Learn about BIMI — a new email standard that could boost your email visibility, build customer trust, and help fight phishing
If your job is related to email marketing, terms such as MX, PTR, SPF and DKIM are likely to be your bread and butter. If you’re not familiar with these terms, though, let me give you the quick summary: These records protect you and your customers from spam and help email servers (such as Yahoo, Gmail, etc.) trust your server.
Well, guess what! It’s time to add a new element called BIMI to your bread and butter. And this newcomer does something very different than the existing protocols — it showcases your company logo in your recipients’ email inboxes.
Let’s hash it out.
What is BIMI?
An acronym for Brand Indicators for Message Identification, BIMI is a new email standard that will allow brands to display designated, verified logos for authenticated email messages.
In simpler words, you can display your company’s logo in users’ inboxes (right next to your emails) once you’ve been authenticated to implement BIMI. In an email client that supports BIMI, your emails will look something like this:
Besides the obvious branding benefit, BIMI is intended to incentivize DMARC usage and help fight spam/phishing.
BIMI provides a meaningful incentive to help organizations complete their DMARC implementations, which will dramatically reduce fraud in inboxes worldwide. We hope the benefits of this standard will spur greater DMARC adoption of organizations of all sizes, thereby, making the entire email sending and receiving community safer.BIMI Group
Verified Mark Certificate (VMC): The Glue to Stick BIMI to Your Emails
A Verified Mark Certificate (VMC) is a digital certificate that authenticates your organization to display a BIMI logo. Verified Mark Certificates provide several key functions:
- Validate your organization and associate it with your official logo.
- Stop phishers and spammers from showing well-known logos next to their emails.
- Fight misuse of your company logo and brand.
Just like SSL/TLS certificates, Verified Mark Certificates will also be issued by trusted third-party certificate authorities upon successful verification of the business. The current plan is for Verified Mark Certificates to be mandatory for BIMI to be activated on a domain. DigiCert is one of the first CAs to join this initiative — they’ve already issued a verified mark certificate to CNN.com:
DigiCert is excited to work with CNN and members of the AuthIndicators Working Group to take this first step in demonstrating the feasibility and benefit of VMCs for global brands under the BIMI pilot program. We know that there is a demand for issuing VMCs at scale and we are fully committed to providing that capability.Jeremy Rowley, DigiCert Chief of Product
How Does BIMI Work?
In order for BIMI to work, you need to:
- Set up your BIMI record,
- Validate your domain, and
- Validate your logo.
For verification of your domain, you need to validate your domain through the Domain-based Message Authentication, Receiving & Conformance (DMARC) standard with a policy of quarantine or reject.
To authenticate your logo, you’ll need a Verified Mark Certificate. This certificate, as we mentioned, is issued by certificate authority.
What is a BIMI Record?
Fundamentally, BIMI is a text record stored on the DNS server — just like MX, PTR, SPF and DKIM. Once you’ve set up a BIMI text record on your server, your recipients’ email service providers will attempt to verify it before displaying your logo. Therefore, in order for BIMI to work, both your domain and logo need to be validated properly.
A basic BIMI record is pretty simple—it looks something like this:
How Verified Mark Certificates Work
As mentioned above, verified mark certificates work on a similar principle as SSL certificates — they need to be verified and issued by a trusted third party (certificate authority). In this case, the certificate authority is verifying the organization details and the organization logo.
Because BIMI is still a work in progress, the precise details of verified mark certificates are still being hammered out. But we can assume the final product (hopefully available in 2020) will have a validation and issuance process similar to an OV or EV SSL certificate.
How Verified Mark Certificates Validate BIMI Records
Here’s how verification of your logo happens:
- The email server will take the URL specified in the / tag, which is where the logo is stored.
- If the logo URL is found to be valid, then the server will take the location of the Verified Mark Certificate (VMC).
- Next, the email server will check whether the certificate verifies the published logo. Upon successful verification of the logo, the email server accepts it and displays the logo next to the message in the recipient’s inbox.
The Significance of BIMI and VMC
Emails are most fraudsters’ No. 1 choice when it comes to fooling and baiting users. We’ve seen many phishing scams that start with a simple email that claims to be an official email (but isn’t) and end up putting the security of entire organization at risk. This is an area where BIMI and VMC can play a crucial part:
- As email providers display verified logos of companies, the distinction between real and spoof emails will be clearer, and this can help users identify and avoid scam emails.
- Not only that, verified logos will enhance brand reputation and *could* lead to better results by improving brand visibility.
- BIMI increases the incentive for companies to implement DMARC, which really helps email providers identify and reject imposter emails.
Is BIMI Currently Being Used?
Right now, BIMI is undergoing its pilot phase, which means many email service providers are testing it before its full-fledged use begins. Entrust Datacard issued the first Verified Mark Certificate on Aug 30, 2019, then in October DigiCert announced it had issued a Verified Mark Certificate for CNN.com. Currently, Yahoo is testing a pilot of BIMI and Google is planning its own BIMI pilot in 2020. Soon, more major email service providers are expected to roll out support for BIMI and, as a result, it’ll become an industry standard.
As always, leave your thoughts and questions in the comments!