Overview

The current state of BIMI

BIMI is an emerging email specification that enables the use of brand-controlled 'indicators' (like a logo or icon) within supporting email clients.

At Mailhardener we receive a lot of questions from customers that have set up the BIMI DNS records for their domain, and yet none of the email inboxes will show their brand indicator. This leads us to believe that BIMI is poorly understood, and that the current state of BIMI support amongst email inbox providers is often misjudged.

So, in this blog post we'll look at what the current state of BIMI is, and answer some common questions.

NOTE: The BIMI standard is still under development, and the BIMI ecosystem is still changing very rapidly. We'll update this article accordingly.

This article was last updated in July 2021.

Updates:

NEW: Mailhardener BIMI asset hosting

Mailhardener now supports hosting BIMI assets (VMCs) directly from your Mailhardener dashboard. Mailhardener BIMI asset hosting takes care of all the technical aspects of BIMI, ensuring your BIMI logo will always work.

Read more about Mailhardener BIMI asset hosting

What is BIMI?

BIMI (Brand Indicators for Message Identification) is a new proposal for an email standard which allows for stronger brand validation in email clients. Email clients that support BIMI will be able to show an 'indicator' (logo, icon, or other image) and some indication that a sender is authentic. To prove that a brand indicator is authentic, a special type of digital certificate known as a Verified Mark (VM) certificate is used.

Think of BIMI like the equivalent of verified accounts on social media platforms such as Twitter and Facebook.

Screenshot of a Gmail inbox, showing an email from CNN with BIMI indicator

The AuthIndicators Working Group, the authors of the BIMI standard, make no secret that the intention of BIMI is to drive adoption of the DMARC email security standard. You must have DMARC implemented for BIMI to work. BIMI is like a reward that you get for implementing DMARC (and therefore SPF and DKIM).

For BIMI to work, the domain used in the sender address of an email must publish a BIMI DNS record in its DNS zone. This BIMI DNS record must contain a URI to an SVG indicator file, and a URI to a VM certificate file that corresponds to the indicator file and the domain name.
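To make the shape of that record concrete, here is a small checker, added as an example for this article (it is not Mailhardener's validator, and the record values are constructed, not taken from any real domain). It assumes the BIMI TXT record format `v=BIMI1; l=<svg URI>; a=<VMC URI>` published at `default._bimi.<domain>`, and it treats the DMARC prerequisite the article mentions as "policy must be quarantine or reject", which is what the BIMI draft requires.

```python
from urllib.parse import urlparse

# Constructed sample records for illustration only (example.com is not a real sender).
SAMPLE_BIMI = "v=BIMI1; l=https://bimi.example.com/brand.svg; a=https://bimi.example.com/brand.pem"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"


def bimi_record_name(domain, selector="default"):
    """Name of the TXT record a client queries: <selector>._bimi.<domain>."""
    return f"{selector}._bimi.{domain}"


def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record into a dict (keys lower-cased, values stripped)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_uri(value, tag):
    """Asset URIs must be https; an empty l= is the spec's way of saying 'no indicator'."""
    if value == "":
        return []
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        return [f"{tag}= must be an https URI, got {value!r}"]
    return []


def validate_bimi(bimi_txt, dmarc_txt=None):
    """Return a list of problems with a BIMI record; an empty list means it passes these checks."""
    problems = []
    tags = parse_tags(bimi_txt)

    # The version tag must come first and be exactly v=BIMI1.
    if bimi_txt.split(";")[0].strip() != "v=BIMI1":
        problems.append("record must start with v=BIMI1")

    # l= points to the SVG indicator.
    if "l" not in tags:
        problems.append("missing l= (indicator location) tag")
    else:
        problems += check_uri(tags["l"], "l")

    # a= points to the VM certificate. The draft marks it optional, but in practice
    # no provider displays an indicator without it (see the article).
    if not tags.get("a"):
        problems.append("no a= (VMC) URI: providers will not display the indicator without a certificate")
    else:
        problems += check_uri(tags["a"], "a")

    # DMARC prerequisite: an enforcing policy (assumption: quarantine or reject, per the BIMI draft).
    if dmarc_txt is not None:
        dmarc = parse_tags(dmarc_txt)
        if dmarc.get("p") not in ("quarantine", "reject"):
            problems.append("DMARC policy must be p=quarantine or p=reject for BIMI")

    return problems


if __name__ == "__main__":
    print(bimi_record_name("example.com"))
    print(validate_bimi(SAMPLE_BIMI, SAMPLE_DMARC) or "record looks fine")
```

Querying the record for a real domain is a plain TXT lookup of `default._bimi.<domain>`; the checker above only covers record syntax and the DMARC prerequisite, not whether the SVG and the certificate at those URIs are valid.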

For our full write-up on the BIMI standard, and how to implement it, please refer to our main BIMI article in our knowledge base.

BIMI specification status

As of writing, the BIMI standard is still in its proposal stage.

If you have already created a BIMI DNS record for your domain, the most relevant changes from BIMI-00 to BIMI-01 are:

You can use our BIMI validator service to verify your BIMI record against the latest BIMI standard.

Although the BIMI specification still marks the VM certificate as optional, it is not expected that any email provider will ever display BIMI indicators without a valid certificate. Compare this with self-signed web server certificates: technically they are allowed, but they are not usable in practice.

Email provider support

Currently, only Google (Gmail) and Yahoo Mail have limited support for BIMI. On July 21st 2020, Google announced that it would run a pilot program for BIMI, in which the BIMI indicator is displayed in Gmail for a select group of senders. Google has stated that it accepts Entrust Datacard and DigiCert as trusted authorities for Verified Mark Certificates.

BIMI adoption infographic as released by the BIMI workgroup, June 2020. Source: https://bimigroup.org/bimi-adoption-june-2020/

Comcast, Fastmail and Seznam.cz have declared intent to adopt BIMI.

What is a Verified Mark certificate?

A Verified Mark (VM) certificate is a certificate that proves that the domain from which the email is sent is the legal holder of the trademark. A 'brand mark' can consist of an 'indicator' (logo, icon or other image), a name and trademark numbers.

From a technical perspective, a VM certificate is the same type of X.509 certificate that is used to secure web servers. What distinguishes a VM certificate from a regular web server certificate is the inclusion of a number of extensions that embed the brand mark information.

Verified Mark certificates are, by definition, Extended Validation (EV) certificates. The Certificate Authority (where you buy the certificate) will have to verify with your local trademark office that you indeed hold the rights to the supplied name, indicator and domain. Apart from the indicator, a VM certificate can also hold various trademark identification numbers.

As you can imagine, validation of the brand indicator is quite an involved process. The CA must work with the relevant trademark offices to validate the supplied artwork and trademark numbers.

At the time of writing, only DigiCert and Entrust Datacard are accepted as issuers of BIMI certificates. It is expected that more certificate authorities will offer VM certificates in the future.

However, neither DigiCert nor Entrust Datacard is currently offering the certificates for sale. DigiCert does have a product page set up for VMCs, but prices are not yet public.

As of writing, Mailhardener has indexed only a few valid VMCs, for domains such as cnn.com, LinkedIn.com and ebay.com.

Why is my BIMI indicator not shown?

At Mailhardener we often receive questions from our customers who have created a BIMI DNS record, but still don't see their brand indicator in the inbox.

The reality is that only a handful of email providers (Google, Yahoo) currently have support for BIMI. Both Google and Yahoo are currently running a limited pilot, often restricted to a handful of senders. They also mandate a valid VM certificate, which is not yet available to the public.

Although the BIMI draft proposal suggests that the BIMI certificate is optional, in reality you're going to need a VM certificate for BIMI to work. Without certificate validation, it would be trivial for fraudulent actors to attach a genuine brand indicator to a phishing email.

Conclusion

At the time of writing, BIMI is not yet usable for mainstream email senders.

For BIMI to actually work, you must follow these steps:

From now on, the Mailhardener dashboard indicates if BIMI is implemented for the domain. Currently, the implementation (or lack thereof) of BIMI in a domain does not count towards the security rating of a domain.

Mailhardener dashboard showing BIMI support in the domain security rating overview
