DMARC, PKI and TLS: where email trust still breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: Email remains outside most Zero Trust models unless DMARC, SPF, and DKIM are enforced alongside PKI and TLS, because the “From” field is otherwise still trusted by default, according to DigiCert. The real failure is an implicit trust assumption that lets phishing and impersonation bypass identity verification before delivery.

NHIMG editorial — based on content published by DigiCert: Zero Trust email: How DMARC works with PKI and TLS

By the numbers:

Questions worth separating out

Q: How should organisations implement DMARC without breaking legitimate mail flow?

A: Start by inventorying every system that sends email for the organisation, then publish SPF and DKIM for each legitimate source.

Q: Why do email impersonation attacks still work in Zero Trust programmes?

A: They still work because many programmes verify users and devices but leave the email channel dependent on implicit trust.

Q: What do security teams get wrong about SPF and DKIM?

A: They often treat SPF and DKIM as complete controls when they are really evidence inputs.

Practitioner guidance

  • Inventory every sending domain and service: Build a complete list of domains, subdomains, and SaaS platforms that send mail on behalf of the organisation, including parked and legacy domains.
  • Move DMARC from visibility to enforcement: Start with p=none only long enough to learn the sender landscape, then move to quarantine and reject once all legitimate sources are covered by SPF and DKIM.
  • Review email authentication in identity governance cycles: Include SPF, DKIM, and DMARC status in periodic access and domain reviews alongside other trust controls.
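To make the inventory-then-enforce progression above concrete (and the earlier point that SPF and DKIM are evidence inputs, not complete controls), here is an added example of a small posture check. It is not code from DigiCert or from NHIMG; the three domain names and their TXT records are constructed samples, and a practitioner would instead pass in the strings returned by a DNS TXT query for `_dmarc.<domain>` and `<domain>`. It classifies the DMARC policy stage (p=none, quarantine, reject) and lists the gaps that would make moving to reject unsafe or ineffective.

```python
"""Assess DMARC and SPF TXT records for enforcement readiness.

Added example, not from the DigiCert article or the NHIMG post. All records
below are constructed sample values; no DNS lookups are performed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# DNS-querying SPF mechanisms; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tag_record(record: str) -> Dict[str, str]:
    """Split a DMARC-style 'tag=value; tag=value' record into a dict (tags lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class Assessment:
    domain: str
    stage: str  # "visibility", "quarantine", "enforcement", or "missing"
    findings: List[str] = field(default_factory=list)


def assess_dmarc(domain: str, dmarc_txt: str, spf_txt: str) -> Assessment:
    """Classify DMARC posture and list the gaps that block safe enforcement."""
    findings: List[str] = []
    tags = parse_tag_record(dmarc_txt)

    if tags.get("v", "").upper() != "DMARC1":
        return Assessment(domain, "missing", ["no valid DMARC record (v=DMARC1 absent)"])

    policy = tags.get("p", "").lower()
    stage = {"none": "visibility", "quarantine": "quarantine",
             "reject": "enforcement"}.get(policy, "missing")
    if stage == "missing":
        findings.append(f"p= must be none, quarantine or reject; got {policy!r}")

    # pct defaults to 100; a lower value applies the policy to only a sample of failing mail.
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 100
    if stage != "visibility" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")

    # sp= governs subdomains and inherits p= when absent; an explicit sp=none is a gap.
    if tags.get("sp", policy).lower() == "none" and stage != "visibility":
        findings.append("sp=none leaves subdomains unenforced")

    # Without aggregate reports there is no data from which to learn the sender landscape.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("no valid SPF record (v=spf1 missing)")
        return Assessment(domain, stage, findings)

    terminator = terms[-1].lower()
    if terminator in ("+all", "all", "?all"):
        findings.append(f"SPF ends with {terminator}: every sender passes, so SPF gives no evidence")
    elif terminator not in ("-all", "~all"):
        findings.append("SPF has no explicit 'all' mechanism; result defaults to neutral")

    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in SPF_LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10 (permerror)")

    return Assessment(domain, stage, findings)


# Constructed sample records (not real DNS data) showing the p=none -> reject progression.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "visibility.example": (
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@visibility.example",
        "v=spf1 include:_spf.mailer.example ~all",
    ),
    "halfway.example": (
        "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@halfway.example",
        "v=spf1 include:_spf.mailer.example include:_spf.crm.example +all",
    ),
    "enforced.example": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    ),
}


def assess_all(records: Dict[str, Tuple[str, str]]) -> Dict[str, Assessment]:
    """Run the check over an inventory of domains, as a governance review would."""
    return {d: assess_dmarc(d, dmarc, spf) for d, (dmarc, spf) in records.items()}


if __name__ == "__main__":
    for result in assess_all(SAMPLE_RECORDS).values():
        print(f"{result.domain}: stage={result.stage}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Run over the whole domain inventory from the first guidance item, the output is what a periodic governance review needs: which domains are still at p=none, and which are nominally enforcing but undermined by a low pct, an unenforced subdomain policy, or an SPF record that passes every sender.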

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Detailed explanation of how SPF, DKIM, and DMARC align in sending and receiving workflows.
  • Step-by-step guidance on moving from p=none to quarantine and reject without disrupting legitimate mail.
  • Practical checks for TLS posture, certificate validity, and certificate transparency in web traffic.
  • Mailbox-provider requirements for bulk senders that affect delivery outcomes in practice.

👉 Read DigiCert's analysis of Zero Trust email, DMARC, PKI and TLS →
