DigiCert Acquires Valimail: Why It Matters and What to Watch

On September 16, 2025, DigiCert announced its acquisition of Valimail, a long-standing vendor in automated email authentication and inbox logo display. The companies described the deal as integrating “zero-trust email authentication” into DigiCert’s broader digital-trust platform. Financial terms were not disclosed. The announcement emphasizes combining policy and identity controls for email, especially DMARC (Domain-based Message Authentication, Reporting & Conformance) and BIMI (Brand Indicators for Message Identification), into a single vendor experience.

Why this is an interesting acquisition

DigiCert and Valimail have traveled the same customer journey from “secure delivery” to “secure identity” in email for years. BIMI logo display depends on two main components: strong authentication and policy (DMARC plus the underlying SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)), and a mark certificate that verifies the logo and sender identity. DigiCert issues VMCs (Verified Mark Certificates) and CMCs (Common Mark Certificates), while Valimail automates DMARC/SPF/DKIM management. Combining these steps under one umbrella offers a more straightforward path from policy to visible trust signals in the inbox. The companies have a shared history; they partnered in 2020 to streamline DMARC enforcement and VMC issuance for BIMI projects.

This integration also aligns with the direction of the inbox providers. Since early 2024, Google and Yahoo have tightened requirements for bulk senders, mandating domain-aligned SPF/DKIM, published DMARC, and easier unsubscribes, effectively making email authentication a necessity rather than an option. A combined DigiCert-Valimail stack could reduce time-to-compliance by streamlining vendor handoffs between policy setup and certificate procurement.
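To make the two BIMI components described above concrete, here is an added example (not DigiCert's or Valimail's code) that checks a domain's DMARC and BIMI TXT records for an enforcing policy and a published mark certificate. The records are constructed samples for example.com; the function names and the specific checks (p at quarantine or reject, pct=100, sp not none, HTTPS `l=` and `a=` tags) are assumptions based on common BIMI guidance.

```python
# Added illustration; records below are constructed samples, not real DNS data.
# DMARC is published at _dmarc.<domain>, BIMI at default._bimi.<domain> (TXT).

def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_blockers(dmarc_txt, bimi_txt):
    """Return the list of problems blocking logo display; empty means ready."""
    problems = []
    d = parse_tags(dmarc_txt)
    if d.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    else:
        policy = d.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            problems.append("DMARC not at enforcement (p=%s)" % (policy or "missing"))
        if d.get("sp", "").lower() == "none":
            problems.append("subdomain policy is sp=none")
        if d.get("pct", "100") != "100":  # pct defaults to 100 when absent
            problems.append("policy applies to only pct=%s of mail" % d["pct"])
    b = parse_tags(bimi_txt)
    if b.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    else:
        if not b.get("l", "").lower().startswith("https://"):
            problems.append("logo location (l=) is not an HTTPS URL")
        if not b.get("a", "").lower().startswith("https://"):
            problems.append("no mark certificate (a=) published")
    return problems

# Constructed sample records: (DMARC TXT, BIMI TXT)
SAMPLES = {
    "monitoring": ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=BIMI1; l=https://example.com/logo.svg; a="),
    "partial":    ("v=DMARC1; p=quarantine; pct=25", None),
    "ready":      ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/mark.pem"),
}

if __name__ == "__main__":
    for name, (dmarc, bimi) in SAMPLES.items():
        print(name, bimi_blockers(dmarc, bimi) or "ready")
```

The check covers only what is visible in DNS; whether the certificate at the `a=` URL is a valid VMC or CMC for the logo is a separate validation step.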

What it means for the security market

The deal signifies further consolidation as email remains a key initial-access method. By integrating both policy automation (Valimail’s DMARC/SPF/DKIM orchestration) and assertion artifacts (DigiCert’s VMC/CMC), a major CA (Certificate Authority) is merging message-security SaaS and PKI (Public Key Infrastructure) services. Expect competitors from email-security suites and other CAs issuing mark certificates to respond with more comprehensive offerings that include DMARC tools, mark certificates, and deliverability analytics. As mailbox providers continue to reward authenticated senders (Gmail even highlights verified senders with a checkmark for VMC adopters), the standard for a “trust UX” (User Experience) in the inbox keeps rising.

Implications for DigiCert

Strategically, DigiCert secures an entry point into the email ecosystem where IT, marketing, and security teams already collaborate. It can cross-sell into certificate lifecycle management, private PKI, and device identity, while streamlining the BIMI process. When a domain reaches DMARC enforcement, selecting the appropriate VMC/CMC can be presented as a guided next step. Valimail also gains momentum through MSPs (Managed Service Providers), expanding distribution into Microsoft-aligned and mid-market channels. The usual risks of integration remain: support unification, product overlap, and maintaining openness with third-party gateways and certificate ecosystems. Still, the platform story becomes clearer: one provider for policy, proof, and ongoing governance.

Implications for customers of both companies

In the near term, customers should expect continuity with optional “better together” offers that bundle DMARC automation, certificate issuance (VMC/CMC), and implementation guidance. This can reduce project friction for BIMI and help organizations meet Gmail/Yahoo sender rules more quickly. Over time, deeper integration is likely: unified dashboards that show DMARC enforcement status alongside certificate posture; wizards that guide domains from monitoring to strict “reject”; and one-click certificate ordering once prerequisites are met. Buyers should still plan for the basics: validate pricing and packaging updates, confirm that API support and third-party integrations remain top-quality, and ensure RBAC (Role-Based Access Control) and change workflows scale as more identities and policies are managed within a single platform.

Influence on the industry

The acquisition shows that “digital trust” is turning into a platform game. Identity proofs that once existed separately (TLS (Transport Layer Security) certificates for websites, DMARC/SPF/DKIM for email, and artifacts like VMC/CMC for brand verification) are now merging into unified control systems. With a major CA investing in both sides of BIMI, expect quicker development of mark-certificate programs: CMCs expand access by not requiring a registered trademark, while VMCs continue to support registered marks and enable the Gmail checkmark. If DigiCert connects telemetry across DNS (Domain Name System), certificates, and email authentication, we might see new risk scores and automated fixes that dedicated vendors must match, especially as AI makes phishing more scalable and convincing.

Bottom line

DigiCert’s acquisition of Valimail makes sense as a consolidation of related trust layers: policy (DMARC/SPF/DKIM), proof (VMC/CMC), and platform (PKI/cert management). For buyers, the benefit is easier BIMI projects and a more straightforward route to meeting stricter sender standards. For competitors, the challenge of connecting email identity with broader digital-trust systems has increased. The real test will be how quickly DigiCert turns these combined assets into tangible results: reducing spoofs, speeding enforcement, improving deliverability, and ensuring brand logos appear correctly.
