By NHI Mgmt Group Editorial TeamPublished 2026-06-29Domain: Cyber SecuritySource: GlobalSign

TL;DR: Email remains the starting point for most cyberattacks, with phishing, spoofed senders, malicious attachments and deceptive URLs still driving data loss and fraud, according to GlobalSign’s Trust.ID Talk episode with Stefan Cink. The operational lesson is clear: email security fails when teams treat SPF, DKIM, DMARC and attachment handling as optional layers rather than baseline controls.


At a glance

What this is: This is an analysis of why email security still breaks at the most basic control layer, with authentication, attachment handling and layered inspection presented as the decisive safeguards.

Why it matters: It matters to IAM and security teams because email remains a primary identity trust channel, and spoofing, phishing and attachment abuse often bypass the governance assumptions behind human identity, NHI and access workflows.

By the numbers:

👉 Read GlobalSign’s analysis of email authentication, phishing and attachment controls


Context

Email security fails when organisations assume that filtering, sender checks and user awareness alone can stop phishing. The real problem is governance: attackers exploit small gaps between delivery, authentication and attachment inspection, then turn those gaps into trusted-looking messages that reach users before controls converge.

That gap matters beyond email operations because email often carries identity recovery links, invoice approvals, document signing requests and access notifications. When spoofed mail is accepted as legitimate, the attack path can cross from communication compromise into IAM, fraud, NHI credential exposure and downstream business process abuse.


Key questions

Q: How should security teams implement email authentication without breaking delivery?

A: Start by publishing SPF, DKIM and DMARC for all sending domains, then move policy gradually from monitoring to quarantine and reject. Test each domain path separately, because marketing, transactional and security mail often use different systems. The goal is to prevent spoofing while preserving legitimate delivery for business-critical mail flows.

Q: Why do spoofed emails still succeed when authentication controls exist?

A: Spoofed email still works when organisations treat authentication as a checkbox rather than an enforcement mechanism. Attackers also exploit compromised accounts, lookalike domains and weak user verification habits. Controls reduce risk, but only if they are enforced, monitored and paired with identity-aware process checks for approvals and account recovery.

Q: What do organisations get wrong about attachment security in email?

A: Many teams focus on blocking obvious malicious files but leave too many high-risk formats available by default. That creates unnecessary exposure because the attachment policy becomes an allow-everything model with exceptions. The safer approach is to allow only business-essential file types and convert risky content before it reaches the inbox.

Q: Who is accountable when email spoofing leads to fraud or identity compromise?

A: Accountability usually sits across security, messaging, identity and business-operations teams because email is both a transport channel and an identity trust layer. If a spoofed message can trigger payments, password resets or vendor changes, the organisation has a governance problem, not just a mail filtering problem. Frameworks such as NIST CSF and ISO 27001 support that shared control model.


Technical breakdown

Why SPF, DKIM and DMARC still matter for email trust

SPF checks whether the sending IP is authorised for a domain, DKIM signs message content so alterations can be detected, and DMARC tells receiving systems how to handle failures. Together, they create a basic trust layer, but they do not stop every attack because they authenticate domains, not human intent. Phishing still works when users trust a legitimate-looking message that slips through via lookalike domains, compromised accounts or weak enforcement. That is why mailbox security should treat sender verification as necessary but insufficient, not as a complete control plane.

Practical implication: enforce SPF, DKIM and DMARC with rejection policies, not monitoring-only settings.

Attachment filtering and safe conversion reduce execution risk

Email attachments are dangerous because they can carry macros, embedded objects, and links that trigger additional payload delivery after the message is opened. A safer design is to minimise accepted file types and convert high-risk documents into a neutral format such as PDF before delivery, so the user can review the content without immediately executing it. This approach does not eliminate malware risk, but it narrows the execution surface and gives downstream scanning time to complete. It is a control design issue, not just a policy issue, because the default allow-list determines exposure.

Practical implication: shrink allowed attachment types and use content conversion for high-risk inbound files.

API-based inspection adds speed, but not replacement-grade assurance

Modern email gateways increasingly use APIs for rapid certificate retrieval and near-real-time threat checks, especially where cloud services and managed certificate delivery are involved. That improves responsiveness, but it also creates dependence on external service consistency and integration quality. APIs can accelerate detection and streamline trust services, yet they should complement, not replace, domain authentication, encryption and gateway policy. The architectural lesson is that email security works best as a layered system where each control does one job well and no single mechanism is treated as definitive.

Practical implication: pair API-driven inspection with hard authentication and gateway policy controls.


NHI Mgmt Group analysis

Email remains a trust-layer problem, not just a filtering problem. The article is right to frame phishing as a persistent entry path, because the attacker wins when a message is accepted as operationally legitimate. In governance terms, the failure is not simply poor detection, but weak sender trust enforcement across the full message path. That is why email controls must be treated as identity-adjacent security controls, not as a separate helpdesk issue. Practitioners should manage email as part of the broader identity and fraud boundary.

Attachment logic should be inverted around business necessity, not convenience. The strongest part of the analysis is the call to allow only what the business genuinely needs. This shifts the control model from reactive blocking to explicit permissioning, which is the right pattern for a channel that routinely delivers executable content and sensitive workflows. In identity terms, attachment handling is a privilege decision about what content is allowed to reach the user. Practitioners should apply deny-by-default principles to inbound file handling.

Phishing-resistant email controls are a governance baseline, not an advanced option. The article shows that SPF, DKIM and DMARC are now part of the minimum credible control set, especially where spoofing and brand impersonation are common. That aligns with the broader security direction in which trust must be verifiable, not inferred. For identity teams, the key point is that email integrity affects authentication journeys, approval flows and account recovery, which means broken mail controls can cascade into IAM compromise. Practitioners should treat email trust as a security prerequisite.

Delivery reliability and security are now coupled. The article correctly notes that major providers are pushing stronger authentication because unauthenticated mail is both a spam and a security problem. That changes the operational conversation: controls such as DMARC are no longer only about brand protection, they also influence whether legitimate business communication arrives at all. For security leaders, that means the email programme must be measured for both assurance and reach. Practitioners should align authentication policy with business-critical mail flows.

What this signals

Verification debt: email programmes accumulate risk when authentication is visible but not enforced. For teams running identity, fraud and access workflows through email, the next step is to treat sender authenticity as a prerequisite for workflow trust, not a separate messaging concern.

The practical signal for practitioners is that mailbox controls and identity controls are converging. If spoofed mail can trigger resets, approvals or document flows, then email hardening belongs in the same governance conversation as access policy, recovery design and privileged workflow control. That is where control owners need to align.

Organisations should expect stronger authentication expectations from major mailbox providers to keep tightening baseline delivery requirements. That means the useful metric is no longer whether email is technically configured, but whether critical business mail remains both authenticated and reliably delivered under real-world enforcement.


For practitioners

  • Enforce DMARC rejection policies Move SPF, DKIM and DMARC from visibility-only to quarantine or reject enforcement, starting with high-value domains that are commonly spoofed in approvals, invoices and password reset flows.
  • Restrict attachment types by business need Define a minimal inbound attachment allow-list and block unnecessary file types by default, especially formats that support macros, active content or embedded links.
  • Add safe conversion for high-risk files Convert risky inbound documents to PDF or another neutral format before user delivery so content can be reviewed while deeper inspection runs in the background.
  • Tie email trust to identity workflows Review which identity and business processes depend on email, including password resets, account recovery, document approval and vendor onboarding, then harden those mail paths first.

Key takeaways

  • Phishing remains the dominant email threat because attackers exploit trust gaps, not just technical weaknesses.
  • Authentication, attachment policy and layered inspection need to operate together, or the inbox stays a viable entry point.
  • For identity teams, email security is part of the access and recovery control plane, not a standalone messaging issue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Email authentication supports verified access to business communication channels.
NIST SP 800-53 Rev 5IA-5Authenticator management aligns with sender verification and controlled credential use.
CIS Controls v8CIS-5 , Account ManagementAttachment and spoofing abuse often intersects with account abuse and recovery workflows.
ISO/IEC 27001:2022A.5.15Access control policy supports explicit trust decisions for mail and identity workflows.
GDPRArt.32Email spoofing can expose personal data through insecure communications and recovery flows.

Treat authenticated mail paths as part of your access-control baseline and enforce policy on critical domains.


Key terms

  • Email Authentication: Email authentication is the set of checks used to verify that a message really originated from an authorised domain or sending system. SPF, DKIM and DMARC are the most common controls, and together they reduce spoofing, impersonation and delivery abuse when properly enforced.
  • DMARC Enforcement: DMARC enforcement is the decision to quarantine or reject messages that fail sender alignment checks. It turns a reporting mechanism into an operational control, helping organisations stop forged mail instead of merely observing it after delivery.
  • Attachment Allow-List: An attachment allow-list is a policy that permits only approved file types into the mail environment. It reduces execution risk by blocking unnecessary formats by default, which is more effective than trying to blacklist every malicious attachment type individually.
  • Email Trust Layer: The email trust layer is the combination of authentication, integrity and delivery controls that determine whether a message should be accepted as legitimate. In practice, it sits at the boundary between messaging security, identity assurance and fraud prevention.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Practical explanation of SPF, DKIM and DMARC deployment decisions for domain owners and mail administrators
  • More detail on attachment conversion and allow-list strategies for reducing malicious file exposure
  • Discussion of how API-based checks support real-time detection and certificate delivery in email workflows
  • Context on email encryption choices for organisations balancing user experience and compliance

👉 GlobalSign’s full article covers SPF, DKIM, DMARC, attachment handling and email encryption in more operational detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management and workload identity for practitioners building stronger identity controls. It gives security teams a structured way to connect identity governance with the broader controls their programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org