Domino’s Pizza Enterprises has implemented domain-based message authentication, reporting and conformance (DMARC) in a bid to protect customers “from fake Domino’s phishing attacks”.
The quick service restaurant (QSR) operator said its security team had reviewed “all key email domains used by the business and third-party partners to determine how email was being handled” back in early 2020.
“The team then implemented special ‘DMARC’ records that clearly identified who could send emails on our behalf,” Domino’s said in a sustainability report, released today.
“This was then monitored, before progressing to ensure only external systems with approval from Domino’s could send emails on our behalf.”
The pizza maker said the DMARC implementation was completed in March 2021, “protecting and verifying more than 51 email domains and more than 144 million emails a month.”
“The project protects not only our customers and the public, but also the Domino’s brand, and increases the likelihood genuine Domino’s emails will be delivered,” the company said.
“It’s important that when a customer receives an email purportedly from Domino’s that it’s actually sent by our teams, not by someone pretending to be Domino’s - a significant issue in the online retail world.”
The DMARC project was one initiative in a broader set of security works performed by Domino’s over the past year, some of which remain ongoing.
In the financial year just gone, Domino’s said it conducted “data mapping exercises” across the group to improve security and governance protections for sensitive data.
The company also made sure that administrative accounts and “those that have access to large volumes of data” had multi-factor authentication enabled.
In addition, it started a business continuity planning and disaster recovery program of work aimed at “identifying those systems, services and data that are critical to the operation of our business and work, adding a program of risk mitigation for any risks that may be present.”
On top of protecting outbound emails, Domino’s said “more than 10 million online ordering customer accounts were protected this year from account takeover attacks”.
It also said it processed 60 million security ‘insights’ every day, “generated from more than 26 different systems and services that we log and monitor.”
It added that machine learning is used to triage these event notifications to aid its security operations team.