What is BIMI and how does it benefit businesses?

  • Published : August 22, 2023
  • Last Updated : November 23, 2023

Imagine your customer opening their inbox on a Monday morning. Tons of emails have poured in over the weekend, and a lot of them are phishing, spoofing, or spam messages—which your customer is all too accustomed to. In the slew of suspicious emails, your customer is bound to miss out on your brand's emails even if they’re essential. Brand Indicators for Message Identification (BIMI) gives your brand, and its email, the opportunity to stand out in this chaos.

What is BIMI?  

BIMI is a recent and emerging email specification that allows brands to associate an official logo with their emails. With BIMI, a brand's logo is displayed next to its emails in their customers' inbox.

For every email from the brand that passes DMARC authentication, BIMI-supported email clients display the brand logo alongside it.

How can you get BIMI for your emails? 

You can adopt BIMI for your brand in just a few steps, outlined below.

Step 1: Authenticate your organization emails with SPF, DKIM, and DMARC 

DMARC compliance is mandatory for emails with BIMI. SPF and DKIM authentication must be done for the email sending domain, and DMARC policy must be set to p=quarantine or p=reject.

Sender Policy Framework (SPF) identifies the servers that are allowed to send emails from your domain. DomainKeys Identified Mail (DKIM) adds an electronic signature that shows the integrity of the email content that originated from your domain.


Once SPF and DKIM are set up, publish a DMARC policy for your sending domain that informs recipient servers what to do when emails that appear to be from you fail SPF or DKIM authentication.

Example of DMARC policy:

"v=DMARC1; p=quarantine; pct=20; rua=mailto:admin@yourdomain.com"

p/sp=quarantine or p/sp=reject is the action advised for the recipient server when there is SPF or DKIM failure. The 'p' parameter is the domain policy, while 'sp' applies to subdomains.

"pct" is the parameter used to denote the percentage of email that the policy will apply to.

For BIMI adoption, the following rules must be followed in DMARC policy:

  • p/sp=reject or p/sp=quarantine at pct=100

Note: p/sp=none and pct<100 are not accepted.

Step 2: Create your BIMI logo image 

Generate an SVG Tiny PS version of your official logo. This image has to be publicly hosted and accessible through HTTPS. Ideally, the image should be perfectly square and contain just the logo with no text, so that the logo stays visible in the email client's small display.

Step 3: Obtain a Verified Mark Certificate (VMC) [Optional] 

As an optional step, you can acquire a VMC for your organization's logo. It validates that you own the trademark for your logo. VMC is not currently mandatory for BIMI, but it’s an emerging practice being quickly adopted by many businesses.

You can obtain your VMC from DigiCert or Entrust.

Step 4: Publish the BIMI record 

Publish the BIMI record as a TXT record in your DNS. A BIMI record looks like this:

default._bimi.[domain] IN TXT "v=BIMI1; l=[Logo URL]; a=[PEM URL]"

  • domain: Your email sending domain

  • Logo URL: The URL of the SVG format logo

  • PEM URL: The link of your VMC. This parameter is optional.

For example, if the domain is zylker.com, the URL is https://zylker.com/bimi-logo.svg, and the PEM URL is https://zylker.com/logo.pem, then the BIMI record will be:

default._bimi.zylker.com IN TXT "v=BIMI1; l=https://zylker.com/bimi-logo.svg; a=https://zylker.com/logo.pem"

When a recipient server receives an email that passes DMARC, the DNS is checked for a BIMI record and if it’s present, the logo is displayed accordingly.
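The record rules from Steps 1 and 4 can be checked before publishing. The following is an added example, not part of the original article: the function names are hypothetical, the records are embedded as strings rather than looked up in DNS, and it checks only the TXT record contents, not the SVG or the VMC.

```python
from urllib.parse import urlparse

ENFORCING = ("quarantine", "reject")

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    # Strip straight and curly quotes: curly ones pasted from a web page break records.
    for part in record.strip(' "\u201c\u201d').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_problems(record):
    """Reasons a DMARC record fails the BIMI rules from Step 1 (empty list = OK)."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC1 record")
    for tag in ("p", "sp"):
        value = tags.get(tag, "").lower()
        if tag == "sp" and not value:
            continue  # sp falls back to p when omitted (RFC 7489)
        if value not in ENFORCING:
            problems.append(f"{tag}={value or 'missing'} is not quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted (RFC 7489)
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct} must be 100")
    return problems

def bimi_problems(record):
    """Reasons a BIMI record does not match the format from Step 4 (empty list = OK)."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "BIMI1":
        problems.append("not a BIMI1 record")
    logo = urlparse(tags.get("l", ""))
    if logo.scheme != "https" or not logo.netloc:
        problems.append("l= must be an HTTPS URL")
    # a= (the VMC) is optional, but when present it is fetched over HTTPS too.
    if tags.get("a") and urlparse(tags["a"]).scheme != "https":
        problems.append("a= must be an HTTPS URL when present")
    return problems

# Records from the page, plus one constructed enforcing DMARC record for zylker.com.
PAGE_DMARC = "v=DMARC1; p=quarantine; pct=20; rua=mailto:admin@yourdomain.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:admin@zylker.com"
PAGE_BIMI = "v=BIMI1; l=https://zylker.com/bimi-logo.svg; a=https://zylker.com/logo.pem"

if __name__ == "__main__":
    for name in ("PAGE_DMARC", "ENFORCED_DMARC"):
        print(name, dmarc_problems(globals()[name]) or "OK for BIMI")
    print("PAGE_BIMI", bimi_problems(PAGE_BIMI) or "OK")
```

The generic DMARC example from Step 1 is flagged because of pct=20, which is the most common reason a domain with an otherwise valid policy does not qualify for BIMI.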

Why do you need BIMI?  

The advantage of adopting BIMI is multi-fold. It holds benefits for both the business adopting it and the supporting email clients.

The importance of BIMI for businesses  

Security reinforcement

In the process of BIMI adoption, you’ll have to make some security reinforcements like SPF, DKIM, and DMARC authentications. This helps you fortify your email security to ensure that no third-party entity is impersonating you.

Protect against phishing

By adopting BIMI, you can protect your customers from phishing or spoofing attacks. With a visual cue on every email, your customers become accustomed to identifying your emails and telling them apart from scam attempts.

Brand recognition

Getting your email noticed in a sea of emails in your customer's inbox is no mean feat. Having a logo that is instantly recognizable and pops on the screen right next to the email can hugely help with brand recognition and branding efforts.

The importance of BIMI for email client providers  

DMARC adoption

With more businesses adopting BIMI and, in turn, DMARC, mailbox providers can protect their users better. Along with measures they take on their own, wide DMARC adoption will help in preventing users from being exposed to risks.

Better experience 

With colorful logos and a sense of authenticity, email clients that support BIMI can give their users a much more enhanced and richer user experience.

Supporting email clients 

Email providers that currently support BIMI include:

  • Apple

  • Cloudmark

  • Fastmail

  • Google

  • La Poste

  • Onet Poczta

  • Yahoo

  • Zone Webmail

FAQs 

1. Does BIMI support multiple domains and logos?
Currently, BIMI supports one logo for multiple domains and subdomains. BIMI certificates (VMCs) each only support a single logo.

2. Should I only publish BIMI on my organizational domain or each subdomain?
A BIMI record published at the organizational domain level is inherited by the subdomains. If a BIMI record is found at the subdomain level, the mail client can use it even if it is different from the BIMI record published at the domain level.

3. Why is a mailbox provider or testing tool reporting issues in retrieving my SVG/VMC file?
Retrieving an SVG file is done via an HTTPS transaction. The request is sent to a web server, and many web servers are configured to use a CAPTCHA to test that the request is not automated. The processes used by email clients for SVG retrieval are often automated and will fail the CAPTCHA.

4. How is Yahoo different from the other BIMI implementations?

Yahoo has its own set of conditions under which the BIMI logo will be displayed:

  • Published BIMI record

  • DMARC policy of quarantine or reject

  • Bulk emails

  • Sufficient reputation and engagement for the email address

You can check out Yahoo's documentation for BIMI help.

5. Do we have to publish a DMARC enforcement policy at the organizational level, even if we’re only using the subdomain?
Yes, BIMI adoption requires that the organizational domain and subdomain be covered by a DMARC reject or 100% quarantine policy.
