BIMI: the New Word in Email Authentication

Here we go again. Just when you figured out what all these weird abbreviations (DKIM, SPF, DMARC) are, one more pops up on the horizon. Weren't you safe enough already? Weren't the spoofers, seeing your robust DNS records, quietly running away? Not all of them. The bad news is that you need to become familiar with the new kid on the block: BIMI records. The good news is that we've got them covered for you. Read on!

What is a BIMI Record?

BIMI stands for Brand Indicators for Message Identification. It doesn't authenticate anything by itself; instead, it lets a brand state in DNS which logo a mailbox provider may show next to messages that have already passed DMARC for the brand's domain. Two things follow from that. A spoofer gains nothing from publishing a BIMI record of their own, because the logo is only shown for mail that authenticates as the brand's domain, and senders get a visible credibility signal that users can learn to expect. When fully implemented, impersonating a brand in the inbox becomes much harder, and the same idea could well spread beyond email.

A BIMI record is a DNS TXT record that points to the brand's logo (an SVG file served over HTTPS). When the sending domain is properly authenticated and the brand has been certified, mailbox providers can display that logo next to each message in the inbox, just like in the example below.

Once BIMI is widely adopted and logos become the norm in inboxes, users will be able to spot quickly when something isn't right: a message claiming to come from a brand they know, but without the logo they are used to seeing. They'll also come to recognize the brands they know and like, which has obvious benefits for those companies. We will cover more about that later.

BIMI is being developed as an open standard, and it's possible that more than just email clients will adopt it. Messaging and social media apps are mentioned as the most likely candidates. Companies present there could benefit from the same protection, and the platforms would probably be eager to get verified accounts on board. BIMI records could make a lot of difference.

We'll see how it all plays out. At the time of writing (Dec. 2019), BIMI is in a pilot stage with Verizon Media Group (Yahoo!, AOL), and Google has announced that it will trial BIMI in 2020. If everything works out as expected, we can expect BIMI adoption to grow over the coming years.

What are the requirements to join the BIMI club?

For BIMI to work, several conditions need to be met:

  • The sender's domain needs DMARC at enforcement, i.e. a policy of 'quarantine' or 'reject' that applies to all of its mail, not just a sampled fraction
  • The domain's owner needs to obtain the right certification
  • The domain and its sending IP addresses need a good sending history

Let’s discuss these conditions one-by-one.

Have DMARC at enforcement

We already discussed DMARC on our blog, but if you wish to read more about it, check out our DMARC Explained article, along with our tips on how to set up DMARC record.

Long story short, DMARC is an authentication policy layer that works on top of SPF and/or DKIM.

SPF lets a domain publish which IP addresses are allowed to send mail on its behalf; the receiving server checks the connecting IP against the SPF record of the envelope sender (MAIL FROM) domain. DKIM, on the other hand, is a cryptographic signature that the sending server adds over the message body and selected headers, which the receiver verifies against a public key published in the signing domain's DNS. A valid signature shows that the message has not been altered since it left the signer's outbound server.

DMARC ties either check (or both) to the domain shown in the From: header: a message passes DMARC if SPF or DKIM passes and the domain that passed aligns with the From: domain. Finally, the policy published in the DMARC record tells the receiving server what to do with messages that fail:

  • Reject -> refused outright and not delivered to the recipient's inbox
  • Quarantine -> delivered, but treated as suspicious, typically by filing it in the spam folder
  • None -> delivered as if no policy existed; the domain owner still receives aggregate reports, which is what makes this setting useful for testing

As we mentioned earlier, to qualify for BIMI the policy needs to be set to either 'quarantine' or 'reject'. Of course, the DMARC record needs to be properly configured, and receivers running BIMI also expect the policy to apply to 100% of mail (pct=100) and no weaker subdomain policy such as sp=none.

DMARC doesn't require both DKIM and SPF to be set up (though it's a smart thing to do: SPF breaks when a message is forwarded, while a DKIM signature survives, so DKIM is what keeps forwarded mail passing). For the BIMI record to have any effect, at least one of these methods must be in place and aligned, along with DMARC, of course. The check is performed on every message that is delivered, so it's worth triple-checking that everything is intact.
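To make the alignment rules and the BIMI policy requirements concrete, here is a small DMARC evaluator. It is an added example written for this article, not Mailtrap's code and not a complete RFC 7489 implementation: the DNS answers are constructed and embedded in the script, the organizational domain is approximated as the last two labels (real receivers consult the Public Suffix List), and DMARC's pct sampling step is ignored.

```python
"""Minimal DMARC evaluation for one message, plus a check of what in a DMARC
record would stop a mailbox provider from showing a BIMI logo.

Added example for this article, not Mailtrap's code and not a complete
RFC 7489 implementation. Assumptions: the DNS answers are constructed and
embedded below, the organizational domain is approximated as the last two
labels (real receivers consult the Public Suffix List), and the pct
sampling step of DMARC is ignored.
"""

# Constructed TXT answers standing in for real _dmarc.<domain> lookups.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "_dmarc.example.org": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return 'pass' if an aligned SPF or DKIM check passed, otherwise the
    policy the receiver should apply: 'none', 'quarantine' or 'reject'."""
    from_domain = from_domain.lower().rstrip(".")
    # Try the From: domain first, then fall back to its organizational domain.
    record = dns.get(f"_dmarc.{from_domain}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return "none"  # no DMARC record: nothing to enforce
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned mechanism passing is enough
    policy = tags.get("p", "none")
    # A subdomain in From: gets the sp= policy when the record defines one.
    if from_domain != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return policy


def bimi_blockers(record):
    """List what in a DMARC record would keep a mailbox provider from showing
    a BIMI logo; an empty list means the record is strong enough."""
    tags = parse_tags(record)
    problems = []
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append("p must be quarantine or reject, not " + tags.get("p", "<missing>"))
    if tags.get("pct", "100") != "100":
        problems.append("pct must be 100 so the policy applies to every message")
    if tags.get("sp") == "none":
        problems.append("sp=none leaves subdomains without enforcement")
    return problems


if __name__ == "__main__":
    # Aligned DKIM rescues a message whose bounce domain fails strict SPF alignment.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # A spoofer passing SPF for a domain they control still lands in quarantine.
    print(evaluate_dmarc("example.com", "pass", "attacker.net", "none", None))
    for name, record in FAKE_DNS.items():
        print(name, bimi_blockers(record) or "BIMI-ready")
```

The second call in the `__main__` block is the case that matters for spoofing: an attacker who passes SPF for attacker.net while writing example.com in From: still gets the quarantine policy, because the passing identifier does not align. The example.net record, on the other hand, would be rejected by a BIMI-capable receiver on two counts even though its p= tag looks fine.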

Obtain a certification

To add an additional layer of assurance, the bodies governing BIMI certification, referred to as Mark Verifying Authorities (MVAs), will ask for proof that you own both the domain and the logo. The certificate they issue is known as a Verified Mark Certificate (VMC).

To get in, you'll need to obtain that certificate, which is issued under Extended Validation (EV) vetting rules, and meet several additional requirements:

  • Prove ownership of, or the right to use, a registered trademark
  • Have this trademark registered in a competent jurisdiction
  • Make sure the logo in the BIMI record matches the registered trademark
  • Ensure the trademark owner is also the registrant of the domain (alternatively, those using a trademark under license must be registered as licensees of the domain)

Only when all of these conditions are met will the MVA issue the certificate.

Keep in mind that these rules may change at any point. CNN was the first company to obtain a certificate from an MVA, and that happened only in October 2019. Before the program is rolled out to the public, the rules will likely be re-evaluated a number of times and some tweaks might be introduced. We'll do our best to update this article if that happens.

Maintain a good sending history

The last requirement is rather vague but important to keep in mind, and it comes from the mailbox providers rather than from the standard. To qualify for BIMI, you'll need a good sending reputation for both your domain and your sending IP addresses.

This means a healthy, engaged list of subscribers. You should avoid bounces and spam complaints, of course, but the fact that your emails are regularly opened by recipients will also play a significant role.

You will also need a track record of sending a significant volume of email. Smaller senders may be granted access to BIMI at some point, but for now only bigger brands have a shot.

How to implement BIMI records?

Once you meet all the requirements and obtain the certification, you can add the record to your domain's DNS.

First, publish your logo, which must be an SVG file, at a public HTTPS address. Not every SVG will do: BIMI uses a restricted SVG Tiny profile, so the file must not contain scripts or references to external resources. It's recommended that the logo is square and, if you use a transparent background, that you check how it renders on both light and dark inbox themes. You may also want to avoid unnecessary text, as the logo is displayed really small, making text nearly impossible to read.

Finally, add a TXT record at default._bimi.<your domain>, where 'default' is the selector: receivers look up <selector>._bimi.<From: domain>, using 'default' unless the message carries a BIMI-Selector header naming another one. The record has the following format:

v=BIMI1; l=logoURL;

For example, for Mailtrap it could be:

v=BIMI1; l=https://www.mailtrap.io/logo123.svg;

(it’s not really a valid address but if you wish to use our logo, let us know!)

That's all. If you're approved into the program and everything is configured properly, you should see the first logos within a few days.
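Before publishing, it pays to check both the record and the SVG the way a receiver would. The script below is an added example written for this article, not Mailtrap's code: it builds the DNS name a receiver queries, parses and checks an assertion record, and runs a subset of the BIMI logo profile checks (SVG Tiny 1.2 "portable/secure": no scripts, no references to external resources, a title, a square canvas) over two constructed SVG files. The optional a= tag it accepts is the location of the MVA-issued certificate as defined in the BIMI draft specification, not something from the text above.

```python
"""Receiver-side BIMI lookup plus publishing checks for the record and the
logo file. Added example for this article, not Mailtrap's code. The DNS
answer and both SVG files are constructed; the SVG checks cover only part
of the BIMI logo profile (SVG Tiny 1.2 portable/secure: no scripts, no
references to external resources, a <title>, a square canvas).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed answer for the name a receiver queries for mail From: example.com.
FAKE_DNS = {
    "default._bimi.example.com": "v=BIMI1; l=https://www.example.com/bimi/logo.svg;",
}

# Constructed logo that follows the restricted profile: square, centred, no text.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Corp</title>
  <rect width="100" height="100" fill="#1a73e8"/>
  <circle cx="50" cy="50" r="30" fill="#ffffff"/>
</svg>"""

# Constructed logo that a mailbox provider would refuse to render.
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 60">
  <image xlink:href="https://cdn.example.net/logo.png" width="100" height="60"/>
  <script>alert(1)</script>
</svg>"""


def bimi_lookup_name(from_domain, selector="default"):
    """Receivers query <selector>._bimi.<From: domain>; the selector comes from a
    BIMI-Selector header when the message carries one, and is 'default' otherwise."""
    return f"{selector}._bimi.{from_domain.lower().rstrip('.')}"


def parse_bimi_record(record):
    """Split 'v=BIMI1; l=<url>; a=<url>' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi_record(record):
    """Return the problems with an assertion record; [] means it is publishable.
    The a= tag (location of the MVA-issued certificate) is optional here."""
    tags = parse_bimi_record(record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("record must start with v=BIMI1")
    if "l" not in tags:
        problems.append("missing l= logo location")
    for tag in ("l", "a"):
        url = tags.get(tag)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{tag}= must be an https URL")
    return problems


def resolve_bimi(from_domain, selector="default", dns=FAKE_DNS):
    """Emulate the receiver: look up the record and return its tags, or None."""
    record = dns.get(bimi_lookup_name(from_domain, selector))
    return parse_bimi_record(record) if record else None


def check_logo_svg(data):
    """Return the problems with a logo file; [] means it passes these checks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return ["root element is not <svg>"]
    problems = []
    if root.get("baseProfile") != "tiny-ps":
        problems.append('missing baseProfile="tiny-ps"')
    if root.find(SVG + "title") is None:
        problems.append("missing <title>")
    box = root.get("viewBox", "").split()
    if len(box) != 4 or float(box[2]) != float(box[3]):
        problems.append("viewBox is not square")
    for element in root.iter():
        if element.tag == SVG + "script":
            problems.append("<script> is not allowed")
        for attr in ("href", XLINK_HREF):
            ref = element.get(attr)
            if ref and not ref.startswith("#"):
                problems.append(f"external reference is not allowed: {ref}")
    return problems


if __name__ == "__main__":
    print(bimi_lookup_name("example.com"), "->", resolve_bimi("example.com"))
    print("good logo:", check_logo_svg(GOOD_SVG) or "ok")
    print("bad logo:", check_logo_svg(BAD_SVG))
```

The external-reference check is the one worth keeping even if you relax the others: a logo that pulls in a remote file turns every inbox render into a request to a server you control, which is exactly what the restricted profile exists to prevent.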

Where can BIMI authentication make a difference?

When talking about BIMI and its impact, the first thing that comes up is email security; after all, that's precisely why BIMI was introduced. We also can't underestimate the marketing impact it can have on brands. Let's talk about these two aspects.

Security impact

SPF and DKIM on their own help prevent spoofing, but neither binds the authenticated domain to the address the user actually sees in the From: header: an attacker can pass SPF for an envelope sender domain they control, or DKIM-sign with a domain they own, while putting your domain in From:. DMARC closes that gap by requiring the passing identifier to align with the From: domain. What remains are lookalike domains, compromised accounts and senders with no enforcing policy, and some of those will still get through.

That's where BIMI comes in handy. Most users don't check the sender's address, and many email clients (especially mobile ones) don't display it right away. All users see is the sender's display name, sometimes with a placeholder avatar made of the sender's initials, and the display name is free text chosen by whoever sends the message.

That is trivially spoofed. When a BIMI record is in place, a missing logo may raise a yellow flag for users who are used to seeing the brand's logo on every genuine message, because a lookalike domain cannot get your logo: it is only shown for mail that passes DMARC for your domain.

Popularizing BIMI will also directly drive DMARC adoption. Several years after its release, most companies still don't use DMARC at enforcement: according to Agari's research, only 8% of Fortune 500 companies have 'reject' or 'quarantine' policies in place. All the others remain open to exact-domain spoofing, which an enforcing policy prevents.

It’s in the best interest of both users and email service providers to drive the adoption of DMARC. BIMI has a chance to finally move the numbers in the right direction.

Marketing impact

BIMI implementation can have a major impact on marketing efforts. BIMI is an open standard with no fee for participating (the certificate from an MVA is a separate matter), so brands get exposure in the inbox with little extra effort, and users learn to recognize their logos on the spot.

Emails shown with the brand's logo will also build users' trust, especially if the content that follows is valuable. Users will certainly feel safer opening emails from familiar sources.

BIMI will likely expand at some point to other forms of online communication. Those that participate will be able to continuously develop brand awareness and quickly gain recognition.

Since the BIMI record is looked up in DNS and the logo is fetched from the URL it points to, rebranding can also run more smoothly than it usually does: update the SVG file at that URL (or point the record at a new file) and new deliveries pick up the new logo, subject to the receivers' caching. Keep in mind that if your certificate is tied to a specific logo, a rebrand also means going back to the MVA.

Wrapping up

All of this sounds really exciting and we'll be watching closely how it evolves. Many companies will surely take advantage of this opportunity and, once the pilots wrap up, many more will follow in their footsteps.

Chances are that a few years from now, we’ll be looking suspiciously at emails coming in without company logos. Or who knows, maybe a completely different approach will take over by then and change the way we think about email authentication.

Whether you’re eligible for the program or not, you likely have a vital interest in making your emails better, and rightly so. On the Mailtrap blog, we write a lot about email authentication and other related topics. We share tips for improving your campaigns and warn of the mistakes many marketers make. Explore our blog and become an email testing expert in no time!