ValiMail: Automating Email Authentication

Alexander García-Tobar, Co-founder & CEO
When email was originally developed in the early 1980s, its protocols were architected without adequate security features, allowing emails to be spoofed and sent fraudulently by hackers. Alexander García-Tobar, CEO and Co-founder of ValiMail, refers to this as email’s “original sin.” Today, email is the number one attack vector for modern phishing attacks. But there’s a solution: email authentication based on the DMARC standard. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a global standard that can address email’s original sin, but several complexities make it a time-consuming and difficult undertaking for most businesses to implement.

This is where ValiMail comes in. With its automated email authentication service, the firm has effectively replaced a labor-intensive manual approach with a robust cloud service that automates the process. ValiMail has helped several customers achieve DMARC enforcement with minimal customer effort, including HBO, Uber, Yelp, CNN, and City National Bank. “ValiMail ensures that clients get to DMARC enforcement and stay there despite rapidly-changing email ecosystems,” says García-Tobar.

Since ValiMail is sold as a SaaS, the adoption of DMARC is simple for IT staff, and clients enjoy global reliability and scalability. ValiMail’s system authenticates every email in milliseconds to end impersonation attacks, control shadow email services, and secure the enterprise email ecosystem. Another bonus: email authentication positively impacts deliverability as well, something every marketing department values. Many third-party SaaS apps don’t come under the purview of IT when teams and workgroups purchase them, yet IT is expected to enforce governance and compliance. ValiMail identifies three classes of senders: legitimate sanctioned services, legitimate unsanctioned services (shadow email), and malicious senders (phish). This gives IT the power to work with the business to bring all IT investments into compliance. García-Tobar emphasizes that at no time does ValiMail’s system ever see any PII (Personally Identifiable Information).

To get started, customers make a one-time modification to their DNS to delegate a DMARC record to ValiMail.

ValiMail’s email authentication service ends impersonation attacks, protects corporate email brand reputation, and gives CIOs and CISOs control over shadow email services

This kicks off the monitoring phase, during which “ValiMail identifies all third-party senders utilizing the domain name to send emails. This allows us to identify suspicious senders that are impersonating the brand, as well as SaaS apps that use the domain name to send email,” says García-Tobar. A report based on domain traffic is prepared and presented, giving CIOs and CISOs visibility and total control over their email ecosystem. Senders classified as ‘authorized’ can continue using the domain name as an email sender while suspicious senders and unauthorized SaaS apps can be shut out.

García-Tobar recounts the example of working with one of the largest crowd-sourced transportation services in the world. When the customer discovered a significant number of phishers impersonating their email domain, it was clear to them that DMARC authentication was the best solution to the problem. The company, however, spent more than a year trying to implement DMARC and was unable to get to enforcement. After adopting ValiMail, the customer got to enforcement within 90 days, after a brief monitoring period. ValiMail’s email authentication service cut phishing volume by over 99 percent and eliminated the spear-phishing attacks completely. García-Tobar notes that ValiMail not only secures incoming email traffic but outgoing email traffic as well. ValiMail’s email authentication service works at the domain level and acts to inoculate both sender and receiver—once the domain is protected then impersonation attacks can be eliminated.


San Francisco, CA

A cloud-based email authentication platform that provides simple and cost-efficient enforcement of the DMARC standard