Overview

The current state of BIMI

BIMI is an emerging email specification that enables the use of brand-controlled logos within supporting email clients.

At Mailhardener we receive a lot of questions from customers that have set up the BIMI DNS records for their domain, and yet none of the email inboxes will show their logo. This leads us to believe that BIMI is poorly understood, and that the current state of BIMI support among email inbox providers is often misjudged.

So, in this blog post we'll have a look at what the current state of BIMI is, and answer some common questions.

NOTE: The BIMI standard is still under development, and the BIMI ecosystem is still changing very rapidly. We'll update this article accordingly.

This article has been updated on: September 2020.

What is BIMI?

BIMI (Brand Indicators for Message Identification) is a new proposal for an email standard which allows for stronger brand validation in email clients. Email clients that support BIMI will be able to show a logo, and some indication that a sender is authentic. To prove a brand logo is authentic, a special type of digital certificate known as Verified Mark (VM) certificate is used.

Think of BIMI like the equivalent of verified accounts on social media platforms such as Twitter and Facebook.

Screenshot of Gmail showing BIMI logo of CNN
Screenshot of a Gmail inbox, showing an email from CNN with BIMI logo

The AuthIndicators Working Group, who are the authors of the BIMI standard, make no secret that the intention of BIMI is to drive adoption of the DMARC email security standard. You must have DMARC implemented for BIMI to work. BIMI is like a reward that you get for implementing DMARC (thus SPF and DKIM).

For BIMI to work, the domain that is used in the sender address of an email must publish a BIMI DNS record in the domain's DNS zone (a TXT record at default._bimi.<domain>). This BIMI DNS record must contain a URI to an SVG logo file, and a URI to a VM certificate file that corresponds to the logo and domain name.

BIMI specification status

As of writing in September 2020, the BIMI standard is still in its proposal stage. In February 2019 the first draft (BIMI-00) was released; it was superseded by BIMI-01 in July 2020.

If you have already created a BIMI DNS record for your domain, the most relevant changes from BIMI-00 to BIMI-01 are:

You can use our BIMI validator service to verify your BIMI record against the latest BIMI standard.

Although the BIMI specification still marks the VM certificate as optional, it is not expected that any email provider will ever accept BIMI logos without a valid certificate. This is comparable to self-signed web server certificates: technically they are allowed, but they are not usable in practice.

Email provider support

Currently, only Google (Gmail) and Yahoo Mail have limited support for BIMI. On July 21st 2020, Google announced that it will be running a pilot program for BIMI: for a select group of senders the BIMI logo will be displayed in Gmail. Google states that it has accepted Entrust Datacard and DigiCert as trusted authorities for Verified Mark Certificates.

Infographic showing the state of BIMI adoption
BIMI adoption infographic as released by the BIMI workgroup, June 2020. Source: https://bimigroup.org/bimi-adoption-june-2020/

Comcast, Fastmail and Seznam.cz have declared intent to adopt BIMI.

What is a Verified Mark certificate?

A Verified Mark (VM) certificate is a certificate that proves that the organisation behind the domain from which the email is sent is the legal holder of the trademark on the brand mark. A 'brand mark' consists of a logo image, together with the name and registration details of the trademark it represents.

From a technical perspective, a VM certificate is the same type of X.509 certificate that is used to secure web servers. What distinguishes a VM certificate from a server certificate is the inclusion of a number of extensions that embed the brand mark information (the logo itself and the trademark details).

Verified Mark certificates are, by definition, Extended Validation (EV) certificates. The Certificate Authority (where you buy the certificate) has to verify with the relevant trademark office that you indeed hold a registered trademark on the supplied logo. Apart from the logo, a VM certificate therefore also records the trademark registration it was validated against.

As you can imagine, validation of the brand logo is quite an involved process. The CA must work with the relevant trademark offices to validate the supplied artwork against the registration.

At the time of writing only DigiCert and Entrust Datacard are accepted to supply BIMI certificates. It is expected that more certificate authorities will be offering VM-certificates in the future.

However, neither DigiCert nor Entrust Datacard is currently offering the certificates for sale to the general public. DigiCert does have a product page set up for VMCs, but prices are not yet public.

As of writing, Mailhardener has indexed just one valid VMC, for cnn.com.

Why is my BIMI logo not shown?

At Mailhardener we often receive questions from our customers who have created a BIMI DNS record, but still don't see their brand logo in the inbox.

The reality is that only a handful of email providers (Google, Yahoo) currently have any support for BIMI. Both Google and Yahoo are running a limited pilot, which is restricted to a handful of senders. They also mandate a valid VM certificate, which is not yet available to the public.

Although the BIMI draft proposal marks the BIMI certificate as optional, in reality you are going to need a VM certificate for BIMI to work. This is because without certificate validation, it would be trivial for fraudulent actors to attach a genuine logo to a phishing email: anyone who controls a domain with an enforcing DMARC policy (a lookalike domain, for instance) could publish a BIMI record whose logo URI points at a copy of your logo, and the receiving client would have no way to tell that record from yours.
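The two records above (the DMARC record that BIMI depends on, and the BIMI record itself) are both plain `tag=value;` TXT records, so the first thing to check when a logo does not appear is whether they say what you think they say. The following checker is an added example written for this article, not Mailhardener's validator or any BIMI working group code. It serves both the record description in "What is BIMI?" and the lookalike scenario just discussed: the enforcement thresholds it encodes (p=reject, or p=quarantine applied to 100% of mail, and no sp=none) are taken from the BIMI-01 draft and Google's pilot requirements rather than from this page, and the sample records, domain names and file paths are constructed.

```python
"""Offline sanity checker for the two DNS records BIMI depends on.

Added example for this article (not Mailhardener code). Sample records
below are constructed; look up real ones with:
  dig +short TXT _dmarc.<domain>
  dig +short TXT default._bimi.<domain>
"""

# Record names as assumed here: BIMI uses the 'default' selector when the
# message carries no selector header; DMARC lives under _dmarc.
BIMI_RECORD_NAME = "default._bimi.{domain}"
DMARC_RECORD_NAME = "_dmarc.{domain}"


def parse_tag_value(record):
    """Parse a 'tag=value; tag=value' TXT record into a dict.

    DMARC and BIMI share this syntax. Tag names are case-insensitive;
    values are kept as written, and an empty value (e.g. 'l=') is preserved.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Problems that stop BIMI before the BIMI record is even consulted.

    Assumed thresholds (BIMI-01 / Google pilot, not stated on the page):
    p=reject, or p=quarantine with pct=100, and no sp=none.
    """
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 expected)"]
    problems = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        problems.append("p=none: DMARC is monitor-only, an enforcing policy is required")
    elif policy == "quarantine" and pct < 100:
        problems.append(f"p=quarantine with pct={pct}: the policy must apply to 100% of mail")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"unknown policy p={policy}")
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none: the subdomain policy must also be enforcing")
    return problems


def check_bimi(record):
    """Problems with the BIMI record itself."""
    tags = parse_tag_value(record)
    if tags.get("v") != "BIMI1":
        return ["not a BIMI record (v=BIMI1 expected)"]
    logo = tags.get("l")
    if logo is None:
        return ["missing l= tag (logo URI)"]
    if logo == "":
        # An empty l= is how a domain states that it does not participate.
        return ["l= is empty: the record declines BIMI for this domain"]
    problems = []
    if not logo.startswith("https://"):
        problems.append("l= must be an https:// URI")
    if not logo.lower().endswith(".svg"):
        problems.append("l= should point at an SVG logo file")
    vmc = tags.get("a")
    if not vmc:
        # The draft marks a= optional, but the pilots will not show a logo
        # without it: the logo URI alone proves nothing about who owns it.
        problems.append("no a= tag: no Verified Mark certificate, providers will not display the logo")
    elif not vmc.startswith("https://"):
        problems.append("a= must be an https:// URI")
    return problems


def bimi_ready(dmarc_record, bimi_record):
    """Run both checks; returns (ready, [problems])."""
    problems = check_dmarc(dmarc_record) + check_bimi(bimi_record)
    return (not problems, problems)


# Constructed sample records (not real DNS data).
SAMPLES = {
    "brand, ready": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    ),
    "brand, DMARC not enforcing": (
        "v=DMARC1; p=quarantine; pct=10; sp=none",
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    ),
    # A lookalike domain with its own enforcing DMARC policy, pointing l=
    # at a copy of the brand's logo and publishing no certificate.
    "lookalike, no VMC": (
        "v=DMARC1; p=reject",
        "v=BIMI1; l=https://examp1e.com/logo.svg;",
    ),
}

if __name__ == "__main__":
    for label, (dmarc, bimi) in SAMPLES.items():
        ready, problems = bimi_ready(dmarc, bimi)
        print(f"{label}: {'OK' if ready else 'NOT READY'}")
        for problem in problems:
            print("  -", problem)
```

Note what the lookalike sample shows: the only thing this checker can hold against it is the missing `a=` tag. Its DMARC policy is enforcing and its logo URI is well-formed, so a client that did not insist on a Verified Mark certificate would render the stolen logo. That is the whole reason the pilots treat the "optional" certificate as mandatory.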

Conclusion

At the time of writing, BIMI is not yet usable for mainstream email senders.

For BIMI to actually work, you must follow these steps:

From now on, the Mailhardener dashboard indicates if BIMI is implemented for the domain. Currently, the implementation (or lack thereof) of BIMI in a domain does not count towards the security rating of a domain.

Mailhardener domain rating showing BIMI implementation
Mailhardener dashboard showing BIMI support in domain security rating overview
