TL;DR: Phishing accounts for 91% of cyberattacks, and SPF, DKIM, DMARC, attachment controls, and gateway-based encryption are now baseline requirements for reducing spoofing, malware delivery, and compliance exposure, according to GlobalSign’s podcast discussion. The governance lesson is that email trust must be treated as layered identity and control assurance, not a single filter decision.
At a glance
What this is: GlobalSign’s podcast discussion frames email security as a layered trust problem, with phishing, spoofing, malicious attachments, and baseline authentication controls as the central risks.
Why it matters: For IAM and security teams, the article is a reminder that email remains a primary trust boundary where identity assurance, message integrity, and attachment governance all intersect.
By the numbers:
- 91% of all cyberattacks begin with a phishing email.
👉 Read GlobalSign's article on SPF, DKIM, DMARC, and phishing resilience
Context
Email remains one of the most heavily abused trust channels in enterprise security because it combines identity, content, and delivery in a single control plane. When attackers can spoof a sender, deliver a malicious attachment, or hide a fraudulent link inside a message that looks legitimate, they are bypassing both human judgement and technical controls at the same time.
That creates a genuine identity governance issue, not just a messaging problem. SPF, DKIM, DMARC, and certificate-backed encryption sit at the boundary between human identity, domain identity, and workload identity, which is why email controls should be treated as part of broader trust and access governance rather than a narrow mail gateway function.
Key questions
Q: How should security teams implement SPF, DKIM, and DMARC across a large enterprise?
A: Start by mapping every legitimate mail sender, including third-party platforms and application services, then publish aligned SPF, DKIM, and DMARC records for the domain. Move from monitoring to enforcement only after you have confirmed that all legitimate mail flows pass authentication, otherwise you will create false positives and mail delivery failures.
Q: Why do phishing emails still succeed even when organisations have security gateways?
A: Security gateways reduce risk, but they do not remove trust exploitation or user action from the attack path. Phishing succeeds when sender identity looks credible, the message arrives before detection completes, or the content is designed to trigger a fast human response such as opening an attachment or approving a payment.
Q: What do security teams get wrong about email attachment filtering?
A: They often treat attachment filtering as a binary block list instead of a content-risk control. A better model is to allow only the file types the business genuinely needs, then inspect, sandbox, or convert everything else before it reaches the user.
Q: Who is accountable when spoofed email leads to fraud or data loss?
A: Accountability sits across security, messaging, and business owners because the failure usually spans domain configuration, user trust, and process design. The practical test is whether the organisation can show that sender authentication, message policy, and approval workflows were all enforced before the incident.
Technical breakdown
Why email authentication still fails in practice
Email authentication works by proving that a message came from an authorised sending source and was not altered in transit. SPF validates sending IPs, DKIM signs message content, and DMARC tells recipients how to handle failures. In theory that creates a chain of trust. In practice, many organisations leave gaps in policy enforcement, monitoring, or alignment between mail providers and domain settings, so spoofed messages still land in inboxes. The security problem is not the protocol set itself but inconsistent implementation and weak operational ownership.
Practical implication: verify that SPF, DKIM, and DMARC are aligned across all sending services, not just the primary mail platform.
How attachment and gateway controls reduce phishing impact
Attachment filtering is most effective when it treats risky file types as untrusted until they are inspected or transformed. The article’s example of converting Word attachments to PDF before delivery is a classic sandboxing and content-disarm pattern. This reduces the chance that embedded macros or active content reach users before detection has completed. The technical point is that the gateway becomes a control buffer, buying time for detection and containment without depending on the user to recognise the threat.
Practical implication: apply default-deny rules to high-risk attachment types and use transformation or inspection for files that must be delivered.
Why gateway encryption and certificate automation matter
Gateway-based encryption centralises certificate management and makes message protection more operationally realistic than per-device certificate deployment in many enterprises. That matters because certificate sprawl, BYOD, and inconsistent client configuration often become the real blockers to secure email. When certificate issuance and delivery are automated, the organisation can keep encryption on by default without adding much user friction. The architectural takeaway is that secure email succeeds when trust, signing, and encryption are built into the mail flow rather than left to individual endpoints.
Practical implication: centralise certificate lifecycle management for email and use automation to avoid creating a maintenance burden on users or IT teams.
Threat narrative
Attacker objective: The attacker aims to obtain credentials, deliver malware, or induce fraudulent transactions by abusing trusted email channels.
- Entry begins with a convincing phishing email that exploits sender trust, often using spoofed domains, malicious links, or weaponised attachments.
- Escalation occurs when a recipient opens the payload or follows the link, giving the attacker a route into credentials, malware execution, or fraudulent payment workflows.
- Impact follows through data theft, account compromise, or financial fraud, often amplified by the credibility of a message that appears to come from a legitimate business domain.
NHI Mgmt Group analysis
Email authentication is now identity governance, not just mail security. SPF, DKIM, and DMARC are often discussed as transport controls, but the article shows they are really controls over domain trust and sender legitimacy. That matters because spoofing attacks abuse the same trust assumptions that IAM tries to harden elsewhere. Practitioners should treat domain authentication as part of identity assurance across the communication stack.
Attachment control is a privilege decision in disguise. The suggestion to convert or restrict file types reflects a broader least-privilege principle for content. If a message does not need active content to do its job, it should not be allowed to carry it. This is the same governance logic that underpins zero standing privilege in identity programmes, applied to email payloads.
Gateway-based encryption is the practical answer to certificate sprawl. The article is right to point out that client-managed encryption often fails in BYOD and distributed environments because it shifts operational complexity to endpoints. Centralised certificate lifecycle management is more realistic, especially where regulated communications or personal data are involved. The control lesson is that usability and trust cannot be separated.
Baseline requirements only work when they become enforced policy. The article notes that standards are available but too often treated as recommendations. That is the central governance failure in email security: organisations know the baseline, but do not operationalise it across all senders, gateways, and exception paths. Practitioners should close the gap between policy publication and technical enforcement.
Trustworthiness in email depends on continuous verification across domain, content, and delivery paths. No single control solves phishing because the attack works at multiple layers at once. That makes email a useful model for broader identity security design: assurance must be layered, measurable, and continuously checked rather than assumed once at onboarding.
What this signals
Email controls are increasingly part of the wider identity assurance surface, especially where phishing is used to capture credentials or impersonate trusted senders. The practical shift for programmes is to treat mail authentication, attachment policy, and fraud response as joined-up governance rather than separate control islands.
A useful concept here is sender trust debt: the longer an organisation delays enforcement of SPF, DKIM, DMARC, and attachment restrictions, the more it normalises unsafe delivery paths. That debt compounds because attackers do not need to defeat every layer, only the weakest combination of domain trust, user expectation, and process urgency.
For identity and security leaders, the signal is clear: email security should be measured as a control system, not a product category. Link message authenticity to IAM, payment approval, and incident response metrics so spoofing risk is visible before it becomes a fraud event.
For practitioners
- Enforce SPF, DKIM and DMARC across every sender Inventory all systems that send mail on behalf of the domain, including SaaS platforms, marketing tools, and transactional services. Align the records, set an enforcement policy, and monitor failures so spoofing attempts are rejected rather than merely observed.
- Restrict risky attachments by default Block or transform high-risk file types unless there is a documented business requirement. Use gateway inspection, sandboxing, or conversion to safer formats for messages that must be delivered to users.
- Centralise certificate and encryption management Use gateway-based certificate handling for S/MIME or similar email encryption patterns where possible, especially in BYOD or distributed environments. This reduces endpoint variation and keeps encryption operationally sustainable.
- Treat phishing resilience as identity assurance Link mail security policy to IAM, PAM, and fraud controls so spoofed messages are analysed as trust failures, not just spam events. Include executive impersonation, payment fraud, and credential capture in playbooks.
Key takeaways
- Phishing remains effective because it exploits trust across identity, message integrity, and user behaviour at the same time.
- SPF, DKIM, DMARC, attachment controls, and gateway encryption are baseline governance controls, not optional enhancements.
- The operational goal is to make spoofing, malicious payload delivery, and impersonation harder across the entire mail flow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Email sender verification supports authenticated access and trust decisions. |
| NIST SP 800-53 Rev 5 | IA-2 | Email trust depends on identity verification before messages are accepted. |
| CIS Controls v8 | CIS-9 , Email and Web Browser Protections | The article focuses on phishing, malicious links, and attachment abuse. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is relevant to enforcing sender and attachment rules. |
| GDPR | Art.32 | Encryption and integrity matter where email carries personal data. |
Document and enforce email trust rules under A.5.15 and align exceptions to business need.
Key terms
- Email Authentication: Email authentication is the set of controls that prove a message came from an authorised sender and has not been tampered with in transit. SPF, DKIM, and DMARC are the common components, and they work together to reduce spoofing and impersonation risk.
- Domain Spoofing: Domain spoofing is the practice of making a message appear to originate from a legitimate organisation or user when it does not. It exploits recipient trust and weak mail configuration, turning a familiar brand or executive name into a delivery mechanism for fraud or malware.
- Gateway-Based Encryption: Gateway-based encryption protects email centrally at the mail flow boundary rather than on each endpoint. It simplifies certificate management, reduces user friction, and is often more practical than client-managed encryption in distributed or BYOD environments.
- Attachment Disarm And Reconstruction: Attachment disarm and reconstruction is a defensive pattern that strips or neutralises risky active content before delivering a file to users. It is used when organisations need to preserve business communication but do not want macros, embedded code, or hidden payloads reaching inboxes.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Specific implementation guidance for SPF, DKIM, and DMARC across sending systems and mail gateways
- Practical examples of attachment filtering and file conversion patterns for common business email workflows
- Gateway-based encryption and certificate handling details for organisations with BYOD or distributed endpoints
- The article's discussion of how major mailbox providers are changing email delivery expectations
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to broader security and trust programmes.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org