Which retail brands can be spoofed in email?

Retail brands are the second-most-impersonated category after finance, driven by 'your order was placed', 'your delivery failed', and 'your refund is processing' scams. Grocery chains and big-box stores have generally caught up; mid-tier brands and international retailers lag.

Spoofable

4 (20%)

No DMARC, or DMARC at p=none. Anyone can send from these domains.

Partial protection

1 (5%)

DMARC at p=quarantine, or p=reject with pct<100. Spoofed mail may slip through.

Not practically spoofable

15 (75%)

DMARC p=reject pct=100 + SPF -all or DKIM. Spoofed mail rejected at SMTP.

Brand	Domain	Verdict
Aldi	aldi.com	Spoofable	See the math →
Carrefour	carrefour.com	Spoofable	See the math →
Lidl	lidl.com	Spoofable	See the math →
Trader Joe's	traderjoes.com	Spoofable	See the math →
Wayfair	wayfair.com	Maybe	See the math →
Best Buy	bestbuy.com	Protected	See the math →
Costco	costco.com	Protected	See the math →
Etsy	etsy.com	Protected	See the math →
Home Depot	homedepot.com	Protected	See the math →
IKEA	ikea.com	Protected	See the math →
Lowe's	lowes.com	Protected	See the math →
Macy's	macys.com	Protected	See the math →
Nordstrom	nordstrom.com	Protected	See the math →
Sainsbury's	sainsburys.co.uk	Protected	See the math →
Sephora	sephora.com	Protected	See the math →
Shopify	shopify.com	Protected	See the math →
Target	target.com	Protected	See the math →
Tesco	tesco.com	Protected	See the math →
Walmart	walmart.com	Protected	See the math →
eBay	ebay.com	Protected	See the math →

Other categories

What does "spoofable" actually mean?

A domain is spoofable when a third party can send mail FROM addresses at that domain (e.g. [email protected]) and have it land in inboxes. The mechanism that prevents this is DMARC enforcement combined with SPF and DKIM. Without all three, receivers have no policy to apply against unauthorised senders.

Want the same check on your own domain? Run the free Spoofability check.

This category last scored: Tue, 12 May 2026 05:12:30 GMT.