BIMI is an emerging email specification that enables the use of brand-controlled 'indicators' (like a logo or icon) within supporting email clients.
At Mailhardener we receive a lot of questions from customers who have set up the BIMI DNS records for their domain, and yet none of the email inboxes show their brand indicator. This leads us to believe that BIMI is badly understood, and that the current state of BIMI support amongst email inbox providers is often misjudged.
So, in this blog post we'll have a look at what the current state of BIMI is, and answer some common questions.
NOTE: The BIMI standard is still under development, and the BIMI ecosystem is still changing very rapidly. We'll update this article accordingly.
This article was updated in July 2021.
BIMI (Brand Indicators for Message Identification) is a new proposal for an email standard which allows for stronger brand validation in email clients. Email clients that support BIMI will be able to show an 'indicator' (logo, icon, or other image) and some indication that a sender is authentic. To prove a brand indicator is authentic, a special type of digital certificate known as a Verified Mark (VM) certificate is used.
Think of BIMI like the equivalent of verified accounts on social media platforms such as Twitter and Facebook.
The AuthIndicators Working Group, who are the authors of the BIMI standard, make no secret that the intention of BIMI is to drive adoption of the DMARC email security standard. You must have DMARC implemented for BIMI to work. BIMI is like a reward that you get for implementing DMARC (thus SPF and DKIM).
For BIMI to work, the domain that is used in the sender address of an email must place a BIMI DNS record in the domain's DNS zone. This BIMI DNS record must contain a URI to an SVG indicator file, and a URI to a VM certificate file that corresponds to the indicator file and domain name.
As of writing, the BIMI standard is still in its proposal stage.
If you have already created a BIMI DNS record for your domain, the most relevant changes from BIMI-00 to BIMI-01 are:
- The l= value may only contain a single URI to an SVG or SVGZ file.
- The a= value must be a URL to a valid Verified Mark certificate. The 'self' value is no longer allowed.
You can use our BIMI validator service to verify your BIMI record against the latest BIMI standard.
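The BIMI-01 rules listed above can be checked offline against a record's text. The following lint is an added example, not Mailhardener's validator or code from the BIMI authors. It assumes the domain wants an indicator displayed; the `v=BIMI1` version tag and the HTTPS-only requirement come from the BIMI draft rather than from this article, and the function names and sample records are constructed for illustration.

```python
# Added example, not Mailhardener's validator. Sample records are constructed.
from urllib.parse import urlparse

GOOD = "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"
OLD_STYLE = "v=BIMI1; l=https://example.com/a.svg,https://example.com/b.svg; a=self"

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag name."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if part.strip() and not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def single_https_uri(value):
    """True for exactly one https URI (no comma-separated list, no whitespace)."""
    if "," in value or len(value.split()) != 1:
        return False
    try:
        parsed = urlparse(value)
    except ValueError:
        return False
    return parsed.scheme == "https" and bool(parsed.netloc)

def lint_bimi(record):
    """Return a list of problems; an empty list means every check passed."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("v= must be BIMI1")
    loc, auth = tags.get("l", ""), tags.get("a", "")
    if not single_https_uri(loc):
        problems.append("l= must be a single https URI")
    elif not urlparse(loc).path.lower().endswith((".svg", ".svgz")):  # name check only
        problems.append("l= must point to an SVG or SVGZ file")
    if auth.lower() == "self":
        problems.append("a=self is no longer allowed")
    elif not auth:
        problems.append("a= is empty: no VM certificate to validate the indicator")
    elif not single_https_uri(auth):
        problems.append("a= must be a single https URL to a VM certificate")
    return problems
```

This only inspects the record text: it does not fetch the SVG or verify the certificate chain, so a clean result means the record is well-formed, not that a mailbox provider will display the indicator.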
Although the BIMI specification still marks the VM certificate as optional, it is not expected that any email provider will ever display BIMI indicators without a valid certificate. This is comparable to self-signed web server certificates: technically they are allowed, but they are not usable in practice.
Currently, only Google (Gmail) and Yahoo Mail have limited support for BIMI. On July 21st 2020, Google announced a pilot program for BIMI. For a select group of senders the BIMI indicator will be displayed in Gmail. Google states that it has accepted Entrust Datacard and DigiCert as trusted authorities for Verified Mark Certificates.
Comcast, Fastmail and Seznam.cz have declared intent to adopt BIMI.
A Verified Mark (VM) certificate is a certificate that proves that the domain from which the email is sent is the legal holder of the trademark. A 'brand mark' can consist of an 'indicator' (logo, icon or other image), a name and trademark numbers.
From a technical perspective, a VM certificate is the same type of X.509 certificate that is used to secure web servers. What distinguishes a VM certificate from a server certificate is the inclusion of a number of extensions that allow embedding the brand mark information.
Verified Mark certificates are, by definition, Extended Validation (EV) certificates. The Certificate Authority (where you buy the certificate) will have to verify with your local trademark office that you indeed hold the rights to the supplied name, indicator and domain. Apart from the indicator, a VM certificate can also hold various trademark identification numbers.
As you can imagine, validation of the brand indicator is quite an involved process. The CA must work with the relevant trademark offices to validate the supplied artwork and trademark numbers.
At the time of writing, only DigiCert and Entrust Datacard are accepted as suppliers of BIMI certificates. It is expected that more certificate authorities will be offering VM certificates in the future.
However, neither DigiCert nor Entrust Datacard is currently offering the certificates for sale. DigiCert does have a product page set up for VMCs, but prices are not yet public.
At Mailhardener we often receive questions from our customers who have created a BIMI DNS record, but still don't see their brand indicator in the inbox.
The reality is that only a handful of email providers (Google, Yahoo) currently have support for BIMI. Both Google and Yahoo are currently running a limited pilot, which often restricts BIMI display to a handful of senders. They also mandate a valid VM certificate, and these certificates are not yet available to the public.
Although the BIMI draft proposal suggests that the BIMI certificate is optional, in reality you're going to need a VM certificate for BIMI to work. This is because without certificate validation, it would be trivial for fraudulent actors to attach a genuine brand indicator to a phishing email.
At the time of writing, BIMI is not yet usable for mainstream email senders.
For BIMI to actually work, you must follow these steps:
From now on, the Mailhardener dashboard indicates if BIMI is implemented for the domain. Currently, the implementation (or lack thereof) of BIMI in a domain does not count towards the security rating of a domain.