Email Security in 2024: What is BIMI and How Does It Work?
Remember the wax seals that kings, queens, and courts used on letters years ago? It would prove to recipients the letter was legitimate and also alert them if there had been any tampering. The wax seal would protect the contents of the letter and could not be easily replicated by malicious individuals.
BIMI is the modern-day equivalent of this wax seal; it allows you to add your company logo to your emails and assure your readers of your sender legitimacy. Plus it’s great for branding!
That said, it’s not as simple as uploading a JPG file on your server and adding it to your profile. There’s a long process to implementing the BIMI protocol on your domain.
Discover the inner workings of BIMI, how it’s tied in with other security protocols, and its numerous benefits in this in-depth guide.
What is BIMI?
Brand Indicators for Message Identification, or BIMI, is an email authentication and marketing initiative that allows companies to display their brand logos alongside their authenticated emails in the recipient’s email inbox.
The goal of BIMI is to enhance the visual recognition of legitimate emails and to help users identify and trust the emails they receive.
BIMI aims to provide a visual cue to email recipients, which helps them quickly recognize legitimate emails from trusted senders and reduce the chances of falling victim to phishing attacks. However, widespread adoption of BIMI depends on both email senders implementing the necessary authentication measures and email clients supporting the display of logos based on BIMI records.
How Does BIMI Work?
BIMI works by associating a brand’s logo with its authenticated email messages, providing a visual indicator to help recipients quickly recognize legitimate emails from trusted senders.
Here’s a basic overview of how BIMI works:
- Email authentication: BIMI builds upon existing email authentication protocols, primarily DMARC (Domain-based Message Authentication, Reporting, and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework).
- Brand validation: Organizations interested in implementing BIMI must first authenticate their emails using DMARC. To participate in BIMI, organizations typically need to implement strict DMARC policies. BIMI also involves brand verification to ensure the organization owns the logo associated with the domain.
- Logo specification: The logo must meet certain technical specifications, such as size and format, to ensure proper display across different email clients. The goal is to create a standardized way for brands to present their logos consistently in email clients.
- DNS TXT record: Companies publish a BIMI record in their DNS (Domain Name System). This record contains information about the location of the brand’s logo, as well as any additional information required for proper display.
- The BIMI logo: Mailbox providers that support BIMI will check for the BIMI record when processing authenticated emails from a participating domain. If found, the email client retrieves the brand’s logo from the specified location and displays it alongside the email message in the recipient’s inbox.
By integrating BIMI, the email industry aims to improve the visual identification of legitimate emails, to strengthen brand recognition, and to enhance overall email security by encouraging the widespread implementation of strong email authentication practices. Successful implementation and adoption of BIMI depends on both email senders and email clients supporting the necessary standards.
The Benefits of BIMI
BIMI offers several benefits for both email senders and recipients.
Here are the 8 biggest advantages of implementing BIMI:
- BIMI allows authenticated email senders to display their brand logos alongside their messages in the recipient’s inbox. This visual cue enhances brand recognition and helps recipients quickly identify legitimate emails, encouraging trust in the communication.
- By providing a visual indicator of a legitimate brand, BIMI helps reduce the risk of phishing attacks. It becomes more challenging for malicious actors to impersonate trusted brands when legitimate logos are consistently displayed.
- It works in conjunction with existing email authentication protocols such as DMARC, DKIM, and SPF. This layered approach strengthens overall email security by reducing the likelihood of unauthorized and hostile emails reaching recipients’ inboxes.
- Implementing BIMI, along with other email authentication measures, contributes to a positive sender reputation. This can lead to better email deliverability and fewer emails being mistakenly marked as spam.
- BIMI encourages a standardized way of presenting brand logos across different email clients. This ensures a consistent and recognizable brand image, reinforcing brand identity and promoting a professional appearance in email communications.
- Implementing BIMI on a domain enhances the overall user experience by providing a visually appealing and consistent display of brand logos. This can contribute to a more engaging and user-friendly email environment.
- BIMI is gaining support as an industry standard for email authentication. As more organizations adopt BIMI, it contributes to a more secure and trustworthy email ecosystem.
- Besides security, BIMI also serves as a marketing tool. It allows companies to promote their brand visually within the email inbox, potentially increasing brand awareness and customer engagement.
As the email industry continues to evolve, BIMI represents a positive step toward improving email security and user trust.
The Role of a VMC in BIMI Implementation
A Verified Mark Certificate (VMC) is a digital certificate used in the context of email authentication, specifically in the implementation of BIMI. The VMC plays a crucial role in verifying the authenticity and ownership of the brand associated with the email, as it is issued to the organization only after successful brand verification. It serves as proof that the organization owns the brand associated with the email.
Once authenticated and verified, the organization specifies the logo they want to display alongside their emails. The logo must meet certain technical specifications, such as format and size, to ensure proper display across different email clients.
VMCs are currently issued by only two Certification Authorities: DigiCert and Entrust.
While a few mailbox providers currently accept logos without a VMC, we feel the tides will change, and email senders will need to use a logo backed by a proper VMC.
In the near future, using a VMC for BIMI will become the norm.
Requirements for a VMC
Here are a few points to keep in mind as you apply for a VMC:
- You must trademark your logo — in the US, you can do this through the United States Patent and Trademark Office (USPTO).
- You need a physical address.
- You need to show proof of ownership of your domain.
- You must have DMARC implemented on your domain.
- Your logo must meet the requirements as stated by the certificate authority issuing the VMC — typically, an SVG TinyP/S version of your logo.
The toughest part of this process is getting a trademark for your logo. The process might take anywhere between a year and 18 months, but it is a key prerequisite to getting the VMC.
How BIMI Uses a VMC
BIMI uses a VMC as a crucial element in its authentication process to enhance the visual identification of legitimate emails.
The process begins with an organization applying for brand verification, certifying the ownership and legitimacy of the associated brand. Following successful verification, the organization creates a BIMI record in the DNS of their domain, including the location of their brand logo and referencing the VMC in the DNS TXT record.
The VMC, which serves as a digital certificate, attests to the authenticity and ownership of the brand. As part of email authentication, BIMI works alongside protocols such as DMARC, DKIM, and SPF to ensure the secure transmission of emails. When a BIMI-supported email client receives an authenticated email, it checks for the BIMI record in the DNS, fetches the organization’s logo from the specified URL, and displays it alongside the email.
This visual indicator, backed by the VMC, enhances the recipient’s ability to identify and trust legitimate emails visually.
How to Set Up BIMI on Your Domain
The process of adding BIMI to your domain is a long one, but the benefits make the efforts worth it, especially for big brands and high-volume email senders.
- Plan the BIMI setup process
- Register your brand logo as a trademark
- Get a VMC
- Upload your brand logo
- Create a BIMI record on your domain
Looks simple enough, right?
We will now break down each of these phases, so you have a clearer idea of what the necessary steps look like.
Setting Up BIMI: Preparations
Before you begin, know that you will first need to have SPF, DKIM, and DMARC up and running on your domain. If you haven’t done that, set them up first.
The second step is to learn how to add/append TXT records on your domain.
A TXT (Text) record is a type of DNS record that serves to store text information associated with a domain. Here’s a table explaining the importance of TXT records with respect to security protocols.
Email Security Protocol | TXT function |
---|---|
SPF | TXT records define authorized mail servers allowed to send emails on behalf of a domain |
DKIM | Public keys used to verify email authenticity and integrity are stored in TXT records |
DMARC | DMARC uses TXT records to specify policies for handling failed authentication checks |
Along with these three, your BIMI information goes into a TXT record as well. So it’s critical you keep the credentials of your domain provider ready so you can create or edit your TXT records.
Registering Your Brand Logo
This is the longest step of the BIMI installation process. Waiting for the trademark paperwork to come through can take between 9 and 18 months.
To register your brand logo as your own — a trademark — in the U.S., you need to go through the United States Patent and Trademark Office (USPTO). If you’re in Europe, you have to follow the process listed on the European Union Intellectual Property Office (EUIPO) website. In short, depending on your country, you’ll have to find an equivalent authority.
We highly recommend you hire an attorney to guide you through this process.
Here are the steps to trademark your brand logo in the U.S.:
- Before you apply for a trademark, conduct a thorough search to ensure a similar or identical trademark doesn’t already exist. This search helps avoid potential conflicts and increases the chances of a successful application. We also recommend you make it a global search.
- Determine the class of goods and services for which you intend to use the trademark. The USPTO classifies goods and services into specific categories.
- Prepare a specimen that shows how you are currently using the trademark in commerce. For a logo, this might include samples such as product labels, packaging, or marketing materials displaying the logo.
- File a trademark application with the USPTO. You can do this online through the USPTO’s Trademark Electronic Application System (TEAS).
- Pay the required filing fee; it’s currently $250. But this amount can change depending on the filing option you choose (for example, regular, TEAS Plus, or TEAS RF).
- After filing, the USPTO will inspect your application. If there are any issues or if additional information is required, you may receive an “Office Action.” Monitor your application status and respond promptly to any requests or objections.
- If the USPTO approves your application, they will publish it in the Official Gazette. This gives the public an opportunity to oppose the registration if they believe it will harm their existing rights.
- If there are no oppositions and your trademark is fully approved, you will receive a Certificate of Registration. This certificate serves as evidence of your trademark rights.
With the toughest step out of the way, you are now in the clear to apply for a VMC.
Get a VMC
To get a VMC, reach out to either DigiCert or Entrust and purchase a VMC — this will cost you between $1,299 and $1,499. The process will need you to submit a lot of documents to prove you own your business.
Once the certification authority approves your VMC, it will send you a Privacy Enhanced Mail (PEM) file. You must upload this PEM file to your web server and jot down the PEM file URL — you have to include this URL in your BIMI TXT record.
Upload Your Brand Logo
For BIMI, you need an SVG (Scalable Vector Graphics) version of your brand logo. Double-check if the SVG file meets the technical specifications outlined in the BIMI standard, including size and format requirements.
This means you have to save it in the SVG Tiny P/S format, which is a version of SVG. The logo must be square, and ensure you don’t include external links or references, scripts, or animations, or any “x=” or “y=” attributes in the <svg> root element.
It’s time to upload your logo file to your public web server, and it must be in the same domain as your outgoing email server. Copy and save the URL for the SVG file, as you will need to use it for your BIMI TXT record.
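Before uploading, the logo restrictions listed above can be checked mechanically. The following is an added example, not code from this article or from any BIMI tooling; the function name and sample logos are constructed, and the baseProfile check reflects the SVG Tiny P/S profile rather than anything stated on this page.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Script and animation elements, which the logo must not contain.
BANNED = {"script", "animate", "animateColor", "animateMotion", "animateTransform", "set"}

def check_bimi_svg(svg_text):
    """Return a list of problems found in an SVG logo; an empty list means it passed."""
    # Refuse DTDs outright so a hostile file cannot trigger entity expansion.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DOCTYPE/ENTITY declarations refused (entity-expansion risk)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    # SVG Tiny P/S files declare their profile on the root element.
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> lacks baseProfile="tiny-ps"')
    for attr in ("x", "y"):
        if attr in root.attrib:
            problems.append(f"root <svg> carries a {attr}= attribute")
    # Square check: viewBox is "min-x min-y width height".
    box = root.get("viewBox", "").replace(",", " ").split()
    try:
        width, height = float(box[2]), float(box[3])
        if width <= 0 or width != height:
            problems.append(f"viewBox is {width:g}x{height:g}, not square")
    except (IndexError, ValueError):
        problems.append("viewBox missing or malformed; cannot confirm a square logo")
    for el in root.iter():
        name = el.tag.split("}")[-1]
        if name in BANNED:
            problems.append(f"<{name}> element (script/animation)")
        for key, value in el.attrib.items():
            attr = key.split("}")[-1]
            if attr.lower().startswith("on"):
                problems.append(f"event-handler attribute {attr} on <{name}>")
            elif attr == "href" and not value.startswith("#"):
                problems.append(f"external reference {value} on <{name}>")
    return problems

# Constructed sample logos (not real brand assets).
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            'baseProfile="tiny-ps" viewBox="0 0 64 64"><title>Example Co</title>'
            '<circle cx="32" cy="32" r="30" fill="#0a5"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" '
           'viewBox="0 0 64 32"><script>track()</script>'
           '<image xlink:href="https://cdn.example.net/a.png"/></svg>')

if __name__ == "__main__":
    print("good:", check_bimi_svg(GOOD_SVG))
    for problem in check_bimi_svg(BAD_SVG):
        print("bad: ", problem)
```

A clean result here only covers the restrictions named in this section; the certificate authority issuing the VMC may apply further checks.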
Creating the BIMI Record
We’re now at the final step!
To activate BIMI for your domain, you will have to create a DNS TXT record at your domain provider — hopefully, you have the login details ready.
The first thing you need to confirm is that the policy in the DMARC record is either “p=quarantine” or “p=reject” for the emails sent from your domain; without this, BIMI won’t work.
Next, follow these steps:
- Locate the settings page where you can update DNS records.
- Under HOST, type “default._bimi.example.com” where you have to replace “example” with your domain.
- For Value, type in “v=BIMI1;l=https://images.example.com/folder/bimilogo.svg;a=https://images.example.com/folder/certificate.pem”
- Under TTL (Time To Live), enter “3600 seconds.”
It can take up to 48 hours for BIMI to start working. You can run tests on the BIMI LookUp & Generator tool to verify if your new security protocol is functioning.
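While you wait for DNS to propagate, you can sanity-check the record text itself offline. This is an added example, not part of the original article or of any lookup tool: it parses a BIMI value and the domain's DMARC value and applies the rules from the steps above. The function names and the DMARC sample strings are constructed, and "certified" here only means an a= URL is present, not that the VMC was validated.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT string into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def is_https(url, suffix=""):
    """True for an https URL with a host whose path ends in the given suffix."""
    u = urlparse(url)
    return u.scheme == "https" and bool(u.netloc) and u.path.lower().endswith(suffix)

def check_bimi(bimi_txt, dmarc_txt):
    """Return (status, problems); status is 'certified', 'self-asserted' or 'invalid'."""
    try:
        dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)
    except ValueError as exc:
        return "invalid", [str(exc)]
    problems = []
    if not dmarc or dmarc[0] != ("v", "DMARC1"):
        problems.append("DMARC record must begin with v=DMARC1")
    # BIMI only works when the DMARC policy is enforced.
    policy = dict(dmarc).get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or '(missing)'}; BIMI needs quarantine or reject")
    if not bimi or bimi[0] != ("v", "BIMI1"):
        problems.append("BIMI record must begin with v=BIMI1")
    tags = dict(bimi)
    logo, cert = tags.get("l", ""), tags.get("a", "")
    if not is_https(logo, ".svg"):
        problems.append("l= must be an https URL to the .svg logo")
    if cert and not is_https(cert):
        problems.append("a= must be an https URL to the VMC PEM file")
    if problems:
        return "invalid", problems
    # A record with no a= certificate URL is the self-asserted kind.
    return ("certified" if cert else "self-asserted"), []

# The BIMI value is the one shown in the steps above; DMARC strings are constructed.
BIMI_TXT = ("v=BIMI1;l=https://images.example.com/folder/bimilogo.svg;"
            "a=https://images.example.com/folder/certificate.pem")

if __name__ == "__main__":
    for dmarc_txt in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                      "v=DMARC1; p=none"):
        print(dmarc_txt, "->", check_bimi(BIMI_TXT, dmarc_txt))
```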
SPF, DKIM, DMARC: Pre-requisites for BIMI
SPF, DKIM, DMARC, and BIMI work together as a team to enhance email security, authenticate senders, and provide a visual indication of a sender’s legitimacy.
Here’s the scoop on this vigilant trio.
- SPF: SPF’s job is to prevent email spoofing by specifying which IP addresses are authorized to send emails on behalf of a domain. To do this, the domain owner publishes SPF records in their DNS, listing the authorized mail servers. Receiving mail servers then check these records to verify the authenticity of the sender’s IP address.
- DKIM: DKIM adds a digital signature to emails, allowing the recipient to verify the email was not altered during transit and that it indeed came from the claimed sender. For DKIM to work, the sender signs the outgoing emails with a private key, and the recipient uses the public key published in the DNS to verify the signature.
- DMARC: DMARC builds on SPF and DKIM, providing policy and reporting capabilities. It helps prevent email spoofing and phishing by instructing receivers how to handle unauthenticated messages. The domain owner publishes a DMARC policy in the DNS, specifying whether to quarantine or reject emails that fail SPF or DKIM checks. DMARC also includes reporting mechanisms to monitor email authentication results.
These three security protocols are immensely valuable for all email marketers, and BIMI only makes them stronger.
Teamwork: How SPF, DKIM, DMARC, and BIMI Work Together
SPF, DKIM, and DMARC do a wonderful job as email security protocols, and they will hold the fort down until BIMI becomes the norm — which should be happening soon.
Here’s a table explaining how the four work together.
Authentication Mechanism | Function |
---|---|
SPF | Verifies the sender’s IP address is authorized to send on behalf of a domain. |
DKIM | Adds a digital signature to emails to verify authenticity and integrity. |
DMARC | Sets policies for how receivers should handle emails that fail SPF or DKIM checks and provides reporting. |
BIMI | Enhances visual identification by allowing organizations to display logos alongside authenticated emails. |
The first step is where SPF and DKIM authenticate the sender’s identity.
Step two: DMARC sets policies for how to handle emails that fail authentication.
Now it’s BIMI’s turn to work its magic.
Once an email passes authentication through SPF and DKIM, and if it adheres to the DMARC policy, BIMI comes into play. The sender publishes a BIMI record in the DNS, indicating the location of their logo. Email clients that support BIMI fetch the logo and display it alongside the email.
By combining these protocols, organizations can establish a robust email authentication and security framework. SPF and DKIM verify the authenticity of emails, DMARC ensures proper policy enforcement, and BIMI enhances the visual recognition of legitimate emails, collectively creating a more secure and trustworthy email ecosystem.
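The receiving side of this sequence can be sketched as a gate on the Authentication-Results header (RFC 8601) that the receiver's own mail server adds. This is an added example, not code from the article or from any mailbox provider; the server name, function names and sample headers are constructed. It assumes the receiver trusts only a header stamped with its own authserv-id, since a sender can insert a forged one.

```python
import re

# Assumption: the authserv-id our own inbound server writes into the header.
TRUSTED_AUTHSERV = "mx.receiver.example"

def parse_auth_results(header):
    """Return (authserv_id, {method: result}) from an Authentication-Results value."""
    fields = [f.strip() for f in header.split(";")]
    authserv = fields[0].split()[0].lower() if fields[0] else ""
    results = {}
    for clause in fields[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        # Several clauses may exist for one method (e.g. two DKIM signatures);
        # keep a pass once any of them passed.
        if results.get(method) != "pass":
            results[method] = result
    return authserv, results

def logo_decision(header, dmarc_policy, logo_url):
    """Return (show_logo, detail) for one received message."""
    authserv, results = parse_auth_results(header)
    if authserv != TRUSTED_AUTHSERV:
        return False, "header was not added by our own server"
    # DMARC passing already implies SPF or DKIM passed for the sending domain.
    if results.get("dmarc") != "pass":
        return False, "DMARC did not pass"
    if dmarc_policy not in ("quarantine", "reject"):
        return False, "domain's DMARC policy is not enforced"
    if not logo_url:
        return False, "no BIMI record published"
    return True, logo_url

# Constructed sample headers and logo URL.
LOGO = "https://images.example.com/folder/bimilogo.svg"
GENUINE = ("mx.receiver.example; spf=pass smtp.mailfrom=example.com; "
           "dkim=pass header.d=example.com; dmarc=pass header.from=example.com")
FORGED = "mx.sender.example; spf=pass; dkim=pass; dmarc=pass header.from=example.com"
FAILED = ("mx.receiver.example; spf=fail smtp.mailfrom=example.com; "
          "dkim=none; dmarc=fail header.from=example.com")

if __name__ == "__main__":
    for name, hdr in (("genuine", GENUINE), ("forged", FORGED), ("failed", FAILED)):
        print(name, "->", logo_decision(hdr, "reject", LOGO))
```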
Why BIMI is Critical for Email Marketers
BIMI is vital for all of us in the email marketing industry for several reasons:
- It makes your brand recognizable,
- Builds trust in your company,
- Mitigates the risk of phishing,
- Differentiates your emails from spam,
- Improves your email deliverability rates,
- Makes you look professional,
- It’s becoming the industry standard,
- Improves user experience,
- It’s a great marketing tool!
The visual indicator provided by BIMI contributes abundantly to building trust with your recipients — when users consistently see your recognizable logo next to authenticated emails, they are more likely to open your emails and engage with the content. More importantly, it adds an extra layer of protection against phishing attacks, making it more difficult for malicious actors to impersonate you and deceive recipients.
It also helps your emails stand out in crowded inboxes. The clear distinction between your authentic messages and potential spam reduces the likelihood of your emails being overlooked or marked as suspicious.
Did we mention the massive benefits to sender reputation? Combined with other email authentication measures like SPF, DKIM, and DMARC, you will make a great impression on ESPs. This translates to better email deliverability, ensuring your marketing emails reach your subscribers’ inboxes.
As BIMI gains acceptance as an industry-standard email authentication method, you’re keeping up with evolving best practices by adopting BIMI. This alignment can positively influence how mailbox providers and email clients treat your emails.
BIMI also serves as a marketing tool by allowing you to visually promote your brand directly within the email inbox. It’s like booking a tiny ad space inside your customer’s inbox each time you send an email.
But BIMI isn’t just about visibility; it also enhances email security and creates a positive and recognizable presence for you in your customer’s inbox.
BIMI’s Effect on Deliverability
While SPF, DKIM, and DMARC have a perceptible influence on deliverability, email experts wonder if BIMI improves deliverability. Or, more importantly — does not having BIMI affect deliverability?
Thankfully, it does not negatively impact your deliverability rate. As for its benefits — any mailbox provider will view an extra security protocol as favorable, which means your sender reputation gets a small boost. In the long run, this can have a positive effect on your sender score.
The second benefit is engagement and branding. Compared to seeing plain letters, a logo can strongly influence a recipient to consider your email as trustworthy and click on it. Since marketers are constantly striving for better engagement, it’s a win!
Which Mailbox Providers Support BIMI?
Here are the most notable mailbox providers that support BIMI:
- Apple
- Gmail
- Verizon Media Group (Yahoo and AOL)
- Cloudmark
- Fastmail
- La Poste
- Onet Poczta
- Zone
Interestingly, Microsoft is yet to get on board with the BIMI protocol.
We know that BIMI organizations are working on a less-tedious process to offer email senders BIMI certification, but mailbox providers like Google and Apple, both of whom go to great lengths to fight spam, will always prefer (and prioritize) senders that have gone through the traditional BIMI process. This is because the process of BIMI certification is discouraging for your typical spammer.
While you may not need BIMI to display your logo on other email services, can you really afford to ignore Google? Considering that a major chunk of email lists today are made up of Gmail users, this step will pay rich dividends for email marketers in the future.
Can You Use Your Non-Trademarked Logo with BIMI?
The short answer is yes. Currently, there are two types of BIMI records — “self-asserted” and “certified.”
If you add a BIMI record and link a non-trademarked logo (without any VMC backing it up), this is called a self-asserted BIMI record. It means you have not gone through the certification process, and you linked an image you claim is your logo. While there are mailbox providers that will accept this, the major ones don’t — for example, Gmail and Apple.
A certified BIMI record means an authorized company (DigiCert or Entrust) has verified your logo and your legitimacy as a business. Once you are issued a VMC, mailbox providers verify this record and display your logo in your subscribers’ inboxes under BIMI rules.
So you can use a non-trademarked logo with BIMI for now — it will work with Yahoo and other mail providers. But considering the market share Gmail holds, it might be wise to get started on getting that precious VMC certificate for your company logo.
Campaign Refinery and BIMI
At Campaign Refinery, we pride ourselves on always being ahead of the curve. Deliverability has always been our top priority, and implementing security protocols on your domain plays a critical role in achieving great deliverability scores from ESPs.
This is why we insist our clients have SPF, DKIM, and DMARC protocols added to their domains. As a platform, we really enjoy having a top-tier sender reputation and would like to keep it that way.
That is also why we have embraced the BIMI protocol. Though it is a new and evolving standard, we are currently in the process of implementing it ourselves. It’s a great learning experience, plus we are pretty hands-on when it comes to understanding how every tiny part of email works.
In about a year (as we were told), our email recipients should be able to see our BIMI-certified logo in Gmail and Apple inboxes, as well as many others. As a platform enabling elite email performance, we are always looking for ways to stay ahead, and implementing BIMI helps us do that.
If you’d like to discover more about how the top 1% of email marketers operate, apply to be a Campaign Refinery client today!