Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC). Both are authentication solutions that require only an understanding of your network configuration and a DNS record to implement: no additional servers to buy or software to install.

There are several noteworthy items in the report, but here are a few that I think really stand out:

  • Set and forget policies on SPF – We found several domains with records that went beyond the maximum of 10 DNS look-ups, one as high as 97 look-ups, due to improperly configured include:domain policies. As businesses continue to outsource services, they should use subdomains instead of their root domain, since third-party includes can cause excessive look-ups in the root domain’s SPF record and impact its authentication. Review your SPF records regularly to make sure you remove old vendors and that the records don’t exceed the maximum number of look-ups.
  • Brands are not protecting all their domains – Many brands use only a small number of the domains they own for actual communications across many different web properties, yet they fail to authenticate all of their domains the same way. Even domains that never send mail benefit from a “no mail” record.
  • Using services blindly – Many of the DMARC records I looked at are configured, but reports are not being sent anywhere. The most powerful part of DMARC is the daily feedback on your domains: knowing what email is being sent on your behalf, especially if you didn’t send it.
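As an added example (not from the 250ok report or its tools), here is a small Python check for two of the failures above: it counts DNS-querying SPF terms across nested include: records against the limit of 10, and tests whether a DMARC record actually names a rua= address for aggregate reports. All domains and TXT answers are constructed stand-ins, not real records.

```python
"""SPF look-up counter and DMARC reporting check over constructed DNS data."""
import re
from typing import Dict, Optional

# Constructed TXT answers standing in for real DNS (hypothetical domains).
FAKE_TXT: Dict[str, str] = {
    "shop.example": "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example mx -all",
    "_spf.vendor-a.example": "v=spf1 include:east.vendor-a.example include:west.vendor-a.example ~all",
    "east.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 a -all",
    "west.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.vendor-b.example": "v=spf1 include:_spf.vendor-a.example a mx -all",  # re-includes vendor-a
    "_dmarc.shop.example": "v=DMARC1; p=none;",  # no rua= tag: reports go nowhere
    "_dmarc.fixed.example": "v=DMARC1; p=none; rua=mailto:dmarc-agg@shop.example",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def count_spf_lookups(domain: str, txt: Dict[str, str] = FAKE_TXT, path=()) -> int:
    """Count DNS-querying SPF terms, following include:/redirect= recursively.
    A domain included twice is counted twice, as it would be during evaluation."""
    if domain in path:  # include loop: stop here (a real resolver returns permerror)
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?(\w+)(?:[:=]([^/]+))?", term)  # qualifier, name, target
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue  # ip4:/ip6:/all cost no DNS queries
        total += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_spf_lookups(m.group(2).lower(), txt, path + (domain,))
    return total


def dmarc_reporting_target(domain: str, txt: Dict[str, str] = FAKE_TXT) -> Optional[str]:
    """Return the rua= aggregate-report address, or None if the DMARC record
    is absent or lacks the tag (the 'using services blindly' case)."""
    record = txt.get(f"_dmarc.{domain}", "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("rua")


if __name__ == "__main__":
    n = count_spf_lookups("shop.example")
    print(f"shop.example SPF look-ups: {n} ({'OVER' if n > MAX_LOOKUPS else 'within'} the limit of {MAX_LOOKUPS})")
    for d in ("shop.example", "fixed.example"):
        print(f"{d} DMARC rua: {dmarc_reporting_target(d) or 'MISSING, reports go nowhere'}")
```

Note that vendor-b re-including vendor-a pushes the constructed root record to 12 look-ups even though no single vendor record is large on its own, which is how the nested-include growth the report describes happens in practice.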

Take a few minutes to read the report (I promise it won’t take long), as you might find that your business is also breaking some of these rules when it comes to DMARC and SPF configuration.

Tools to review:

  • SPF Analyzer – Identify your current records and check whether they are working properly.
  • DMARC Wizard – Build a simple DMARC policy and start to understand how your domain is being used, and possibly abused.
  • DMARC Reporting – A tool to help interpret the DMARC reports you receive.
* Note: I work at 250ok and am posting this without any expectation of financial incentive… I’m just really proud of the report.

Author: Matt V - @emailkarma

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (Canada) (CIPP/C) with nearly two decades of experience in email marketing. Matthew is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee. Matthew was recognized as the 2019 eec thought-leader of the year.
