Why Choose Valimail

The Original DMARC Leader

From the earliest days of DMARC development, we've had a leading role in setting industry standards that drive security, scale, and adoption.


Uses a DNS TXT record to provide a list of authorized sending IP addresses for a given domain.


Uses Public Key Infrastructure (PKI) to add a digital signature to email messages in the message header. Message receiver validates DKIM signature with a public key stored in the DNS at d=domain in the hidden header.


Uses SPF and DKIM to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Provides additional protection against spoofing/phishing and helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM.


Authenticated Received Chain: Allow mailing lists or forwarding services to sign an email’s original authentication. Brand Indicators for Message Identification: Allow for brand-controlled email logos.









SPF Timeline

DNS TXT records provide an authorized sending IP address list to a given domain.

Public Key Infrastructure (PKI) adds a digital signature to email messages.

DKIM Timeline
DMARC Timeline

SPF and DKIM authenticate mail senders, ensuring destination email trust.

Brand Indicators for Message Identification (BIMI) provides brand-controlled email logos.

BIMI Timeline

Recently, DMARC adoption is growing, while DMARC enforcement is declining.

*It’s critical to get to enforcement. DMARC enforcement has dropped from 15% to 12% in the past few years -- a critical gap in email security for the ecosystem.

Why DMARC Enforcement is Binary

The DMARC policy is spelled out with the “p” parameter, for which there are three options:

P=None is not protection

No enforcement. Mail that fails authentication is delivered normally, including fraudulent messages using your domain. This setting is intended as a “test” mode, so domain owners can troubleshoot authentication settings without the risk of legitimate messages getting blocked.

In p=none mode, domain owners can use the reports sent by mail gateways to examine what messages are being blocked and which IP addresses are sending those messages. Turning DMARC reports into actionable insights is a challenge because of the complexity on the ground.

Armed with this information, the domain owner can make changes to their SPF and/or DKIM settings, and potentially to the domain(s) used by the messages. It’s critical to ensure that legitimate emails get through and are authenticated — a top issues for many companies.


Messages that fail authentication should be quarantined. Usually this means that the messages are delivered to a user’s spam folder.


Messages that fail authentication should be discarded, not delivered at all. Some receivers honor this request, while others just mark failing messages as spam.

DMARC enforcement benefits critical stakeholders across your organization.

Evaluating the Options
Build, Consult or Automate


Build Option



2-3 FTEs

(est. $300-450K annual)

Requires extensive maintenance, difficult to reach p=reject, manual DNS changes


Enforcement Success Rate


Consult Option



1-2 FTEs

(est. $150-300K annual)

Never-ending maintenance. Manual DNS changes


Enforcement Success Rate


Valimail Option



0.2 FTEs

Enforcement within 1 quarter, at 1/10th of the cost of a build with Valimail automation


Enforcement Success Rate

Valimail's Authenticated Approach to DMARC Enforcement with Valimail

State of Ohio Seal