BIMI: the New Word in Email Authentication

On December 19, 2023
7min read
Piotr Malek Technical Content Writer @ Mailtrap

Here we go again. Just when you figured out what all these weird abbreviations (DKIM, SPF, DMARC) are, one more pops up on the horizon. Weren’t you safe enough already? Weren’t the spoofers, seeing your robust DNS records, quietly running away? Not all of them. The bad news is that you need to become familiar with the new kids on the block –  BIMI records. Good news – we’ve got them covered for you. Read on!

What is a BIMI Record?

BIMI stands for Brand Indicator for Message Identification. It’s a new approach that aims to prevent spoofing attempts but also increases the credibility of email senders. When fully implemented, hackers will have a very hard time trying to impersonate brands in emails, and maybe in a lot of other places too.

A BIMI record is a DNS TXT record indicating what a brand’s logo is. When properly certified and authenticated, brands will be able to display their logo next to each message in an inbox, just like in the example below.

When it’s well adopted and more logos start popping up in inboxes, users will be able to quickly spot when something’s not right. They’ll also learn to recognize the brand they know and like, coming with obvious benefits for the companies. We will cover more about that later.

BIMI email authentication is developed as an open standard and it is possible that not only email clients will adopt it. Among the most likely candidates, messaging and social media apps are mentioned. Companies present there could also benefit from additional security. The platforms will probably be eager to get verified accounts on board. BIMI records could make a lot of difference.

Email Providers Supporting BIMI 

As Google committed to the BIMI pilot in 2021, it became a major event in the email authentication industry. This means BIMI will now be supported by “two of the three biggest North American free mailbox providers,” writes Len Shneyder, vice president of industry relations for Twilio. The Authindicators Working Group has now brought together the most outstanding email tech providers: Google, Yahoo, Twilio, Comcast, Valimail, 250ok, and ReturnPath.

Verizon Media Group (Yahoo, AOL, Netscape), Gmail, and Fastmail are currently in the beta phase of supporting BIMI. Comcast and Seznam.cz are in their planning phase for the BIMI adoption, while Microsoft hasn’t announced its support for BIMI yet. The trending numbers in BIMI adoption tracked by BIMI Radar mean that BIMI will now be available to more than 2 billion inboxes worldwide.

What are the requirements to join the BIMI club?

For BIMI to work, several conditions need to be met:

  • The sender’s domain needs to be DMARC-authenticated, with either ‘reject’ or ‘quarantine’ policy set up
  • The domain’s owner needs to obtain the right certification
  • A good sending history needs to be built

Let’s discuss these conditions one-by-one.

Be DMARC-certified

We already discussed DMARC on our blog, but if you wish to read more about it, check out our DMARC Explained article, along with our tips on how to set up DMARC record.

Long story short, DMARC is an authentication method that works on top of SPF and/or DKIM.

SPF is used to specify which IP addresses are allowed to send emails on behalf of a given domain. DKIM, on the other hand, allows incoming servers to verify the headers and body of a message so that they look just like they did when they were leaving the sender’s inbox.

DMARC runs either check (or both) and performs a separate domain alignment test for the methods used. Finally, a policy assigned with DMARC can suggest an incoming server if emails that fail a test should be:

  • Reject -> discarded and not delivered to the recipient’s inbox
  • Quarantine -> sent to the spam folder
  • None -> treated as though no check was made (good for testing)

As we mentioned earlier, to qualify for BIMI, the policy needs to be set to either ‘quarantine’ or ‘reject’. Of course, the DMARC record needs to be properly configured.

DMARC doesn’t require both DKIM and SPF to be set up (though it’s a smart thing to do). For the BIMI record to have any effect, either of these methods should be in place, along with DMARC, of course. A check will be performed every time a message is due to be delivered, so it’s worth triple-checking if everything is intact.

Obtain a certification

To add an additional layer of security, bodies governing BIMI, referred to as Mark Verifying Authorities (MVA), will ask for additional proof of domain ownership. At this time, there are two certifying authorities issuing VMCs (Verified Mark Certificate) for BIMI: DigiCert and Entrust Datacard.

To get in, you’ll need to obtain an EV (Extended Validation) certificate and meet several additional requirements:

  • Prove the ownership or the right to use a registered trademark
  • Have this trademark registered in a competent jurisdiction
  • Make sure the logo from the BIMI record matches the trademark
  • Assure the owner of a trademark is also a registrant of a given domain name (alternative, those using a trademark under a license must be registered as licensees of a domain)

Only if all of these conditions are met, the MVA will proceed to issue a respective certification.

Keep in mind that you will require multiple VMCs in case you need to secure multiple domains. The same is true for multiple logos. 

Maintain a good sending history

The last requirement is rather vague but is important to keep in mind. In order to qualify for BIMI, you’ll need to have a good sending reputation, both for your domain and IP address.

This means having a healthy, engaged list of subscribers. Of course, you should avoid email bounces and spam reports, but the fact that your emails are regularly opened by the recipients will also play a significant role. And if you want to check the full senders requirements from Google and Yahoo, click the links.

You also will need to have a track record of sending a significant volume of emails. Smaller senders may also be granted access to BIMI at some point but for now, only bigger brands will have a shot.

How to create BIMI records?

Once you meet all the requirements and obtain respective certifications, you can go on and add a proper record to your Domain Name System (DNS).

Then, you’ll need to upload your logo, necessarily in SVG format to a public HTTPS address. It’s recommended that it’s square-shaped and transparent. You may also want to avoid any unnecessary text as the logo displayed will be really small, making reading nearly impossible.

Finally, you will add a TXT record for default._bimi.DomainAddress in the following format:

v=BIMI1; l=logoURL;

For example, for Mailtrap it could be:

v=BIMI1; l=https://www.mailtrap.io/logo123.svg;

(it’s not really a valid address but if you wish to use our logo, let us know!)

That’s all. If you’re approved into the program and everything was configured properly, you should see the first effects within a few days.

Where can BIMI authentication make a difference?

When talking about BIMI authentication and its impact, the first thing that comes up is email security. After all, that’s precisely what BIMI record was introduced for. We also can’t underestimate the marketing impact it can have on brands. Let’s talk about these two aspects.

Security impact

While DKIM and SPF help prevent spoofing, skillful fraudsters can bypass these measures, especially if only one of them is set up. DMARC is much more difficult, as domain alignment is also checked. Chances are someone will pass through.

That’s when BIMI comes in very handy. Most users don’t check the email addresses of the senders and email clients don’t display them right away. Instead, all users see is the display name of a sender, sometimes with company initials.

This can be easily spoofed. When a BIMI record is in place, a brand’s missing logo may raise a yellow flag for those used to seeing the branding displayed for each email.

Popularizing BIMI will also directly impact the adoption rate of DMARC. Even after several years since the release, most companies still don’t use this technology and, according to Agari’s research, only 8% of Fortune 500 companies have ‘reject’ or ‘quarantine’ policies in place. All the others are vulnerable to attacks, most of which can be easily prevented with the more sophisticated tools.

It’s in the best interest of both users and email service providers to drive the adoption of DMARC. BIMI has a chance to finally move the numbers in the right direction.

Now, BIMI Radar tracks the DMARC readiness and the adoption of BIMI with companies and organizations’ domains worldwide on a daily basis. It is interesting to note that Global BIMI readiness is around 1.9% at the moment. The highest numbers go for the Netherlands – 48.5%,  with the UK standing at 38% and the US at 23.8% respectively. In general, European countries such as the Netherlands, Norway, and France lead the way in modern means of email authentication.

Marketing impact

A recent study Consumer Interaction with Visual Brands in Email conducted by Red Sift and Entrust revealed new patterns in consumer behavior with the brands that have incorporated BIMI into their email strategy and now display their logos in the inboxes.

The survey found that the inclusion of BIMI standards logo has affected consumer behavior drastically by:

  • increasing open rates by 21%, irrespective of brand strength or market share. Customers demonstrated higher responsiveness to the emails with the logo of the brand.
  • increasing average purchase chances by 34%. Purchase feasibility was directly influenced by the recognizable brand logos displayed in the inbox.
  • increasing brand recall by 18%, after a 5-second exposure. A good sign for strengthening brand strategy and communication.

As the survey proves, emails signed with logos build users’ trust, especially if the content that follows is valuable. Customers certainly feel safer opening emails from familiar sources.

BIMI will likely expand at some point to other forms of online communication. Those that participate will be able to continuously develop brand awareness and quickly gain recognition.

Since the BIMI logo for an email is fetched from a DNS every time a message is delivered, rebranding will also run smoother than it usually does. All it will take is updating an SVG file in the domain’s DNS and changes will be applied with the next email delivered.

Wrapping up

The early data on BIMI implementation presented in recent surveys reveals quite promising perspectives. The adoption of BIMI has already significantly influenced the companies’ email marketing strategies and brand communication as well as elevated consumers’ responsiveness and trust.

Although the global adoption of BIMI might not be going as fast as one could have expected, with only roughly a quarter of companies around the world displaying BIMI records readiness, it still seems to gently but persistently push email environments to the highest standards of security.

Chances are that a few years from now, we’ll be looking suspiciously at emails coming in without company logos. Or who knows, maybe a completely different approach will take over by then and change the way we think about email authentication.

Whether you’re eligible for the program or not, you likely have a vital interest in making your emails better, and rightly so. On the Mailtrap blog, we write a lot about email authentication and other related topics. We share tips for improving your campaigns and warn of the mistakes many marketers make. Explore our blog and become an email testing expert in no time!

Article by Piotr Malek Technical Content Writer @ Mailtrap