TL;DR: Secure remote email access depends on message authentication, encryption, domain protection, VPN use, and offboarding discipline, according to DigiCert. The article shows that email trust failures are still identity failures first, because spoofing, unmanaged senders, and stale accounts undermine both confidentiality and brand trust.
At a glance
What this is: A DigiCert blog post outlining five controls for securing remote email access, with the key point that trusted email depends on identity validation as much as transport security.
Why it matters: It matters because IAM, NHI, and human identity teams all have a role in proving who may send, read, and inherit email access when work happens remotely.
👉 Read DigiCert's guidance on five tips for secure remote email access
Context
Remote email security is an identity problem as much as a transport problem. If recipients cannot trust who sent a message, confidentiality, integrity, and brand trust all weaken at the same time. This is especially relevant for human IAM because email remains the default channel for authentication, approvals, and exception handling, but it also affects NHI governance when systems send automated mail on behalf of an organisation.
The article argues that secure remote access to email requires a combination of S/MIME, DMARC, VPN use, and disciplined account management. That mix reflects a broader governance gap: organisations often secure delivery paths without fully governing sender identity, delegated access, and stale accounts. For teams managing identity lifecycles, the lesson is that email trust has to be designed, not assumed.
Key questions
Q: How should organisations secure email access for remote workers?
A: Use layered controls rather than relying on a single protection. Apply S/MIME for message authenticity and confidentiality, enforce DMARC for domain protection, authenticate remote sessions with certificates where possible, and offboard former users quickly. The goal is to prove sender identity, reduce spoofing, and stop stale accounts from becoming trust failures.
Q: Why do spoofed emails remain such a serious identity risk?
A: Spoofed email works because recipients often trust the sender before they inspect the message. When organisations do not enforce sender validation, attackers can impersonate brands, deliver malware, or solicit credentials. The risk is not only technical compromise, but also loss of confidence in ordinary business communication.
Q: What do security teams get wrong about email encryption?
A: They often treat encryption as if it alone proves trust. Encryption protects content in transit, but it does not automatically confirm that the sender is legitimate or that the domain is authorised. Email programmes need sender authentication, certificate governance, and lifecycle controls alongside encryption.
Q: Who is accountable when a compromised mailbox is used for fraud?
A: Accountability is shared across identity operations, email administrators, and the business owner of the mailbox. If the account was not offboarded, not protected with the right authentication, or not monitored for anomalous use, the gap is a governance failure as much as a security one.
Technical breakdown
S/MIME and message identity
S/MIME adds digital signatures and encryption to the message itself, so recipients can verify who signed it and confirm that it was not altered, and that assurance survives every relay and mailbox the message passes through. The important technical point is that S/MIME binds message authenticity to a certificate-backed identity, not just a mailbox address. That matters for remote work because a user reading mail from home cannot rely on local context or network location to judge trust. In practice, S/MIME gives email an end-to-end, verifiable identity layer that transport encryption (TLS between mail servers, which only protects each hop) does not provide.
Practical implication: issue and manage user certificates through a controlled lifecycle, rather than treating email encryption as a one-time configuration.
DMARC, authorised senders, and domain spoofing
DMARC lets a domain owner publish, in DNS, what receivers should do with mail that carries the domain in the visible From: header but fails authentication. A message passes DMARC when SPF or DKIM passes and the authenticated domain aligns with the From: domain; otherwise the record's p= tag (none, quarantine or reject) sets the disposition, and aggregate reports tell the owner who is sending as the domain. The technical nuance is that DMARC does not stop all abuse by itself (lookalike domains and display-name tricks sit outside it), but it sharply reduces exact-domain impersonation once SPF and DKIM alignment are in place. That is why third-party senders complicate governance: each new sender has to be brought into alignment, typically by delegating a DKIM key under the domain or adding its outbound hosts to SPF, and each one widens the policy boundary that must be maintained.
Practical implication: maintain an authoritative sender inventory and move from p=none to quarantine or reject as soon as alignment testing is complete.
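To make the alignment rule concrete, the evaluator below reproduces the DMARC decision a receiver makes, including the difference between a third-party sender that authenticates only as itself and one that has been delegated a DKIM key, and the difference between a p=none record and an enforcing one. This is an added example, not code from DigiCert or from this page's authors; it assumes a simplified organizational-domain rule (last two labels, where real receivers use the Public Suffix List), parses but does not apply pct= sampling, and uses constructed records and authentication results.

```python
"""DMARC disposition evaluator.

Added illustration (not DigiCert's or NHIMG's code) of the pass/fail logic a
receiver applies under RFC 7489: a message passes DMARC only when SPF or DKIM
passes *and* the authenticated domain aligns with the visible From: domain.
Assumptions: the organizational domain is taken as the last two labels (real
receivers consult the Public Suffix List) and pct= sampling is parsed but not
applied. The records and authentication results below are constructed.
"""
from dataclasses import dataclass, field


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record. Defaults follow RFC 7489: relaxed alignment
    for both identifiers, sp= inherits p=, pct=100."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    return {
        "p": tags["p"].lower(),
        "sp": tags.get("sp", tags["p"]).lower(),
        "adkim": tags.get("adkim", "r").lower(),
        "aspf": tags.get("aspf", "r").lower(),
        "pct": int(tags.get("pct", "100")),
    }


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain that shares the organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    """What the receiver has already established for one message."""
    header_from: str                          # RFC5322.From domain
    spf_result: str = "none"                  # "pass", "fail", "none", ...
    spf_domain: str = ""                      # RFC5321.MailFrom domain SPF checked
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...]


def evaluate_dmarc(record: dict, r: AuthResults) -> dict:
    """Return {"dmarc": pass|fail, "disposition": none|quarantine|reject}."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, record["aspf"])
    dkim_ok = any(res == "pass" and aligned(r.header_from, d, record["adkim"])
                  for res, d in r.dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # Failing mail: p= governs the organizational domain, sp= its subdomains.
    is_org = org_domain(r.header_from) == r.header_from.lower()
    return {"dmarc": "fail", "disposition": record["p"] if is_org else record["sp"]}


# Constructed records: enforcing with strict DKIM alignment, enforcing with
# relaxed alignment and a separate subdomain policy, and monitoring only.
ENFORCED = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
RELAXED = parse_dmarc_record("v=DMARC1; p=reject; sp=quarantine")
MONITOR = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.com")

# Constructed authentication results for mail showing From: example.com.
gateway = AuthResults("example.com", "pass", "bounce.example.com", [("pass", "example.com")])
vendor_unaligned = AuthResults("example.com", "pass", "bounces.esp-vendor.example",
                               [("pass", "esp-vendor.example")])    # vendor signs as itself
vendor_delegated = AuthResults("example.com", "pass", "bounces.esp-vendor.example",
                               [("pass", "example.com")])           # DKIM key delegated under example.com
vendor_subdomain_key = AuthResults("example.com", "pass", "bounces.esp-vendor.example",
                                   [("pass", "mail.example.com")])  # aligns only in relaxed mode
spoof = AuthResults("example.com", "fail", "attacker.example")
subdomain_spoof = AuthResults("news.example.com", "fail", "attacker.example")

if __name__ == "__main__":
    for name, record in (("enforced", ENFORCED), ("relaxed", RELAXED), ("monitor", MONITOR)):
        for label, res in (("gateway", gateway), ("vendor unaligned", vendor_unaligned),
                           ("vendor delegated", vendor_delegated),
                           ("vendor subdomain key", vendor_subdomain_key),
                           ("spoof", spoof), ("subdomain spoof", subdomain_spoof)):
            print(f"{name:9} {label:22} -> {evaluate_dmarc(record, res)}")
```

Two results are worth noting. The unaligned vendor passes SPF and DKIM yet still fails DMARC, because nothing it authenticates belongs to example.com; under p=reject that mail is dropped, and under p=none it is delivered with only a report generated, which is why monitoring mode reduces no risk on its own. The adkim=s record also rejects the vendor that signs with a key under mail.example.com, so tightening alignment after onboarding a sender can silently break it unless the sender inventory is re-tested.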
VPN access and certificate-based authentication
A VPN encrypts traffic between the endpoint and a trusted network gateway, reducing interception risk when users connect from unknown or home locations. The article also notes that certificates can strengthen VPN authentication, which is important because transport protection alone does not prove user identity. In a remote-work model, email security depends on both the path and the principal. If an attacker gains a session on an unmanaged device, encrypted transit does not prevent misuse of the account itself.
Practical implication: pair VPN access with strong device and certificate authentication, not password-only access.
Threat narrative
Attacker objective: The attacker wants recipients to trust a message that should not be trusted, so they can steal credentials, spread malware, or damage brand credibility.
- Entry begins with spoofed email or forged sender identity that convinces the recipient the message is legitimate.
- Escalation follows when the recipient opens a malicious attachment or link, or when a trusted domain is abused to deliver fraudulent content.
- Impact is achieved through malware delivery, credential theft, brand abuse, or loss of confidential email trust.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Email trust is an identity control problem, not just a mail transport problem. S/MIME and DMARC both exist because recipients need assurance about who is sending, not only whether data is encrypted in flight. That means email security belongs in IAM governance, certificate lifecycle management, and sender authorisation policy. Practitioners should treat mailbox trust as part of identity assurance, not as a standalone messaging setting.
Domain impersonation exposes a sender governance gap that many programmes still leave open. DMARC only works when organisations know every authorised mail source, including third-party senders and outsourced services. The failure mode is not simply spoofing, but incomplete control over who is allowed to speak for the domain. Teams should view sender inventory as a governed identity asset.
Mailbox offboarding: former employee accounts that remain active create a persistent trust and forwarding risk. The article’s offboarding advice points to a broader lifecycle issue: email identities often outlive the people attached to them. When accounts are left open, message forwarding, impersonation, and internal misuse become much easier. The practitioner conclusion is simple: email access must be revoked with the same discipline as any other identity path.
Remote work makes certificate-backed assurance more valuable because location is no longer a trust signal. The article correctly shifts attention away from network presence and toward verifiable identity. That is a useful pattern for both human IAM and machine-generated mail. The governance lesson is that trust must be portable across locations, or remote access becomes a blind spot.
Secure email programmes should be measured by sender control, not by policy declaration alone. A DMARC record set to p=none is documentation, not enforcement: failing mail is still delivered and only a report is generated. Organisations that stop at configuration without progressing to quarantine or reject have not reduced spoofing risk materially. Practitioners should treat enforcement state, sender inventory completeness, and offboarding hygiene as the real indicators of maturity.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- For practitioners, the next step is to map sender and delegated-access trust with the Ultimate Guide to NHIs.
What this signals
Mailbox trust is drifting toward the same governance problem seen in NHI programmes: once multiple senders, delegated services, and remote users can all speak for the same domain, control quality depends on lifecycle discipline rather than policy text. The practical shift is toward authoritative sender inventory, certificate governance, and offboarding verification that can survive remote work and outsourced email flows.
The larger signal is that email security is becoming a cross-domain identity programme issue. Human inboxes, service-generated mail, and certificate-backed trust all need the same kind of lifecycle control that identity teams already apply to other access paths. That makes remote email a useful test case for whether an organisation can govern trust consistently across human and non-human identities.
For practitioners
- Deploy S/MIME for high-trust mail flows: use certificate-backed signing and encryption for communications that carry approvals, sensitive data, or external commitments. Make certificate issuance and revocation part of the identity lifecycle, and ensure users know when they are expected to trust signed mail versus ordinary transport-encrypted mail.
- Move DMARC from monitoring to enforcement: inventory every legitimate sender, including marketing platforms and other third-party services, then progress from p=none to quarantine or reject once alignment is verified. Keep the sender list under change control so new mail sources do not silently weaken the control.
- Tighten remote access with certificate-based VPN authentication: require stronger authentication for remote email access than passwords alone, especially for staff using home or unmanaged locations. Certificates help prove the device or user context behind the session and reduce reliance on network location as a trust signal.
- Remove former users from mail paths immediately: close departed employees' mailboxes, revoke forwarding rules, and confirm that no shared inboxes still route through an ex-user account. This closes a common identity persistence problem that attackers can exploit after offboarding has been delayed.
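The offboarding checks in the last item are easy to state and easy to skip, so the audit below runs them over a mailbox inventory and the HR leaver list and reports every path through which a departed identity can still read, redirect or send mail. This is an added example, not code from DigiCert or from this page's authors. The Mailbox fields are an assumption modelled loosely on Exchange Online attributes (mailbox-level forwarding address, user-created inbox forward rules, FullAccess and SendAs delegates); the inventory, leaver list and internal-domain set are constructed sample data.

```python
"""Mailbox offboarding audit.

Added illustration (not DigiCert's or NHIMG's code) of the checks a mail
admin should run after offboarding: leaver mailboxes still enabled,
forwarding that still routes a leaver's mail anywhere (or any mailbox's mail
outside the organisation), and shared mailboxes whose delegates include a
leaver. The Mailbox fields are an assumption modelled loosely on Exchange
Online attributes; the inventory and leaver list below are constructed.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains


@dataclass
class Mailbox:
    address: str
    kind: str = "user"                  # "user" or "shared"
    enabled: bool = True
    forwarding_address: str = ""        # admin-set mailbox forwarding, "" if none
    inbox_forward_rules: list = field(default_factory=list)  # targets of user-created forward rules
    full_access: list = field(default_factory=list)          # delegates holding FullAccess
    send_as: list = field(default_factory=list)              # delegates holding SendAs


@dataclass(frozen=True)
class Finding:
    mailbox: str
    code: str
    detail: str


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's mail domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit(mailboxes, leavers) -> list:
    """Return every offboarding gap as a Finding; an empty list means clean."""
    gone = {a.lower() for a in leavers}
    findings = []
    for mb in mailboxes:
        owner_gone = mb.address.lower() in gone
        if owner_gone and mb.enabled:
            findings.append(Finding(mb.address, "LEAVER_MAILBOX_ENABLED",
                                    "mailbox still accepts logons and inbound mail"))
        # Both forwarding mechanisms count; a leaver's forwarding is a gap wherever
        # it points, anyone else's is flagged only when it leaves the organisation.
        targets = {t for t in [mb.forwarding_address, *mb.inbox_forward_rules] if t}
        for target in sorted(targets):
            if owner_gone:
                findings.append(Finding(mb.address, "LEAVER_FORWARDING", target))
            elif is_external(target):
                findings.append(Finding(mb.address, "EXTERNAL_FORWARDING", target))
        for delegate in mb.full_access:
            if delegate.lower() in gone:
                findings.append(Finding(mb.address, "LEAVER_FULL_ACCESS", delegate))
        for delegate in mb.send_as:
            if delegate.lower() in gone:
                findings.append(Finding(mb.address, "LEAVER_SEND_AS", delegate))
    return findings


# Constructed sample data: one leaver who was never offboarded.
LEAVERS = ["bob@example.com"]
INVENTORY = [
    Mailbox("alice@example.com"),
    Mailbox("bob@example.com", forwarding_address="bob.home@mail.example.net",
            inbox_forward_rules=["bob.home@mail.example.net"]),
    Mailbox("approvals@example.com", kind="shared",
            full_access=["alice@example.com", "bob@example.com"], send_as=["bob@example.com"]),
    Mailbox("carol@example.com", inbox_forward_rules=["helpdesk@example.com"]),        # internal, benign
    Mailbox("dave@example.com", inbox_forward_rules=["dave.archive@mail.example.net"]),  # external, review
]

if __name__ == "__main__":
    for f in audit(INVENTORY, LEAVERS):
        print(f"{f.code:24} {f.mailbox:24} {f.detail}")
```

On the sample data the audit reports five findings: Bob's mailbox is still enabled and still forwards to a personal address, the shared approvals mailbox still grants him FullAccess and SendAs (so mail can still be sent as the organisation from an identity that has left), and Dave's external forward is surfaced for review even though he is still employed. Disabling the account alone clears only the first finding; the delegations on the shared mailbox are the ones that usually outlive the person.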
Key takeaways
- Remote email security fails when organisations treat sender trust as a messaging issue instead of an identity governance issue.
- Spoofing, unmanaged third-party senders, and stale mail accounts are the main practical weaknesses that weaken trust.
- The control priority is clear: enforce sender validation, manage certificates, and offboard mail identities with the same discipline used elsewhere in IAM.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (identities and credentials for users, services and hardware are managed) | Email sender trust depends on authenticated identities and controlled access paths. |
| NIST SP 800-63 | SP 800-63B, multi-factor cryptographic authenticators at AAL2/AAL3 | Certificate-backed authentication aligns with the stronger authenticator assurance expected for remote access. |
| NIST Zero Trust (SP 800-207) | Section 2.1, tenets of Zero Trust | Zero Trust evaluates each session on identity and device state rather than network location, which is what remote email access requires. |
Treat remote email trust as an access control problem and enforce authentication for every sender path.
Key terms
- S/MIME: A certificate-based email protection standard that signs and encrypts messages so recipients can verify who sent them and whether the content changed. It adds identity assurance to email, which matters when users work remotely and cannot rely on local context to judge authenticity.
- DMARC: An email authentication policy that tells receiving systems whether messages claiming to come from your domain are authorised. It depends on knowing approved senders and enforcing policy outcomes such as quarantine or reject when messages fail alignment checks.
- Email offboarding: The process of closing or transferring email access when a user leaves or changes role. For identity governance, it includes mailbox closure, forwarding removal, and revocation of delegated access so a departed identity cannot continue to speak for the organisation.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: Five Tips for Secure Remote Email Access. Read the original.
Published by the NHIMG editorial team on 2026-02-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org