A variety of companies are leveraging BIMI, or the Brand Indicators for Message Identification standard, in conjunction with trademark confirmation via verified mark certificates, or VMCs. In this blog post, we will tell you all you need to know about the offering.

With email-based phishing and other forms of fraud on the rise, brand owners can now take advantage of an additional layer of email authentication that can boost brand recognition and engagement while also instilling a sense of trust and security in their emails. This layer is BIMI, in conjunction with trademark validation via verified mark certificates (VMCs).

BIMI: An Overview

Email marketers are constantly looking for new methods to boost engagement and exposure among their subscribers, which leads to higher open and conversion rates. BIMI is an abbreviation for Brand Indicators for Message Identification, a new standard that makes it simple for a sender's brand logo to appear alongside their email message in the inbox. This not only improves brand visibility, but it also improves deliverability by avoiding bogus emails.

BIMI is a valuable tool for increasing trust and providing a better subscriber experience, which is something that many companies aspire to at every level of an email program. BIMI helps recipients recognize a brand in their email inboxes. This fosters trust, which may assist an organization in increasing its deliverability. BIMI is built on the DMARC standard. Before the brand's logo is shown as part of BIMI, the connected domains must first be authenticated by DMARC email security to ensure their legitimacy.

As the legitimate brand logo grows more familiar among diverse audiences, several things improve. It can boost email engagement while lowering the likelihood of successful brand impersonation and email-borne attacks like phishing, spoofing, and Business Email Compromise (BEC).

BIMI is still in its infancy, with just a few large email providers supporting it. However, it remains an innovative and relatively new standard that has sparked interest in the industry. Having a DMARC policy in place and keeping a strong reputation as an email sender are two critical considerations for launching BIMI.

Implementing BIMI the Right Way

Google has produced an in-depth guide on BIMI implementation. To use BIMI, senders must have the following email authentication methods in place for the domain in question:

  • Sender Policy Framework (SPF), which determines the IP addresses that are authorized to send emails for the domain;
  • DomainKeys Identified Mail (DKIM), which adds a digital signature to ensure that emails are valid and have not been altered in transit; and
  • Domain-based Message Authentication, Reporting, and Compliance (DMARC), which is constructed on top of SPF and DKIM to notify the recipient mail server about what to do if SPF and/or DKIM authentication fails.

It is critical for BIMI that the DMARC record be configured to quarantine or reject emails that fail authentication.

Once these are in place, the brand must create its logo as an SVG file and publish it on its website. Next, in the Domain Name System (DNS) zone for its domain, the brand should create a BIMI entry in the form of a TXT record. That DNS record points to the location of the brand's logo on its web server, which email clients will use to validate and retrieve it.

The Role of VMC 

BIMI records are classified into two types. The most basic is "self-asserted", in which the logo is published and connected with a domain without independent third-party verification that the domain's registrant has any rights to the logo. Some email providers accept self-asserted BIMI records and show the accompanying logos; however, others, most notably Gmail, do not and require the logo to be confirmed as being linked with a certain domain. To remedy this, mark verification authorities (MVAs) affirm the following:

  • the legitimacy of a logo;
  • that the applicant has rights to it; and
  • that it is associated with the domain name in question.

MVAs issue VMCs, which are analogous to secure sockets layer (SSL)/transport layer security (TLS) certificates used typically to encrypt communication between browsers and websites. The VMC validation process involves rigorous identity and trademark verification to decrease the likelihood of VMCs being used to spoof a brand. Notarized personal identification documents and a live meeting with the MVA are required, and the MVA must verify the trademark registration by consulting the official database of the trademark registry.

The validation process is very similar to that of extended validation certificates, the highest level of SSL/TLS certificates with the most rigorous identity verification requirements. VMCs, like SSL/TLS certificates, provide the cryptographic means to securely authenticate and identify the MVA by verifying the issuance chain and associating the VMC to the specified domain.
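
The checks described above (a DMARC policy of quarantine or reject, a BIMI TXT record pointing at an SVG logo, and self-asserted versus VMC-backed records) can be expressed as a small validator. This is an added example, not code from the original post. The `v=BIMI1`, `l=` and `a=` tags come from the BIMI specification rather than from this page, the sample records are constructed, and SPF and DKIM are not checked.

```python
from urllib.parse import urlparse

# Constructed sample TXT records: domain -> (DMARC record, BIMI record).
SAMPLES = {
    "vmc.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@vmc.example",
                    "v=BIMI1; l=https://vmc.example/logo.svg; "
                    "a=https://vmc.example/vmc.pem"),
    "self.example": ("v=DMARC1; p=quarantine",
                     "v=BIMI1; l=https://self.example/logo.svg"),
    "weak.example": ("v=DMARC1; p=none",
                     "v=BIMI1; l=http://weak.example/logo.png"),
}

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (status, problems) for one domain's DMARC and BIMI records."""
    problems = []
    dmarc = parse_tags(dmarc_txt or "")
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")
    bimi = parse_tags(bimi_txt or "")
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    else:
        logo = urlparse(bimi.get("l", ""))
        if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
            problems.append("logo (l=) must be an HTTPS URL to an SVG file")
        evidence = bimi.get("a", "")
        if evidence and urlparse(evidence).scheme != "https":
            problems.append("certificate (a=) must be an HTTPS URL")
    if problems:
        return "not ready", problems
    # A record without a= has no third-party evidence: it is self-asserted.
    return ("vmc-backed" if bimi.get("a") else "self-asserted"), problems

if __name__ == "__main__":
    for domain, (dmarc_txt, bimi_txt) in SAMPLES.items():
        print(domain, *bimi_readiness(dmarc_txt, bimi_txt))
```

A "vmc-backed" result only means the record references a certificate; the mailbox provider still validates the VMC's issuance chain and its binding to the domain.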

BIMI is advantageous to both senders and mailbox providers due to the greater security it provides. If a mailbox provider supports BIMI, all messages get an added degree of legitimacy, improving the likelihood of them being delivered. Subscribers will also be more likely to recognize the brand, which reduces the likelihood that they would designate the brand email as spam.