badsender logo

Update | DMARC usage in the TOP 100 E-Commerce companies

26/04/2022

Domain name protection is currently a major issue for any actor sending emails to its users. The implementation of DMARC allows you to have visibility on the outgoing traffic of your domains thanks to the authentication reports provided by some messaging services. I propose you here to analyze the DMARC registrations of the TOP 100 E-Commerce companies. Of course, the analyzed data are not the most recent but they will show an evolution on the management of domain names and in particular their security.

Small reminder of the method of our DMARC analysis

As with the study we updated last December on theState of the art of DMARC use in CAC40 companies!we have collected:

  • DMARC registration,
  • the policy of rejection,
  • the DMARC monitoring solution(s) used,
  • SPF & DKIM alignment policies (I've set aside SPF records for a future article) of the TOP 100 E-Commerce companies.

I have based myself on the ranking provided during ECN / Similarweb study from the second half of 2019. The objective here is to see the evolution of DMARC between the records I had recovered and analyzed in July 2020 and those of April 2022. The domains used for marketing purposes will not be studied here.

Below is the list of companies and their fields that were analyzed: List of the TOP 100 E-Commerce S2 2019.

What is the use of DMARC among these E-Commerce companies?

Analyzing the data from July 2020 and April 2022, we see that the rate of DMARC usage has increased significantly. 22 companies have reached a milestone by publishing a DMARC record on their main domain!

DMARC usage rate by the TOP 100 E-Commerce companies

Among the 25 companies that have not yet deployed a DMARC registration on the main domain are: PRIVATE SALES, DARTY, SNCF CONNECT, CARREFOUR, RUE DU COMMERCE...

You will find them in red in the following list: List of the TOP 100 E-Commerce S2 2019.

What are the DMARC policies deployed in the Top 100 E-commerce?

Again, if we compare the figures for July 2020 and April 2022, we notice that many companies have tightened their DMARC policy from none to reject. Moreover, this DMARC policy reject has seen an increase of 20% in almost 2 years... Hats off!

DMARC policies deployed by the TOP 100 E-Commerce companies

There has been a great awareness on the part of these companies to improve the security of their domain name.

Let's honor the following companies that have deployed a DMARC policy reject : LEROY MERLIN, RAKUTEN, AIR FRANCE, GOOD PRICE, LDLC, RYANAIR, AROMA ZONE.

You will find the list of companies that have deployed a DMARC policy reject in green below: List of the TOP 100 E-Commerce S2 2019

What monitoring solutions are used?

Several major points come up when comparing data between July 2020 and April 2022 on monitoring solutions:

  • 50% of the addresses declared in the RUA tags are internal to the company. This represents a significant increase of almost 39%! It remains to be seen if these reports are really analyzed and not just put aside...
  • Proofpoint is losing ground but remains the most used solution with 14% (as for CAC 40 companies). This is certainly due to its use as an anti-spam filter for companies (I have seen this in analyses due to BtoB domain blocking).
  • Several solutions specialized in DMARC report analysis are emerging: DMARC ANALYSER, EASY DMARC, DMARCIAN, POSTMARK DMARC, POSTMASTERY, MEROX, DMARC ADIVOR, EVEREST. However, these remain a very small minority.
  • 9 companies seem to use more than 2 solutions (2 distinct addresses declared in the RUA tag).
  • 4 companies did not declare a RUA tag (cf. here we declare the address that will receive DMARC reports). This implies that they have no information on the e-mail flows passing through their domain!
DMARC monitoring solutions used by the TOP 100 E-Commerce companies

As a reminder, the DMARC reports sent by some messengers allow to obtain an authentication report of all the e-mail flows of a domain and its sub-domains. The objectives are twofold. Namely: to detect misconfigured legitimate flows (and therefore to be corrected) vs. to detect non-legitimate flows (and therefore to be processed).

To learn more about DMARC, feel free to consult the articles I published on the subject:

The good vs. the not so good student!

The objective here is to highlight the company that does things best and the one that is in great need of improvement... Beware however, this is not fixed in time, the least good student of today may be the good student of tomorrow (let's hope so) and vice versa (let's not hope so)!

(+) Aroma Zone : a DMARC reject policy and a strict SPF & DKIM alignment policy! In addition, SPF registration is strict! {cf. The Golden Palm}

(-) SNCF Connect : no DMARC records and no SPF records found on their domain. {cf. The Donkey's Maid}

Note : To define the right student, I based on the deployed DMARC policy, SPF & DKIM alignments and if needed SPF registration.

In conclusion of this DMARC analysis of the top 100 E-commerce

Finally, I remain rather pleasantly surprised by my analysis because In less than 2 years, the implementation of DMARC has progressed very strongly. Attitudes have also changed. The shift to a DMARC policy reject is the proof. I'll be curious to see what it will look like in several months! See you by the end of the year for a new update!

Badsender accompanies you in your DMARC deployment

The DMARC deployment is not to be done "lightly". It is more than just adding a new DNS record. Badsender accompanies its customers in securing their email flows via DMARC :

  1. Implementation of a DMARC monitoring solution: configuration of domain names, creation of filters and dashboards in the monitoring tool, creation of automated alerts, ...
  2. Audit of email flows: authentication verification of the different flows, validation of the domain name alignment, detection of illegitimate flows, ...
  3. Compliance of the different email sources: increase in the competence of the teams, validation of modifications carried out, ...
  4. Gradual transition to a policy=reject : once an acceptable level of compliance is reached, gradual transition to a rejection policy.
  5. Configuration of BIMI

The philosophy of Badsender is to bring you the tools, but especially the skills so that your teams can become autonomous on the subject of DMARC. After an active phase of DMARC deployment, we remain available if needed as dedicated support.

Don't hesitate to share, like, comment... In short, make some noise !!!!!

Need a deliverability audit ? Or a monitoring ? We can also offer you :

Badsender also animates training on the subject of email deliverability !

Leave a Reply

Your email address will not be published.