Email Security Intelligence - Adopting BIMI & VMCs for Email

Brand indicators for message identification (BIMI) is a standard that attaches your logo to your authenticated email messages to provide a level of assurance that the message is really from the brand it appears to be from. Recipients can recognize and trust the messages you send with this simple, visual verification. BIMI is an open framework designed to provide an organization with the ability to control which logos are displayed with their email messages. This article will discuss the uses of BIMI, as well as the required steps to properly support and implement BIMI for your company.

Why is BIMI Important?

The adoption of BIMI will increase among mail clients and email service providers because it is directly promoting the adoption of DMARC among the organizations. Phishing, spoofing, and fraudulent emails are on the rise and are causing data breach and diminishing consumer trust that it is needed to protect your brand from being targeted. Strong email authentication and identification mechanisms protect your brand and clients from fraudulent messages. BIMI gives organizations the opportunity to take a step towards that goal by giving brands a reason to implement strong authentication practices. 

Because most email consumers aren’t experts, they fail to analyze the technical information of an email such as the results of SPF or DKIM validation, the type of TLS used to transmit the message, or the return path to determine which emails are from who they claim to be and which aren’t. The industry has been trying to bring visual cues to email identification for this reason.

Benefits of BIMI For Your Business

BIMI helps build the trust in your brand in the inbox for recipients which in turn leads to fewer unsubscribes and spam complaints. This can play a big role in boosting your deliverability. You also gain another layer of protection against phishing and spoofing from attackers trying to impersonate your brand. Without your attached logo, recipients may be wary of messages claiming to be you. The more businesses adopt BIMI, the more obvious spam and phishing will be because these messages will lack credible logos.

BIMI also allows you to market your brand even if the email isn’t opened. Your subscribers will connect your sender address, subject line, and preheader text with your logo, which helps develop your brand. Adding a BIMI record to your email program doesn’t guarantee 100% deliverability rates, but it may help. One of the biggest benefits of BIMI is the ability to build trust between the sender and recipient. Some other benefits include:

• Open Rates: Research shows Verizon Media Group brands using BIMI saw a 10% increase in open rates on average, an advantage as marketers are struggling to increase open rates.
• Inboxing: BIMI is built on top of SPF, DKIM and DMARC, protocols designed to increase email security and positive signals for email providers that are deciding whether to put your email in the inbox or in the spam folder. The more positive signals, the better chance for inboxing growth.

Apple to Follow Google and Adopt BIMI & VMCs for Email

Apple is likely to adopt BIMI and verified mark certificates (VMCs) this fall in the upcoming iOS 16 and MacOS Ventura release. Apple is the latest major email provider to choose to support BIMI, which is a great thing when you take into consideration results from the Data & Marketing Association (DMA) that indicates 68% of consumers rank brand recognition as the foremost factor in their decision to open emails.

Although Apple hasn’t officially made this announcement yet concerning the change, it’s predicted that the tech giant is planning to follow in the footsteps of Google, Yahoo!, Fastmail, and other major email providers this fall. This means that with both Apple and Gmail adopting BIMI and VMCs, your organization can display your verified logo to more than 80% of email inboxes.

BIMI Helps Increase Brand Trust and Reduce Successful Phishing Attacks

Email has long been the primary means of communication between clients and businesses, particularly after the COVID-19 pandemic moved so many people to remote work locations. With the increase in the amount of email being sent, and the increased reliance upon it, so too has the amount of phishing and business email compromise scams that have been attempted. It’s become more important than ever to leverage every way possible to build trust between senders and recipients.

BIMI builds on top of DMARC to provide an additional visual level of assurance to email recipients that mail they receive from senders really did originate from who appears to have sent it. Spoofed emails of your brand are less likely to be seen by your recipients because of the multiple checks built into its design.

DMARC itself helps to prevent spoofing by determining whether the domain of an email address in the “From:” line matches the identifiers of the SPF verification and DKIM signature. Mail can then be rejected based on the DMARC policy chosen by the owner of the domain. This provides an additional level of assurance that the mail users receive really is from the person sending it.

How to Implement BIMI

Comparable to other email authentication standards, BIMI is a text record that can be found in your domain’s DNS and includes your brand’s logo saved in a square .SVG format. SPF and DKIM must be set up for the email domain in order to implement BIMI, as well as deploying DMARC with a policy that is set to either p=reject or p= quarantine. You will also need to follow best practices for deliverability and develop an engaged subscriber list. DMARC is not only needed to deploy BIMI but a security protocol that future domain security initiatives will continue to be built upon. The decision is up to the email receiver whether or not your logo is to be displayed so your practices are crucial. 

Another essential factor for implementing BIMI is maintaining a good reputation as a sender with a high engagement rate with low bounce and spam complaints. The quality of your reputation is subjective depending upon the individual receiver, having the underpinning technologies of DMARC, SPF, and DKIM makes a point that you are responsible and serious about your domain’s reputation while contributing to advancing your reputation as a sender. 

Step 1: Authenticate and Align All Emails

DMARC policy must be in enforcement (either “p=quarantine” or “p=reject”)

Step 2: Produce an SVG Version of the Logo

• Use SVG format (a vector image format with .svg extension)
• The image must be square-shaped and should contain the only logo (without any text)
• The image must be stored using HTTPS 

Step 3 (optional): Verify Your Mark

You also need a Verified Mark Certificate, which is similar to an SSL certificate, that will validate your organization and associate it with your official logo.

Step 4: Publish BIMI Record to DNS

• Format: default._bimi.[domain] “v=BIMI1; l=[SVG URL]; a=[PEM URL]”
• Example: default._bimi.acme.com v=BIMI1; l=https://acme.com/img/logo.svg; a=https://acme.com/img/logo.pem”
• Create and validate your record with a BIMI Inspector

The Bottom Line

BIMI is still new and has yet to make its way into mainstream usage. Being that it is a valuable visual signal to increase trust in your emails, and as big-name providers such as Google roll out BIMI, it’s likely that it will only continue to grow in popularity. Implementing BIMI sooner rather than later has its advantages, firstly you’ll have a better chance of getting your brand logo uploaded and approved. The process is likely to take longer once it’s more widely adopted and other businesses are trying to get their logo approved. Before implementing BIMI, however, you should start by making sure your SPF, DKIM, and DMARC are all in good standing and are following email best practices.