
Sender identity verification: are your email controls keeping up?


(@nhi-mgmt-group)

TL;DR: Email impersonation continues to drive business email compromise and phishing losses because many organisations still verify message content more often than sender authority, according to DigiCert and the FBI. Treating sender identity as a deterministic control closes a core digital trust gap that content filters alone cannot solve.

NHIMG editorial — based on content published by DigiCert: What Sender Identity Means for Digital Trust in 2026 Email Security

By the numbers:

Questions worth separating out

Q: How should security teams implement sender identity verification for business email?

A: Start by inventorying every domain and sender that can transmit on behalf of the organisation, then configure SPF, DKIM, and DMARC for each one.

Q: Why do email impersonation attacks keep bypassing content filters?

A: Content filters inspect what a message says, but impersonation often succeeds because the sender looks legitimate even when the message body is clean.

Q: What breaks when DMARC stays at monitoring mode?

A: When DMARC remains at p=none, the organisation gains visibility but not protection.

Practitioner guidance

  • Audit every sending domain and subdomain: Inventory active, parked, and legacy domains, then identify every system that can send mail on behalf of each one.
  • Enforce SPF, DKIM, and DMARC together: Configure SPF and DKIM for each authorised sender, then move DMARC from monitoring to quarantine and reject only after legitimate sources are validated.
  • Treat third-party senders as governed identities: Maintain an approved sender register for CRM, payroll, support, and communications platforms, with explicit ownership and offboarding for each integration.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SPF, DKIM, and DMARC configuration guidance for different sending environments
  • Practical notes on moving from DMARC monitoring to quarantine and reject without breaking legitimate mail
  • BIMI implementation details for organisations that want branded, authenticated email
  • Mailbox provider requirement context for bulk senders and deliverability planning

👉 Read DigiCert's analysis of sender identity and digital trust in email →
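The domain audit and the p=none gap described in the guidance above can be checked mechanically. The following is an added example, not code from DigiCert or from this post: it assumes the TXT records for each inventoried domain have already been collected, and the example.* domains and record strings are constructed placeholders.

```python
# Constructed sample data: example.* domains and records are placeholders.
INVENTORY = {  # domain -> (TXT at the domain, TXT at _dmarc.<domain>)
    "example.com": (["v=spf1 include:_spf.example.net -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "mail.example.org": (["v=spf1 ip4:192.0.2.10 ~all"],
                         ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"]),
    "parked.example.net": ([], []),
    "promo.example.com": (["v=spf1 +all"],
                          ["v=DMARC1; p=quarantine; pct=25; sp=none"]),
}

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def assess_domain(txt_root, txt_dmarc):
    """Return sender-authentication findings for one domain."""
    findings = []
    spf = [r.lower() for r in txt_root if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (evaluates as permerror)")
    elif {"+all", "all"} & set(spf[0].split()):
        findings.append("SPF authorises any sender (+all)")
    dmarc = [r for r in txt_dmarc if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("no DMARC record" if not dmarc
                        else "multiple DMARC records (policy ignored)")
        return findings
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, no enforcement")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    else:
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC policy applies to only {pct}% of mail")
        if tags.get("sp") == "none":
            findings.append("subdomains unenforced (sp=none)")
    return findings

def audit(inventory):
    return {d: assess_domain(*recs) for d, recs in inventory.items()}
```

An empty findings list means the domain publishes a single SPF record and an enforcing DMARC policy; parked domains with no records at all surface as two findings, which is why they belong in the inventory.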
