
BIMI

TL;DR

Brand Indicators for Message Identification (BIMI, pronounced Bih-mee) is an experimental standard to improve brand recognition in email. It allows for email clients to display a verified mark, usually in the form of a brand logo, in the inbox of the user. BIMI can be compared to verified accounts for brands, which are common for social media platforms.

Impression of what a mailbox may look like with BIMI

BIMI is aimed at rewarding those who implement DMARC with the opportunity to strengthen their brand presence. The BIMI standard is currently in its second draft, named bimi-draft-01. The BIMI standard is created and maintained by the AuthIndicators Working Group.

BIMI is still very much experimental, very few email clients support it, and the required Verified Mark certificates are not commonly available.

For the latest developments on BIMI, we also have a blog post on the current state of BIMI, which we update periodically.

What is BIMI?

BIMI is a mechanism for brands to tie brand identification material, such as logos and trademark numbers, to their domain via a special certificate known as a Verified Mark Certificate (VMC).

If email is received from a domain that implements BIMI, and the email is DMARC aligned, the email client can display the logo and name as found in the VMC.

For this to work, the domain must have a DMARC policy of quarantine or reject, applied to 100% of the email. The Verified Mark certificate must be issued by a certificate authority that is trusted by email providers to supply VMCs.

The BIMI standard is created to drive adoption of DMARC by bigger brands, by rewarding them with stronger brand recognition.

BIMI prerequisites

For BIMI to work, a domain must meet the prerequisites described in the sections below: a DMARC policy of quarantine or reject applied to all of its email, a Verified Mark certificate, and a BIMI DNS record.

Roughly speaking, BIMI works like this for the receiver:

  1. An email is received from domain.com.
  2. The email is checked for DMARC alignment against the DMARC policy as published by the domain.
  3. The receiving system checks for the existence of a BIMI DNS record at domain.com, using the selector found in the BIMI email headers.
  4. The receiving system downloads and verifies the Verified Mark certificate (VMC) from the location supplied in the DNS record. The certificate must be from a trusted authority, and match domain.com.
  5. If all previous steps pass, the SVG logo found in the VMC is displayed as brand logo in the mailbox of the receiver.

DMARC policy

Displaying a brand logo in the email client of the receiver comes with the responsibility of validating that the email is coming from an authorized source. Hence DMARC alignment is a hard requirement for BIMI to work.

The sender domain must have DMARC enabled with a quarantine or reject policy. Any subdomain policy (the sp value) must also meet this minimum policy strength. The policy must be applied to 100% of the email sent by the domain, thus the pct DMARC value must be set to 100 or omitted (100% is the default).

The following DMARC records are not valid for use with BIMI:

v=DMARC1; p=none;       
(policy is not 'quarantine' or 'reject')

v=DMARC1; p=reject; pct=25;
(reject policy is not applied to 100% of emails)

v=DMARC1; p=reject; sp=none;
(reject policy is not applied to all subdomains)
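The three conditions above (p, sp and pct) can be checked mechanically. The following is an added example, not Mailhardener's validator; it parses a DMARC TXT record string and reports every reason the record would not qualify for BIMI. The sample records in the test are constructed, and no DNS lookup is performed.

```python
"""Check whether a DMARC record is strict enough for BIMI (added example).

Conditions, as described above:
  - p must be quarantine or reject
  - sp, if present, must also be quarantine or reject
    (if sp is absent, the p policy applies to subdomains as well)
  - pct must be 100 or absent (100 is the DMARC default)
"""

STRICT_POLICIES = {"quarantine", "reject"}


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag-value string into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty trailing segments and junk
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_bimi_problems(record: str) -> list:
    """Return the reasons a DMARC record is not BIMI-eligible (empty list = OK)."""
    tags = parse_tags(record)
    problems = []

    # v=DMARC1 must be the first tag of a DMARC record.
    first = record.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        problems.append("record does not start with v=DMARC1")

    p = tags.get("p", "").lower()
    if p not in STRICT_POLICIES:
        problems.append(f"policy p={p or '<missing>'} is not quarantine or reject")

    sp = tags.get("sp")
    if sp is not None and sp.lower() not in STRICT_POLICIES:
        problems.append(f"subdomain policy sp={sp} is not quarantine or reject")

    pct = tags.get("pct")
    if pct is not None and pct != "100":
        problems.append(f"pct={pct} means the policy is not applied to 100% of email")

    return problems


def is_bimi_eligible(record: str) -> bool:
    """True when the DMARC record satisfies all BIMI requirements."""
    return not dmarc_bimi_problems(record)


if __name__ == "__main__":
    # Constructed sample records: one that qualifies and the three invalid ones from the text.
    for sample in (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none;",
        "v=DMARC1; p=reject; pct=25;",
        "v=DMARC1; p=reject; sp=none;",
    ):
        print(sample, "->", dmarc_bimi_problems(sample) or "OK for BIMI")
```

Note that an absent sp tag is accepted: DMARC applies the p policy to subdomains when sp is not set, so only an explicit weaker sp value disqualifies the record.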

Verified Mark certificate

The Verified Mark certificate is the source of trust for email clients to safely display a brand logo in the inbox. It is also the most misunderstood portion of the BIMI standard.

A Verified Mark (VM) certificate is a standard X.509 certificate, as used for web servers (HTTPS), but with an additional extension for mark verification. In the Verified Mark extension, the brand logo is stored as an SVG vector image, along with any trademark numbers. The domain name that is used for the email is stored as the subjectAltName value in the certificate; a VMC may contain multiple domain names.

A VM certificate can be obtained through a Certificate Authority (CA), just like with web server certificates. The CA must verify through the relevant trademark office that the supplied logo and trademark numbers are indeed owned by the organisation that also holds the domain name. Which trademark office is queried depends on the region where the organisation originates from.

Hence, due to the amount of manual validation required for the CA to issue a VM certificate, only a select few CAs currently offer VM certificates. It is also not expected for VM certificates to be offered at competitive prices compared to HTTPS certificates.

Although the BIMI draft marks the certificate as optional, for BIMI to work with any of the public email systems the Verified Mark certificate is required.

The BIMI DNS record

A DNS TXT type resource record must be published under the email domain. This record points to an SVG vector image of the brand logo and to a Verified Mark certificate. Both the SVG image and the VM-certificate must be served over HTTPS, with a valid web server certificate.

A domain can have multiple BIMI records (as a domain may serve multiple brands). Each BIMI record is identified by a selector, in the same way DKIM public keys are identified. An email sent from the domain may carry the BIMI selector value in its headers. If no header value is present, the default selector, with value default, may be assumed by the email client.

The location of the BIMI DNS record is [selector]._bimi.[domain], for example:

default._bimi.mailhardener.com

The BIMI DNS record format is the typical key/value format as we know from other email hardening mechanisms such as DKIM and DMARC. The typical BIMI record may look like this:

v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi_cert.pem

Key  Name                         Description
v    Version                      Must be the first field in the record, must be set to value BIMI1
l    Location                     Optional, points to an SVG format logo image of the brand, must be served over HTTPS
a    Authority Evidence Location  Optional, points to a PEM format VM-certificate, must be served over HTTPS

Note: In the (now superseded) first BIMI draft, the a= value was allowed to contain the value self. This is no longer allowed since (the current) draft-01.

We want to repeat once more that although the VM-certificate location (a=) value is technically optional, a VM-certificate is required for BIMI to work with public email providers.

You can test a BIMI DNS record for validity using our free to use BIMI record validator tool.

The BIMI email header

An optional (but recommended) header BIMI-Selector should be added to all email sent from the domain to instruct a BIMI-capable email receiver that BIMI is used, and where to find the VM-certificate.

Key  Name      Description
v    Version   Must be the first field in the header, must be set to value BIMI1, indicates that BIMI is to be used for the domain
s    Selector  Optional, the selector value where the DNS record is located. Defaults to default if omitted

An example of an email containing a BIMI header:

From: example@mailhardener.com
BIMI-Selector: v=BIMI1; s=demo;
Subject: This demonstrates BIMI

Hi, this is a demo for BIMI

For the example above, a BIMI capable receiver will look for a BIMI DNS record at demo._bimi.mailhardener.com.

If no BIMI header is present in the email, the receiver may still attempt to query a BIMI DNS record at the default selector location.

There are also two additional headers, BIMI-Location and BIMI-Indicator, which may be injected into the email by the receiving email server as hints to the email client (MUA).
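The receiver-side steps 2 and 3 from the overview, the DNS record format, and the BIMI-Selector header are tied together in the following added example. It is not Mailhardener's code: it reads the BIMI-Selector header value (falling back to the default selector), derives the [selector]._bimi.[domain] name to query, and validates a BIMI TXT record string against the rules on this page (v=BIMI1 first, l= and a= optional but HTTPS-only, a=self no longer accepted). DNS lookups and certificate retrieval are out of scope, so the record is passed in as a string; all sample header and record values are constructed.

```python
"""Resolve and validate a BIMI record for an email (added example, offline).

Assumptions: no DNS is queried; the TXT record text is passed in directly.
Checks follow the tag descriptions on this page; VMC verification (step 4
of the receiver flow) is not performed here.
"""

from typing import Optional, Tuple
from urllib.parse import urlsplit


def parse_tags(s: str) -> dict:
    """Parse a 'k=v; k=v' tag-value string into a dict with lowercased keys."""
    tags = {}
    for part in s.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def selector_from_header(header_value: Optional[str]) -> str:
    """Selector named by a BIMI-Selector header, or 'default' if absent/unusable."""
    if header_value is None:
        return "default"
    tags = parse_tags(header_value)
    if tags.get("v") != "BIMI1":
        return "default"  # header not understood, fall back to the default selector
    return tags.get("s") or "default"


def bimi_record_name(domain: str, selector: str) -> str:
    """DNS name of the BIMI TXT record: [selector]._bimi.[domain]."""
    return f"{selector}._bimi.{domain.lower()}"


def validate_bimi_record(record: str) -> Tuple[list, list]:
    """Return (errors, warnings) for a BIMI TXT record string."""
    errors, warnings = [], []

    # v=BIMI1 must be the first tag.
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=BIMI1":
        errors.append("v=BIMI1 must be the first tag of the record")

    tags = parse_tags(record)
    for key, label in (("l", "logo location"), ("a", "authority evidence location")):
        value = tags.get(key)
        if not value:
            continue  # both tags are optional in the draft
        if key == "a" and value == "self":
            errors.append("a=self is no longer allowed since draft-01")
            continue
        url = urlsplit(value)
        if url.scheme != "https" or not url.netloc:
            errors.append(f"{label} ({key}=) must be an https:// URL, got {value!r}")

    if not tags.get("a"):
        # Technically optional, but public email providers require a VM certificate.
        warnings.append("no a= value; public email providers require a VM certificate")

    return errors, warnings


def resolve_bimi(from_domain: str, bimi_selector_header: Optional[str]) -> str:
    """Steps 2-3 of the receiver flow: which TXT record name to look up."""
    return bimi_record_name(from_domain, selector_from_header(bimi_selector_header))


if __name__ == "__main__":
    # Constructed sample: the message from the text, with a demo selector.
    print(resolve_bimi("mailhardener.com", "v=BIMI1; s=demo;"))  # demo._bimi.mailhardener.com
    sample_record = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi_cert.pem"
    print(validate_bimi_record(sample_record))
```

The split into errors and warnings mirrors the page's distinction: a missing a= value does not make the record malformed, but a receiver that insists on a VM certificate will still not show the logo.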

BIMI in practice

As mentioned, BIMI is still an experimental email standard.

Some major email providers, such as Google and Yahoo are currently testing BIMI as part of a pilot program. It is not enabled for all of their customers just yet, meaning that BIMI logos are not always shown for every user.

As of writing, there are just 2 certificate authorities who are entrusted to issue Verified Mark certificates.

Mailhardener has a BIMI validation service which sees thousands of validations per day, but it is rare for us to see a domain with an actual VM-certificate set.

We also published a blog post with the current state of BIMI, which we update periodically with the latest updates on BIMI.

Mailhardener has full BIMI monitoring support in the Mailhardener dashboard.

Mailhardener domain rating showing BIMI implementation
Mailhardener dashboard showing BIMI support in domain security rating overview

Conclusion

BIMI allows for stronger brand recognition which should reduce fraudulent email and drive the adoption of DMARC.

The BIMI standard is still very much in an experimental phase. Few email services have BIMI fully integrated, and only time will tell if other email services adopt the technology.

The Verified Mark Certificates required for BIMI are available from a select group of certificate authorities, but the cost of such VMC may prove too high for smaller brands.

Share your thoughts!

One last thing: If you have questions, comments or thoughts on this article, don't hesitate to shoot us an email.

You can also follow and reach us on Twitter @Mailhardener.

With Mailhardener you can configure, validate and monitor your domain for all aspects of email security. Mailhardener is free to use for a single domain.