DMARC Adoption among European Retailers
The Google-Yahoo DMARC mandate this year affected a lot of businesses, including retail. Ongoing digital transformation means retailers are increasingly reliant on online revenue. During the pandemic, between 20% and 30% of retail purchasing shifted globally from brick-and-mortar transactions to online.
Reaching consumers where they are shopping means retailers must have prominent inbox placement and reliable email delivery. With the 2025 PCI DMARC requirement that impacts retailers, we decided it would be a good time to take a closer look at how retailers are protecting themselves and their customers.
Retail is particularly vulnerable to exploits such as phishing for a few key reasons:
- Dependency on supply chains and third-party services (such as invoicing, website hosting, online shopping cart modules, advertising services, etc.) expands the surface for business email and supply chain compromise.
- Retail gift cards are attractive targets for criminals as they offer convenience, portability and anonymity.
- Staffing challenges of seasonal peaks that rely on temporary workers and higher-than-average turnover contribute to an inexperienced workforce that may not be properly trained to identify cybersecurity scams.
- The rise of loyalty and reward programs means that retailers house an increasingly large amount of Personally Identifiable Information (PII), and bad actors have taken notice.
Phishing and credential harvesting remain a priority all year long as a primary intrusion vector across most cybercriminal operations. Members report a steady prevalence in phishing attempts with lure themes involving popular product promotions targeting consumers for PII harvesting.
RH-ISAC 2024 Holiday Season Cyber Threat Trends report
European Retail Phishing Scams
Phishing campaigns often target large retail companies, specifically in an effort to trick customers into divulging payment details. Implementing DMARC with an enforcement policy safeguards retail brands by preventing attackers from sending emails that appear to come from their domains and protects customers from impersonation attempts.
Common cyber attacks in the retail world include fake order confirmation emails, phishing for account credentials, gift card scams, fake promotions, and invoice fraud—all of which can be mitigated by DMARC.
Earlier in 2024, the European retailer Pepco (which operates retail stores under the Pepco, Poundland and Dealz brands) suffered a loss of €15.5 million in a Business Email Compromise (BEC) phishing scam when criminals spoofed legitimate employee emails to deceive the finance staff into transferring funds. DMARC is a key preventative measure to defend against BEC exploits.
DMARC Status of the Top 500 European Retailers
We polled the email domains of the top 500 retailers in Europe (by estimated revenue) to get a look at how DMARC adoption has progressed.
First off, the good news: it’s great to see the highest percentage rate belonging to p=reject, the ultimate goal of DMARC deployment where illegitimate emails are dropped before reaching the inbox. Add domains covered by a p=quarantine policy, which sends bad email to the spam folder, and 41% of these retailers have a DMARC policy at enforcement levels.
According to the European Commission’s Internet Standards Deployment Monitoring website, the DMARC Strict Policy Support Rate for EU-based domains is currently at a cumulative average of 35% with differences among individual countries. So it appears that the retail vertical (at least the larger retailers) is ahead of the curve at 41%.
However, the bad news is that over half, the remaining 59%, lacked a DMARC record, had a malformed DMARC record (either syntax errors or not following prescribed best practices), or published a p=none policy—all of which equate to no protection from phishing and domain impersonation through DMARC and its authentication foundation of SPF and DKIM.
SPF Issues
When looking more closely at the adoption of the supporting technology of SPF, we discovered that 13% of SPF records were malformed or not following prescribed best practices, which means their domains aren’t being fully protected. The most common issue was improper SPF syntax, followed by records exceeding the limit of 10 DNS lookups, leading to the Too Many Lookups error. We provide guidance for fixing these without using workarounds like SPF flattening that can compromise your security stance.
Another 11% of domain owners side-stepped SPF completely by not implementing it and solely relying on DKIM. It is worth noting that nearly a quarter of companies on this list either aren’t using SPF or are implementing it incorrectly.
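To make the two failure buckets above concrete (a DMARC record that is missing, malformed or at p=none, and an SPF record that is missing or breaks the 10-lookup limit), here is a small offline checker. It is an added example, not dmarcian’s tooling; the DNS TXT data is constructed and uses placeholder .example names rather than real retailers.

```python
import re

# Constructed sample DNS TXT data (placeholder .example names, not real retailers).
DNS_TXT = {
    "_dmarc.shop-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example",
    "_dmarc.shop-b.example": "v=DMARC1; p=quarantine; pct=100",
    "_dmarc.shop-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop-c.example",
    "_dmarc.shop-d.example": "v=DMARC1 p=reject",  # missing ';' separator -> malformed
    "shop-a.example": "v=spf1 include:_spf.mailer.example include:_spf.crm.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_spf.mailer.example a mx ~all",
    "shop-e.example": ("v=spf1 include:_spf.ads.example include:_spf.crm.example mx a ptr "
                       "exists:%{i}.chk.example include:_spf.ads.example -all"),
    "_spf.ads.example": "v=spf1 include:a1.example include:a2.example include:a3.example ~all",
}
# SPF terms that each cost a DNS lookup (RFC 7208 section 4.6.4 caps the total at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)

def dmarc_policy(record):
    """Return 'reject', 'quarantine' or 'none' from a DMARC TXT record, else 'malformed'."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not all("=" in p for p in parts):
        return "malformed"
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in parts)}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "malformed"
    return tags["p"]

def classify_domain(domain, txt=DNS_TXT):
    """Bucket a domain as the survey does: reject/quarantine = enforcement; none/malformed/missing = exposed."""
    record = txt.get(f"_dmarc.{domain}")
    return "missing" if record is None else dmarc_policy(record)

def spf_lookups(domain, txt=DNS_TXT, depth=0):
    """Count lookup-causing SPF terms, recursing into include:/redirect=; None if no SPF record."""
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1") or depth > 10:
        return None
    count = 0
    for term in record.split()[1:]:
        match = LOOKUP_TERM.match(term)
        if not match:
            continue  # ip4:/ip6:/all cost no lookup
        count += 1
        mech = match.group(1).lower()
        if mech in ("include", "redirect"):  # follow the referenced record
            target = term.split(":" if mech == "include" else "=", 1)[-1]
            count += spf_lookups(target, txt, depth + 1) or 0
    return count
```

In the sample data shop-e.example has no DMARC record and its SPF chain resolves to 16 lookups, so it would land in both the "no DMARC protection" and "Too Many Lookups" buckets described above.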
DMARC Status of the Top 100 Retailers in France
We decided to dig a bit deeper and take a more granular look at the results. We chose the top 100 retailers in France (again by estimated revenue) as they share the largest EU presence in the European top 500, along with Germany.
France’s national cybersecurity agency (Agence nationale de la sécurité des systèmes d’information, or ANSSI) encourages the implementation of protocols whose role is to verify the authenticity and integrity of emails, including DMARC, SPF and DKIM.
However, only 32% of the French retail sector’s top 100 domains have policies at an enforcement level, and 68% are exposed, either because they have no DMARC record or because their current record has issues. This is 9 percentage points below what we see with the European top 500, which stands at 41% and 59% respectively.
DMARC Status of the Top 100 Retailers in Germany
We chose the top 100 retailers in Germany, the other large EU presence in the European top 500.
Sender authentication is most effective when SPF is combined with DKIM and DMARC. DKIM ensures that the message has not been altered and that it truly comes from the stated sender. When combined with DMARC, the recipient’s server is provided with clear instructions on how to handle unauthenticated emails. These protocols are not new, but they need to be adopted more widely if we are to significantly improve the security of email communications.
Claudia Plattner, President of the German Federal Office for Information Security (BSI)
Doing a bit better than their French neighbors, we find that 40% of the top 100 German retailers are benefiting from having a properly formatted DMARC record at enforcement, while 60% do not.
DMARC Status of the Top 100 Retailers in UK
We’re also interested in the UK, which we included in the European top 500. Nearly 90% of UK businesses that experienced cybercrime reported phishing incidents—the most common cyberattack affecting UK businesses.
Brexit left some concerned that the UK’s cybersecurity ecosystem would be negatively affected by reduced operational effectiveness, exclusion from EU decision-making, and a potential skills shortage.
Many of these concerns didn’t come to fruition, as cooperation between national intelligence agencies hasn’t been directly affected, and the UK still wields significant influence through its extensive network of international partnerships.
The UK National Cyber Security Centre also created Mail Check, a free platform for assessing email security compliance. Mail Check supports public sector organisations in implementing SPF, DKIM, DMARC and TLS.
And we see that echoed in the results, with 58% of the top 100 British retailers having a DMARC policy at enforcement, surpassing the averages of both the top 500 European retailers (41%) and the European Commission’s Internet Standards Deployment Monitoring average (35%).
DMARC Status of the Top 100 Retailers in Ireland
We’re taking a closer look at Ireland, since it is the headquarters of dmarcian’s European business unit, and we are active in supporting the local cybersecurity community through outreach, collaboration and advocacy.
Ireland is ranked as the most phished country globally, with nearly two-thirds of Irish adults experiencing phishing attempts.
And as the numbers show, we have our work cut out for us, at least with the Irish retail sector. With 19% at an enforcement policy (with 81% not benefiting from DMARC), it is much lower than the other regions we’ve researched.
However, that isn’t to say that Ireland is lagging behind in DMARC adoption, which we researched earlier this year. In fact, the European Commission’s Internet Standards Deployment Monitoring shows that 36% of Irish domains have a policy of enforcement, just above the average for the EU.
DMARC Policy Enforcement Comparison
In this comparison you can see that of the categories we investigated, three of the five hover within six or fewer percentage points of the Europe (ALL) average. On either end of the spectrum, only 19% of Ireland’s top 100 retailer domains are protected, and 58% of the UK’s top 100 retailer domains are safe from exact-domain phishing.
What’s clear for all categories is that while DMARC adoption is still developing, it is progressing. As we’re seeing with Google and Yahoo, email sender requirements play a large role in expanding DMARC adoption, as do government initiatives and regulatory associations. As DMARC continues to become a necessity instead of a nice-to-have, dmarcian is committed to education and advocacy to help retailers protect their customers and strengthen their brand reputation in the evolving e-commerce marketplace.
European retailers remain prime targets for email phishing attacks, given the wealth of sensitive customer data they manage, from payment details to personal information. By adopting robust measures like DMARC, they can not only safeguard consumer trust but also mitigate significant financial losses.
Dermot Harnett, Director of dmarcian Europe Headquarters
We’re here to help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian and our partners have helped retailers reach DMARC enforcement to keep their customers and brand safe. We’re people helping people secure their domains from phishing and manage their email security for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.