The year 2024 is off to a great start! Between the Google and Yahoo announcements, I can't say I'm bored at the start of this year... I'm taking advantage of a short break to tell you about my latest publication, an analysis of a Babbel email. Marine pointed out something I found very interesting: the display of a brand's logo in Gmail's inbox, just as BIMI does.
I suggest you use the same configuration as Babbel and display your logo in your Gmail users' inboxes by setting up BIMI (Brand Indicators for Message Identification), but without purchasing a VMC (Verified Mark Certificate)!
Marketer friends, this article is for you 🙂
Publish a restrictive DMARC record
Before getting to the heart of the matter, you first need to prepare your sending domain to be BIMI compliant... It's not me who says so, but the 4th draft of the BIMI specification!
To participate in BIMI, Domain Owners MUST have a strong [DMARC] policy (quarantine or reject) on both the Organizational Domain, and the RFC5322.From Domain of the message. Quarantine policies MUST NOT have a pct less than pct=100.
Your first objective is to have a DMARC record on your sender domain (or on your organizational domain if you send from a subdomain) with a restrictive security policy: either QUARANTINE or REJECT.
Important point to remember: if you choose QUARANTINE, filtering must apply to 100% of mail. Either have the tag pct=100; or omit the pct tag altogether (the default value is pct=100;). A lower pct means only a sample of failing messages is quarantined, which the BIMI draft does not accept.
Using the Babbel example, they opted to publish a DMARC record on the subdomain used as the sender with a REJECT policy: v=DMARC1; p=reject; rua=mailto:rua@dmarc-reports.babbel.com; ruf=mailto:ruf@dmarc-reports.babbel.com; adkim=s; aspf=r; rf=afrf; pct=100;
P.S.: Before publishing your DMARC record, remember that DMARC passes only if at least one of the two checks passes with alignment: your MailFrom (Return-Path) domain must have a valid SPF record and be aligned with the From (sender) domain, or the message must carry a valid DKIM signature whose d= domain is aligned with the From domain. If neither SPF nor DKIM passes in alignment, the DMARC policy is applied to your own mail... If you'd like to learn more about domain alignment, see our article on the subject!
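To make the alignment and policy rules above concrete, here is an added example (not Badsender's or Babbel's code) that evaluates one message against a DMARC record: it parses the record text as returned by nslookup, applies the adkim/aspf alignment modes, and reports whether the policy meets the BIMI draft's requirement. Babbel's record is the one shown above; the message details (Return-Path domain, DKIM d= domain) are constructed for the example, and the organizational-domain detection is a deliberate simplification (last two labels) that is wrong for public suffixes such as co.uk.

```python
"""DMARC alignment and BIMI-readiness check for one message.

Added example (not Badsender's or Babbel's code): it takes the DMARC record
text as returned by `nslookup -q=txt _dmarc.<domain>` plus the SPF/DKIM
results of one message, applies the alignment rules (adkim/aspf) and says
whether the policy is strong enough for BIMI. The organizational-domain
detection is a simplification (last two labels) that is wrong for public
suffixes such as co.uk; real code needs the Public Suffix List.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' DNS record into a dict (tag names lowercased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification for the example: organizational domain = last two labels.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    identifier = identifier.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str          # RFC5322.From domain (what the recipient sees)
    mailfrom_domain: str      # RFC5321.MailFrom / Return-Path domain checked by SPF
    spf_pass: bool
    dkim_domain: str | None   # d= of a DKIM signature that verified, None if none did
    dkim_pass: bool


def dmarc_evaluate(record: str, r: AuthResults) -> dict:
    tags = parse_tags(record)
    aspf = tags.get("aspf", "r")    # both alignment modes default to relaxed
    adkim = tags.get("adkim", "r")
    spf_aligned = r.spf_pass and aligned(r.mailfrom_domain, r.from_domain, aspf)
    dkim_aligned = (r.dkim_pass and r.dkim_domain is not None
                    and aligned(r.dkim_domain, r.from_domain, adkim))
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))    # an absent pct tag means 100
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,   # one aligned pass is enough
        "policy": policy,
        "pct": pct,
        # what a receiver is asked to do with this message if DMARC fails
        "action_on_fail": policy if pct == 100 else f"{policy} on {pct}% of failures",
        # BIMI draft: p=reject, or p=quarantine with pct=100 (explicit or default)
        "bimi_ready": policy == "reject" or (policy == "quarantine" and pct == 100),
    }


# Babbel's published record (from the article); the message details below
# (Return-Path domain, DKIM d= domain) are constructed for the example.
BABBEL_DMARC = ("v=DMARC1; p=reject; rua=mailto:rua@dmarc-reports.babbel.com; "
                "ruf=mailto:ruf@dmarc-reports.babbel.com; adkim=s; aspf=r; rf=afrf; pct=100;")

if __name__ == "__main__":
    good = AuthResults("members.babbel.com", "bounce.babbel.com", True, "members.babbel.com", True)
    # adkim=s: a signature from the organizational domain babbel.com does NOT align
    bad = AuthResults("members.babbel.com", "bounce.esp.example", True, "babbel.com", True)
    for label, msg in (("aligned", good), ("unaligned", bad)):
        print(label, dmarc_evaluate(BABBEL_DMARC, msg))
    print("weak policy bimi_ready:", dmarc_evaluate("v=DMARC1; p=quarantine; pct=50", good)["bimi_ready"])
```

Note what Babbel's adkim=s buys them: a DKIM signature from the organizational domain babbel.com does not align with a From of members.babbel.com, so only a signature from the exact sending subdomain counts. That is stricter than the default and worth knowing before you copy the record.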
Authenticate your sender domain with BIMI
Preparing your logo for BIMI and Gmail
The first step is to have a logo that meets BIMI's requirements. Only one format is accepted: SVG (Scalable Vector Graphics), and more precisely the SVG Tiny Portable/Secure (SVG P/S) profile, which forbids scripts, external references and other features a mailbox provider would not want to render.
For our example we need a BIMI-compliant logo, but for display as a profile photo in Gmail a JPG or PNG file is enough.
I invite you to follow Digicert's excellent tutorial for creating the logo in SVG format! We used it to create our own and we approve 🙂
Once you've created your logo, you'll need to upload it to your domain's web server, served over HTTPS.
Publish a BIMI record on your domain
The second step is to publish your BIMI record on your sending domain. There are a few constraints to respect...
- BIMI must be published in a TXT record;
- BIMI must be associated with a selector (like DKIM); the one in use is default, so the record is published at default._bimi.<your-domain>;
- The BIMI record must contain the following tags: v for the BIMI version, l for the logo URL, and optionally a for the URL of the trademark certificate (VMC);
- BIMI works by inheritance, so if you deploy it on your organizational domain, all subdomains will inherit the same record.
Some examples of BIMI declarations
- Babbel's BIMI record:
v=BIMI1; l=https://link.members.babbel.com/custloads/758336025/md_36162.svg
Checked with nslookup:
nslookup -q=txt default._bimi.members.babbel.com
default._bimi.members.babbel.com text = "v=BIMI1; l=https://link.members.babbel.com/custloads/758336025/md_36162.svg"
- Badsender's BIMI record:
v=BIMI1; l=https://www.badsender.com/wp-content/uploads/2022/09/badsender-logo.svg; a=;
Checked with nslookup:
nslookup -q=txt default._bimi.badsender.com
default._bimi.badsender.com text = "v=BIMI1; l=https://www.badsender.com/wp-content/uploads/2022/09/badsender-logo.svg; a=;"
- Journal des Femmes' BIMI record, with a VMC trademark certificate declared in the a tag:
v=BIMI1;l=https://bimi.entrust.net/journaldesfemmes.fr/logo.svg;a=https://bimi.entrust.net/journaldesfemmes.fr/certchain.pem
Checked with nslookup:
nslookup -q=txt default._bimi.journaldesfemmes.fr
default._bimi.journaldesfemmes.fr text = "v=BIMI1;l=https://bimi.entrust.net/journaldesfemmes.fr/logo.svg;a=https://bimi.entrust.net/journaldesfemmes.fr/certchain.pem"
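Before publishing, it is worth checking both the record and the logo file against the constraints listed above. The following is an added example (not Badsender's code): it validates a BIMI TXT value (v first and equal to BIMI1, an https logo URL, an https or empty a tag) and then inspects the SVG bytes for a subset of the SVG Tiny Portable/Secure rules (version and baseProfile attributes, a title element, no scripting or event attributes, no non-fragment href). The three records are the ones shown above; the two SVG files and the broken record are constructed for the example, and the SVG check is necessary, not sufficient, since it covers only part of the profile.

```python
"""Validate a BIMI TXT record and the SVG logo it points to.

Added example, not Badsender's code. It works on strings you already have
(the TXT value returned by `nslookup -q=txt default._bimi.<domain>` and the
bytes of the SVG file), so it runs offline; fetching the logo over HTTPS is
left to you. The SVG part checks only a subset of the SVG Tiny Portable/Secure
profile BIMI requires, so an empty problem list is necessary, not sufficient.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"


def parse_tags(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tag names lowercased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi_record(record: str) -> list[str]:
    """Return the problems found in a BIMI record; an empty list means it looks publishable."""
    problems: list[str] = []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not parts[0].lower().startswith("v="):
        problems.append("v= must be the first tag")
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        problems.append("v tag must be BIMI1")
    if "l" not in tags:
        problems.append("l tag (logo URL) is required")
    elif tags["l"] == "":
        problems.append("empty l= means the domain declines to publish a logo")
    elif urlparse(tags["l"]).scheme != "https":
        problems.append("logo URL must use https")
    cert = tags.get("a", "")            # optional: VMC / certificate chain URL
    if cert and urlparse(cert).scheme != "https":
        problems.append("a tag (certificate URL) must use https or be empty")
    return problems


def check_bimi_svg(svg_bytes: bytes) -> list[str]:
    """Check a logo against a few SVG Tiny P/S rules; returns a list of problems."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems: list[str] = []
    if root.get("version") != "1.2":
        problems.append('version="1.2" is required')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile="tiny-ps" is required')
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("a <title> child of <svg> is required")
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local in ("script", "foreignObject"):
            problems.append(f"<{local}> is not allowed")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]        # strip the xlink namespace if present
            if name.startswith("on"):         # onload, onclick, ... (scripting)
                problems.append(f"event attribute {name} on <{local}> is not allowed")
            if name == "href" and not value.startswith("#"):
                problems.append(f"non-fragment href on <{local}>: {value}")
    return problems


# Constructed sample logo files for the example (not real brand logos).
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <rect width="100" height="100" fill="#1f77b4"/>
</svg>"""

BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <image xlink:href="https://tracker.example/pixel.png" width="10" height="10" onload="fetch('https://tracker.example/')"/>
  <script>alert(1)</script>
</svg>"""

if __name__ == "__main__":
    for rec in (
        "v=BIMI1; l=https://link.members.babbel.com/custloads/758336025/md_36162.svg",
        "v=BIMI1; l=https://www.badsender.com/wp-content/uploads/2022/09/badsender-logo.svg; a=;",
        "l=http://logo.example/brand.svg; v=BIMI1",       # constructed bad record
    ):
        print(rec, "->", check_bimi_record(rec) or "OK")
    print("good svg ->", check_bimi_svg(GOOD_SVG) or "OK")
    print("bad svg ->", check_bimi_svg(BAD_SVG))
```

The SVG check matters even without a VMC: a logo file that embeds a script, an event handler or an external reference will be rejected by BIMI-aware receivers, and it is also exactly the kind of file you do not want served from your brand's domain.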
Change your Gmail profile picture
To display your logo to all your Gmail users, you must either send emails from a free Gmail account or have a paid Google Workspace account with access to the Admin console...
Changing the profile picture of a free Gmail account
The procedure is very simple: just edit the profile picture of your Gmail account:
Changing the profile picture of a Google Workspace account
To change the profile photo of a Google Workspace account, you have to go through the Admin console: a user cannot upload the photo themselves, an administrator does it for them.
- In the Admin console, go to Directory > Users
- Click the user's name to open the account page
- Click the profile avatar to change the photo
Test your logo display on Gmail
To test the display, simply send a test message from your routing tool:
Example with Babbel
Babbel uses the Emarsys routing tool to send its e-mails. The MX records of the sending domain point to Google's servers:
nslookup -q=mx members.babbel.com
members.babbel.com mail exchanger = 10 aspmx2.googlemail.com.
members.babbel.com mail exchanger = 20 alt1.aspmx.l.google.com.
members.babbel.com mail exchanger = 20 alt2.aspmx.l.google.com.
members.babbel.com mail exchanger = 30 aspmx2.googlemail.com.
members.babbel.com mail exchanger = 30 aspmx3.googlemail.com.
members.babbel.com mail exchanger = 10 aspmx.l.google.com.
Example with Badsender
Since my personal address is @gmail.com, the MX records necessarily point to Gmail's servers:
nslookup -q=mx gmail.com
gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
The final word from Badsender...
So now you know how Babbel displayed its logo in my Gmail inbox without a VMC certificate. All you have to do is replicate this setup if you can't purchase a brand certificate.
There are 2 advantages to this approach:
- Your Gmail users will have a better perception of you (even without the blue checkmark) thanks to the display of your logo. Note that this is not a guarantee of security: the picture Gmail shows here comes from the Google account's profile photo, not from the BIMI record, and Gmail only honours a BIMI record when the a tag points to a mark certificate. A recipient cannot tell a legitimate profile photo from one set up on a look-alike account, so the logo itself proves nothing about the sender.
- Your sender domain (or organizational domain) is already ready for BIMI should you decide to purchase a VMC in the short or medium term.
If you have any questions or requirements about implementing DMARC or BIMI, don't hesitate to contact us directly 😉
4 replies
Hi Sebastien! Thanks for this detailed article 🙂
We're in the process of deploying BIMI at ilek (DMARC 100% quarantine, INPI logo registration in progress with a view to purchasing the VMC), and at the moment, without having published a BIMI record, it seems that we already have our logo displayed for our main domain (because the logo is loaded into the Google console): https://prnt.sc/NRPvtV5en_1V
So do you think a BIMI record is required to get this fake-BIMI? Wouldn't this be standard behavior if your domain is associated with a Google Workspace account?
Hello,
I managed to put this in the DNS:
default._bimi.badsender.com text = " v=BIMI1; l=https://www.badsender.com/wp-content/uploads/2022/09/badsender-logo.svg; a=;"
However, I don't understand how to add this field:
nslookup -q=txt default._bimi.badsender.com
Are you in a position to help me?
Hello Philippe,
The "nslookup -q=txt default._bimi.badsender.com" command was only mentioned as a way to manually check the BIMI DNS declaration from the Terminal (on Mac).
It doesn't need to be added anywhere.
Kind regards,
Sebastien.
Hello Robin,
Displaying the logo in the Gmail inbox doesn't necessarily require a BIMI record (simply uploading it in the Google Workspace admin console is sufficient). However, for the purposes of this article, the intention was, first and foremost, to secure the domain name with DMARC and then BIMI (without a VMC certificate), with the added bonus of displaying the logo for Gmail users.
To answer your question, yes it's standard behavior 😉
Kind regards,
Sebastien.