What it is and what you need to know
At Emma, we love keeping up to date with any news regarding email security and authentication, and BIMI is one of the latest developments in the field. So we wrote this article to help you understand what BIMI is all about.
With the news in July 2021 that Gmail would be rolling out support of Brand Indicators for Message Identification (BIMI) for authenticated emails, the topic has gained prominence:
Our BIMI pilot will enable organizations, who authenticate their emails using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass all of our other anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI.
BIMI has been around for a while, but it wasn’t until now that most email marketers took notice. So what is BIMI, and what does it mean for email marketers?
Email senders can set up BIMI to display their brand’s logo alongside the email message as a way to increase security and trust in message authentication.
Relying primarily on DMARC authentication, BIMI aids in the trust of senders and inbox providers, with the brand logo displaying alongside the email. It provides an incentive to adopt a higher level of security aimed at preventing phishing and spoofing.
The requirements for BIMI aren’t as daunting as they may initially sound, but are still quite strict and specific.
BIMI requires a DMARC policy of either ‘quarantine’ or ‘reject’ to be applied to 100% of the emails sent:
“To participate in BIMI, Domain Owners MUST have a strong [DMARC] policy (quarantine or reject) on both the Organizational Domain, and the RFC5322.From Domain of the message. Quarantine policies MUST NOT have a pct less than pct=100.”
To begin with, a TXT record must be included in the DNS for the sending domain, which will look like this:
"default._bimi TXT "v=BIMI1; l=https://yourdomain.com/image.svg;"
3. Your brand logo must be a SVG
A Scalable Vector Graphics (SVG) file extension must be used for the brand logo. JPEG or .png files aren’t accepted. The specifications for this SVG file itself are as follows:
*The SVG document must not include any of the following in order to be valid under the tiny-ps designation:
4. For Gmail, trademark your logo and get SSL certificate
Furthermore, in addition to the standard requirements of DNS, DMARC and SVG, Gmail has its own requirements:
“Organizations who authenticate their emails using Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM) and deploy DMARC can provide their validated trademarked logos to Google via a Verified Mark Certificate (VMC). BIMI leverages Mark Verifying Authorities, like Certification Authorities, to verify logo ownership and provide proof of verification in a VMC. Once these authenticated emails pass our other anti-abuse checks, Gmail will start displaying the logo in the existing avatar slot.”
A VMC means that your logo must be trademarked in order for it to be displayed by Gmail. Further information can be found here: https://support.google.com/a/answer/10911028?hl=en
The annual cost of VMC is estimated at $899 USD (estimate provided by Digicert). For those brands that have the means to set up and maintain VMC for their logos, BIMI is well worth the effort.
One final requirement is that the logo must exist on a domain with an SSL Certificate.
Emma customers with an interest in BIMI should consider the work to meet its requirements and the annual cost for VMC together with the benefit of their audience’s assurance in the legitimacy of their email messages.
In essence, BIMI is a visual change backed by proven authentication protocols for increased email security. What’s important to understand is that, when BIMI is implemented, the lack of an identifiable logo or image next to the sender’s from-name in the inbox, can increase suspicion of a malicious email sitting in the receiver’s inbox. This can help subscribers become more aware of potential malicious emails and effectively help reduce the likelihood of successful email attacks.
In order to get started, Emma customers need to begin with setting up DKIM and DMARC.
Emma DKIM authentication set up This is the very first step Emma customers must take in order to achieve BIMI authentication, followed by setting up DMARC.
With the rollout of BIMI coming to Gmail inboxes, this authentication standard is expected to be adopted by more inbox providers. Email security is increasingly important, the cost of VMC for BIMI shouldn’t prevent the majority of senders from adopting it, and it's important for email marketers to stay informed of the latest developments.
Emma customers should, as a starter, begin with DKIM authentication and furthermore, follow up with setting up DMARC for their sending domain or domains. (Check out dmarc.org for help understanding DMARC.) Once DKIM and DMARC is set up, an Emma customer can consider BIMI for their emails.