BIMI
Brand Indicators for Message Identification (BIMI) is an emerging security technology that helps authenticate your email marketing and builds trust with your customers. BIMI works with DKIM, SPF, and DMARC protocols to protect your domain from being used by malicious actors to send fraudulent email. It causes your logo to appear right next to your messages in a user’s inbox, so that your contacts and their email service will know these emails are really from you or your business.
What is BIMI?
BIMI is a new effort to standardize the use and display of brand logos to help consumers avoid fraudulent and spam emails. It makes your email more visible to your contacts. While other emails have a blank space or generic icon next to them, your logo will set yours apart.
By putting your brand’s logo next to an email you’ve sent, BIMI allows consumers to instantly identify that the email they see is from your brand or business. This increases trust and open rates by clearly marking your email as legitimate.
Before BIMI, the steps to make your logo show up next to an email were specific to each email service your message was sent to. Sometimes the process was completely manual or relied on other applications to aggregate your brand information and share it across participating platforms.
The AuthIndicators group, which includes email service providers (ESPs) like Verizon Media, Google, IONOS by 1&1, and Fastmail, is working to implement BIMI within commonly used ESPs. Other companies, like Mailchimp, are also working closely with this group to help guide adoption and implementation processes.
Why is BIMI important?
For email marketers, protecting a brand against fraud is part of the job, but sending email securely can be complicated and time consuming. Because the tools available to protect your brand from malicious actors can be difficult to implement and test effectively, taking advantage of vulnerable domains and email addresses has become a lucrative industry for malicious actors.
The Federal Bureau of Investigation (FBI) reports that United States-based businesses lost more than $2 billion through email fraud between 2014 and 2019 because of just 2 email services. These fraud statistics are based solely on what individuals and businesses report to the FBI’s Internet Crime Complaint Center. This makes you wonder how much money—as well as opportunity—is lost but not reported.
More than 306 billion emails were sent every day in 2020. With so much clutter, it can be difficult to stand out. Even legitimate emails from trusted brands can get lost in a sea of spam.
Adding the security protocols and certificates to your domain that allow you to use BIMI also helps protect it from being misused. Since a domain is central to marketing your business online, you can protect your business’s reputation by implementing email authentication protocols. Securing your domain when sending email will help you avoid becoming a statistic in the FBI’s next email fraud report.
How does BIMI work?
BIMI uses a multistep process to validate email messages by making sure that they're really associated with the sender’s domain. Senders will need to have a TXT record in their domain name system (DNS) records for BIMI.
For BIMI to work, domains have to have several other fraud protections in place, including:
- Sender Policy Framework (SPF): authenticates emails by identifying mail servers that are allowed to send from specific domains
- DomainKeys Identified Mail (DKIM): adds a digital signature to each email to verify it was sent from an authorized domain
- Domain-Based Message Authentication, Reporting, and Conformance (DMARC): confirms both SPF and DKIM records and specifies how unaligned emails should be handled
When emails are sent using BIMI, the receiving mail server will first perform the standard DMARC/DKIM authentication and SPF validation. If the email passes these tests, the server will check to see if it has a valid BIMI record, validate it, and display your brand’s logo.
The file for your logo is required to be in a certain format called SVG Tiny Portable/Secure. SVG stands for Scalable Vector Graphics. Vector graphics, unlike pixel-based graphics like JPGs or GIFs, define the visual shapes and elements in an image with lines and points. This makes the graphic scalable, or easy to use at different sizes. Requiring a vector graphic with this secure format helps ensure that your logo looks good anywhere it’s displayed through BIMI.
Some ESPs may require a Verified Mark Certificate (VMC) to provide evidence that you own the trademark and content of the logo. Although this is not a requirement for implementing BIMI on your domain at this time, VMC is expected to become part of the standard in the future.
How does BIMI interact with DMARC, DKIM, and SPF?
The first step toward using BIMI to display your logo is to implement DMARC. This is stored as a TXT record for your domain. For DMARC to work with BIMI, the policy in that record must be either p=quarantine or p=reject for all emails being sent from your domain.
While BIMI requires DMARC, DMARC requires your domain to have DKIM records to work. DMARC only requires either SPF or DKIM to align, but it’s best to include SPF records for additional security when using BIMI. These 2 security tools are also stored as TXT records for your domain.
How do I get my logo in the right format?
You’ll need to convert your logo into the right type of file to use with BIMI. While vector graphic formats are a standard for logos—so they can be scaled to use as a tiny icon or printed on large banners or billboards—BIMI requires you to supply the logo in an appropriate secure vector format.
The AuthIndicators Group provides a helpful tool you can download to convert an SVG Tiny 1.2 file into the correct SVG Tiny P/S secure format. However, if you have a different file type, such as an unsupported SVG file, an EPS file, a PNG, GIF, or JPG, you’ll need to use image editing software or a file type converter to recreate your file in the correct format.
You’ll also need to make sure the file is the correct size and shape. The file must be no larger than 32KB and be square in shape. The background cannot be transparent, and a solid color is recommended. For best results, there should be space around the logo in case it’s cropped or clipped. You can see more detailed instructions and examples on the BIMI website.
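A pre-flight check for the logo file before you publish it, as an added example that is not from the original page or the AuthIndicators tooling. The `baseProfile="tiny-ps"` attribute and the ban on `<script>` come from the SVG Tiny P/S profile rather than from this page; the sample logos are constructed, and the solid-background and padding guidance still needs a visual check.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
MAX_BYTES = 32 * 1024  # the 32KB size limit stated above

def logo_problems(svg_bytes):
    """Return the reasons a logo (your own file, as bytes) is not BIMI-ready."""
    problems = []
    if len(svg_bytes) > MAX_BYTES:
        problems.append(f"file is {len(svg_bytes)} bytes (limit {MAX_BYTES})")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg>"]
    # The secure profile is declared on the root element.
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    # viewBox is "min-x min-y width height"; a square logo has width == height.
    try:
        _, _, width, height = map(
            float, root.get("viewBox", "").replace(",", " ").split())
        square = width == height and width > 0
    except ValueError:  # missing, malformed, or wrong number of values
        square = False
    if not square:
        problems.append("viewBox is missing or not square")
    # Scripts are not allowed in the secure profile.
    if any(el.tag == SVG_NS + "script" for el in root.iter()):
        problems.append("contains a <script> element")
    return problems

# Constructed sample logos (not real brand assets).
GOOD_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
             b'baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example</title>'
             b'<rect width="100" height="100" fill="#003366"/></svg>')
BAD_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" baseProfile="full" '
            b'viewBox="0 0 200 100"><script>void 0</script></svg>')

if __name__ == "__main__":
    print("good:", logo_problems(GOOD_LOGO) or "ok")
    print("bad:", logo_problems(BAD_LOGO))
```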
What is a Verified Mark Certificate (VMC)?
A Verified Mark Certificate (VMC) is a digital registration that authenticates the ownership of a logo for use with BIMI. It adds another layer of protection by verifying the correct logo for use. While it’s not mandatory for use of BIMI at this time, some ESPs will require it to display your logo.
When you send an email to a contact, the receiving mail server that manages their inbox will take the URL from the tag that indicates where the logo is to be displayed. It will then check the VMC to ensure the right logo is used. Once your logo is verified by the VMC, BIMI will display it next to your email.
To get a VMC, your domain must have DMARC implemented. Your logo will need to be registered (and in good standing) with the US Patent and Trademark Office and owned by your company. While different countries will have their own guidelines, in the US authorized trademarks can be:
- Design marks: made up of only a design
- Word marks: contain words, letters, and/or numbers, without any particular font, size, color, or style
- Combined marks: include a combination of words along with a design, stylized letters, or numbers
Entrust Datacard and DigiCert are the first 2 companies issuing Verified Mark Certificates for the BIMI standard. You can contact them to help you obtain one.
How to set up BIMI
Setting up BIMI will require you to publish a DNS record along with an image of your brand logo in the SVG P/S format. You can use AuthIndicators Group’s BIMI Generator to help you make a properly formatted record.
The exact values you’ll need to put into your records will depend on the name of your domain, how you send email, and what version of your logo you want to use if you have more than one. For instance, here’s what domain records for example.com could look like using BIMI and what it would take to set it up.
- Ensure DKIM/DMARC and SPF are already set and validated for your domain.
- Confirm the DMARC TXT record for your domain has a policy of either p=reject or p=quarantine. If set to p=quarantine, pct must be set to 100, either implicitly (by omitting the pct tag) or explicitly (by setting pct=100).
- Confirm that you have your logo in SVG P/S format, the file is less than 32KB, the image shape is square, and the background is a solid color.
- Upload the image to a service of your choice, and save the https:// URL where it’s available for future reference.
- Access your DNS records through your domain service provider. If you’re not sure how to access your domain records, reach out to the person or team that manages your website or email address for assistance.
- Create a new TXT record at the default._bimi subdomain. The exact steps to create the subdomain and TXT record will depend on your domain provider’s service. For example: default._bimi.example.com
- Add a value for the TXT record that includes the BIMI version (v=) and location (l=) of the logo file. For example: v=BIMI1; l=https://example.com/images/logo.svg;
- If you have a VMC, include the authority (a=) with the URL for the certificate .pem file. For example: v=BIMI1; l=https://example.com/images/logo.svg; a=https://example.com/certificate/aa0-0aa/aa/aa-example_com_vmc_2021-01-01.pem
- Save your new record and wait for it to propagate across the internet.
- Use AuthIndicators Group’s BIMI Inspector to make sure everything is set up properly.
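The record checks from the steps above, written as an added example that is not part of the original page or of the BIMI Inspector. It validates TXT values you paste in (the DMARC record and the default._bimi record) against the rules this page states; the sample records are constructed and the function names are illustrative.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_problems(txt):
    """Reasons this DMARC record fails the BIMI precondition described above."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC1 record")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or 'missing'}: need quarantine or reject")
    # An omitted pct tag means 100, so only an explicit lower value fails.
    if policy == "quarantine" and tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} with p=quarantine: need 100")
    return problems

def bimi_problems(txt):
    """Reasons this default._bimi TXT value is not a usable BIMI record."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "BIMI1":
        problems.append("v= must be BIMI1")
    if not tags.get("l"):
        problems.append("l= (logo location) is missing")
    for tag in ("l", "a"):  # a= is only present when a VMC is published
        url = urlparse(tags.get(tag, ""))
        if tags.get(tag) and (url.scheme != "https" or not url.netloc):
            problems.append(f"{tag}= must be an https:// URL")
    return problems

# Constructed sample records for example.com (not real DNS data).
DMARC_OK = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=50"
DMARC_MONITOR = "v=DMARC1; p=none"
BIMI_OK = "v=BIMI1; l=https://example.com/images/logo.svg;"
BIMI_HTTP = "v=BIMI1; l=http://example.com/images/logo.svg"

if __name__ == "__main__":
    for name in ("DMARC_OK", "DMARC_PARTIAL", "DMARC_MONITOR"):
        print(name, dmarc_problems(globals()[name]) or "ok")
    for name in ("BIMI_OK", "BIMI_HTTP"):
        print(name, bimi_problems(globals()[name]) or "ok")
```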