TL;DR: Phishing remains the dominant email trust problem: DigiCert cites the APWG's report of the highest level of phishing activity on record and the FBI's figure of US$43 billion in business email compromise losses between 2016 and 2021. The security question is no longer whether users can spot phishing, but whether certificate lifecycle, signing, and encryption controls make sender identity machine-verifiable.
NHIMG editorial — based on content published by DigiCert: Securing Email: Digital Trust in Communications
By the numbers:
- The Anti-Phishing Working Group reported a fourfold increase in phishing attacks since early 2020.
Questions worth separating out
Q: How should security teams reduce phishing risk without relying only on user training?
A: Security teams should combine sender authentication, message integrity, and certificate lifecycle management so trust is machine-verifiable.
Q: Why does certificate lifecycle management matter for email security?
A: Because certificates are only useful when they are issued, renewed, escrowed, and revoked correctly across the full identity lifecycle.
Q: What do organisations get wrong about DMARC and Verified Mark Certificates?
A: They often treat them as branding or anti-spam features instead of identity signals.
Practitioner guidance
- Automate S/MIME lifecycle management: integrate certificate issuance, renewal, and revocation with directory services so trust does not depend on end-user action.
- Separate signing and encryption use cases: use distinct certificates for message signing and message encryption where operationally required.
- Enforce DMARC with visible brand validation: adopt DMARC policy enforcement and pair it with Verified Mark Certificates where branding and trust signalling matter.
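As an added illustration of the last point (example code, not from DigiCert's article or NHIMG), the check below classifies a DMARC record as monitoring-only, partially enforced, or enforced, and only treats a BIMI record as a brand trust signal when it carries a VMC (`a=` tag) and the domain's DMARC policy is enforced. The DNS records are constructed samples for `example.com`, not live lookups.

```python
"""Added example: classify DMARC enforcement and check that BIMI is backed by
a Verified Mark Certificate. All records below are constructed samples."""

def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' TXT syntax shared by DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record: str) -> str:
    """Return 'invalid', 'none', 'partial', or 'enforced' for a _dmarc TXT record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "none"      # monitoring only: spoofed mail is still delivered
    if pct < 100 or tags.get("sp", policy).lower() == "none":
        return "partial"   # enforcement with gaps: sampling or unprotected subdomains
    return "enforced"

def bimi_uses_vmc(record: str) -> bool:
    """A BIMI record without an a= tag shows a logo with no certificate behind it."""
    tags = parse_tags(record)
    return tags.get("v", "").upper() == "BIMI1" and bool(tags.get("a"))

def brand_trust_signal(dmarc_record: str, bimi_record: str) -> bool:
    """True only when the logo is VMC-backed and DMARC is actually enforced;
    mailbox providers require DMARC enforcement before honouring BIMI at all."""
    return dmarc_enforcement(dmarc_record) == "enforced" and bimi_uses_vmc(bimi_record)

# Constructed sample records (weak setting beside the corrected one)
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/logo.svg;"
BIMI_WITH_VMC = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

if __name__ == "__main__":
    for dmarc, bimi in ((WEAK_DMARC, BIMI_WITH_VMC), (STRONG_DMARC, BIMI_NO_VMC),
                        (STRONG_DMARC, BIMI_WITH_VMC)):
        print(dmarc_enforcement(dmarc), bimi_uses_vmc(bimi), brand_trust_signal(dmarc, bimi))
```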
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step S/MIME provisioning and certificate management guidance for enterprise email environments
- Practical use of key escrow and recovery for encrypted mail across multiple devices
- How DMARC and Verified Mark Certificates work together to strengthen sender trust
- Examples of how DNS monitoring can support suspicious-mail detection and response
👉 Read DigiCert's analysis of digital trust controls for secure email →
Email phishing and certificate trust: what IAM teams miss?
Explore further
Digital trust in email is an identity governance problem, not a mail gateway feature. The article shows that phishing succeeds when recipients are forced to judge trust visually and under time pressure. S/MIME, DMARC, and certificate lifecycle controls shift that burden from people to policy and cryptography. For practitioners, the message is clear: email trust belongs inside identity and access governance.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A further 47% have only partial visibility, which means most programmes are still operating with incomplete identity telemetry.
A question worth separating out:
Q: Who should own secure email trust controls in an organisation?
A: Ownership should sit across IAM, PKI, and security operations rather than only in messaging administration. Email trust affects identity assurance, fraud prevention, and certificate governance, so the right model is shared accountability with clear lifecycle ownership for issuance, policy, revocation, and incident response.
👉 Read our full editorial: Digital trust for email security is a certificate lifecycle problem