Authenticating the World’s Communications: How Valimail’s Sender Identity Platform Helps Businesses Mitigate Phishing and Email Compromise Attacks

Valimail Helps Thwart Phishing And Email Compromise Attacks

TL;DR: Valimail, a provider of automated email authentication solutions for brand protection and anti-fraud defense, is on a mission to build public trust in email. Designed to verify identity and safeguard networks at their weakest points, the standards-compliant technology provides peace of mind, protects against reputational damage, and boosts ROI. Ultimately, Valimail’s ongoing feature improvements are contributing to the company’s overarching goal: to transform email into a more secure communications platform.

Email may be one of the most popular methods of communication, but it’s also fraught with risk.

Phishing — the deceitful attempt to gain access to sensitive information by disguising oneself as a trusted email sender — is an especially dangerous threat. Researchers have found that 90% of data breaches occur because of phishing or related social engineering, and 92% of malware is delivered by email.

“Phishing is so ubiquitous that when you read stories about cyberattacks, it almost never gets mentioned,” said Dylan Tweney, VP of Communications at Valimail. “Reporters almost always omit the way malware gets in the system in the first place: through a spear-phishing email.”


Valimail is making email a more trustworthy communications channel.

Other times, he said, they fail to mention the fact that accounts are frequently compromised through phishing emails where the victim clicks on a button and enters password information on a malicious site. Despite how the media report these threats, the fact remains: Without email authentication, recipients have no way to verify who’s sending an email.

That’s why Valimail is on a mission to authenticate the world’s communications and bring trust back to email. The company’s founders, Alexander García-Tobar and Peter Goldstein, have worked in the security and infrastructure fields since the late 1990s and formed a friendship in the mid-2000s. By 2015, they founded Valimail to provide a fully automated email authentication tool designed to increase brand protection and defend against fraud.

Valimail provides a cloud-native solution for validating and authenticating email sender identity to stop phishing and protect brands. The company’s patented, standards-compliant technology both verifies identity and safeguards networks, providing a one-stop shop for halting phishing attacks, boosting deliverability, and protecting reputations.

“Our focus has always been on restoring trust to email and giving you confidence that whoever is sending you email is really who they say they are,” Dylan said.

Built to Verify Identity and Safeguard Your Network at its Weakest Point

Valimail hit the market around the same time as an emerging technology known as Domain-Based Message Authentication, Reporting, and Conformance (DMARC). Email receivers such as Gmail, Outlook, and AOL all perform DMARC checks on incoming mail to determine whether the domain that it appears to come from has published a policy affirming that senders are authorized to send email.

On the receiver side, the technology was widely accepted, but domain owners weren’t taking advantage of it at high rates because it proved difficult to implement.

“It was too complex: There were some limitations in the standards, and it involved monkeying around in DNS,” Dylan said. “Smaller companies just didn’t have the expertise, and bigger companies wound up running into a ton of technical issues because they had very complex email environments.”


Valimail’s Trust Layer secures domains, inboxes, and brand reputation.

Valimail was founded to automate the email authentication process through DMARC and related standards. As the business grew, it expanded beyond email authentication and DMARC to become a comprehensive sender identity platform for email.

“The reason that’s needed is that a lot of security solutions focus on the content of messages,” Dylan said. “For example, these solutions will check if a message has an attachment that’s known to be bad, if it’s linking to known malicious sites, or if attacks can be parsed through AI or straight signature recognition to find out if it’s malicious.”

The problem is, those kinds of solutions aren’t ideal for identifying and validating the sender, or determining whether the sender is someone you can trust in the first place.

The Valimail Trust Layer delivers a suite of products that address these concerns, closing the gap left by content-based security techniques by focusing on sender identification and authentication. In this way, the Valimail Trust Layer provides fully automated protection against both inbound and outbound phishing, as well as business email compromise (BEC) attacks.

A Zero-Trust Approach to the Inbox

Dylan said content-based approaches and filtering solutions are becoming more sophisticated — even employing artificial intelligence (AI) and machine learning techniques to recognize new patterns. Fundamentally, however, these recognition solutions are still based on patterns and content. So, as detection approaches advance, attackers look to exploit alternative vulnerabilities.

“Instead, they’re sending messages that have no malware at all — no attachments, no links, nothing,” Dylan said. “They will send an innocuous-looking message asking you to change your bank account routing number. There’s nothing detectably wrong with it, except for the digits in the bank account number, but it gets through due to the fake sender identity.”

Checking and validating sender identity is precisely where content-based solutions fail. Dylan said BEC has emerged in the past few years as a new category of phishing that has caused $12.5 billion in losses worldwide, according to the FBI.

“And it’s accelerating,” he said. “Lots of different studies will tell you that it’s growing because it’s seeping through a weakness in phishing defenses, which is the weakness of identifying and validating the sender. That’s the big shift in the market.”

Dylan told us that Valimail’s technology has evolved with the times. Today, the company treats the corporate inbox as a private party in which a bouncer only accepts trusted senders — and everyone else is quarantined or rejected. “We take a zero-trust approach to the inbox,” he said. “No one’s getting in unless they’re trusted already.”

This bouncer approach makes the process straightforward. Valimail has identified tens of millions of domains that are verifiably tied to real-world entities and, therefore, can be trusted (to a certain extent).

“We’re not saying those entities are good or not,” Dylan said. “We’re just saying that there’s something real behind the domain name. It’s much easier to take a finite, identifiable list of good domains than manage and thwart attacks from an infinite number of malicious domains.”

Dylan told us the platform doesn’t solve all of the world’s cybersecurity issues, but it does address a considerable portion of phishing problems — one of the most significant weaknesses of corporate and organizational security today.

Delivering Peace of Mind, Brand Confidence, and Massive ROI

Valimail delivers several benefits, especially from a brand reputation perspective. Email authentication via DMARC ensures that criminals can’t send fraudulent emails to employees, partners, or customers in your name — or impersonate others in emails sent to you.

“For example, malicious actors can’t launch a phishing campaign and impersonate a bank that’s protected with DMARC because they can’t use the domain as a ‘from’ in their emails,” Dylan said. “That provides a branding benefit — recipients will be better able to trust protected businesses.”

Increased brand reputation also boosts email deliverability rates, improves email reputation scores, and encourages new brand impressions. “Our customers also see a 10% or more improvement on deliverability,” Dylan said.


When fully adopted, BIMI will increase brand recognition and boost open rates.

Valimail is also paving the way for the use of Brand Indicators for Message Identification (BIMI), a system that allows senders with domains authenticated via DMARC to display their official logo next to their name in the reader’s inbox. “BIMI is currently being tested in Yahoo! Mail and will be tested in Gmail later this year,” Dylan said. “Once it’s widely deployed, it will enable thousands of brand impressions for companies that have it enabled.”

The cloud-based service delivers updates every few weeks in response to market needs and threats. The Valimail customer support team is responsive and highly engaged with customers, and that level of support translates to happy customers.

“We won the 2019 Excellence in Customer Service Award,” Dylan said. “We have had a customer retention rate that’s greater than 98% since the start of the company — we’ve seldom lost a customer. And there are no hidden support or consultation charges with us.”

As if that weren’t enough, Dylan told us the onboarding process is a cinch. On the DMARC and email authentication side, setup requires a five-minute DNS change to point the relevant records to the Valimail system.

“Instead of configuring a DMARC record, you point DMARC to the Valimail system, and we dynamically generate DMARC for you. You complete the rest of the configurations through the Valimail interface,” Dylan said. “You never need to touch DNS again.”

Setting up inbound protection against impersonation requires nothing more than a one-minute authorization within Microsoft Office 365 and G Suite that lets the Valimail system connect to the provider’s API.

Transforming Email into a More Secure Communications Platform

Valimail is currently keeping a close eye on developments in email technology, such as Google’s AMP for email, which allows a faster and more bandwidth-efficient deployment of applications on webpages.

“AMP is the Google-backed standard for accelerating website performance, and it’s now being adapted for use in email,” Dylan said. “AMP for email will allow companies to deliver dynamic content right in the body of emails. For example, you can send a survey to someone, and they can fill out the survey, and it will dynamically pull in new questions based on your answers to previous questions.”

The technology could also enable your bank to send you an interactive email statement through which you could view account details and initiate transactions. For this to work, email would have to become extremely secure. Valimail is excited about the contributions it’s making in the sender identity part of that process.

“If there’s a widespread ecosystem for authenticating and validating sender identities, that creates the possibility for email to become a much more secure platform, and it enables things like AMP in emails to happen with much lower risk,” Dylan said. “Just imagine how much more powerful email can be as a marketing tool, as a business tool, and even for consumer benefit.”