BIMI
TL;DR
Brand Indicators for Message Identification (BIMI, pronounced Bih-mee) is an experimental standard to improve brand recognition in email. It allows for email clients to display a verified mark, usually in the form of a brand logo, in the inbox of the user. BIMI can be compared to verified accounts for brands, which are common for social media platforms.
NEW: Mailhardener BIMI asset hosting
Mailhardener now supports hosting BIMI assets (VMCs) directly from your Mailhardener dashboard. Mailhardener BIMI asset hosting takes care of all the technical aspects of BIMI, ensuring your BIMI logo will always work.
BIMI is aimed at rewarding those who implement DMARC with the opportunity to strengthen their brand presence. The BIMI standard is currently in its third draft, named bimi-draft-02. The BIMI standard is created and maintained by the AuthIndicators Working Group.
BIMI is still very much experimental, very few email clients support it. The required 'Verified Mark Certificate' (VMC) are not commonly available.
For the latest developments on BIMI, we also have blog post on the current state of BIMI which we update periodically.
What is BIMI?
BIMI is a mechanism for brands to tie brand identification material, such as logos and trademarks numbers to their domain via a special certificate known as a Verified Mark Certificate (VMC).
If email is received from a domain that implements BIMI, and the email is DMARC aligned, the email client can display the brand indicator and name as found in the VMC.
For this to work, the domain must have a DMARC policy of quarantine or reject. When using the quarantine policy, the applied percentage (pct property) cannot be lower than 100%. The Verified Mark certificate must be issued by a certificate authority that is trusted by email providers to supply VMCs.
The BIMI standard is created to drive adoption of DMARC by bigger brands, by rewarding them with stronger brand recognition.
BIMI prerequisites
For BIMI to work, a domain must comply with the following prerequisites:
- The domain must have DMARC implemented with a
quarantineorrejectpolicy. - A certificate with Verified Mark extension must be obtained from a trusted certificate authority.
- A DNS record must be placed which points to the certificate which must be served over an HTTPS scheme.
- Although not strictly required, all email sources that are used for the domain should add the BIMI header to all emails send.
Roughly speaking, BIMI works like this for the receiver:
- An email is received from
domain.com. - The email is checked for DMARC alignment against the DMARC policy as published by the domain.
- The receiving system checks for the existence of a BIMI DNS record at
domain.com, using the selector found in the BIMI email headers. - The receiving system downloads and verifies the Verified Mark certificate (VMC) from the location supplied in the DNS record. The certificate must be from a trusted authority, and match
domain.com. - If all previous steps pass, the SVG brand indicator found in the VMC is displayed as brand indicator in the mailbox of the receiver.
DMARC policy
Displaying a brand indicator in the email client of the receiver comes with the responsibility of validating that the email is coming from an authorized source. Hence, a 'strong' DMARC policy is a requirement for BIMI to work.
Defined in BIMI-02 section 1, a 'strong' DMARC policy is defined as:
- The sender domain must have DMARC enabled with a
quarantineorrejectpolicy. - If set, the subdomain policy (the
spvalue) must also meet this minimum policy strength. - When using
quarantinepolicy, it must be applied to 100% of the email sent by the domain, thus thepctDMARC value must be set to100or omitted (100% is the default). - When using
rejectpolicy, it is allowed to set thepctproperty lower than 100%.
The following DMARC records are not valid for use with BIMI:
v=DMARC1; p=none;
(policy is not 'quarantine' or 'reject')
v=DMARC1; p=quarantine; pct=25;
(quarantine policy is not applied to 100% of emails)
v=DMARC1; p=reject; sp=none;
(reject policy is not applied to all subdomains)Verified Mark certificate
The Verified Mark certificate is the source of trust for email clients to safely display a brand indicator in the inbox. It is also the most misunderstood portion of the BIMI standard.
A Verified Mark (VM) certificate is a standard X.509 certificate as is used for web servers (HTTPS), but with an additional extension for mark verification. In the Verified Mark extension, the brand indicator is stored as an SVG vector image, as well as any trademark numbers. The domain name that is used for the email is stored as the subjectAltName value in the certificate, a VMC may contain multiple domain names.
A VM certificate can be obtained through a Certificate Authority (CA), just like with web server certificates. The CA must verify through the relevant trademark office that the supplied indicator and trademark numbers are indeed owned by the organization that also holds the domain name. Which trademark office is queried depends on the region where the organization originates from.
Hence, due to the amount of manual validation required for the CA to issue a VM certificate, only a select few CAs currently offer VM certificates. It is also not expected for VM certificates to be offered at competitive prices compared to HTTPS certificates.
Although the BIMI draft marks the certificate as optional, for BIMI to work with any of the public email systems the Verified Mark certificate is required.
The BIMI DNS record
A DNS TXT type resource record must be published under the email domain. This record points to an SVG vector image of the brand indicator, and a verified mark certificate. Both the SVG image, as the VM-certificate must be served over an HTTPS scheme, with a valid web server certificate.
A domain can have multiple BIMI records (as a domain may serve multiple brands).
Each BIMI record is identified by a selector, the same as how DKIM public keys are identified.
An email sent from the domain may have the BIMI selector value in the headers of the email.
If no header value is present, a default selector with value default may be assumed by the email client.
The location of the BIMI DNS record is [selector]._bimi.[domain], for example:
default._bimi.mailhardener.comThe BIMI DNS record format is the typical key/value format as we know from other email hardening mechanisms such as DKIM and DMARC. The typical BIMI record may look like this:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi_cert.pem| Key | Name | Description |
|---|---|---|
v |
Version | Must be the first field in the record, must be set to value BIMI1 |
l |
Location | Optional, points to an SVG format indicator image of the brand, must be served over HTTPS |
a |
Authority Evidence Location | Optional, points to a PEM format VM-certificate, must be served over HTTPS |
Note: In the (now superseded) first BIMI draft, it was allowed for the a= value to contain the value self, this is no longer allowed since draft BIMI-01.
We want to repeat once more that although the VM-certificate location (a=) value is technically optional, a VM-certificate is required for BIMI to work with public email providers.
You can test a BIMI DNS record for validity using our free to use BIMI record validator tool.
The BIMI email header
An optional (but recommended) header BIMI-Selector should be added to all email sent from the domain to instruct a BIMI-capable email receiver that BIMI is used, and where to find the VM-certificate.
| Key | Name | Description |
|---|---|---|
v |
Version | Must be the first field in the header, must be set to value BIMI1, indicates that BIMI is to be used for the domain |
s |
Selector | Optional, the selector value where the DNS record is located. Defaults to default if omitted |
An example of an email containing a BIMI header:
From: example@mailhardener.com
BIMI-Selector: v=BIMI1; s=demo;
Subject: This demonstrates BIMI
Hi, this is a demo for BIMIFor the example above, a BIMI capable receiver will look for a BIMI DNS record at demo._bimi.mailhardener.com.
If no BIMI header is present in the email, the receiver may still attempt to query a BIMI DNS record at the default selector location.
There are also 2 additional headers BIMI-Location and BIMI-Indicator which may be injected into the email by the receiving email server as hints to the email client (MUA).
BIMI in practice
As mentioned, BIMI is still an experimental email standard.
Some major email providers, such as Google and Yahoo are currently testing BIMI as part of a pilot program. It is not enabled for all of their customers just yet, meaning that BIMI indicators are not always shown for every user.
As of writing, there are just 2 certificate authorities who are entrusted to issue Verified Mark certificates.
Mailhardener has a BIMI validation service which sees thousands of validations per day, but it is rare for us to see a domain with an actual VM-certificate set.
We also published a blog post with the current state of BIMI, which we update periodically with the latest updates on BIMI.
Mailhardener has full BIMI monitoring support in the Mailhardener dashboard.
Conclusion
BIMI allows for stronger brand recognition which should reduce fraudulent email and drive the adoption of DMARC.
The BIMI standard is still very much in experimental phase. Few email services have BIMI fully integrated, and only time will tell if other email services adopt the technology.
The Verified Mark Certificates required for BIMI are available from a select group of certificate authorities, but the cost of such VMC may prove too high for smaller brands.
Further reading
Tools
Share your thoughts!
On last thing: If you have questions, comments or thoughts on this article, don't hesitate to shoot us an email.
You can also follow and reach us on Twitter @Mailhardener.