TL;DR: DMARC monitoring, SPF alignment, and DKIM signing are the baseline controls needed before a domain can qualify for VMC, according to DigiCert. The practical issue is not the certificate itself but whether mail governance can survive the move from visibility to quarantine and reject without breaking legitimate senders.
NHIMG editorial — based on content published by DigiCert: How to Set Up DMARC to Qualify Your Domain for VMC
Questions worth separating out
Q: How should security teams roll out DMARC without breaking legitimate email?
A: Start in monitoring mode, collect reports, and build a complete inventory of authorised senders before changing policy.
Q: Why does DMARC matter for identity governance and not only phishing defence?
A: DMARC governs which mail sources are allowed to represent a domain, so it is a trust and identity control as much as an anti-phishing measure.
Q: What do teams get wrong when they treat SPF and DKIM as enough?
A: SPF and DKIM are necessary signals, but DMARC is what turns those signals into a domain policy decision.
Practitioner guidance
- Inventory every authorised sender Build a complete list of systems, vendors, and business units that send mail from each domain before changing policy from monitoring to enforcement.
- Validate SPF alignment Check that the visible From domain and the authenticated sending path align, especially where third-party mail services or delegated systems are involved.
- Run DMARC in monitoring mode first Use reporting to identify legitimate traffic that would fail enforcement, then correct records and sending patterns before raising policy strength.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step DNS record examples for SPF, DKIM, and DMARC setup across domains.
- Practical guidance on moving from p=none to quarantine and then to reject without disrupting mail.
- Examples of DMARC report handling and how to identify legitimate senders that need to be added.
- The VMC qualification sequence that follows once domain authentication is stable.
👉 Read DigiCert's guide to setting up DMARC for VMC qualification →
DMARC to VMC: are your email controls ready for enforcement?
Explore further
DMARC is a domain identity control, not just an email security setting. The practical purpose is to decide whether a domain can be trusted as a sending identity, and that matters because spoofing is fundamentally an identity problem. When SPF, DKIM, and DMARC are treated as separate technical chores instead of one trust chain, organisations leave gaps that attackers can exploit through impersonation. Practitioners should view the domain as an identity boundary, not a mail transport detail.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why control confidence and control reality often diverge.
A question worth separating out:
Q: Who should own DMARC enforcement in a large organisation?
A: DMARC enforcement should be owned jointly by security, email infrastructure, and the teams that operate third-party senders, because the control affects trust, delivery, and brand impersonation at the same time. Governance breaks down when one group owns the record but not the sending ecosystem.
👉 Read our full editorial: DMARC enforcement is the gate to VMC-qualified domain protection