How Valimail is building email’s last line of defense

*Editor’s note: DigiCert has acquired Valimail as of September 2025

Businesses spend millions into cybersecurity defense, yet their number one form of communication — email — is often overlooked.

For years, email authentication was an afterthought: expensive to implement, and rarely considered in a security industry focused almost entirely on inbound threats. But unauthenticated email is critical — it forms the root attack vector for nearly 90% of email fraud, phishing, and impersonation, making it impossible for recipients to reliably trust who an email came from.

And the scale of the problem is only growing: in 2024, there were 4.48B global email users, a figure projected to climb to 4.89B by 2027.

“Email authentication allows you to take back control … and to make sure that no one can pretend to be you, to your customers, to your suppliers, [or] to your investors,” says Alexander García-Tobar, cofounder and CEO of automated email authentication provider, Valimail.

Authentication is paramount for trusted communications — both inbound and outbound — and filtering, encryption, and other methods of securing email just don’t cut it.

“Security doesn’t just stop at your four walls,” says García-Tobar. “You need to worry about your supply chain. You need to worry about the weakest link — your consumers, all this outbound messaging that is not getting authenticated or addressed by anyone.”

What you really need, he says, is “a zero-trust approach.”

The email authentication gap

García-Tobar acquired this zero-trust mindset early in his career, as Head of Sales at Valicert, a leading digital certificate authentication vendor he helped lead to IPO in 2000. “It taught me the power of authentication and how a zero-trust approach lets you focus on what’s good, and you can ignore the rest,” he says.

While manual email authentication options existed, they were expensive and difficult to scale; as many as 80% of projects to authenticate email fail. For years, SEGs (Secure Email Gateways), which carry out basic filtering for spam and known attacks, were the standard corporate defense. But they aren’t sophisticated enough for more complex impersonation attacks.

The global shift to digital working called for a better solution. “As enterprises’ value has moved online, the value of the content has risen,” says García-Tobar. “The damage that an attack creates has also risen commensurately.”

“Cybersecurity is becoming ever more important as all of our assets and all of our value is getting digitized and is there for criminals to grab.”

By 2015, Big Tech organizations, including Google, Facebook, and PayPal, had established an email authentication protocol called DMARC (Domain-based Message Authentication, Reporting, and Conformance).

García-Tobar saw an opportunity to apply automated, zero-trust authentication to DMARC. “DMARC was positioned as another way to stop inbound threats to your employees,” says García-Tobar. “We actually saw that there’s value in the outbound communications as well.”

Authenticating emails at scale

In 2015, he left his position as VP of Business Development at Agari, a SaaS solution for email security, to cofound Valimail — named as a combination of “valid” and “email” — with fellow serial entrepreneur and cybersecurity technology expert, Peter Goldstein.

“When I saw the ability to apply [automation] to one of our biggest problems, which is that email has no authentication built in, I jumped at that,” García-Tobar recalls.

The opportunity was clear. “Email is still our either primary or secondary form of communication on the planet,” he explains. “Its use is expanding. If you think about the fact that [when] you sign up to a loyalty club, or you get a receipt, or you get an invoice … it’s always email.”

García-Tobar and Goldstein spent a year in stealth, building a web-based interface to automate email verification, hiring their first employees, and acquiring more than a dozen customers, including Mailchimp and Uber.

“Our mission is to authenticate the world’s communications at scale.”

The company officially launched in May 2016, having raised a $1.5M seed round, to make authenticating an email as reliable as authenticating a credit card.

Valimail quickly became a profitable business, authenticating 1.5 billion emails per month. In November 2016, it announced a $12M Series A, which it invested in onboarding new clients, building out its API, and tripling its workforce. Valimail grew rapidly, adding the likes of Yelp, Fanni Mae, and WeWork to its client list.

In May 2018, Valimail announced a $25M Series B, and later that year, it expanded its platform, earned SOC2 Type 2 certification.

In a stand against election hackers, Valimail offered its Valimail Enforce email anti-spoofing service for free to United States state election boards, voting system vendors, and major party U.S. election campaigns through the 2018 midterms, to help fight bad actors.

“These rampant fake email attacks are a threat to the democracy we live in and love,” read García-Tobar’s statement. “They are also preventable. It’s time to put a stop to these offensive attempts to derail American democracy.”

Betting on the trust layer

Investment and interest in email security grew amid a spike in phishing attacks in 2019, when more than half of all organizations fell victim to at least one successful breach. This was the context for Valimail’s $45M Series C, led by Insight Partners, in June 2019.

“Valimail’s ‘trust layer’ represents a fundamentally better approach to solving this crisis of fake sender identities.”

The partnership felt right to García-Tobar: “What I was impressed with were the people who have a deep desire to have successful outcomes for their portfolio companies and [are] willing to do all the work necessary to make that happen.”

Valimail channeled the funding into a global partnership with Symantec and a unique email visibility product for Microsoft Office 365 customers. Between 2020 and 2023, Valimail grew its customers from 5,000 to 30,000 — a 500% increase in adoption.

A global leader in email security

Now the global leader in automated DMARC technology with a 100% customer retention rate, Valimail has fundamentally transformed email security by focusing on sender identity authentication rather than just content inspection. But as Valimail celebrates a decade in business, the threat landscape looks very different than when it began.

“Things are changing so quickly,” García-Tobar reflects. “And because of the exponential nature of technology, we can’t even imagine the types of attacks we’re going to have to defend against five years from now. We’re barely conscious of what we need to defend against for next year and the year after.”

He believes the age of human-driven security is nearing its limits. “Machines are going to overtake humans in terms of the ability to both attack and defend,” he says. “It’s becoming difficult for people … to know what’s real and what’s not real. [In the future], it’s going to be machines protecting against machines.”

“What is cute today is deadly tomorrow.”

Attackers are already using AI to impersonate people with uncanny accuracy. “AI is getting very good at spoofing people,” García-Tobar warns. “It’s also somewhat hard for an AI to figure out if that email is real or not.”

“I will rest when 100 million domains out there have this protection”

But this is where Valimail cuts through the noise. Zero-trust authentication is “all-or-nothing”, making it “an extremely powerful weapon against AI spoofing,” says García-Tobar. “Regardless of what industry you’re in, I’d encourage people to look at authentication as another layer in combating disinformation,” he says.

He’s quick to caution that AI alone won’t save the industry. “Only AI to fight AI is not going to necessarily solve the problems we’re seeing. A diverse and layered defense is probably the best approach.”

For García-Tobar, the goal is as ambitious as it is simple: ubiquity.

“I want to see us remain the world’s leader in DMARC,” he says. “There are 100 million email domains on the planet today. Less than a million have a solution and have implemented it. So there’s a long way for us to go. I will rest when 100 million domains out there have this protection.”

*Note: Insight Partners has invested in Valimail.