Verify what's real.
Table_Of_Contents
Introduction
We're thrilled to announce Outtake Verify: the email security product that guarantees you’re communicating with trusted counterparties. Designed for enterprise teams and executives that use email for sensitive workflows,
Verify is a simple browser extension that cryptographically signs emails with your unique device Passkey or your World ID- ensuring official communication is unmistakable and preventing vendor or executive impersonation or account takeover.
It's free, easy to deploy, and available now. In this post, we'll explain why email desperately needs this authentication layer, and how Verify delivers it.
Ready to never second-guess an email again?
figure 1
Watch our launch video to see how simple Verify really is.
The Pain: Email's Lack of Trust is Costing Billions
Situation: Early on at Outtake our team was flooded with phishing emails claiming to be me (Alex). They varied in sophistication and in what they requested from us: personal details, phone numbers, invoices, etc.
figure 2
One of the funnier, but less sophisticated phishing attempts we received
This problem is foundational in email. Email was built in the 1970s for messaging, not security. Anyone can spoof a domain, hijack an account, or craft convincing fakes.
And this lack of built in email security costs enterprises billions. 90% of data breaches start with a phishing email. In 2023 alone, the FBI reported $2.9 billion in losses from business email compromise (BEC) scams.
With generative AI enabling near zero cost for highly personalized and effective phishing campaigns, traditional email security providers are stuck in an accelerated arms race to distinguish real emails from the fakes.
As we swiped Junk on more and more fake emails, we became frustrated with why emails themselves weren’t properly authenticated. With the latest advances in passkey technologies and new email protocol standards like RFC 5322, we knew this was now possible.
So we decided to build that deterministic authentication layer.
figure 3
In 2023, Business Email Compromise (BEC) caused $2.95B in losses, making it the second costliest cybercrime after investment scams.
Meet Outtake Verify: Identity Built Into Every Email
Outtake Verify isn’t like existing SEGs (Secure Email Gateways) that set rules and probabilistically filter out spam and phishing emails. Instead, Outtake Verify is a deterministic process that allows senders to verify their identity on-the-fly when they send sensitive emails - preventing both impersonation and account takeovers. Verified emails will appear with a "Verified Badge" to recipients who have the extension installed, illustrating who actually pressed the Send button with 100% certainty.
Verify can be layered in an enterprise’s existing email security stack to require Verification on workflows that meet certain sensitivity criteria or to enable focused inboxes for Verified messages, filtering out all unverified messages.
figure 4
A short video showcasing Verify’s user experience.
How It Works: Sophisticated Tech, Simple Experience
Verify blends cutting-edge cryptography with effortless biometric or device-based verification built on FIDO standards, all without storing or transmitting your raw emails to Outtake’s servers. Here's the high-level breakdown:
- Secure Onboarding: Verify Yourself using your Device Passkey or World ID App
Participating organizations first onboard by verifying ownership of their domain, logo, and other relevant business assets.
When employees signup, their name, role and organization are registered at verify.outtake.ai. We secure this onboarding by validating enterprise domains via DNS records and integrating with SSO/HRIS systems. No fakes slip in.
Then, employees register their preferred verification mechanism via authentication partners like World ID or FIDO-standard device passkeys. These verification mechanisms are then used to sign the employee’s emails, which can then be securely tied back to the employee details and their affiliation with a known organization.
figure 5
Verification mechanism a via authentication partner World ID.
- Signing Emails: Biometrics + Passkeys
Users install our Chrome extension (currently for Gmail and Superhuman, with Outlook support coming soon- see our integrations page for details). The extension injects a special "Send Verified" button in your email client; clicking it will challenge the user to prove their identity using their preferred verification provider from step (1). The organization's security admins can set a session length so users only need to re-authenticate every few hours or days on a given device.
Behind the scenes the extension hashes your email content and builds a Merkle Tree (the foundation of Git and Bitcoin) — a tamper-proof structure that securely hashes your message. Only this hash of the email is ever sent to Outtake's servers and stored, everything else happens on your device.
Attackers can't fake this process; they'd need access to your passkeys or biometrics. Yet, to you and your employees, it's as easy as unlocking your device- no IT overhauls required.
figure 6
Highly simplified diagram describing sending a verified email.
- Receiving Emails: Instant Verification Badge
On the recipient's end, Verify rebuilds the Merkle tree from the incoming email and checks it against our database. If the email signatures match, a Verified badge appears in the recipient’s email client, confirming that this email was sent by the expected person. No more second-guessing- you’re sending and receiving emails that you know you can trust.
figure 7
Highly simplified diagram describing verification on the reciever end.
How is this different from legacy solutions?
Email has a long history of email policies, with mixed outcomes. Unlike existing policies like SPF, DKIM, and DMARC, Verify adds a layer that is tied to your identity, so the recipient can trust that you work where you claim to work, and that you are who you claim to be.
Furthermore, unlike S/MIME or PGP/GPG, Verify does not rely on messy encryption, key-sharing, or Web of Trust techniques. Instead, Verify sends your emails as-is; verification occurs in the background via privacy-preserving lookups against a table of verified email hashes.
Finally, although modern email security products using ML to detect phishing are powerful, they still have false positives and false negatives. In contrast Verify’s deterministic nature means messages are either Verified or they are not. This also means Verify does not suffer from the expensive process of training a classifier against your organization's inbox, it does not require cumbersome setup in your email environment, and it will never delay messages from hitting your inbox on time.
figure 8
A comparison chart of Outtake Verify against legacy tech.
Why Enterprises Need Verify: Unbreakable Verification
- Zero Impersonation Risks: Spoofed domains or compromised accounts? Useless without biometrics. Verify ensures only the real person sends "verified" emails, slashing BEC threats.
- Network-Wide Trust: Protection doesn't stop at your inbox—it extends to partners and customers. When you receive verified emails, you know you can trust that counterparty, and vice-versa.
- Resilient and Compliant: No raw data is ever stored or transmitted to our servers, just hashes for verification. It's Zero Trust for email.
- Easy and Free: Deploys in minutes via Chrome—no MX changes or training. And it's free for all enterprises.
figure 9
Verify sits on top of your existing email defenses.
Join the Verified Network Today – Before the Next Attack
Phishing isn't slowing down-it's evolving faster with AI. Don't wait for the next breach. Outtake Verify is your breakthrough: identity built into every email, deterministically.
Join leading cyber-conscious enterprises in securing emails. Request access to our closed beta to learn more today.
figure 10
A sent email being successfully verified with Passkey.
