TL;DR: DNS underpins email routing, sender verification, and anti-spoofing controls through MX, SPF, DKIM, and DMARC, while misconfiguration remains a primary reason legitimate mail lands in spam or fails delivery, according to DigiCert. For identity teams, the lesson is that email trust depends on governance of DNS-backed authentication, not just mailbox administration.
NHIMG editorial — based on content published by DigiCert: DNS and Email: The Overlooked Factor in Deliverability and Brand Reputation
By the numbers:
- The growing importance of DMARC is clear, with one report showing that adoption among top domains grew by 75% between 2023 and 2025.
- 36% of all data breaches in the United, l data breaches in the United States.
Questions worth separating out
Q: How should security teams manage DNS records for email deliverability?
A: Treat email DNS as a governed control set.
Q: Why do SPF, DKIM, and DMARC need to be aligned?
A: Alignment lets a receiving server connect the visible From domain to an authenticated sending identity.
Q: What breaks when reverse DNS is missing for a mail server?
A: Missing or mismatched reverse DNS weakens the credibility of the sending host.
Practitioner guidance
- Inventory every authorised sending source Map all mail streams, including CRM, marketing, support, payroll, and alerting systems, to the domains they use and the DNS records that authorise them.
- Phase DMARC from visibility to enforcement Start with reporting only, review aggregate and forensic reports, then move to quarantine and reject once legitimate sources are fully aligned.
- Review reverse DNS and hostname alignment Check that PTR, A, and MX records describe the same sending infrastructure identity.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step DNS record examples for MX, SPF, DKIM, DMARC, and reverse DNS alignment
- Troubleshooting guidance for inbox placement, spam filtering, and authentication failure scenarios
- Practical notes on DNS propagation delays and how they affect record changes
- Examples of DMARC reporting workflows used to identify unauthorised sending sources
👉 Read DigiCert's analysis of DNS and email deliverability controls →
DNS and email authentication: is your deliverability setup resilient?
Explore further
Email authentication is identity governance for the domain layer. SPF, DKIM, and DMARC are not just anti-spoofing controls. They are the mechanism by which a domain proves who may speak for it, which makes them relevant to both human-facing email and machine-generated communications. In NHI terms, they protect the trust boundary around the domain as an identity object, not just a delivery endpoint. Practitioners should treat DNS-backed authentication as part of the identity control stack.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
A question worth separating out:
Q: Who should own DMARC enforcement in an organisation?
A: DMARC enforcement should be jointly owned by security and the teams operating domain-based mail services. Security should define the policy and monitoring expectations, while platform or messaging teams validate legitimate senders and fix alignment issues. That split keeps deliverability, fraud prevention, and change control tied to one operating model.
👉 Read our full editorial: DNS email authentication is the trust layer behind deliverability