Last updated: December 2024
Are you searching for a robust alternative to Valimail to efficiently protect your email-sending domains from unauthorized use? Look no further.
This guide offers a comprehensive comparison between Valimail and Red Sift OnDMARC—widely regarded as one of the top Valimail alternatives available.
Red Sift OnDMARC overview
Red Sift OnDMARC is an industry-leading, automated DMARC application that helps organizations take back control of their email reputation and stop unauthorized use of their email-sending domains.
Red Sift OnDMARC focuses on expedited time to enforcement by making it easy to audit existing email-sending environments, troubleshoot setups with Investigate, and automate the management of DMARC, DKIM, SPF, and MTA-STS with Dynamic Services. It boasts an average 6-8 week enforcement timeline. OnDMARC also offers hosted MTA-STS and the only end-to-end BIMI solution on the market with integrated VMC provisioning.
Red Sift OnDMARC is used by leading organizations across a wide variety of industries. Red Sift has over 1,000 global customers including Capgemini, Domino’s, TUI, Telefonica, and ZoomInfo. Red Sift is ISO 27001:2013 certified and a member of CyberExchange and Global Cyber Alliance.
You can sign up for an OnDMARC 14-day free trial with access to all features from the Red Sift website. From November 2023, Red Sift is the new partner for Cisco Domain Protection.
Valimail overview
Valimail is an enterprise-focused DMARC vendor. According to its website, it “protects your domains and improves email deliverability with a best-of-breed solution that offers advanced sending service intelligence, unlimited SPF lookups, and contextual analytics.”
Valimail has two products, Monitor and Enforce. DMARC Monitor is a free DMARC visibility and monitoring tool. Enforce is Valimail’s paid, automated DMARC application. For the purposes of this blog, we will focus on Valimail Enforce.
Valimail Enforce is an enterprise-focused DMARC product. It is the DMARC product of choice for a large number of enterprises such as Uber, Yelp, and Splunk and has strong customer feedback on review sites.
Valimail has a range of enterprise features including Instant SPF and forensic reporting. It does not offer an integrated BIMI and VMC solution, the ability to host and manage MTA-STS records, or troubleshooting tools.
Valimail is SOC 2 Type 2 certified and FedRAMP authorized, proving its standardized approach to security assessment.
You cannot sign up for a free trial of Valimail Enforce from its website.
The comparison at a glance
While both Red Sift OnDMARC and Valimail are designed to help security teams manage email-sending services and protect their domains from exact domain impersonation, they cater to different audiences and offer differentiated feature sets.
The following table highlights key differences to help you choose the right solution for your needs.
An overview of Red Sift OnDMARC vs Valimail
Feature | Red Sift OnDMARC | Valimail |
Average time to enforcement | 32 weeks | |
Hosted DMARC | ✅ | ✅ |
Hosted SPF | ✅ | ✅ (macro-based) |
Hosted DKIM | ✅ | ✅ |
Hosted BIMI with VMC integration | ✅ | ❌ |
Aggregate & forensic reporting | ✅ | ✅ (only get forensics via Google and M365 APIs) |
Enhanced forensic reports | ✅ | ❌ |
DNS configuration monitoring | ✅ | ❌ |
Embedded LLM assistant | ✅ | ❌ |
APIs | ✅ | ✅ |
Third-party threat data (e.g. Spamhaus) | ✅ | ❌ |
Customer Success Engineer included at Enterprise level | ✅ | ❌ |
Ease of provisioning
Without effective technology, DMARC can be a complex and time-consuming protocol to understand and implement. This makes it all the more important to ensure that provisioning is quick and simple.
Red Sift OnDMARC
Getting started
Once you’ve signed up for OnDMARC’s free trial, you’ll come into the ‘My domains’ view where all the domains that are managed by OnDMARC will be displayed with visual indicators for each email security protocol and its status.
To get started, you’ll need to run through a simple, three-step ‘add domain’ flow to load in the domains that you want to protect. You’ll be prompted to select between setting up Dynamic Services or managing your records manually. Dynamic Services allows you to manage your DMARC records from right inside the OnDMARC interface without needing to access your DNS, helping to avoid making manual configuration errors and ensuring that your journey to full protection is fast and efficient.
Once you’ve delegated email record management to OnDMARC and added the provided smart record to your DNS, you usually have to wait for up to 24 hours for DMARC reports to arrive - one of the main reasons why DMARC projects can be time-consuming.
What makes Red Sift OnDMARC different from all other tools on the market is its Investigate feature. It allows you to test configuration updates in real-time rather than waiting for DMARC data to arrive over 24 hours, drastically reducing the time needed for a DMARC project and speeding up the time needed until full protection is reached.
Investigate extends beyond standard DMARC, SPF, and DKIM checks to deliver an enriched, comprehensive analysis of your FCrDNS, TLS, BIMI, MTA-STS, and IP reputation. It also identifies potential exposure to SubdoMailing attacks, assesses your compliance with Google and Yahoo bulk sender requirements, and more—consolidating these critical insights into a single view.
In addition to Investigate’s troubleshooting capabilities for DMARC implementations, it also features a number of Compliance Profiles that you can check your sending services against to make sure they’re compliant with the UK Minimum Cyber Security Standard, US Binding Operational Directive 18-01, or Google and Yahoo’s Bulk Sending requirements.
It also ties in with your Email Sources asset list so you can see which app is using which SPF mechanism and DKIM selector, and if they’re properly authenticated.
Inventory of email assets
Red Sift OnDMARC’s Email Sources view provides a comprehensive inventory of assets per domain. It enables you to categorize email-sending sources as assets or threats, store SPF components and DKIM selectors for each source, and document key details during DNS configuration.
This feature not only ensures you maintain an always up-to-date inventory, but also allows you to leave notes on internal ownership of each service. By keeping this information within the product, teams are equipped with continuity - ensuring that if team members leave, join, or take over the DMARC project, critical information remains easily accessible.
Valimail
Getting started
Valimail Enforce offers granular DMARC monitoring and reporting for any domains you’ve configured to use with the tool. There are several granular data views to identify services failing DMARC, whether they’re legitimate or nefarious.
Valimail Enforce can also act as the central location for adding or removing sending services in your environment. Similar to OnDMARC, there is a UI where you can change your DMARC policy, add a service to your SPF record, or add a service to authenticate DKIM.
Hosted email records
Traditionally, implementing SPF, DKIM, and DMARC is tedious and error-prone, especially if you control multiple domains across multiple registrars.
Red Sift OnDMARC
Red Sift OnDMARC’s Dynamic Services allows you to solve this problem by controlling these records from within the OnDMARC app. In other words, there’s no need to return to your DNS provider to update any email authentication-related records. Instead, this is done by replacing the static DNS records with OnDMARC's smart records, either via NS delegation for DKIM and DMARC or a new smart TXT record for SPF.
Dynamic Services is laid out in a way that allows you to easily make changes to your email authentication, whether it’s adding additional SPF mechanisms, changing your DMARC policy, or hosting 2048-bit DKIM keys that some DNS hosts do not support.
Valimail
Valimail Enforce can delegate a DMARC record via NS (Nameserver) record to control the DMARC record and policy from a UI. The same steps can be taken to manage DKIM records from the UI. However, the SPF record is different from OnDMARC’s Dynamic SPF. Valimail uses SPF-based macros - more on this below.
Hosted SPF
Sender Policy Framework (SPF) is a standard that enables domain owners to specify which mail servers are allowed to send emails on their behalf. By checking the SPF record in DNS, receiving servers can verify if an email comes from a trusted source, helping to combat spoofing and phishing attacks.
One limitation of SPF is the 10-DNS-lookup limit, which can result in legitimate emails failing verification if too many services are included in the record. Proper SPF management is key to maintaining reliable email delivery and protecting your domain’s reputation.
Hosted SPF simplifies this process by allowing you to delegate SPF setup with a single DNS update. Once in place, any future adjustments—such as adding or removing authorized servers—can be made without further DNS edits, making it a faster and more secure solution.
Red Sift OnDMARC
OnDMARC’s Dynamic SPF feature solves the 10 lookup limit by enabling you to use a single dynamic include to combine all authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation and means your email deliverability will never be impacted.
Red Sift OnDMARC allows you to add any include mechanism for any provider. This means that you’re not limited to preconfigured assets like you are with some other DMARC providers. As and when you need to configure SPF for any new sources you have, you can manage this with a single click.
Dynamic SPF dynamically flattens and compacts IP records and so does not rely on a macro-based approach. Though macros are widely used, they are not always supported by legacy email infrastructure, which results in the entire SPF authentication failing and mail not being delivered.
To avoid these types of deliverability issues, Dynamic SPF supports macros but does not rely on them, ensuring 100% compatibility with all legacy email structures, gateways, and receivers, meaning email deliverability is never impacted.
Valimail
Valimail has an SPF solution called Instant SPF that helps customers overcome the 10 SPF lookup limit.
Valimail Instant SPF will host the record for you, thereby taking over the authentication process for all senders, including third-party ones. Having a DMARC vendor take over the management of records can be preferable for businesses that prefer a managed service and are happy to hand over control of their email security setup. However, it is important to note that with this approach, there's no easy way to know what include mechanisms Valimail has in its platform, or whether they are accurate. This can make it difficult to export records at a later date if you are switching providers, for example.
Valimail’s Instant SPF is macro-based. Although macros are widely used, they are not always supported by legacy email infrastructure. When an email goes to an unsupported receiver, the entire authentication fails, causing catastrophic deliverability issues. According to an academic study on SPF, around 25% of SMTP servers fail to properly expand SPF macros.
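The 10-lookup limit and the macro dependence discussed in this section can both be checked for any SPF record before you commit to a hosting approach. The following is an added example, not code from Red Sift or Valimail: it walks a record tree, counts the terms that RFC 7208 charges against the limit (include, a, mx, ptr, exists, redirect), and lists terms that need macro expansion. The ZONE data and every domain name in it are constructed stand-ins for live DNS.

```python
import re

# Constructed TXT records standing in for live DNS (all names are hypothetical).
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.test include:_spf.crm.test "
                    "include:_spf.helpdesk.test a mx ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test "
                      "include:_c.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.test": "v=spf1 include:_x.crm.test mx exists:%{i}._chk.crm.test ~all",
    "_x.crm.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.helpdesk.test": "v=spf1 a:out.helpdesk.test ~all",
    "flat.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
    "macro.test": "v=spf1 include:%{i}._ip.%{d}._spf.vendor.test ~all",
}

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MACRO = re.compile(r"%\{[a-zA-Z]")
SPF_LOOKUP_LIMIT = 10


def audit_spf(domain, zone=ZONE, _path=()):
    """Return (lookups, macro_terms) for the SPF record tree rooted at domain."""
    if domain in _path:                      # include loop: stop descending
        return 0, []
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, []
    lookups, macros = 0, []
    for term in record.split()[1:]:
        body = term.lstrip("+-~?").lower()   # drop the qualifier
        m = re.match(r"([a-z0-9]+)(?:[:=](\S+))?", body)
        if m is None:
            continue
        name, arg = m.group(1), m.group(2) or ""
        if MACRO.search(term):
            macros.append(term)
        if name in LOOKUP_TERMS:
            lookups += 1
            # Macro targets depend on the sender and source IP at query time,
            # so only static include/redirect targets are followed here.
            if name in ("include", "redirect") and "%{" not in arg:
                sub_lookups, sub_macros = audit_spf(arg, zone, _path + (domain,))
                lookups += sub_lookups
                macros += sub_macros
    return lookups, macros


def verdict(domain, zone=ZONE):
    """Summarise whether a record would permerror and whether it needs macros."""
    lookups, macros = audit_spf(domain, zone)
    return {"domain": domain, "lookups": lookups,
            "over_limit": lookups > SPF_LOOKUP_LIMIT, "macro_terms": macros}


if __name__ == "__main__":
    for name in ("example.test", "flat.test", "macro.test"):
        print(verdict(name))
```

A record that reports `over_limit` produces an SPF permerror at receivers that enforce the limit, and any entry in `macro_terms` marks a dependency on the receiver expanding macros correctly.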
Hosted DKIM
DomainKeys Identified Mail (DKIM) is a protocol that uses cryptographic signatures to verify the legitimacy and integrity of emails, ensuring they haven't been altered during transit. Unlike SPF, DKIM allows emails to pass through multiple mail systems, including forwarders, while still being verifiable, which is crucial for passing DMARC checks. Implementing DKIM across all emails helps protect against tampering.
Certain email providers, such as Google Gmail, display alerts for messages that lack proper authentication.
Hosted DKIM makes managing DKIM easier by enabling you to delegate its setup with a single DNS update. Once configured, all future tasks—like adding, rotating, or removing selectors—can be handled without further DNS adjustments, saving time while improving security and efficiency.
Red Sift OnDMARC
Red Sift OnDMARC includes Hosted DKIM through its Dynamic Services interface. This feature provides secure hosting for DKIM DNS records, allowing you to set up DKIM for your email services quickly and reliably. The platform also validates the keys you input, helping to prevent common errors that could disrupt email delivery.
Valimail
Valimail also offers Hosted DKIM.
Hosted MTA-STS
Mail Transfer Agent Strict Transport Security (MTA-STS) is a security standard that ensures the secure transmission of emails over an encrypted SMTP connection. By integrating MTA-STS into a DMARC product, domain owners can more effectively centralize the controls and configuration of all their protocols.
Red Sift OnDMARC
Hosted MTA-STS is part of OnDMARC’s Dynamic Services interface. After you have added Smart Records to your domain’s DNS, it will host the MTA-STS policy file, maintain the SSL certificate, and flag any policy violations through the TLS report.
The hosting of the record alleviates the need to go back to your DNS to make changes, saving time and avoiding manual configuration errors.
Valimail
Valimail does not offer hosted MTA-STS.
BIMI
Brand Indicators for Message Identification (BIMI) is an email standard that enables businesses to show their brand logo in the avatar slot of the DMARC-authenticated emails they send. This has been proven to improve open rates by 39% and increase brand recall by 44%.
Red Sift OnDMARC
Red Sift OnDMARC’s BIMI feature is the only integrated BIMI and Verified Mark Certificate (VMC) solution available on the market. It guides you through the full BIMI application process and even helps you obtain a VMC without having to go directly to the Certificate Authority (CA). Issuing VMCs has historically been a tedious process but Red Sift’s integrated process aims to make it easier.
BIMI implementation with Red Sift includes end-to-end support from its Customer Success team. Another advantage is that a free VMC license is included in OnDMARC’s Enterprise tier so organizations don’t need to secure additional budget for BIMI.
Entrust has publicly confirmed that Red Sift OnDMARC is its preferred DMARC partner. OnDMARC is the only DMARC solution using Entrust’s API.
Valimail
Valimail has a hosted BIMI solution called Amplify.
While Valimail has a public partnership with DigiCert, the company has not publicized any information on automation relating to VMC issuance inside Amplify.
Without this automation, Amplify customers should expect increased manual effort and communication between themselves, Valimail, and the CA before the VMC can be issued and the organization can become BIMI-ready.
Customer Success
Another important consideration for a DMARC project is the time it will take to reach full protection quickly and safely because, in a world of unrelenting cyber attacks, speed is of the essence. One way to ensure speedy progression to enforcement is by leveraging a vendor’s Customer Success team.
Red Sift OnDMARC
Red Sift includes services from its Customer Success Engineering (CSE) team at the Enterprise level. The team has global coverage, offering deep technical expertise for all email authentication standards (DMARC, SPF, DKIM, MTA-STS, and BIMI).
Red Sift CSEs are experienced in the most complex DMARC implementations at companies like Capgemini, ZoomInfo, and Telefonica, amongst others. Red Sift’s Customer Success is highly regarded by its enterprise customers, including Holland and Barrett, ZoomInfo, and TalkTalk.
The quality of Red Sift’s Customer Success is reflected in its high feedback scores; 62 for NPS and 88 for CSAT. Robust customer feedback was one of the main reasons Cisco gave for selecting Red Sift OnDMARC as its DMARC solution of choice.
Valimail
Valimail’s pricing page suggests that it offers a multitude of support options. However, “enhanced support”, “premier support”, and “technical account manager” are marked as add-ons, so they will need to be purchased separately.
It claims that with Valimail, “you can reach highly accurate and continuous protection in <180 days”.
Despite more advanced technical support being an add-on and time to enforcement averaging 25 weeks, Valimail support is frequently reviewed by its customers as being very reliable.
DNS configuration monitoring
Threats are becoming increasingly sophisticated, with tactics like SubdoMailing enabling attackers to bypass DMARC and send fraudulent emails that appear legitimate. These attacks often target misconfigured or inactive DNS records and subdomains, underscoring the importance of maintaining strong DNS hygiene. Implementing DNS configuration monitoring provides an additional layer of security, helping organizations proactively identify and address vulnerabilities.
Red Sift OnDMARC
Red Sift OnDMARC includes DNS Guardian, a feature that enables you to quickly identify and resolve potential vulnerabilities within your DNS, such as those resulting from domain takeovers, SubdoMailing attacks, dangling DNS records and CNAME takeovers. It provides actionable guidance on how to resolve an issue when it has been detected and what exactly to look for in your DNS.
By combining advanced DNS knowledge with Red Sift ASM’s dynamic inventory of public-facing assets, Red Sift OnDMARC provides a unique level of visibility into your domain infrastructure. This capability helps proactively mitigate risks from attacks like SubdoMailing and ensures your domains remain secure.
Valimail
Valimail does not include DNS configuration monitoring as part of its feature set.
Embedded LLM assistant
Large Language Models (LLMs) and AI assistants like GPT-4 offer significant value by providing quick answers and troubleshooting support. However, for security teams, these tools often aren't integrated into existing workflows or customized with cybersecurity-specific intelligence, which can limit their effectiveness. When vendors embed this advanced technology into security processes, it adds substantial value by saving time and streamlining workflows.
Red Sift OnDMARC
Red Sift OnDMARC integrates with Red Sift Radar, making it the first DMARC application to include an embedded, specialized LLM. This feature helps you identify misconfigurations, syntax errors, and exposures in your email system that could compromise its integrity. If you're implementing DMARC, this integration can accelerate issue detection and support a quicker progression to DMARC enforcement (p=reject), ensuring that robust email security policies are effectively enforced.
Valimail
At the time of publication, Valimail does not offer an LLM or an AI assistant.
APIs
Red Sift OnDMARC
OnDMARC has a REST API that can be used to integrate with your custom dashboards and other internal systems. All endpoints are documented here with working examples; from managing every aspect of Dynamic Services and your email sources to creating your own charts from reporting data. You can also add and remove domains, configure alerts, or analyze any domain programmatically.
Valimail
According to its documentation, the API integration provided by Valimail is restricted to reporting on Sender and Unidentified Senders, offering no capabilities for domain auditing or reporting on policy enforcement. Additionally, there are no configuration options available to manage SPF, DKIM, or DMARC records programmatically.
Sharing email intelligence with other tools
OnDMARC
Red Sift OnDMARC is one of a handful of providers with a proprietary Spamhaus data feed that flags bad actors as well as legitimate sources that may be getting flagged and causing deliverability issues.
It is also one of just two vendors that boast the Yahoo forensics feed that enhances forensic reporting.
Red Sift OnDMARC is one of four interoperable products on the Red Sift Pulse Platform. OnDMARC and Brand Trust, Red Sift’s impersonation discovery application, sync to automatically add your domain assets into Brand Trust and then start looking for similar domains that may be impersonating your brand.
Valimail
Valimail does not offer any other cybersecurity solutions at this time. We’re not aware of any integrations with broader cybersecurity platforms.
Which one to choose?
Deciding between Red Sift OnDMARC and Valimail ultimately comes down to the business problems you are looking to solve.
If you are an enterprise customer embarking on a DMARC implementation with no need for BIMI or MTA-STS and a healthy budget for Professional Services, Valimail is the vendor to consider. If you’re a business seeking a DMARC product that has some of the most advanced DMARC capabilities on the market, and partnerships with industry giants like Cisco and Microsoft, Red Sift offers a solid path forward.
Learn more about Red Sift OnDMARC here.