by Ken Magill for emfluence
The idea behind BIMI, or Brand Indicators for Message Identification, is pretty simple: An organization buttons up its email security. Then the organization can have its logo displayed in the avatar box next to the from line on mobile inboxes or in the messages in web browsers in participating email inbox providers.
What is BIMI?
BIMI’s aim is to drive the adoption of DMARC, the scheme under which domain owners authenticate their servers using the SPF and DKIM standards, and then provide instructions to inbox providers on how to handle unauthenticated email purporting to be from the authenticated domain. Under DMARC, domain owners can instruct inbox providers to do one of three things with suspect emails: nothing, quarantine them (usually in the spam folder) or reject them altogether.
In order to implement BIMI, DMARC must be set to quarantine or reject. With all the security behind BIMI, one might be tempted to consider it an opportunity for the sender to tell recipients: If it doesn’t display our logo, it’s not from us. Not so, according to Matthew Vernhout, vice president, deliverability, Netcore Cloud:
“The logo’s not a trust mark. It’s a branding opportunity for organizations that take authentication seriously,” he said. “The general idea is the brand can control [their logo] in any mail client or web browser that supports BIMI and have a consistent brand experience across all of those platforms.”
Vernhout is also the communications chair of the BIMI Group, but not authorized to make statements on its behalf. According to Vernhout, the most difficult part of implementing BIMI is getting the company’s domains to have DMARC enforced.
“It’s not just doing a sub-domain, which is easy,” he said. “You need to do it throughout the organization, which for a Fortune 100 company (where the parent might own thousands of businesses) might mean 10,000 domains. But those are the domains we want to see protected.”
According to Vernhout, some inbox providers have been sourcing logos on their own, but because of human error, those aren’t always accurate. BIMI standardizes logo display for participating organizations.
“The idea was: Let’s put control of the brand logo back in control of the brand,” said Vernhout. “Here’s a tool to do that, but in order to play, you have to be this tall to ride.”
Platforms supporting BIMI are Verizon, which includes Yahoo! AOL and Netscape, Google, and Fastmail. Comcast is considering supporting BIMI. Microsoft does not support it. “Like everything else, [BIMI] will be slow to start but once everyone figures out how to do it, it will grow,” Vernhout said. “Every time Google does something, people are interested.”
There are two types of BIMI records: self-asserted and certified. Self-asserted is where the brand publishes a BIMI logo without it being verified. Certified is where the brand certifies the logo by getting a verified mark certificate, or VMC, from one of the two approved VMC providers, DigiCert or Entrust Datacard.
How Do I Implement BIMI?
In order to implement BIMI, the brand must create a square logo in scaled vector graphic (SVG) tiny portable/secured format.
Here are logo instructions at a glance:
- Open the file in Adobe Illustrator.
- Save the file as SVG tiny 1.2.
- Open the SVG file with a text editor.
- Change the base profile from “tiny” to “tiny-ps.”
- Remove the x/y attributes
- Add a title.
For detailed instructions, click here.
After creating the logo, the brand then must publish a BIMI record for their domain in DNS that points to the logo to be used, and/or a Verified Mark Certificate (VMC) for those receivers that require it. So far, according to Vernhout, around 70 brands have implemented BIMI with a VMC, and more than 6,000 with a self-asserted BIMI record. Yahoo! AOL and Netscape will consider self-asserted BIMI logos. Google requires a VMC. Currently, getting a VMC requires a trademarked logo.
Here are trademark instructions at a glance:
- Make sure the mark is registerable and in the correct format.
- Clearly identify goods and services provided.
- Perform a search to ensure the mark does not conflict with any other registered marks.
- Begin the process with one of the eight recognized intellectual property offices.
- It is best to go through this process with professional legal help.
For detailed trademark instructions, click here.
To brands that don’t have a trademarked logo or don’t have a VMC, Vernhout says: “You can still do this for your users at Yahoo! You don’t have to go through the VMC process at Yahoo! Get it working there and then go get your VMC.”