TL;DR: Apple’s expansion of distrust beyond TLS into timestamping, S/MIME, and Verified Mark Certificates shows how certificate trust decisions can erase email trust signals and make legitimate messages look fraudulent, according to DigiCert. The issue is not just certificate validity, but the fragility of brand verification, trust lifecycle management, and inbox authentication controls.
NHIMG editorial — based on content published by DigiCert: How Apple’s Entrust Root Distrust Impacts Brand and Email Trust
By the numbers:
- Nearly three-quarters of the data breaches that happened in 2024 involved a non-malicious person clicking on a dangerous link.
Questions worth separating out
Q: How should organisations handle email trust when a certificate root is distrusted?
A: They should inventory every mail-related certificate chain, identify which business functions depend on the trust anchor, and replace affected certificates before users lose visible authentication cues.
Q: Why do distrusted roots create more risk than a simple certificate expiry issue?
A: A distrusted root can break multiple trust services at once, including S/MIME, timestamping, and inbox branding.
Q: What do security teams get wrong about Verified Mark Certificates?
A: They often treat VMCs as a branding add-on, when they are really a dependency on a working trust chain across inbox providers.
Practitioner guidance
- Map every dependency on distrusted roots. Build an inventory of VMC, S/MIME, timestamping, and TLS certificates that chain to the affected root, then assign an owner to each business use case and replacement path.
- Prioritise email trust continuity. Validate which branded mail flows depend on inbox logos or signatures for user trust, then stage replacement certificates before those trust cues disappear from production mail.
- Tie certificate review to lifecycle governance. Add root trust monitoring, renewal review, and offboarding checks to the same lifecycle process used for other high-risk digital identities and secrets.
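One way to run the dependency-mapping step is sketched below. This is an added example, not code from DigiCert or the original post. It assumes certificate records (subject, issuer, extended key usage OIDs, owner) have already been exported from a certificate management system; the root name, record fields and sample entries are constructed placeholders. Matching on subject strings is a simplification of real chain building, which also compares key identifiers.

```python
# Added example: records, names and field layout are constructed assumptions.
EKU_USE = {  # extended key usage OID -> business use
    "1.3.6.1.5.5.7.3.1": "TLS",
    "1.3.6.1.5.5.7.3.4": "S/MIME",
    "1.3.6.1.5.5.7.3.8": "timestamping",
    "1.3.6.1.5.5.7.3.31": "VMC",
}

def chain_status(subject, by_subject, distrusted):
    """Follow issuer links upward: 'affected', 'clear' or 'unresolved'."""
    seen = set()
    while subject not in seen:
        seen.add(subject)
        if subject in distrusted:
            return "affected"
        cert = by_subject.get(subject)
        if cert is None:
            return "unresolved"  # issuer not in inventory: review by hand
        if cert["issuer"] == subject:
            return "clear"  # self-signed root that is not on the list
        subject = cert["issuer"]
    return "unresolved"  # issuer loop in the exported data

def build_report(inventory, distrusted):
    by_subject = {c["subject"]: c for c in inventory}
    report = {"affected": [], "unresolved": [], "unowned": []}
    for cert in inventory:
        if cert.get("is_ca"):
            continue  # report end-entity certificates only
        status = chain_status(cert["subject"], by_subject, distrusted)
        if status == "clear":
            continue
        uses = sorted(EKU_USE.get(oid, oid) for oid in cert["eku"])
        report[status].append((cert["subject"], uses))
        if status == "affected" and not cert.get("owner"):
            report["unowned"].append(cert["subject"])  # needs an owner
    return report

ROOT = "CN=Placeholder Distrusted Root"  # placeholder, not a real root name
CA = lambda s, i: {"subject": s, "issuer": i, "is_ca": True, "eku": []}
INVENTORY = [  # constructed sample records
    CA("CN=Placeholder Mail CA", ROOT), CA("CN=Other Root", "CN=Other Root"),
    {"subject": "O=Example Brand", "issuer": "CN=Placeholder Mail CA", "eku": ["1.3.6.1.5.5.7.3.31"], "owner": "brand-team"},
    {"subject": "E=alice@example.com", "issuer": "CN=Placeholder Mail CA", "eku": ["1.3.6.1.5.5.7.3.4"]},
    {"subject": "CN=mail.example.com", "issuer": "CN=Other Root", "eku": ["1.3.6.1.5.5.7.3.1"], "owner": "mail-ops"},
    {"subject": "CN=Example TSA", "issuer": "CN=Unknown CA", "eku": ["1.3.6.1.5.5.7.3.8"], "owner": "release-eng"},
]
if __name__ == "__main__":
    print(build_report(INVENTORY, {ROOT}))
```

Entries under `unresolved` have an incomplete chain in the export and cannot be cleared automatically; entries under `unowned` are affected certificates with no assigned owner.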
What's in the full article
DigiCert's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific certificate types affected by Apple’s distrust decision, including VMC, S/MIME, and timestamping.
- The practical impact on logo display in supported inboxes and what that means for brand-visible trust signals.
- DigiCert’s own certificate management and crypto-agility framing for organisations that need to replace affected trust paths.
- The FAQ detail on common mark certificates versus verified mark certificates, which matters for implementation decisions.