DigiCert, a leading global provider of digital trust, backed by Clearlake Capital Group, L.P. (together with its affiliates, “Clearlake”), Crosspoint Capital Partners L.P. (“Crosspoint”), and TA Associates Management L.P. (“TA”), today announced the acquisition of Valimail, a market leader in zero trust email authentication delivered as a service. With more than 92,000 clients worldwide, up 70% this past year, Valimail is recognized as a leader in protecting organizations from phishing, spoofing, and domain-based threats.
The acquisition advances DigiCert’s strategy of delivering end-to-end digital trust. Valimail adds leadership in zero trust email authentication to the DigiCert ONE platform that already brings together public CA, private PKI, certificate lifecycle management, and DNS to give customers a unified view of digital trust.
Valimail is a pioneer in Domain-based Message Authentication, Reporting, and Conformance (DMARC). Today, the company protects global brands, enterprises, and government agencies, and holds the industry’s most robust portfolio of DMARC-related patents. Valimail is also the only DMARC provider with FedRAMP authorization, underscoring its leadership in highly regulated environments.
DigiCert is also a leading global provider of Mark Certificates (MCs) and Verified Mark Certificates (VMCs), which enable organizations to display verified brand logos in customer inboxes. When combined with DMARC, VMCs power BIMI (Brand Indicators for Message Identification), allowing users to instantly recognize trusted emails. This not only helps prevent phishing but also reinforces brand identity with visual trust indicators such as the blue check mark alongside the sender’s name. By bringing together DMARC enforcement, VMCs, and DigiCert’s leadership in digital trust, organizations can deliver a safer and more trustworthy email experience for their customers.
Sidley Austin LLP served as legal advisor to DigiCert. Piper Sandler served as the exclusive financial advisor to Valimail while Fenwick & West LLP served as legal advisor.
As phishing scams become more sophisticated and harder to detect, a new analysis from Valimail, the leading provider of email authentication and anti-impersonation solutions, reveals that retail brands are among the top targets. They are increasingly attacked not only for fraud, but for brand impersonation campaigns that erode consumer trust and open the door to disinformation.
In the past year alone, Valimail blocked over 123 million suspicious emails, highlighting the scale of attempted brand abuse aimed at customers’ inboxes. These are no longer the clunky, obvious attacks of the past. They’re clean and well-crafted, designed to replicate the tone, design and cadence of trusted retail brands. The goal is often to get customers to click, share credentials or even unknowingly spread misinformation.
While many retailers have taken steps to implement email authentication protocols the report shows that significant gaps remain:
Even though 95% of retail domains have a DMARC record in place, many aren’t enforcing it. Nearly 30% still use a policy that effectively does nothing.
6% don’t receive any reporting at all, leaving them blind to how their domains are being used or misused.
If new sender authentication requirements from Gmail, Yahoo! and Outlook were fully enforced today, 3 million retail emails would be blocked for failing compliance.
Despite these gaps, the report notes a 40% year over year increase in BMI adoption in the retail sector – a sign that more brands are looking to protect both security and visual trust in the inbox.
Valimail’s findings underscore a key shift: email security is no longer just about fraud prevention – it’s brand protection. In an era when AI can mimic tone, logos and layouts with alarming accuracy, authentication tools like DMARC and BMI are among the few tools that give brands control over who can send on their behalf.
Valimail offers free resources for organizations to check the protection status of their email domains through the Valimail Domain Checker, allows companies to explore and provides DMARC reporting visibility through its Monitor solution.
The full “2025 Winning (and Keeping) Shopper Trust – The Retail Email Threat You Can’t See” report can be accessed here.
Google recently rolled out an update to its DMARC reporting that provides unprecedented visibility into why emails might be getting throttled or blocked. This is a huge step forward for senders, who previously had to rely on guesswork to troubleshoot deliverability issues. Now, they have an early warning system that provides specific error codes, allowing them to fix problems before their emails are blocked.
This game-changing update was inspired by a conversation between Google and Valimail. Valimail believes it’s a critical new topic for anyone focused on email security (and has integrated this new data into Valimail Monitor.)
Scott Ziegler, Valimail’s Head of Product, shared thoughts about it here. It’s totally worth your time to read.
Valimail today released its “2025 Disinformation and Malicious Email Report,” revealing that email continues to be the most exploited attack vector for cybercriminals and disinformation campaigns, with artificial intelligence dramatically increasing the sophistication of these threats.
In an era marked widespread disinformation, trust in digital communications is eroding. Malicious actors are increasingly exploiting email to impersonate brands, launch phishing campaigns, and spread false information—often using sophisticated methods made simpler by emerging technologies. This environment calls for a layered approach to email protection.
Email authentication is the foundational, cost-effective defense that can significantly curb many of these malicious attempts at their source, providing future-proof protection that can scale. Additionally, DMARC uniquely protects outbound email to partners and clients thereby offering brand and compliance protection.
The report reveals considerable variation in email authentication implementations across industries:
Online Retail leads with 94% of surveyed domains having implemented basic email authentication measures
Financial Services shows strong adoption (80%) but one-third of domains lack enforcement policies that actually prevent spoofing
Higher Education faces significant challenges with nearly two-thirds of domains unable to prevent impersonation attacks
Healthcare lags behind with just over one third having implemented the bare minimum, non-protective DMARC policy of p=none
Information Technology shows concerning gaps with nearly a third of surveyed domains lacking the ability to prevent the use of their domain name in spoofed email messages
Several alarming trends are highlighted within the report, including:
Rising threat sophistication: AI-generated emails more than ever now convincingly mimic legitimate communications, dramatically increasing the success rate of phishing and spoofing attacks.
Cross-industry vulnerability: Every sector from financial services to healthcare, government, and education faces significant email-based threats, with varying levels of preparedness.
Protection gap: While more than 7.2 million domains have implemented some form of email authentication, approximately half remain insufficiently protected against domain spoofing.
Despite these growing threats, the report shows that Domain-based Message Authentication, Reporting, and Conformance (DMARC) continues to be a highly effective approach that can authoritatively prevent the most pernicious spoofing attacks when properly implemented.
Industry, government, and regulatory bodies worldwide are increasingly mandating DMARC compliance for industries handling sensitive data, such as finance and healthcare. Major email providers like Google, Yahoo and Microsoft require email senders to implement DMARC, improving deliverability and reputation for compliant organizations. Failing to comply with DMARC mandates can result in penalties, reduced deliverability, and reputational damage.
Valimail offers free resources for organizations to check their email security status through the Valimail DMARC Checker and provides DMARC reporting visibility through its Monitor solution.
The full “2025 Disinformation and Malicious Email Report” can be accessed here.
Valimail today announced the launch of its BIMI Simulator, a comprehensive suite of tools designed to empower brands to visualize and optimize their email presence through Brand Indicators for Message Identification (BIMI). This first-of-its-kind platform allows users to see what their email could look like with BIMI, understand the potential brand impression opportunity by implementing BIMI, and be inspired by what other companies and competitors are doing with their logos.
Valimail has been at the forefront of BIMI since 2018 as part of the AuthIndicators Working Group, the founding group of BIMI, and has been instrumental in the development of industry standards enabling brands to deliver their logos alongside email messages to billions of inboxes worldwide, increasing customer engagement with those messages and boosting brand trust. More recently, Valimail was a key partner in introducing a new capability to enhance BIMI with Common Mark Certificate (CMC), which provides greater flexibility and more affordable pathways for brands of all sizes that either do not have the right product trademark or do not have a trademark at all, looking to enhance their email marketing efforts while ensuring the security of their email communications.
According to Wombatmail, BIMI adoption has seen a growth of 28.4% between January 2024 and January 2025, measured by the number of domains with BIMI logo records published in the top ten million domains. BIMI drives significant marketing advantages, including increased brand visibility, higher user engagement, and a consistent brand experience. In addition a recent Yahoo Mail study found that BIMI implementation can increase email engagement up to 10%. Furthermore, BIMI provides a cost-effective channel for brand visibility, offering low-cost brand impressions compared to traditional advertising methods.
With major email providers like Google, Apple, and Yahoo! supporting BIMI verification standards, Valimail’s BIMI Simulator empowers brands to make the case for implementing BIMI, by visualizing its impact to improve brand awareness and protect against impersonation. This provides a comprehensive view and practical application of BIMI, available in a downloadable report, which includes:
BIMI Simulator: A tool that allows teams to simulate and visualize how the company’s logo will be displayed to recipients of BIMI-compliant email providers.
BIMI Audience Insights Report: A tool that allows businesses to visualize the breakdown of outbound mail that the organization sent to mailboxes that support BIMI in the past 30 days.
BIMI Inspiration: A comprehensive catalog of public BIMI records and logos of leading brands using BIMI, fostering inspiration and competitive insights.
One critical component of BIMI implementation is achieving Domain-based Message Authentication, Reporting, and Conformance (DMARC) at enforcement, an email security protocol that helps companies protect against email spoofing by verifying email senders and protecting domain owners from unauthorized use. By adding BIMI to DMARC, companies transform email authentication from a technical requirement into a visible brand asset, driving organizations to prioritize and achieve DMARC enforcement to unlock the full potential of BIMI.
All BIMI Simulator features are complimentary enhancements available to current Valimail customers using Monitor, Enforce, and Amplify. Valimail will showcase these new features in an upcoming webinar on Wednesday, March 26; register to join here.
You might recall that I have been implementing DMARC across all the domains that I own in order to increase email deliverability and to cut down, if not eliminate email spoofing via my domains. One thing that I did say at the time was that I was spending every morning looking at DMARC reports to get visibility into what was going on in relation to my domains. I specifically said this:
Now, let’s talk about the reports that I mentioned earlier. They show up in your inbox in xml format that isn’t human readable. To solve that problem, I use the MX Tools DMARC Report analyzer which makes these reports human readable. That way I have visibility into what’s going on from an email perspective. And I set aside a few minutes every day to read these reports. I admit that it’s bit time consuming. But it ensures that I don’t find out about my bad news from CNN so to speak.
Here’s the problem with that method. I am simply looking at one day at a time and one domain at a time. So I am missing out on anything that is trending for example. As in some threat actor who is spending multiple days trying to spoof my email addresses. That’s when Valimail hooked me up with Valimail Monitor. What this web based product does is that it allows users to monitor who is sending email from your domains and identify unauthorized senders. All from a single dashboard. That in turn gives you visibility as to where your good news (nobody is trying to spoof you for example) or bad news (someone is trying to spoof you, or someone inside your company is using a service that you haven’t authorized) is going to come from.
Let’s go into the weeds on this:
One of the first things that I do is to go into the dashboard and scroll through the different sections of the dashboard. DMARC status is one of the first things that usually gets my attention as that’s where I would get the first indication if anyone is spoofing me, or if I have a deliverability issue. In this case, it’s the former as seven email failed the DMARC check. That usually sends me off to the domains screen to see what is going on:
I have redacted my personal domain for privacy reasons. But it seems to be the source of the issue. Since I am a guy who likes to go down the rabbit hole on these things, let’s see why this is the case. So I am going to click the word “view” under the “Senders” column to see what’s going on.
Once I hit this screen, it becomes clear to me what’s going on. My hosting provider uses MailChannels as a proxy for all outbound mail to ensure that a bad actor who hosts with them doesn’t do anything that would cause their hosting infrastructure to be banned by other mail servers. So 100% of my email should go through there. But it’s not. It seems that some “Unidentified IPs” are trying to send mail using my personal domain.
And by clicking on “View” under the “Countries” column, it shows that what appears to be a Vietnamese based threat actor is trying to spoof my domain.
What I did from there is to increase the date range to one month to see what I found. Now Canada isn’t an issue as my email server is hosted in Montreal, and everything is clearly flowing through just fine. But I see that besides having a threat actor in Vietnam, a threat actor that appears to be in the US is also a problem as everything from that country is failing DMARC. Thus they’re trying to spoof me as well.
Now at the time that I went down this rabbit hole, I couldn’t see the exact IP addresses of the servers that were trying to spoof me. But I reached out to Valimail and they were able to get that straightened so that going forward, I can see the exact IP addresses of anything that is claiming to be sending email on my behalf. Some of them were hosted by Microsoft so I reached out to them via their abuse email address to address those threat actors. The other threat actor I have addressed by setting my domains to reject anything that fails a DMARC check.
Sidebar: Since I have done this, I have noted that phishing emails related to my domains have skyrocketed. Which illustrates that if a threat actor can’t get you using one technique, they’ll try something else.
While I continue to monitor the situation, I feel that I am in a better position to make sure that nobody is using my domains when they shouldn’t be as I have complete visibility of what is going on, and I can take action on anything that is suspect. Here’s the key part that you should pay attention to: This level of protection is free. Thus there’s really no reason why you shouldn’t use it.
Now if you need more than Valimail Monitor offers, they can help you with that. Valimail Align is the next level up from Monitor. It adds automated configuration of DKIM and SPF to allow you to get to a compliance level that satisfies Google, Yahoo, and others. It’s a great way to easily ensure that you’re in a good place when it comes to DMARC compliance.
Valimail Enforce is the top tier of what Valimail offers. It allows you to automate DMARC tasks and ensure that absolutely nothing slips through the net so to speak. For example, I set up Enforce which required me to make a number of DNS changes which are outlined here, and then I set up a MailChimp account to send emails using my business domain without telling Enforce about it. Then I waited to see what would happen next. What I found was that Enforce was able to discover the existence of MailChimp and that it was sending emails on my behalf. I was then able to add it as an authorized sender within Enforce and Enforce handed all the DNS changes in the background for me with no need to act as my own IT department to make changes to my DNS setup. It was literally a few clicks to get that done. And this is the key point. Enforce allows you to monitor every aspect of your mail setup so that you can make changes as needed, or discover email products like MailChimp for example that might be used in your organization without your knowledge. Thus if I were to put on my consultant hat on for a second, I would recommend that enterprises should head straight to Enforce as I can see that there would be a close to immediate payback in terms of security, reputation management, and cost.
Here’s the bottom line. Valimail has suite of products that I feel that any company who sends email, which is pretty much every company, should be using to ensure that their email gets to the their intended destinations, and to ensure that said companies reputation remains intact. On top of that, they will save a few bucks along the way. That’s a win on multiple fronts, which means that if you’re the guy who’s responsible for mail, DNS, and perhaps even your security stack, you need to have a look at what Valimail has to offer as in my view, this suite of products can help you in so many ways.
I have a pair of domains that I use for my business. There’s theitnerd.ca which is what I use for email and my website. And there’s itnerd.blog which strictly hosts my blog. That’s on top of the domain that my wife and I use for our personal email. I have been concerned for a while about someone spoofing me and my company and causing repetitional harm to my business or personal life as a result. Which is why I have been wanting to implement DMARC to stop that from happening. Now I’ve been kicking that can down the road until two things happened. The first is that I got a spoofing attack recently from someone who was pretending to have hacked my email in order to extort money from me. In fact, I have written about this sort of scam email here. But since I write about this stuff all the time, it along with the 80 copies of said email got deleted almost instantly as I recognized what it was and took the correct action as a result. But that episode showed that I could be spoofed by a threat actor. Which was of course a bad thing. The second thing was this report from Valimail about a North Korean spoofing attack where the North Koreans were taking advantage of people in my situation. That really got me to move on implementing DMARC because business email compromise as well as phishing are huge problems at the moment. And I don’t want to be part of the problem.
Now before I tell you what I did to address this, I want to explain what DMARC is and why anyone who has a domain that sends and receives email should care:
Domain-based Message Authentication Reporting & Conformance or DMARC is an email security protocol. DMARC verifies email senders are who they say that they are. And you as the sender can set things up to have receivers of emails do one of three things with any email that comes in that fails DMARC verification:
If an email fails DMARC verification, then do nothing other than report that it failed.
If an email fails DMARC verification, then quarantine it.
If an email fails DMARC verification, then reject it.
If you really want to go into the weeds on DMARC, click here to do so. The point of DMARC is to make sure that spoofed email never makes it to the inbox. Because any email that is spoofed is a hit to your online reputation. Or it leaves you open to things like the CEO email Scam or other forms of business email compromise. But the most important reason to implement DMARC is that by not doing so, it will make it harder to send people and companies legitimate emails to them. On top of all of that, Google and Yahoo are requiring DMARC to be implemented on the domains that send them email. And that’s likely to become a common thing with other organizations in the coming months and years. Meaning that if you own a domain, DMARC is a today problem for you.
Now in most cases, you may already have a DMARC policy set up in your domain name server (DNS) records as I did. But chances are that it will likely do next to nothing for you. I will use my domain as an example of this so that you can see what I mean. Here’s the DMARC records that I started out with:
The important thing to note is the “p=none” part. The “p” stands for policy. And while simply having it set to “none” meets the minimum requirements of DMARC that Google and Yahoo stipulate, it does next to nothing to stop the issues that I highlighted above. This is where I started my journey. And it was a bit bumpy from start to finish.
I started with my hosting provider to see if they could assist me. But their tech support people had no clue how to implement DMARC in a way to protect my domain from spoofing and the like. That forced me to do a fair amount of research on my own to figure out what I needed to do. Which often led to contradictory information that I had to sort through. After a few days of doing research and figuring out what was valid information and what was bogus information, I came up with this DMARC policy (click to enlarge):
You’ll notice that this is a whole lot more expansive. Here’s what’s changed:
I now have p=quarantine along with sp=quarantine. What that means that it is directing the receiver of any email claiming to come from my domain or any sub domain that I have to quarantine any email that fails the DMARC check. Now if I were really strict, I would go for the reject option. But my logic at the time, which I will admit that I am currently rethinking for reasons that I will get to in a minute is that at suspect emails won’t make it to the inbox. Thus quarantine is fine.
You’ll also notice an “rua” and “ruf” entry with a redacted email address. These are tags that are designed for reporting what’s going on in terms of email being received by other domains. Google for example. Here’s the detail on those two tags:
The “rua” tag is for aggregate data reports. The best way to explain that is that these are reports that say “this server connected to me saying that it was you and it passed or failed a DMARC check” at a very high level.
The “ruf” tag is for message-specific forensic information that is to be reported to you. As in a specific email had an issue and the receiving server is reporting on it in detail. I will admit that I am rethinking using this for reasons that I will get to in a minute.
As for the redacted email addresses, that’s the email addresses where the reports will be sent to.
Now, let’s talk about the reports that I mentioned earlier. They show up in your inbox in xml format that isn’t human readable. To solve that problem, I use the MX Tools DMARC Report analyzer which makes these reports human readable. That way I have visibility into what’s going on from an email perspective. And I set aside a few minutes every day to read these reports. I admit that it’s bit time consuming. But it ensures that I don’t find out about my bad news from CNN so to speak.
As an aside, the above is not meant to be a how to guide. I’m offering this up to help to illustrate the process of implementing DMARC. If you’re planning on doing this, you should seek professional assistance from an expert on the subject if you are not sure how to proceed.
Clearly, this is a lot of work. And I had to do versions of this for not only both my business domains, but my personal one as well. And I wished at the time that there was some sort of best practise guide or something similar that would have made it easier for me to do this. Then it dawned on me that I can’t be the only person who has this challenge. Thus I decided to reach out to DMARC experts Valimail as I had been writing about them for some time on this very topic. At the same time I could run my DMARC setup by them as they are the experts in DMARC and see what I could improve on as I admit that I kind of YOLO‘ed this. The result of that request was that Valimail or more accurately Seth Blank the CTO of Valimail was kind enough set aside some time for me to flesh out what DMARC is and why you should care, along with having a quick look at my setup.
Now I’ve already covered the what DMARC is and why you should care part above. But during our discussion, I asked him what the best practise in terms of a DMARC policy is as I could not find a straight answer on that. His answer is that in short, your DMARC policy should be set to reject any email that doesn’t come from your domain. However quarantine works as well because emails will not be hitting the inbox as well. And if emails are not hitting the inbox and being routed to being put into quarantine, people are more likely to take a more critical look at what’s in there. Or to put it another way, the receivers of your email are less likely to get compromised by a threat actor. Now using the quarantine policy is one of the things that I am rethinking at the moment as I am now toying with the idea with switching to the reject policy. That I am going to take a wait and see approach on my personal and company domains based on what’s in the reports that get sent to me. Though, on my itnerd.blog domain, I made the switch to the reject policy as I don’t send or receive email from that domain at all. Thus if anyone gets an email that ends in “@itnerd.blog”, it’s guaranteed to be a spoofed email. Making the reject policy the right choice. The other thing that Mr. Blank pointed out is that I have a “ruf” tag in my DMARC setup. The potential problem with that tag is that I am going to get reports about specific emails that have issues, and they may have information in those reports that potentially violates the GDPR. Also, the reports that this tag enables goes deep into the weeds. And chances are that going deep into the weeds will not be required 99% of the time. So I’ll be removing this tag later today.
The one thing that Mr. Blank emphasized to me was that besides brand protection and stopping things like spoofing and business email compromise is the fact that implementing DMARC properly can increase the deliverability of emails to your recipients. Mr. Blank cited the HMRC in the UK and its battle with fraudsters. Prior to implementing DMARC, fraud using the HRMC domain was out of control. And legitimate HMRC emails were not making it to the inbox. But after implementing DMARC, this happened:
HMRC was able to reduce spoofing by half a billion emails, which is fantastic. But we also improved delivery rates of genuine emails from 18% to 98%, all through the implementation of Dmarc. Nothing extra – the very same thing that reduced the spoofing also increased the delivery of genuine emails.
Now nobody should expect that stunning result by implementing DMARC, but as Mr. Blank put it, implementing DMARC reduces the noise. And forces threat actors to change their tactics as a domain with DMARC that is properly implemented is simply not as vulnerable to spoofing or business email compromise. At the same time, your legitimate emails are much more likely to hit the inbox. Meaning your communications are more likely to be seen and more likely to be effective. Thus implementing DMARC is unquestionably a worthwhile exercise.
Here’s the bottom line. If you own a .com, .ca, .biz or some other domain, you should be looking at setting up DMARC. It’s going to make sure that your emails are more likely to reach their intended recipients. And it’s going to ensure that your online reputation remains intact. Both of which are very good things.
I’d like to thank Seth Blank of Valimail for his time in terms of researching this story and his guidance in terms of getting my DMARC setup right.
Valimail, in collaboration with email giants Google and Yahoo, hosted a roundtable to discuss newly implemented bulk sender requirements aimed at enhancing email authentication and security. With the surge in threats like spam and phishing, the conversation, featuring Google’s Neil Kumaran and Yahoo’s Marcel Becker, centered on the urgent need for more stringent email authentication to protect users and improve deliverability of legitimate emails. The new rules focus on large senders initially, due to their higher risk of impersonation and potential impact, and emphasize the use of standards like SPF, DKIM, and DMARC to verify sender identities, thereby reducing the risk of impersonation and spam. The initiative reflects a collective effort to bolster email security and deliverability, with Valimail offering tools and guidance to aid senders of all sizes in achieving compliance and enhancing the email ecosystem’s overall safety.
Valimail, a leading provider of email authentication and anti-impersonation solutions, today announced the availability of Valimail Enforce in the Microsoft Azure Marketplace, an online store providing applications and services for use on Azure. Microsoft customers can now take advantage of the productive and trusted Azure cloud platform to gain access to Valimail Enforce capabilities, with streamlined deployment and management.
Valimail Enforce is a better, proven way to accelerate the journey to DMARC enforcement. Valimail delivers world-class automation tools to get you to continuous enforcement – meaning no manual SPF and DKIM configuration. Users are able to protect their domains at scale and improve email deliverability with Valimail’s best-of-breed solution that offers advanced sending service intelligence, unlimited SPF lookups, and contextual analytics – all in one simple application that anyone can use. With Valimail Enforce, users gain:
Access to a premier DMARC partner for Microsoft
One-click authorization for up to 100% of services within your ecosystem.
Access to unlimited SPF lookups so you never risk blocking good email.
Confidence in continuous DMARC protection with auto-configuration and updates.
The Azure Marketplace is an online market for buying and selling cloud solutions certified to run on Azure. The Azure Marketplace helps connect companies seeking innovative, cloud-based solutions with partners who have developed solutions that are ready to use.
Recent tax scams, as highlighted by the IRS and the FBI, continue to pose significant threats to taxpayers, exploiting various schemes to commit fraud and identity theft. The IRS’s “Dirty Dozen” list for 2023 underscores the variety of scams taxpayers and tax professionals should be wary of, not only during the tax season but throughout the year.
Among these scams, the misuse of the Employee Retention Credit (ERC) has been notably aggressive, with scammers luring ineligible individuals with promises of significant refunds. Other popular cons are “professionals” offering to set up your IRS accounts (to steal your data), lying about fuel tax credits you can get, or fake charities exploiting your kindness to pocket donations. Other scammers try to bait people through phishing emails and texts, pretending you need to simply “update personal info” or something else seemingly non-nefarious.
Like always, it’s smart to keep your personal info safe and be cautious of any surprise emails or calls pretending to be from the IRS or similar tax organizations. One small piece of advice: if you ever get questionable requests, check the IRS and/or FBI website for scam alerts to protect yourself, no matter how convincing the communication sounds.
Sound rather daunting? Help is on the way…
Google and Yahoo’s New Requirements
The biggest vector for abuse happens when a bad actor can fraudulently use a business’s trusted emailing domain to send legitimate-seeming messages to their employees, partners, or users. Google and Yahoo have set new requirements that began taking effect in February 2024, focusing on enhancing authentication and anti-spam measures for emails, to stop spam, phishing, and fraud. These rules require emailers to secure their domains from fraudulent usage and apply to nearly every business that sends email to Gmail or Yahoo inboxes.
These rules, once fully in effect, should make it much harder for scammers to leverage trusted domains to defraud users. However, it’s important to note that these changes won’t be fully implemented for this tax season. Google and Yahoo will gradually enforce these rules to give senders ample time to comply. This means that while some improvements in email security might be noticed, the full benefits of these new requirements in curbing tax scams and other phishing attempts will be more fully realized in future tax seasons.
How to Avoid Tax-Related Phishing Attempts THIS Season
Before the upcoming regulations fully take effect, forward-thinking businesses are proactively elevating their security measures, especially during tax season. Valimail is at the forefront of this movement – creating ways to keep brands reliable and customers feeling safe. Here’s how Valimail can assist.
Valimail Align keeps you in step with the changing delivery rules of major providers such as Google and Yahoo, giving you peace of mind about your compliance across various services. With our automation platform, you can effortlessly align SPF and DKIM, ensuring your emails are delivered smoothly without gaps.
Valimail Enforce offers a smarter and more efficient path to DMARC enforcement. Our dedication lies in crafting top-tier automation solutions that ensure ongoing enforcement without the hassle of manual SPF and DKIM setups.
With our market-leading products, you can safeguard your domains and enhance email deliverability. We provide sophisticated sender intelligence, unlimited SPF lookups, and insightful analytics, all bundled into an easy-to-use application suitable for anyone.
DigiCert Acquires Valimail
Posted in Commentary with tags Digicert, Valimail on September 16, 2025 by itnerdDigiCert, a leading global provider of digital trust, backed by Clearlake Capital Group, L.P. (together with its affiliates, “Clearlake”), Crosspoint Capital Partners L.P. (“Crosspoint”), and TA Associates Management L.P. (“TA”), today announced the acquisition of Valimail, a market leader in zero trust email authentication delivered as a service. With more than 92,000 clients worldwide, up 70% this past year, Valimail is recognized as a leader in protecting organizations from phishing, spoofing, and domain-based threats.
The acquisition advances DigiCert’s strategy of delivering end-to-end digital trust. Valimail adds leadership in zero trust email authentication to the DigiCert ONE platform that already brings together public CA, private PKI, certificate lifecycle management, and DNS to give customers a unified view of digital trust.
Valimail is a pioneer in Domain-based Message Authentication, Reporting, and Conformance (DMARC). Today, the company protects global brands, enterprises, and government agencies, and holds the industry’s most robust portfolio of DMARC-related patents. Valimail is also the only DMARC provider with FedRAMP authorization, underscoring its leadership in highly regulated environments.
DigiCert is also a leading global provider of Mark Certificates (MCs) and Verified Mark Certificates (VMCs), which enable organizations to display verified brand logos in customer inboxes. When combined with DMARC, VMCs power BIMI (Brand Indicators for Message Identification), allowing users to instantly recognize trusted emails. This not only helps prevent phishing but also reinforces brand identity with visual trust indicators such as the blue check mark alongside the sender’s name. By bringing together DMARC enforcement, VMCs, and DigiCert’s leadership in digital trust, organizations can deliver a safer and more trustworthy email experience for their customers.
Sidley Austin LLP served as legal advisor to DigiCert. Piper Sandler served as the exclusive financial advisor to Valimail while Fenwick & West LLP served as legal advisor.
Leave a comment »