What it is
Email authentication is three DNS records, SPF, DKIM, and DMARC, that prove a message claiming to come from your domain really did. SPF lists the servers allowed to send for you, DKIM signs each message so that any tampering in transit can be detected, and DMARC ties them together and tells inboxes what to do when a message fails the check: do nothing, quarantine it, or reject it.
How common it is
Fewer than two in five audited stores (38%) have DMARC doing its job. SPF is common, but the audit checks the whole chain over DNS, and DMARC is where most stores stop. Often the record exists but is set to a policy of “none,” which only monitors and blocks nothing, so a store can send good email and still fail the audit because the protection is set to monitor rather than enforce.
Why it costs you
Without DMARC at enforcement, anyone can send email that appears to come from your store. Attackers use that to send fake order confirmations and password resets to your own customers, who trust the message because it shows your address. The same gap drags down your real mail: providers that cannot verify your domain are quicker to drop your receipts into spam. So you lose twice, once to the customer phished in your name, and once to the buyer who never sees the message you sent.
Check it in 30 seconds
Put your domain into a free lookup like MXToolbox and find the DMARC record. If there is none, or the policy reads p=none, the protection is off or only watching. The fix lives in your DNS settings, not your store, so your host or email provider usually makes the change.
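The same check as a script, added here as an example and not part of the original article: it takes the TXT strings returned for _dmarc.<your domain> (for instance from `dig +short TXT _dmarc.example.com`) and reports whether DMARC is missing, only monitoring, partly enforced, or enforcing. The function names, the posture labels and the sample records are constructed for illustration.

```python
# Added example: classify DMARC posture from the TXT answers for _dmarc.<domain>.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the tags of one DMARC record, or None if the string is not DMARC."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt_answers):
    """Map every TXT string found at _dmarc.<domain> to one posture label."""
    records = [r for r in map(parse_dmarc, txt_answers) if r is not None]
    if not records:
        return "missing"        # nothing published: the protection is off
    if len(records) > 1:
        return "invalid"        # receivers skip DMARC when several records exist
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"        # no usable p= tag, so nothing is enforced
    if policy == "none":
        return "monitoring"     # reports only, blocks nothing
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"        # policy applied to only a share of failing mail
    return "enforcing"

# Constructed sample answers (example.com is a placeholder domain).
SAMPLES = {
    "no record": [],
    "spf only": ["v=spf1 include:_spf.example.com ~all"],
    "watching": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "ramping up": ["v=DMARC1; p=quarantine; pct=25"],
    "enforced": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
    "two records": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(f"{label:12} -> {dmarc_posture(answers)}")
```

Only "enforcing" means spoofed mail is actually being quarantined or rejected; every other result leaves the gap described above open.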
