BIMI for Gmail: Google Makes Email Identity Indicators Part of Its New Security Updates


Google is partnering with DigiCert and Entrust Datacard to launch a BIMI pilot for Gmail — using brand indicators for message identification will boost email security and allow companies to show their logo in customers’ inboxes

For everyone who has BIMI — brand indicators for message identification — on their cybersecurity wish lists for G Suite, it looks like Christmas has come early.

Google recently announced their plans for Gmail to support BIMI as part of a larger series of G Suite security updates. And it’s partnering with two of the world’s leading commercial certificate authorities (CAs) — including DigiCert, one of our partner CAs — to make it happen. Rock on, Google.

For the newcomers to the discussion, what this means is that Gmail will display the company’s logo right in the user’s inbox, after the email passes a few security checks. That’s great for brands and great for users (it makes it easy to spot emails that are verified.)

But what does this move to BIMI standardization by Google mean for you in terms of your brand authentication and security? We’ll answer these questions about BIMI and more in this article, which also features a Q&A at the end.

Let’s hash it out.

What Is BIMI and Why Should I Care?

A DigiCert screenshot of how BIMI displays company logos
Image source: DigiCert

BIMI, the acronym for brand indicators for message identification, is an email standard that allows you to display your designated, verified brand logo next to the “from” name on authenticated emails. While this open system relies on existing authentication protocols like DMARC, DKIM, and SPF, it isn’t a new authentication protocol in and of itself.

The BIMI standard uses two different mechanisms to verify emails before displaying the company’s logo: DMARC and verified mark certificates (VMCs).

  • DMARC, which stands for domain-based message authentication, reporting, and conformance, is key to email authentication. It gives organizations greater visibility and control of who sends emails from their domains.
  • A verified mark certificate, on the other hand, is a type of X.509 digital certificate that authenticates you to others and displays a logo. It’s issued by a trusted third-party CA — in this case, DigiCert or Entrust Datacard — who will vet your organization to ensure you’re legit.

VMCs vs Other PKI Digital Certificates

But wait, isn’t authentication what email signing certificates already do?

Yes and no. An email signing certificate is issued to an individual user (for example, bob@example.com) and doesn’t include a logo. It authenticates the email sender and, if the recipient also uses an S/MIME certificate, allows the email to be encrypted as well.

A verified mark certificate, on the other hand, is issued at the organization level. You can effectively fight misrepresentation of your brand by ensuring that any emails you send will display your company logo and brand.

So, in some ways, VMCs are kind of like SSL/TLS certificates in that they’re issued once a CA verifies your organization. But unlike SSL/TLS certificates, which display a padlock in the web address bar, these will put your organization’s logo front and center. This means that no one can question whether an email came from your organization. (EV SSL certificates do display your organization’s name in the certificate information, but it still won’t show your logo.)

Why Google’s BIMI Move Matters for Your Organization

To put it simply, BIMI takes your email and brand authentication capabilities to a whole new level. As Google put it in their announcement:

“Our BIMI pilot will enable organizations, who authenticate their emails using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass all of our other anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI.”

Dean Coclin, Senior Director of Business Development at DigiCert, says that while using DMARC is great, brands often underutilize it.

“At DigiCert, strong validation is one of the things we do best, and we are excited about participating in the Gmail BIMI pilot. DMARC can provide companies great value, but not enough brands take advantage of its protection. The BIMI working group and DigiCert are collaborating to increase usage of this important security standard while delivering additional value to those increasing security for their users.”

This Move by Google Marks a Major Step Toward Greater Email Security for Everyone

While Google isn’t the first to implement BIMI — the BIMI Group says that Verizon Media Group actually paved the way for it when they adopted it for their Yahoo and AOL email services — they certainly won’t be the last.

In 2019, DigiCert issued a VMC to CNN, which made their emails display like this:

This BIMI graphic is a screenshot of CNN's verified logo displaying in a Gmail inbox
Image source: Google

According to Coclin:

“VMCs play a major role in providing cryptographic assurance that the trademarked logos have been vetted per BIMI standards and that the individual requesting is who they say they are and from the company they say they represent. This is a high hurdle to pass! VMCs provide the following benefits for organizations:

  • Ensure in the long term that customers see your logo in their inbox in email platforms using VMCs.
  • Provide an additional layer of protection against spoofing attacks through DMARC compliance.
  • Deliver a more authentic, recognizable and unified brand experience from email to conversion.
  • Distinguish your messaging from the clutter.”

All of this is to say that if you care about organizational identity, then you should care about BIMI. I say that because using brand indicators for message identification is a great step forward in the battle against email-based cybercrimes and fraud schemes. With BIMI, you can:

  • Increase your brand visibility,
  • Build customer confidence and trust in your brand, and
  • Reduce the likelihood of success for phishing and business email compromise schemes.

Basically, it’s a win-win for your company and customers and throws a massive monkey wrench in cybercriminals’ plans.

What You Should Know About the BIMI Pilot (And How It Will Affect Your Organization)

To help you better understand the impact of Google’s announcement and how to prepare for the changes it’ll bring to inboxes and your approach to DMARC, here are answers to a few questions you may have:

What Is BIMI?

Brand indicators for message identification, or BIMI, is an email standard for authenticating users and displaying brand logos. Its purpose is to authenticate organizations, prevent email fraud and enhance email delivery.

Who Supports BIMI Right Now?

As we mentioned earlier, Yahoo and AOL are currently the only email providers supporting BIMI. However, Google’s BIMI pilot will launch soon, and other email providers have indicated their interest in doing so in the future as well.

When Will Google’s BIMI Pilot Take Effect?

There isn’t a specific date listed in Google’s announcement. According to the official release, they’ll launch the BIMI pilot “in the coming weeks” for a limited number of senders.

How Should I Prepare for This Change?

In general, enabling domain-based message authentication, reporting and conformance (DMARC) is always a good idea. It’s a great way to help secure your organization’s email ecosystem. However, implementing DMARC is also a requirement for Google’s post-pilot launch.

So, if you haven’t already put DMARC to use in securing your email, then it’s time to get the ball rolling. This way, when VMC/BIMI is ready for widespread usage, you don’t get caught unprepared.

How Do I Implement BIMI for My Organization?

To get BIMI to work, you’ll need to:

  1. Create and configure your BIMI record (this is a text record that’s stored on a DNS server, much like SPF or DKIM),
  2. Validate your organization’s domain (using the DMARC standard with a policy of “p=quarantine” or “p=reject”), and
  3. Validate your logo using a VMC.

That’s it!
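The three steps above boil down to two DNS TXT records that must be in the right shape before a mailbox provider will even look at the logo: the DMARC record at `_dmarc.<domain>` with an enforcing policy, and the BIMI record at `default._bimi.<domain>` pointing at the SVG logo and (optionally) the VMC. The following is an added example, not code from the article, Google, or either CA, that parses both record types and reports what would stop BIMI from working. The record strings, the `example.com` domain and the URLs are constructed placeholders; the `sp=` and `pct=` checks are stricter than the `p=` requirement the article lists and are flagged as hygiene warnings.

```python
"""Sanity-check the DMARC and BIMI DNS TXT records a domain needs for BIMI.

Added example (not the article's or any vendor's code). The records below
are constructed sample data; in practice you would fetch them with a TXT
lookup of _dmarc.<domain> and default._bimi.<domain>.
"""

# Constructed sample records, as a TXT lookup would return them.
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc-reports@example.com"
SAMPLE_BIMI = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
               "a=https://example.com/brand/vmc.pem")
BROKEN_BIMI = "v=BIMI1; l=http://example.com/brand/logo.png"


def parse_tag_value(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return the problems that block BIMI; an empty list means the record is fine."""
    problems = []
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        problems.append("DMARC record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p= must be quarantine or reject, got {policy or '(missing)'!r}")
    # Hygiene warnings beyond the article's p= requirement: a subdomain policy of
    # none, or a pct below 100, leaves part of the domain's mail unenforced.
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none leaves subdomain mail unenforced")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return problems


def check_bimi(record: str) -> list:
    """Return the problems with a BIMI record; an empty list means it is well-formed."""
    problems = []
    tags = parse_tag_value(record)
    if tags.get("v") != "BIMI1":
        problems.append("BIMI record must start with v=BIMI1")
    logo = tags.get("l", "")
    if not logo.startswith("https://"):
        problems.append("l= (logo URL) must be an https URL")
    elif not logo.lower().endswith(".svg"):  # heuristic: the logo has to be SVG
        problems.append("l= should point to an SVG file")
    vmc = tags.get("a", "")  # optional; points at the VMC once you have one
    if vmc and not vmc.startswith("https://"):
        problems.append("a= (VMC URL) must be an https URL when present")
    return problems


def bimi_ready(dmarc_record: str, bimi_record: str) -> bool:
    """True when both records pass every check."""
    return not check_dmarc(dmarc_record) and not check_bimi(bimi_record)


if __name__ == "__main__":
    for label, dmarc, bimi in (("good", SAMPLE_DMARC, SAMPLE_BIMI),
                               ("bad", WEAK_DMARC, BROKEN_BIMI)):
        print(f"{label}: ready={bimi_ready(dmarc, bimi)}")
        for problem in check_dmarc(dmarc) + check_bimi(bimi):
            print("  -", problem)
```

Run it against records you have actually published and fix every line it prints; a `p=none` policy is the usual reason a logo never shows up, because it is exactly the monitoring-only mode that BIMI refuses to honor.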

What Are the BIMI Logo Specifications?

To validate your logo for the BIMI standard, you need to format it in a specific way. According to the BIMI Working Group website:

“The logo must be square, must be saved as a version of the Scalable Vector Graphics (SVG) format. Specifically, the SVG logo must follow the restrictions defined by the SVG Tiny 1.2 profile published by the W3C in 2008. The logo cannot include any <script> tags and should not include any external links.”
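Those constraints are easy to check before you publish the file, and worth checking because the logo is fetched and rendered by the mail provider, so a stray script or remote reference is both a rejection reason and a security smell. The following is an added example, not code from the article or the BIMI Working Group, that lints an SVG string against the four points quoted above: root element declares SVG 1.2 with a Tiny base profile, square dimensions, no `<script>`, and no external references (any `href` that is not a local `#fragment`, plus `@import`/`url(` in styles). The two SVG documents are constructed samples; the "Example Brand" title and `example.net` URL are placeholders.

```python
"""Lint a BIMI logo SVG against the BIMI Working Group constraints quoted above.

Added example, not from the article or the BIMI Group. GOOD_LOGO and
BAD_LOGO are constructed samples.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed: square, SVG Tiny 1.2, no scripts, no external references.
GOOD_LOGO = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
     baseProfile="tiny" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <circle cx="50" cy="50" r="40" fill="#0055aa"/>
</svg>"""

# Constructed: violates every rule (not square, script, remote image and link).
BAD_LOGO = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.2" viewBox="0 0 120 80">
  <script>console.log("not allowed")</script>
  <image xlink:href="https://example.net/remote.png" width="120" height="80"/>
  <a href="https://example.net/"><rect width="10" height="10"/></a>
</svg>"""


def _local(name: str) -> str:
    """Strip an {namespace} prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def _dimension(value: str) -> float:
    """Parse '100' or '100px' into a float; raises ValueError on anything else."""
    return float(value.strip().rstrip("px").strip())


def _is_square(root) -> bool:
    """Square if the viewBox (preferred) or width/height give equal positive sizes."""
    viewbox = root.get("viewBox")
    if viewbox:
        parts = viewbox.replace(",", " ").split()
        if len(parts) == 4:
            return float(parts[2]) == float(parts[3]) > 0
    width, height = root.get("width"), root.get("height")
    if width and height:
        return _dimension(width) == _dimension(height) > 0
    return False


def lint_bimi_svg(svg_text: str) -> list:
    """Return a list of rule violations; an empty list means the logo passes."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    if root.get("version") != "1.2" or not (root.get("baseProfile") or "").startswith("tiny"):
        problems.append('root should declare version="1.2" and an SVG Tiny baseProfile')
    try:
        if not _is_square(root):
            problems.append("logo is not square (viewBox or width/height differ)")
    except ValueError:
        problems.append("could not parse viewBox or width/height")
    for elem in root.iter():
        name = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if name == "script":
            problems.append("<script> element is not allowed")
        if name == "style" and elem.text and ("@import" in elem.text or "url(" in elem.text):
            problems.append("<style> references an external resource")
        for attr, value in elem.attrib.items():
            # Covers both plain href and xlink:href; only local #fragments are allowed.
            if _local(attr) == "href" and not value.strip().startswith("#"):
                problems.append(f"external reference in <{name}>: {value.strip()}")
            if _local(attr) == "style" and "url(" in value:
                problems.append(f"inline style on <{name}> references a resource")
    return problems


if __name__ == "__main__":
    for label, svg in (("good", GOOD_LOGO), ("bad", BAD_LOGO)):
        print(f"{label}: {lint_bimi_svg(svg) or 'OK'}")
```

The check is deliberately conservative: it rejects any `href` that is not a fragment, including `data:` URIs, because a logo that only needs shapes and fills should not need to reference anything at all.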

How Do I Get a VMC?

That’s a great question, and I wish we had a better answer for you. While VMCs for organizations are on the horizon, they’re not available yet for purchase. Just keep an eye out for them to be generally available in the near future.

5 comments
  • Hi, this is interesting, but hackers are so smart that they will find a way to mimic the logo. Especially since some of the instructions are provided in this post.

    • Hi, Susan! Thanks for your response to my article.

      Frankly, no single security mechanism is perfect. But I believe that doing something to increase email security is better than doing nothing. Using internet protocols like DMARC, SPF and DKIM is a great way to increase authentication, but there’s still always room for improvement. So while BIMI uses DMARC and such, there’s more to it.

      The advantage that BIMI presents is that it requires the sender to be authenticated by a third-party certificate authority before their validated company logo would appear. This is where the verified mark certificates come into play.

      And in order for the verified logo to appear next to your name, you’d need to have both DMARC and BIMI records. This is a place where you can set rules for how the email platforms handle unauthenticated emails from your domain (quarantine, reject, etc.).

      BIMI also has other protections that help to prevent hackers from sending spoofed logos from legit brands. So while hackers can spoof the sender’s name, the space next to your name is controlled by the email program. This isn’t something that users can control or modify.

      I hope all of this helps! Like you, we’re interested in seeing how everything goes with Google’s BIMI pilot.

  • Hi,

    interesting article. But two points are still unclear to me:

    1. Is the logo encoded in the VMC?
    2. Where is the issued VMC published?

    Thanks!

  • Hi, I don’t understand this at all. How would I add my BIMI logo to my Gmail to show my company on each and every campaign I blast out about my company to


Author

Casey Crane

Casey Crane is a regular contributor to Hashed Out with 10+ years of experience in journalism and writing, including crime analysis and IT security. She also serves as the SEO Content Marketer at The SSL Store.