E-mail flow security is a major asset today for every brand that uses this channel to communicate with its prospects and customers:
83% of all email attacks focus on brand identity theft (example: support@yourbrand.com) and 6% on personal identity theft (example: yourceo@yourcompany.com).
68% of the phishing emails blocked by Gmail today are new variations it has never seen before! Content filtering is no longer enough to protect your brand's reputation. (Digicert, 2019)
Live: Concretely (and in person), how do you deploy BIMI?
It's the kind of complex subject that's best discussed face-to-face. So Marion Duchatelet interviewed Sébastien Fisher, deliverability consultant at Badsender, during a live session.
Live also available as a podcast on listening platforms: Apple, Spotify, Deezer
Table of contents
- Live: Concretely (and in person), how do you deploy BIMI?
- What is BIMI?
- Why deploy BIMI?
- How does BIMI work?
- Adoption of BIMI
- Which messaging providers support BIMI?
- Some examples of BIMI displays from messaging providers
- What are the eligibility requirements for BIMI?
- How do I set up BIMI on my domain?
- Some useful links for implementing BIMI
What is BIMI?
BIMI (Brand Indicators for Message Identification) is a technical specification built on top of email authentication. It lets a company display its logo next to the sender name in the email clients that support the standard, and, because the logo is only shown for mail that passes an enforcing DMARC policy, it pushes the company to harden the authentication of its domain names.
BIMI relies on DMARC authentication* (Domain-based Message Authentication, Reporting and Conformance) to establish that an incoming email genuinely comes from the domain it claims. For the majority of mailbox providers supporting BIMI, displaying the logo also depends on a brand certificate, the VMC (Verified Mark Certificate), which attests to the origin and legitimacy of the logo.
* As a reminder: DMARC is an email authentication protocol that lets a domain owner apply a policy (QUARANTINE or REJECT) to an email that fails DMARC, i.e. one for which neither SPF nor DKIM produces a pass aligned with the From domain (SPF or DKIM invalid, or valid but not aligned with the sending domain), and that sends activity reports to the domain owner.
Why deploy BIMI?
According to the latest Vade study from 2023 (Study: Phishers' Favorites Ranking Balance 2023), more than 1.76 billion phishing URLs were sent worldwide by email... A record! All these phishing attacks have one thing in common: they try to create a false sender identity, posing as a brand in order to deceive recipients and obtain information (credentials, personal and/or sensitive data, etc.). And that's where BIMI comes in!
Thanks to its technical requirements, BIMI makes a significant contribution to strengthening the security of domain names (and therefore of email): it requires an enforcing DMARC policy (QUARANTINE or REJECT), and it makes a brand immediately recognizable in users' mailboxes through the display of its logo and, in some cases, a checkmark after the sender's name. Ultimately, BIMI stimulates engagement and gives a brand's customers a visual cue.
BIMI's main objective is to increase users' trust in brands by displaying their logo in the inbox, but also to "force" those same brands to strengthen the security of their domains with the existing authentication protocols, SPF, DKIM and DMARC, plus the VMC brand certificate.
Adding a VMC (Verified Mark Certificate) is a further safeguard for the domain, since it ensures that the logo has been registered with a trademark office such as INPI (for France).
Implementing BIMI will benefit marketing teams, IT teams and readers alike:
- Differentiation from other advertisers by displaying the company logo in the recipient's inbox (and/or when the email is opened);
- Strengthening user confidence in the brand thanks to the checkmark in the recipient's inbox (blue for Gmail, purple for Yahoo);
- Stepping up the fight against phishing by forcing the adoption of DMARC (and therefore SPF / DKIM) with a restrictive policy.
How does BIMI work?
Before implementing BIMI, you'll need to do a lot of upstream work on all the domain names you use. Some mailbox providers (Gmail in particular) require extensive technical validation and a good sending reputation before they will display the coveted logo with the checkmark (cf. Gmail's blue checkmark, Yahoo's purple checkmark)!
To operate, BIMI relies on DMARC authentication (Domain-based Message Authentication, Reporting and Conformance), so a DMARC record must be present either on your sender domain or on your organizational domain. In addition, it must carry an enforcing policy!
DMARC offers 2 enforcing policies:
- Quarantine:
p=quarantine
- Reject:
p=reject
If you don't have DMARC on your domain, or if your policy is set to "none" (p=none, monitoring only), BIMI won't be activated even if you've bought a VMC brand certificate!
Technically, how does it work? Example with Google
Companies that authenticate their emails (with SPF, DKIM and DMARC) must provide Google with their validated logo(s) via a Verified Mark Certificate (VMC). BIMI relies on Mark Verifying Authorities (MVAs such as Digicert or Entrust) to check logo ownership and provide proof of verification. Once an email has passed Google's authentication and anti-spam checks, Gmail displays the sender's logo instead of the default avatar.
The VMC (Verified Mark Certificate) is a digital certificate issued by an MVA (currently Digicert and Entrust). Its purpose is to prove that the logo associated with the domain has been verified by a third party (the MVA) and is registered with a trademark registration body (e.g. INPI). A word of caution about MVAs, however: it is the mailbox providers who decide whether or not to accept a given MVA's VMC certificates. To sum up:
- Each messaging provider supporting BIMI may have different criteria for deciding whether or not to accept VMC from an MVA.
- An MVA may be required to go through a separate verification process with each messaging provider.
- Validation of an MVA's VMCs by one or more messaging providers (who support BIMI) does not guarantee that the MVA's VMCs will be accepted by all messaging providers.
Adoption of BIMI
In January 2024, Spam Resource published an article on BIMI adoption across a list of 10 million domains. It shows that only 12% of them (1.2 million) have published a DMARC record, and that in the end almost 17,000 have published a BIMI record on the main domain (there's always a margin of error in these figures, since it's perfectly possible to deploy BIMI on a sub-domain without declaring it on the main domain, even if that's a bit silly in my opinion). That works out to an adoption rate of around 1.4% of the DMARC-enabled domains! On the other hand, 14% of those BIMI domains went on to buy a VMC brand certificate on top of deploying BIMI, which is still quite interesting when you consider what such a certificate costs a company!
For comparison, in August 2023 I checked the BIMI records on the main domains of CAC40 companies: the BIMI adoption rate was 7.5%, i.e. 3 companies out of 40 had published a BIMI record, and only one had opted for a VMC brand certificate! See you in August 2024 for the first publication on BIMI adoption by CAC40 companies (and, at the same time, the update of my article on DMARC adoption by those same companies).
Which messaging providers support BIMI?
Since the launch of BIMI, many email providers have joined the working group. Gmail, Yahoo and Fastmail have supported BIMI since 2021. Apple announced support in macOS and iOS 16 from autumn 2022, while La Poste announced support on August 29, 2022.
Messaging providers that support BIMI
* Update of 09/11/2024: Zoner (Czech webmail) joins the group of providers officially supporting BIMI!
Messaging providers planning to support BIMI
Messaging providers not supporting BIMI
Messaging providers supporting BIMI but not officialized by the BIMI Group
* Update of 09/11/2024: Zoho Mail (American webmail) has been supporting BIMI in its Mail application for several weeks now!
You can find the official list of messaging providers on the BIMI Group website.
Some examples of BIMI displays from messaging providers
Apple iCloud (Mail on desktop)
The logo is not visible in the user's inbox, but only when the email is opened. Apple mentions a "Digitally Certified" verification to validate BIMI (cf. Learn more: This email was verified as coming from the owner of the logo shown and the domain "news.journaldesfemmes.fr". Apple uses the Brand Indicators for Message Identification (BIMI) standard).
Apple iCloud (Mail on mobile)
The logo is not visible in the user's inbox, but only when the email is opened. Apple mentions a "Verified Logo" verification to validate BIMI.
Gmail (Desktop version)
The logo is not visible in the user's inbox, but only when the email is opened. A blue checkmark is displayed between the display name and the sender address. When the cursor hovers over the address, Gmail states that the sender has been verified and is certified.
Gmail (Mobile application)
The logo is visible in the inbox and when the email is opened. No checkmark visible when email is opened.
Yahoo (Desktop version)
The logo is not visible in the user's inbox, but only when the email is opened. A purple checkmark is displayed between the display name and the sender address. When the cursor hovers over the address, Yahoo states that the sender has been verified and is certified.
Yahoo (Mobile application)
The logo is visible in the inbox and when the email is opened. A purple checkmark is displayed after the sender address. When the cursor hovers over the address, Yahoo states that the sender has been verified and is certified.
La Poste (Desktop version)
The logo is visible in the inbox and when the email is opened. No checkmark visible when email is opened.
SFR (Desktop version)
The logo is visible in the inbox and when the email is opened. No checkmark visible when email is opened.
Infomaniak (Desktop version)
The logo is visible in the inbox and when the email is opened. A blue checkmark is also visible when the email is opened. Infomaniak mentions that the sender has been verified and is certified.
Fastmail (Desktop version)
The logo is not visible in the user's inbox, but only when the email is opened. No checkmark visible when email is opened.
What are the eligibility requirements for BIMI?
To be eligible to have your logo displayed in the inboxes of BIMI-supporting e-mail providers, you'll need to go through 4 distinct and equally important stages.
1. Register your brand and logo
Register your brand and logo with a trademark registration organization (such as INPI) that is approved by Digicert or Entrust! This is the most important step: without a registered trademark and logo, you won't be able to obtain a VMC brand certificate for BIMI (with one exception, Yahoo, see step 4).
Digicert and Entrust, the only bodies currently able to issue a VMC brand certificate, each publish on their website the (evolving) list of approved trademark registration bodies.
Note that INPI is recognized by both! No need to register your trademark at European level if you're only targeting the French market.
2. Authenticate your domains
Authenticate all your organization's emails with SPF, DKIM and DMARC! This second step involves ensuring that your sender domain (or organizational domain) has a correctly configured DMARC record. For all your legitimate emails to pass DMARC, SPF and DKIM must not only pass but also be aligned: the MailFrom (envelope sender) domain checked by SPF, and the d= domain of the DKIM signature, must match the From domain (exactly in strict mode, or within the same organizational domain in relaxed mode). A further constraint is that your DMARC policy must be either QUARANTINE applied to 100% of mail (pct=100, which is the default) or REJECT.
The following record is eligible for BIMI:
v=DMARC1; p=reject; rua=mailto:dmarc+658db00214fab9b5c11f1c9a@emailconsul.com,mailto:dmarc@badsender.com; ruf=mailto:dmarc@badsender.com; fo=1;
Here the DMARC policy is REJECT, applied to 100% of mail (the default when pct is not declared).
The following record is not eligible for BIMI:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc+658db00214fab9b5c11f1c9a@emailconsul.com,mailto:dmarc@badsender.com; ruf=mailto:dmarc@badsender.com; fo=1;
Here the DMARC policy is QUARANTINE but applied to only 10% of mail (pct=10), so the other 90% is not enforced and BIMI will not be honoured. Note also that if the record sits on the organizational domain and carries a sub-domain policy, sp= must not be none either.
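To make the rules from the two passages above (the two enforcing policies, and the eligibility conditions on p=, pct= and sp=) concrete, here is an added example, not code from the original article: a small checker that parses a DMARC TXT record and says why it would or would not qualify for BIMI. It assumes the record text has already been fetched from the _dmarc TXT record; the two sample records are constructed from the ones quoted above.

```python
# Added example, not code from the original article: check a DMARC record against
# the BIMI eligibility rules (enforcing policy, pct=100, and no sp=none, which the
# BIMI specification also excludes for the organizational domain).
# Assumption: the record text was already fetched from the _dmarc TXT record.

from typing import Dict, List, Tuple


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC/DKIM/BIMI style) into a dict.

    Tag names are case-insensitive, so they are lower-cased; values keep their
    case because mailto: URIs in rua=/ruf= may be case-sensitive.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    return tags


def bimi_eligible_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Return (eligible, problems) for a DMARC record under the BIMI rules.

    Rules checked:
      * the record starts with v=DMARC1;
      * p= is quarantine or reject (p=none only monitors, it enforces nothing);
      * pct=, if present, is 100 (a partial rollout leaves most mail unenforced);
      * sp=, if present, is not none (otherwise sub-domains inherit no enforcement).
    """
    problems: List[str] = []
    tags = parse_tag_value(record)

    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record does not start with v=DMARC1")

    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or '<missing>'} is not an enforcing policy")

    pct = tags.get("pct", "100")  # DMARC default when the tag is absent
    if not pct.isdigit() or int(pct) != 100:
        problems.append(f"pct={pct} applies the policy to only part of the mail flow")

    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none leaves sub-domains without an enforcing policy")

    return (not problems, problems)


# Constructed samples, based on the two records quoted in the article.
ELIGIBLE_RECORD = (
    "v=DMARC1; p=reject; rua=mailto:dmarc@badsender.com; "
    "ruf=mailto:dmarc@badsender.com; fo=1;"
)
NOT_ELIGIBLE_RECORD = (
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@badsender.com; "
    "ruf=mailto:dmarc@badsender.com; fo=1;"
)

if __name__ == "__main__":
    for rec in (ELIGIBLE_RECORD, NOT_ELIGIBLE_RECORD):
        ok, why = bimi_eligible_dmarc(rec)
        print("eligible" if ok else "NOT eligible", rec, *why, sep="\n  ")
```

Run it against the TXT record you get from `dig +short TXT _dmarc.yourdomain.com`; a non-empty problem list means the logo will not be displayed whatever the state of your VMC.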
3. Create your logo in SVG Tiny PS format
For this third step, BIMI requires the logo in a specific format, namely SVG (Scalable Vector Graphics), and not just any SVG: the BIMI Group's profile is SVG Tiny Portable/Secure (SVG Tiny PS), a restricted subset of SVG Tiny 1.2 (the file declares baseProfile="tiny-ps"). There are 2 options for creating the logo: do it yourself with Adobe Illustrator, or use the script provided by the BIMI Group for Adobe Illustrator. If you choose option 1, here's what you need to do:
- Convert your logo from pixel to vector format
- Export your logo in SVG Tiny 1.2 format
- Edit your logo in SVG format in a text editor
- Save your logo as a text file with the .svg extension
Find the full tutorial on the Digicert website
Caution: you may only use, in the correct format, the logo that has been registered with your trademark office. Otherwise Digicert or Entrust will not validate this step and will ask you to bring it into compliance.
As for hosting, Google recommends hosting your logo over HTTPS on a public server of the domain on which BIMI is implemented, rather than on external hosting, even though you could host it on Entrust's or Digicert's servers (the BIMI specification requires an HTTPS URL in any case).
The height and width of the image must be at least 96 pixels and must be specified in absolute pixels (example: width="96" height="96").
The logo image must appear on a solid-colored background. Transparent backgrounds may not be displayed as intended.
The SVG file size must not exceed 32 KB.
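The constraints listed above (SVG Tiny PS base profile, absolute pixel dimensions of at least 96 px, 32 KB limit) can be checked before you submit the logo. The following is an added example, not code from the original article or from the BIMI Group: a structural sanity check of a logo file that also enforces two Tiny PS restrictions that matter for security, no script element and no external references. It is not the full profile validator (it does not check the solid background, for instance); both SVG documents in it are constructed for the example.

```python
# Added example, not code from the original article or the BIMI Group: a
# structural check of a BIMI logo (SVG Tiny PS). Both SVG samples are constructed.

import xml.etree.ElementTree as ET
from typing import List, Optional

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024  # size limit quoted in the article


def _absolute_px(value: Optional[str]) -> Optional[int]:
    """Integer pixel count of an absolute length ("96" or "96px"), else None."""
    if value is None:
        return None
    v = value.strip()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def check_bimi_svg(svg: bytes, min_px: int = 96) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []
    if len(svg) > MAX_BYTES:
        problems.append(f"file is {len(svg)} bytes, above the {MAX_BYTES} byte limit")
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SVG_NS}}}svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile must be "tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('version must be "1.2"')
    for attr in ("width", "height"):
        px = _absolute_px(root.get(attr))
        if px is None:
            problems.append(f"{attr} must be given in absolute pixels")
        elif px < min_px:
            problems.append(f"{attr}={px} is below the {min_px} px minimum")
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing <title> element (should carry the brand name)")

    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local in ("script", "foreignObject"):
            problems.append(f"<{local}> is not allowed in SVG Tiny PS")
        for name, value in el.attrib.items():
            # href / xlink:href may only point inside the document (#id), never to a URL
            if name.split("}")[-1] == "href" and not value.startswith("#"):
                problems.append(f"<{local}> references an external resource: {value}")
    return problems


# Constructed: a minimal logo that satisfies every check above.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps"
     viewBox="0 0 96 96" width="96" height="96">
  <title>Example Brand</title>
  <rect width="96" height="96" fill="#ffffff"/>
  <circle cx="48" cy="48" r="32" fill="#1a73e8"/>
</svg>"""

# Constructed: the same logo exported carelessly, with a percentage size,
# no base profile, a script and an externally hosted bitmap.
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" width="100%" height="100%">
  <script>alert(1)</script>
  <image xlink:href="https://cdn.example/logo.png" width="96" height="96"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        print(label, check_bimi_svg(doc) or "OK")
```

The script and external-reference checks are the ones worth keeping even if you relax the rest: a logo is fetched and rendered by the mailbox provider, so anything beyond static vector shapes is both rejected by the profile and a liability for the receiver.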
4. Buy a VMC brand certificate
Although this step is optional in the specification, almost all mailbox providers that support BIMI require a Verified Mark Certificate (VMC) to be referenced in your BIMI record before they will display the logo and/or checkmark.
Yahoo and La Poste can display the logo in users' inboxes without a VMC certificate, but with a few restrictions:
- Yahoo requires senders to have a very good reputation;
- La Poste requires proof of trademark registration, submitted through its contact form.
Another important point is that a VMC certificate covers only one logo, so choose it carefully so that it is clearly visible and identifiable in your users' inboxes. If you want to use several logos across your domains, you'll need to buy one VMC certificate per logo.
Price per certificate as of March 22, 2024:
- Digicert:
  * VMC certificate for 1 year: 1,340.00 euros excluding VAT
  * Each additional domain: 445.00 euros excluding VAT
- Entrust:
  * VMC certificate for 1 year: 1,272.31 euros excluding VAT
  * Each additional domain: 488.74 euros excluding VAT
Caution: a VMC certificate bought for a logo only covers BIMI on one domain (including all its sub-domains). If you want to use your VMC certificate on several domains, you'll pay a surcharge for each additional domain.
BIMI's bad story
On June 6, 2023, Forbes published an article on a BIMI flaw in Gmail. A cybersecurity engineer (Chris Plummer) received a phishing email that Gmail had validated with the full logo and blue checkmark. The email had travelled from Facebook to a UK netblock, then through Office 365, and finally landed in Chris Plummer's inbox. The problem was that Gmail only relied on the SPF check, so the DKIM signature could have come from any domain (which fooled Gmail, since SPF raised no validation problem). To correct this, Google strengthened its BIMI checks by making DKIM validation with domain alignment mandatory, meaning that the domain in the DKIM signature must be aligned with the sender domain (either it belongs to the same organization, which is relaxed alignment, or it is identical, which is strict alignment and in my opinion remains the most relevant). Since then, no other bad experience has been reported with Gmail (or any other email provider).
How do I set up BIMI on my domain?
Deployment of BIMI
To set up BIMI on your domain, you first create a TXT record in your DNS zone. Just like DKIM, the BIMI record is published under a selector: it lives at selector._bimi.yourdomain (for example default._bimi.badsender.com). The default selector is "default", but you're free to use your own selectors if you need to manage multiple domains or logos, for example; there's no limit on that.
The record must contain the following elements:
- v=BIMI1; gives the BIMI version
- l=<URL of your logo in SVG format>; indicates the HTTPS URL where your logo can be found
- a=<URL of your certificate in PEM format>; indicates the URL where your VMC brand certificate can be found (optional)
Here are some examples of BIMI records:
- Alan.com :
v=BIMI1; l=https://static.alan.com/bimi/alan_sa_tiny_ps.svg; a=https://static.alan.com/bimi/alan_sa_690040353.pem;
- Carrefour-banque.fr :
v=BIMI1; l=https://bimi.entrust.net/carrefour-banque.fr/logo.svg; a=https://bimi.entrust.net/carrefour-banque.fr/certchain.pem
- Badsender.com :
v=BIMI1; l=https://www.badsender.com/wp-content/uploads/2022/09/badsender-logo.svg; a=;
A waiting period of up to 48 hours may be necessary before your logo appears in the inbox.
If an empty image and certificate are declared (i.e. v=BIMI1; l=; a=;) on a domain, that domain explicitly declines to participate in BIMI and no logo will be displayed. Note that this is not the same as a domain with no BIMI record at all: a sub-domain with no record falls back to the organizational domain's record, whereas a sub-domain with an empty record does not.
How do I validate BIMI?
The official BIMI website (https://bimigroup.org/) lets you either generate your BIMI record from the URLs of your logo and/or brand certificate, or test and validate the implementation of BIMI on your domain. Visit the dedicated page, https://bimigroup.org/bimi-generator/, and enter your domain name (organizational domain or sub-domain).
What is your deployment strategy?
Like DMARC, BIMI works with inheritance: once a record is published on your organizational domain, all your sub-domains inherit it. Handy if you have a single record and dozens of sub-domains to manage.
Another similarity with DMARC: if a BIMI record is present on a sub-domain, it takes precedence over the record on the organizational domain (useful if you want to manage several logos within the same organization).
If you want to add one BIMI record per sub-domain (even if it's exactly the same), you can do that too. However, if you ever need to update the record, you'll have to do so on each sub-domain!
Choice 1: Deploy BIMI only on the organizational domain
No record is found for the sub-domain, so the receiver looks up the organizational domain's record.
Choice 2: Deploy BIMI on a sub-domain
The record is present on the sub-domain, so no lookup is performed on the organizational domain.
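The record format and the two deployment choices above are easiest to reason about as a lookup function. The following is an added example, not code from the original article: it parses a v=BIMI1 record, classifies it (usable, explicit opt-out, or invalid because a URL is not HTTPS), and resolves which record applies to a given From domain by trying the sub-domain first and the organizational domain second, with an empty "l=; a=;" record stopping the fallback. The sender picks the selector through the BIMI-Selector header; "default" is assumed here. The DNS zone is a constructed in-memory dict for the hypothetical domain brand.example so that it runs offline, and org_domain() deliberately takes the last two labels, where a real receiver uses the Public Suffix List.

```python
# Added example, not code from the original article: BIMI record parsing and the
# sub-domain / organizational-domain lookup order. ZONE is a constructed zone for
# the hypothetical brand.example; org_domain() is a simplification (real
# implementations use the Public Suffix List).

from typing import Dict, Optional, Tuple

BimiRecord = Dict[str, Optional[str]]


def parse_bimi_record(txt: str) -> BimiRecord:
    """Parse 'v=BIMI1; l=<logo>; a=<vmc>;' and classify it.

    status is 'ok' (logo present, VMC optional), 'declined' (l= and a= both
    empty, the explicit opt-out) or 'invalid' (wrong version, or a logo/VMC URL
    that is not https, which the specification requires).
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.lower()] = value.strip()
    logo, vmc = tags.get("l", ""), tags.get("a", "")
    if tags.get("v") != "BIMI1":
        status = "invalid"
    elif logo == "" and vmc == "":
        status = "declined"
    elif not logo.startswith("https://") or (vmc and not vmc.startswith("https://")):
        status = "invalid"
    else:
        status = "ok"
    return {"status": status, "logo": logo or None, "vmc": vmc or None}


def org_domain(domain: str) -> str:
    # Simplification for the example: last two labels. Real receivers use the
    # Public Suffix List so that e.g. brand.co.uk is handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def lookup_bimi(zone: Dict[str, str], from_domain: str,
                selector: str = "default") -> Tuple[Optional[str], Optional[BimiRecord]]:
    """Return (domain whose record was used, parsed record), or (None, None).

    The From domain is tried first; only if it has no record at all does the
    lookup fall back to the organizational domain. A record that declines
    (l=; a=;) is still a record, so it is returned and stops the fallback.
    """
    candidates = [from_domain.lower()]
    if org_domain(from_domain) != from_domain.lower():
        candidates.append(org_domain(from_domain))
    for name in candidates:
        txt = zone.get(f"{selector}._bimi.{name}")
        if txt is not None:
            return name, parse_bimi_record(txt)  # first hit wins, even if it declines
    return None, None


# Constructed zone: an organizational record with a VMC, a sub-domain with its
# own logo and no VMC, and a sub-domain that explicitly opts out.
ZONE = {
    "default._bimi.brand.example":
        "v=BIMI1; l=https://brand.example/bimi/logo.svg; a=https://brand.example/bimi/vmc.pem;",
    "default._bimi.promo.brand.example":
        "v=BIMI1; l=https://brand.example/bimi/promo-logo.svg; a=;",
    "default._bimi.internal.brand.example":
        "v=BIMI1; l=; a=;",
}

if __name__ == "__main__":
    for d in ("brand.example", "news.brand.example", "promo.brand.example",
              "internal.brand.example", "other.example"):
        print(d, "->", lookup_bimi(ZONE, d))
```

news.brand.example has no record of its own and so inherits the organizational logo and VMC (choice 1); promo.brand.example carries its own record, which wins (choice 2); internal.brand.example has published the empty record and therefore gets no logo even though its parent has one.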
Some useful links for implementing BIMI
To conclude this BIMI implementation guide, I'd like to share a few useful links with you:
- Official BIMI website: https://bimigroup.org/
- The IETF Internet-Draft specifying BIMI (still a draft, not a published RFC)
- Getting ready for BIMI by Google
- The Entrust website dedicated to VMC
- The Digicert website dedicated to VMC