Red Sift OnDMARC: The best Valimail alternative for DMARC

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place. 

Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimail alternatives on the market. 

Red Sift OnDMARC overview

Red Sift OnDMARC is an industry-leading, automated DMARC application that helps organizations take back control of their email reputation and stop unauthorized use of their email-sending domains. By offering step-by-step implementation guidance, simplified management of DKIM and SPF, and clear, easy-to-understand DMARC reports and dashboards that provide insight into both sending services and domain health, OnDMARC enables brands to achieve DMARC enforcement (p=reject) quickly and effectively.

From November 2023, Red Sift is the new partner for Cisco Domain Protection.

Valimail overview

Valimail is an enterprise-focused DMARC vendor. According to their website, they “protect your domains and improve email deliverability with [their] best-of-breed solution that offers advanced sending service intelligence, unlimited SPF lookups, and contextual analytics.” 

Valimail has two products, Monitor and Enforce. DMARC Monitor is a free DMARC visibility and monitoring tool. Enforce is Valimail’s paid, automated DMARC application. For the purposes of this blog, we will focus on Valimail Enforce.

The comparison tl;dr

While Red Sift OnDMARC and Valimail Enforce are both designed to help security teams take back control of their email reputation and secure their domains from exact domain impersonation attacks, the key differences between these solutions are their users, features, speed to enforcement, and integrations. 

Red Sift OnDMARC focuses on expedited time to enforcement by making it easy to audit existing email-sending environments, troubleshoot setups with Investigate, and automate the management of DMARC, DKIM, SPF, and MTA-STS with Dynamic Services. It boasts an average 6-8 week enforcement timeline. OnDMARC also offers hosted MTA-STS and the only end-to-end BIMI solution on the market with integrated VMC provisioning. Additionally, OnDMARC uniquely bridges the gap between DMARC and DNS to prevent domain takeovers like SubdoMailing, thereby mitigating the risks of spam and impersonation.

Red Sift OnDMARC is used by leading organizations across a wide variety of industries. Red Sift has over 1,000+ global customers including Capgemini, Domino’s, TUI, Telefonica, and ZoomInfo. 

Red Sift is ISO 27001:2022 and SOC 2 Type II certified, a member of CyberExchange and the Global Cyber Alliance.

You can sign up for an OnDMARC 14-day free trial with access to all features from the Red Sift website.

Valimail Enforce is an enterprise-focused DMARC product. It is the DMARC product of choice for a large number of enterprises such as Uber, Yelp, and Splunk and has strong customer feedback on review sites. 

Valimail has a range of enterprise features including Instant SPF and forensic reporting. They do not offer an integrated BIMI and VMC solution, the ability to host and manage MTA-STS records, or troubleshooting tools. 

Valimail is SOC 2 Type II certified and FedRAMP authorized, proving their standardized approach to security assessment.

You cannot sign up for a free trial of Valimail Enforce from their website.

Red Sift OnDMARC 
Valimail Enforce
Average time to enforcement
32 weeks
Reporting (aggregate and forensic)
Dynamic SPF
✅ (macro-based)
Hosted MTA-STS
Hosted BIMI with VMC integration
Hosted DKIM
DNS Configuration Monitoring
Investigate tool
Customer Sucess Engineer included at Enterprise level

Let’s get into the nitty-gritty of how these two applications compare 👇

Ease of provisioning and changes

Without effective technology, DMARC can be a complex and time-consuming protocol to understand and implement. This makes it all the more important to ensure that provisioning is quick and simple.

Red Sift OnDMARC

Getting started 

Once you’ve signed up for OnDMARC’s free trial, you’ll come into the ‘My domains’ view where all the domains that are managed by OnDMARC will be displayed with visual indicators for each email security protocol and its status. 

To get started, you’ll need to run through a simple, three-step ‘add domain’ flow to load in the domains that you want to protect. You’ll be prompted to select between setting up Dynamic Services or managing your records manually. Dynamic Services allows you to manage your DMARC records from right inside the OnDMARC interface without needing to access your DNS, helping to avoid making manual configuration errors and ensuring that your journey to full protection is fast and efficient.

Once you’ve deleted email record management to OnDMARC and added the provided smart record to your DNS, you usually have to wait for up to 24 hours for DMARC reports to arrive – one of the main reasons why DMARC projects can be time-consuming.

Configuration troubleshooting

What makes Red Sift OnDMARC different from all other tools on the market is its Investigate feature. It allows you to test configuration updates in real-time rather than waiting for DMARC data to arrive over 24 hours, drastically reducing the time needed for a DMARC project and speeding up the time needed until full protection is reached. 

Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable.

Check your DMARC record and other key protocols now

It also ties in with your Email Sources asset list so you can see which app is using which SPF mechanism and DKIM selector, and if they’re properly authenticated.

Email record management

Traditionally, implementing SPF, DKIM, and DMARC is tedious and error-prone, especially if you control multiple domains across multiple registrars.

Red Sift OnDMARC’s Dynamic Services allows you to solve this problem by controlling these records from within the OnDMARC app. In other words, there’s no need to return to your DNS provider to update any email authentication-related records. Instead, this is done by replacing the static DNS records with OnDMARC’s smart records, either via NS delegation for DKIM and DMARC or a new smart TXT record for SPF.

Dynamic Services is laid out in a way that allows you to easily make changes to your email authentication. Whether it’s adding additional SPF mechanisms, changing your DMARC policy, or hosting 2048-bit DKIM keys that some DNS hosts do not support.

SPF management

OnDMARC’s Dynamic SPF feature solves the 10 lookup limit by enabling you to use a single dynamic include to combine all authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation and means your email deliverability will never be impacted. 

Red Sift OnDMARC allows you to add any include mechanism for any provider. This means that you’re not limited to preconfigured assets like you are with some other DMARC providers. As and when you need to configure SPF for any new sources you have, you can manage this with a single click. 

Dynamic SPF dynamically flattens and compacts IP records and so does not rely on a macro-based approach. Though macros are widely used, they are not always supported by legacy email infrastructure which results in the entire SPF authentication failing and mail not being delivered. 

To avoid these types of deliverability issues, Dynamic SPF supports macros but does not rely on them, ensuring 100% compatibility with all legacy email structures, gateways, and receivers meaning email deliverability is never impacted. 


Getting started 

Valimail Enforce offers granular DMARC monitoring and reporting for any domains you’ve configured to use the tool with. There are several granular data views to identify services failing DMARC, whether they’re legitimate services or nefarious.

Valimail Enforce can also act as the central location for adding or removing sending services in your environment. Similar to OnDMARC, there is a UI where you can change your DMARC policy, add a service to your SPF record, or add a service to authenticate DKIM.

Configuration troubleshooting

Valimail Enforce does not offer a troubleshooting tool. Users are required to wait up to 24 hours for DMARC reports to arrive before they can begin remediating issues uncovered in the reports.

Email record management

Valimail Enforce can delegate a DMARC record via NS (Nameserver) record to control the DMARC record and policy from a UI. The same steps can be taken to manage DKIM records from the UI. However, the SPF record is different from OnDMARC’s Dynamic SPF. Valimail uses SPF-based macro – more on this below.

SPF management

Valimail has an SPF solution called Instant SPF that helps customers overcome the 10 SPF lookup limit. 

Valimail Instant SPF will host the record for you, thereby taking over the authentication process for all senders, including third-party ones. Having a DMARC vendor take over the management of records can be preferable for businesses that prefer a managed service and are happy to hand over control of their email security setup. However, it is important to note that with this approach, there’s no easy way to know what includes Valimail has in its platform, or whether they are accurate. This can make it difficult to export records at a later date if you are switching providers, for example. 

Valimail’s Instant SPF is macro-based. Although macros are widely used, they are not always supported by legacy email infrastructure. When an email goes to an unsupported receiver, the entire authentication fails causing catastrophic deliverability issues. According to an academic study on SPF, around 25% of SMTP servers fail to properly expand SPF macros.

Hosted MTA-STS

Mail Transfer Agent Strict Transport Security (MTA-STS) is a security standard that

ensures the secure transmission of emails over an encrypted SMTP connection. By integrating MTA-STS into a DMARC product, domain owners can more effectively centralize the controls and configuration of all their protocols.

Red Sift OnDMARC

Hosted MTA-STS is part of OnDMARC’s Dynamic Services interface. After you have added Smart Records to your domain’s DNS, it will host the MTA-STS policy file, maintain the SSL certificate, and flag any policy violations through the TLS report.

The hosting of the record alleviates the need to go back to your DNS to make changes, saving time and avoiding manual configuration errors.


Valimail Enforce does not offer hosted MTA-STS.


Brand Indicators for Message Identification (BIMI) is an email standard that enables businesses to show their brand logo in the avatar slot of the DMARC-authenticated emails they send. This has been proven to improve open rates by 39% and increase brand recall by 44%.

Red Sift OnDMARC

Red Sift OnDMARC’s BIMI feature is the only integrated BIMI and Verified Mark Certificate (VMC) solution available on the market. It guides you through the full BIMI application process and even helps you obtain a VMC without having to go directly to the Certificate Authority (CA). Issuing VMCs has historically been a tedious process but Red Sift’s integrated process aims to make it easier.

BIMI implementation with Red Sift includes end-to-end support from its Customer Success team. Another advantage is that a free VMC license is included in OnDMARC’s Enterprise tier so organizations don’t need to secure additional budget for BIMI.

Entrust has publicly confirmed that Red Sift OnDMARC is its preferred DMARC partner. OnDMARC is the only DMARC solution using Entrust’s API. 


Valimail has a hosted BIMI solution called Amplify.

While Valimail has a public partnership with Digicert, the company has not publicized any information on automation relating to VMC issuance inside Amplify. 

Without this automation, Amplify customers should expect increased manual effort and communication between themselves, Valimail, and the CA before the VMC can be issued and the organization can become BIMI-ready. 

DNS Configuration Monitoring

Traditionally DMARC products focus on email authentication and do not include DNS configuration monitoring. However, given the rise in SubdoMailing attacks – where attackers exploit misconfigured or deprovisioned subdomains to send “authenticated” spam – vendors offering this functionality provide a crucial and innovative layer of security.


With Red Sift OnDMARC’s DNS Guardian, security teams can swiftly identify and stop malicious mail that bypasses DMARC, including spam from domain takeovers, SubdoMailing attacks, dangling DNS, and CNAME takeovers.

Through its deep expertise in DNS and by leveraging Red Sift ASM’s continuously updated inventory of public-facing assets, Red Sift is the only DMARC provider that can surface the level of domain detail required to prevent takeover attacks like SubdoMailing. 


Valimail does not offer DNS Configuration Monitoring.

Customer Success

Another important consideration for a DMARC project is the time it will take to reach full protection quickly and safely because, in a world of unrelenting cyber attacks, speed is of the essence. One way to ensure speedy progression to enforcement is by leveraging a vendor’s Customer Success team.

Red Sift OnDMARC

Red Sift includes services from its Customer Success Engineering (CSE) at the Enterprise level. The team has global coverage, offering deep technical expertise for all email authentication standards (DMARC, SPF, DKIM, MTA-STS, and BIMI).

Red Sift CSEs are experienced in the most complex DMARC implementations at companies like Capgemini, ZoomInfo, and Telefonica, amongst others. Red Sift’s Customer Success is highly regarded by its enterprise customers, including Holland and Barrett, ZoomInfo, and TalkTalk

The quality of Red Sift’s Customer Success is reflected in their high feedback scores; 62 for NPS and 88 for CSAT. Robust customer feedback was one of the main reasons Cisco gave for selecting Red Sift OnDMARC as its DMARC solution of choice.


Valimail’s pricing page suggests that they offer a multitude of support options, however, “enhanced support”, “premier support”, and “technical account manager” are marked as add-ons, so will need to be purchased separately. 

They claim that with them, “you can reach highly accurate and continuous protection in <180 days”.

Despite more advanced technical support being an add-on and time to enforcement averaging 25 weeks, Valimail support is frequently reviewed by its customers as being very reliable.


Red Sift OnDMARC

OnDMARC has a REST API that can be used to integrate with your custom dashboards and other internal systems. All endpoints are documented here with working examples; from managing every aspect of Dynamic Services and your email sources to creating your own charts from reporting data. You can also add and remove domains, configure alerts, or analyze any domain programmatically.


According to their documentation, the API integration provided by Valimail is restricted to reporting on Sender and Unidentified Senders, offering no capabilities for domain auditing or reporting on policy enforcement. Additionally, there are no configuration options available to manage SPF, DKIM, or DMARC records programmatically. 

Sharing email intelligence with other tools


Red Sift OnDMARC is one of a handful of providers with a proprietary Spamhaus data feed that flags bad actors as well as legitimate sources that may be getting flagged and causing deliverability issues.

It is also just one of two vendors that boast the Yahoo forensics feed that enhances forensic reporting. 

Red Sift OnDMARC is one of four interoperable products on the Red Sift Pulse Platform. OnDMARC and Brand Trust, Red Sift’s impersonation discovery application, sync to automatically add your domain assets into Brand Trust and then start looking for similar domains that may be impersonating your brand.


Valimail does not offer any other cybersecurity solutions at this time. We’re not aware of any integrations with broader cybersecurity platforms.

So, which one to choose?

Deciding between Red Sift OnDMARC and Valimail ultimately comes down to the business problems you are looking to solve.

If you are an enterprise customer embarking on a DMARC implementation with no need for BIMI or MTA-STS and a healthy budget for Professional Services, Valimail is the vendor to consider. If you’re business seeking a DMARC product that has some of the most advanced DMARC capabilities on the market, and partnerships with industry giants like Cisco and Microsoft, Red Sift offers a solid path forward.

Learn more about Red Sift OnDMARC here.


Francesca Rünger-Field

23 Feb. 2024



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to Latest update: 27th June 2024 Sansec, a…

Read more