DMARC to VMC: are your email controls ready for enforcement?


(@nhi-mgmt-group)

TL;DR: DMARC monitoring, SPF alignment, and DKIM signing are the baseline controls needed before a domain can qualify for VMC, according to DigiCert. The practical issue is not the certificate itself but whether mail governance can survive the move from visibility to quarantine and reject without breaking legitimate senders.

NHIMG editorial — based on content published by DigiCert: How to Set Up DMARC to Qualify Your Domain for VMC

Questions worth separating out

Q: How should security teams roll out DMARC without breaking legitimate email?

A: Start in monitoring mode, collect reports, and build a complete inventory of authorised senders before changing policy.

Q: Why does DMARC matter for identity governance and not only phishing defence?

A: DMARC governs which mail sources are allowed to represent a domain, so it is a trust and identity control as much as an anti-phishing measure.

Q: What do teams get wrong when they treat SPF and DKIM as enough?

A: SPF and DKIM are necessary signals, but neither one checks the domain the recipient actually sees in the From header: SPF authenticates the envelope sender (Return-Path) and DKIM authenticates whatever d= domain signed the message. DMARC adds the alignment requirement between those authenticated domains and the From domain, and turns the results into a published policy decision (none, quarantine or reject) with reporting back to the domain owner.

Practitioner guidance

  • Inventory every authorised sender: build a complete list of systems, vendors, and business units that send mail from each domain before changing policy from monitoring to enforcement.
  • Validate SPF alignment (and DKIM alignment): check that the visible From domain matches the domain that passed SPF or the DKIM d= domain, exactly in strict mode or at the organisational domain in relaxed mode, especially where third-party mail services or delegated systems send on the domain's behalf and authenticate with their own domain.
  • Run DMARC in monitoring mode first: publish p=none with a reporting (rua) address, use the aggregate reports to identify legitimate traffic that would fail enforcement, then correct records and sending patterns before raising policy strength.
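The three steps above come together when a team reads its aggregate (RUA) reports during the p=none phase. As an added example (editorial code, not part of DigiCert's guide), the script below parses a constructed DMARC aggregate report in the RFC 7489 XML format, applies the published alignment modes to each source, and lists which sources and how many messages would start failing once the policy moves to quarantine or reject. The report contents, IP addresses and domains are all constructed; the organisational-domain logic is a deliberate simplification (last two labels) and a real check must use the Public Suffix List.

```python
"""Triage a DMARC aggregate (RUA) report before moving p=none to quarantine/reject.

Stdlib only. SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate
format, not real receiver data; all IPs and domains are documentation/test values.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
                  <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mail.esp-vendor.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>15</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>news.example.com</domain><result>pass</result></dkim>
                  <spf><domain>bounce.news.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>9</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
                  <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    # Assumption/simplification: organisational domain = last two labels.
    # Production code must consult the Public Suffix List (co.uk, com.au, ...).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def parse_report(xml_text):
    """Return one dict per <record>, with DMARC pass/fail recomputed from auth_results
    using the alignment modes the domain owner published (adkim/aspf)."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        auth = rec.find("auth_results")
        # DMARC passes if at least one aligned DKIM signature or one aligned SPF result passed.
        dkim_ok = any(d.findtext("result") == "pass" and aligned(header_from, d.findtext("domain"), adkim)
                      for d in auth.findall("dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(header_from, s.findtext("domain"), aspf)
                     for s in auth.findall("spf"))
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok,
        })
    return rows


def enforcement_impact(rows):
    """Message counts that quarantine/reject would start affecting, grouped by source IP.
    Each failing source is either a legitimate sender that still needs SPF/DKIM fixed
    or an unauthorised source that enforcement is meant to stop."""
    failing = defaultdict(int)
    passing = 0
    for r in rows:
        if r["dmarc_pass"]:
            passing += r["count"]
        else:
            failing[r["source_ip"]] += r["count"]
    return {"passing": passing, "failing_by_source": dict(failing)}


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for r in rows:
        verdict = "PASS" if r["dmarc_pass"] else "FAIL"
        print(f"{r['source_ip']:>15} {r['count']:>5} dkim_aligned={r['dkim_aligned']} "
              f"spf_aligned={r['spf_aligned']} -> {verdict}")
    print(enforcement_impact(rows))
```

In the constructed report, 198.51.100.25 is the typical third-party case: the vendor's SPF passes, but on the vendor's own domain, so it is not aligned and will be quarantined or rejected unless the vendor is given a DKIM key for example.com or a delegated SPF-aligned subdomain. 203.0.113.7 passes only because the published adkim is relaxed; switching to adkim=s would turn that subdomain traffic into failures too, which is exactly the kind of change to test in reports before raising p=.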

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step DNS record examples for SPF, DKIM, and DMARC setup across domains.
  • Practical guidance on moving from p=none to quarantine and then to reject without disrupting mail.
  • Examples of DMARC report handling and how to identify legitimate senders that need to be added.
  • The VMC qualification sequence that follows once domain authentication is stable.

👉 Read DigiCert's guide to setting up DMARC for VMC qualification →

