TL;DR: Google, Yahoo, and Microsoft are tightening bulk sender requirements around SPF, DKIM, DMARC, unsubscribe handling, and DNS hygiene to reduce spoofing and spam, according to DigiCert. The deeper issue is that sender identity now depends on verifiable machine trust, not just domain ownership.
NHIMG editorial — based on content published by DigiCert: 4 best practices for bulk email senders
Questions worth separating out
Q: How should security teams govern bulk email sender identities?
A: Security teams should treat bulk email senders as governed non-human identities.
Q: Why do SPF, DKIM, and DMARC need to be managed together?
A: They solve different parts of the same trust problem.
Q: What breaks when DNS records for email are not controlled tightly?
A: Email trust breaks because authentication depends on DNS being accurate and stable.
Practitioner guidance
- Inventory all outbound sending identities Map every marketing, transactional, and shared-service mail stream to the domain, infrastructure, and owner responsible for it.
- Enforce SPF, DKIM, and DMARC together Do not rely on a single protocol.
- Treat DNS as part of identity governance Audit DNS records regularly, restrict who can modify them, and add alerting for unauthorised changes.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of SPF, DKIM, and DMARC setup for bulk senders
- Guidance on moving DMARC from monitoring to enforcement without breaking legitimate mail
- Advice on how to use a Verified Mark Certificate after authentication is already in place
- The article's breakdown of DNS hygiene and why mailbox providers care about it
👉 Read DigiCert's guidance on bulk sender authentication and email trust controls →
Bulk email sender authentication: what IAM teams should notice?
Explore further
Bulk email sender compliance is really machine identity governance. The controls discussed in the source article map to a non-human identity problem, not just a messaging problem. SPF, DKIM, DMARC, and DNS integrity decide whether a sending domain can prove legitimacy at runtime. For identity teams, the implication is that outbound mail now belongs in the same governance conversation as service accounts and workload identities.
A few things that frame the scale:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant behaviour gap that directly affects how reliably identity controls hold up in production.
A question worth separating out:
Q: Who should own unsubscribe and suppression list governance?
A: The same team that owns the sending identity should own unsubscribe and suppression list governance. If opt-outs are handled inconsistently across systems, spam complaints rise and mailbox providers treat the domain as lower trust. Clean offboarding for recipients is part of maintaining the sender’s identity lifecycle.
👉 Read our full editorial: Bulk email sender authentication is becoming an identity issue