TL;DR: DMARC monitoring, SPF alignment, and DKIM signing are the baseline controls needed before a domain can qualify for VMC, according to DigiCert. The practical issue is not the certificate itself but whether mail governance can survive the move from visibility to quarantine and reject without breaking legitimate senders.
At a glance
What this is: This is a guide to setting up DMARC, SPF, DKIM, and enforcement so a domain can qualify for VMC and reduce spoofing and phishing risk.
Why it matters: It matters because email authentication is part of identity governance for human accounts, vendor domains, and machine-generated mail, and weak domain controls still create broad impersonation exposure.
Context
DMARC is an email authentication and reporting protocol that helps organisations control who can send mail from their domain. For identity teams, the governance issue is simple: if the domain policy is loose, spoofed messages can look legitimate even when the underlying sender is not authorised.
This kind of control sits at the intersection of human identity protection and domain trust. The operational challenge is not just publishing records, but building enough visibility to distinguish legitimate senders from unauthorized ones before enforcement tightens. For teams that need a broader frame on identity governance, the NIST Cybersecurity Framework 2.0 is a useful reference point for protect, detect, and recover functions.
Key questions
Q: How should security teams roll out DMARC without breaking legitimate email?
A: Start in monitoring mode, collect reports, and build a complete inventory of authorised senders before changing policy. Then move to quarantine, watch for legitimate mail streams that were missed, and only use reject when alignment is stable across internal and third-party senders.
Q: Why does DMARC matter for identity governance and not only phishing defence?
A: DMARC governs which mail sources are allowed to represent a domain, so it is a trust and identity control as much as an anti-phishing measure. It helps organisations prove that a sending identity is authorised, which reduces impersonation risk across human and system-generated mail.
Q: What do teams get wrong when they treat SPF and DKIM as enough?
A: SPF and DKIM are necessary signals, but DMARC is what turns those signals into a domain policy decision. Without DMARC, authenticated mail can still be inconsistent from a governance perspective, and receivers have less guidance on how to handle unauthorised messages.
Q: Who should own DMARC enforcement in a large organisation?
A: DMARC enforcement should be owned jointly by security, email infrastructure, and the teams that operate third-party senders, because the control affects trust, delivery, and brand impersonation at the same time. Governance breaks down when one group owns the record but not the sending ecosystem.
Technical breakdown
SPF, DKIM, and DMARC work as a layered trust model
SPF authorises which IP addresses can send mail for a domain, DKIM cryptographically signs messages so receivers can verify they were not altered in transit, and DMARC ties those signals to a policy decision. DMARC only works well when SPF or DKIM aligns with the visible From domain, because that alignment is what turns technical validation into enforceable domain trust. Monitoring mode gives teams the visibility to see legitimate sources before the policy starts rejecting mail.
Practical implication: inventory all legitimate mail sources before moving DMARC beyond monitoring, or enforcement will disrupt real business mail.
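How a receiver turns SPF and DKIM results into a DMARC verdict, as an added example that is not code from the DigiCert guide: it parses a DMARC TXT record (strict vs relaxed alignment via `adkim`/`aspf`, policy via `p`) and applies the rule that DMARC passes when either mechanism is both passing and aligned with the visible From domain. The organisational-domain helper is a simplification (last two labels); real receivers consult the Public Suffix List.

```python
# Added example: DMARC alignment and disposition per RFC 7489 (simplified).
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}  # relaxed alignment, monitor
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:  # mechanism did not pass at all
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain the recipient sees
    spf_domain: Optional[str]   # MAIL FROM domain that passed SPF, or None
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, or None


def dmarc_disposition(record: dict, r: AuthResults) -> Tuple[bool, str]:
    """Return (dmarc_pass, action). Pass if either SPF or DKIM is aligned and passed."""
    spf_ok = aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    # Monitoring (p=none) still delivers; quarantine/reject are the enforcement states.
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, actions[record["p"]]
```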
Why DMARC enforcement changes the risk model for branded email
A domain under monitoring can still be abused for spoofing, because the protocol is observing mail rather than blocking it. Quarantine and reject change that posture by telling receivers how to treat unauthorised messages, which is why enforcement is the point at which spoofing resistance becomes operational. The shift is gradual because organisations often discover mail streams they did not initially account for, especially from third parties or regional systems.
Practical implication: treat quarantine as the control validation phase and reject as the final policy state, not as interchangeable settings.
VMC depends on domain trust being provable, not assumed
Verified Mark Certificates sit on top of DMARC compliance, so the certificate is only meaningful when the underlying authentication regime is already disciplined. VMC does not create trust by itself; it proves that the organisation has made domain impersonation harder through a managed email identity posture. That makes this more than a branding exercise. It is a control maturity signal that depends on governance, not just DNS configuration.
Practical implication: use VMC readiness as a checkpoint for email identity governance, not as a substitute for it.
NHI Mgmt Group analysis
DMARC is a domain identity control, not just an email security setting. The practical purpose is to decide whether a domain can be trusted as a sending identity, and that matters because spoofing is fundamentally an identity problem. When SPF, DKIM, and DMARC are treated as separate technical chores instead of one trust chain, organisations leave gaps that attackers can exploit through impersonation. Practitioners should view the domain as an identity boundary, not a mail transport detail.
Monitoring before enforcement is the governance step most organisations skip or start too late. The article correctly points out that legitimate senders often surface only after DMARC reports begin flowing. That is the operational proof that email identity is usually more distributed than teams believe, especially when third parties send on behalf of the domain. The implication is that rollout discipline matters more than record syntax.
VMC only adds value after the domain trust model is already stable. A verified mark does not fix weak sender governance, orphaned mail sources, or inconsistent alignment. It simply makes the consequences of poor domain control more visible because branded mail becomes a higher-trust target. For identity teams, the lesson is to treat certificate qualification as an outcome of governance maturity, not a shortcut around it.
Identity assurance for email must extend across human and third-party senders. Domains today are often used by internal systems, customer platforms, marketing services, and support tooling. That means a single policy mistake can affect user trust, phishing resistance, and operational mail delivery at the same time. The practitioner takeaway is to govern the sender population first, then harden the policy.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why control confidence and control reality often diverge.
- For the governance angle, read the Ultimate Guide to NHIs and What are Non-Human Identities for how credentials and tokens fit into identity control.
What this signals
DMARC rollout is a reminder that identity governance fails most often at the boundary between technical control and operational ownership. If an organisation cannot enumerate its authorised senders, then policy strength is secondary to sender inventory discipline.
Domain trust debt: the gap between a domain's claimed sending identity and the set of systems actually able to send on its behalf. Teams that do not close that gap before enforcement usually discover it through broken mail, not through policy design.
As email ecosystems expand, practitioners should expect more delegated sending paths and more pressure to prove sender legitimacy across internal tools and third parties. That makes domain authentication part of broader identity lifecycle thinking, not a one-time DNS task.
For practitioners
- Inventory every authorised sender: Build a complete list of systems, vendors, and business units that send mail from each domain before changing policy from monitoring to enforcement.
- Validate SPF alignment: Check that the visible From domain and the authenticated sending path align, especially where third-party mail services or delegated systems are involved.
- Run DMARC in monitoring mode first: Use reporting to identify legitimate traffic that would fail enforcement, then correct records and sending patterns before raising policy strength.
- Move to quarantine before reject: Increase enforcement gradually, using quarantine to test impact and reject only after the authorised sender set is stable and complete.
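The monitoring-phase work described in the list above (build the sender inventory from DMARC reports, then see what enforcement would affect), as an added example that is not from the DigiCert guide: it summarises a DMARC aggregate (rua) report per source IP and lists the sources whose failing volume would be quarantined or rejected once `p` is raised. The XML is constructed sample data in the RFC 7489 Appendix C layout; the vendor record shows a third-party sender whose SPF passes only on its own domain and is therefore unaligned.

```python
# Added example: DMARC aggregate report -> sender inventory and enforcement impact.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not real data): one aligned source, one unaligned
# vendor sending on behalf of the domain, and a small unknown source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mail.vendor.example.net</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarise_report(xml_text: str) -> dict:
    """Return {source_ip: {"pass": n, "fail": n, "spf_domains": set()}} from one rua report."""
    root = ET.fromstring(xml_text)
    inventory = defaultdict(lambda: {"pass": 0, "fail": 0, "spf_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated dkim/spf are the *aligned* results; DMARC passes if either passed.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        inventory[ip]["pass" if "pass" in (dkim, spf) else "fail"] += count
        # Raw SPF domains reveal which third party actually sent the mail.
        for dom in rec.findall("auth_results/spf/domain"):
            inventory[ip]["spf_domains"].add(dom.text)
    return dict(inventory)


def enforcement_impact(inventory: dict, min_count: int = 10) -> list:
    """Sources with enough failing volume to matter once p moves to quarantine/reject."""
    return sorted(ip for ip, s in inventory.items() if s["fail"] >= min_count)
```

Run the summary over every report in a reporting window before raising `p`; each IP in the impact list is either a sender to bring into alignment or confirmed spoofing.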
Key takeaways
- DMARC turns email authentication into an enforceable domain trust decision, which is why it belongs in identity governance discussions.
- Monitoring is not a soft option. It is the evidence-gathering phase that prevents quarantine and reject from breaking legitimate mail flows.
- VMC readiness depends on sender inventory, SPF and DKIM alignment, and controlled enforcement, not on the certificate alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-5 | DMARC enforces authenticated sender trust for email domains. |
| NIST SP 800-63 | | Email domain trust supports assurance in federated communication flows. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification aligns with phased DMARC enforcement and monitoring. |
Map domain sender policy to PR.AC-5 and require authenticated, aligned mail sources before enforcement.
Key terms
- DMARC: DMARC is an email authentication protocol that tells receiving systems how to handle messages that claim to come from a domain. It combines policy, alignment, and reporting so organisations can detect spoofing, monitor legitimate senders, and move toward enforced domain trust.
- SPF: Sender Policy Framework is a DNS-based control that lists which IP addresses are allowed to send mail for a domain. It helps receivers check whether a message came from an authorised sender, but it becomes more useful when paired with DMARC policy and reporting.
- DKIM: DomainKeys Identified Mail is a cryptographic signing method for email. It lets receivers verify that a message was sent by an authorised domain and was not changed in transit, which strengthens domain identity confidence when the key management is disciplined.
- VMC: Verified Mark Certificates are certificates used to display a verified brand mark in supported email clients. They depend on strong DMARC compliance, so the certificate acts as a signal of domain governance maturity rather than a substitute for sender control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: How to Set Up DMARC to Qualify Your Domain for VMC. Read the original.
Published by the NHIMG editorial team on 2026-02-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org