BIMI Checker: Best Practices
Brand Indicators for Message Identification (BIMI) is a new protocol that allows email senders to display branded logos in recipients’ inboxes. To check that BIMI is deployed correctly for a domain, you can use our free BIMI Checker. Simply supply a domain and hit enter, and the service will begin debugging your BIMI setup, including providing details about any issues.
This kind of tool is extremely useful because BIMI readiness involves getting a lot of small details right. For example, you need to host a cryptographic file that proves your ownership of the logo trademark, and you must have a strong DMARC policy and a compliant BIMI logo. There are also many other minutiae to deal with, which can be hard for human administrators to get perfectly right but are easy for an automated tool to detect and report on.
In this article, we’ll give you step-by-step instructions for checking your own BIMI deployment, with screenshots. First, we’ll teach you how to do this with Valimail’s automated BIMI checker, and then we’ll show you how you can try to do this manually. Finally, we’ll discuss common issues that may lead to failing a BIMI check.
Summary of key BIMI issues
Before we begin solving issues, it’s good to have a basic idea of what kinds of things typically go wrong with a BIMI deployment. BIMI itself is a fairly simple protocol, but it depends on other protocols, standards, and technologies that are easy to get wrong.
| Issue | Description |
|---|---|
| No Verified Mark Certificate (VMC) | BIMI lets you prove ownership of the branded logo using a special file called a VMC. If this file is missing, many platforms will not display your BIMI logo in inboxes. You can learn more about VMCs here: Verified Mark Certificate. |
| Missing DMARC record | BIMI requires you to have a strong DMARC record present. You can learn more about DMARC here: What is DMARC? |
| Logo or VMC not provided using HTTPS | Both the BIMI logo and the VMC file must be served via HTTPS. |
| No (or invalid) BIMI record | Your BIMI record must exist at the default._bimi subdomain and comply with the rules of a BIMI record. |
| Improperly formatted logo | BIMI logos follow a custom image format called SVG Portable/Secure (SVG P/S). You can learn more about the requirements for BIMI logos here: BIMI Logo. |
Debugging BIMI issues
The basic purpose of a BIMI checker is to help you determine whether your BIMI deployment is set up correctly. If an issue arises, the BIMI checker should also help you understand what exactly went wrong. Let’s see how this looks using a real BIMI debugging tool: Valimail’s BIMI Checker.
You can follow along with your own domain using Valimail’s BIMI Checker here: https://domain-checker.valimail.com/bimi.
For the examples below, we’ll imagine that we recently attempted to deploy BIMI for our domain, your-domain.example, and now we need to make sure that we’ve set everything up correctly.
Using a BIMI Checker
The process of checking a BIMI setup with Valimail’s BIMI Checker is trivial. Simply browse to the webpage and supply the domain you wish to check. For example, here’s the output when using the tool with the domain “valimail.com”:
We see here that the domain is compliant with BIMI and ready to use. However, what happens when we supply a domain that does not have a perfectly ready BIMI setup?
To find out, let’s try using this tool on our imaginary domain to see if there are any issues.
The BIMI Checker tells us that our BIMI deployment is broken. Specifically, the BIMI record doesn’t provide a valid logo URL. We can see this in the BIMI record on the bottom of the page: The “l=” tag is empty.
To fix this, we must update the domain’s DNS record to point the “l=” tag to an HTTPS URL containing a BIMI-compliant logo image file. Once we’re done, the BIMI record should look like this in our DNS configuration.
v=BIMI1; l=https://your-domain.example/path/to/logo.svg; a=https://your-domain.example/path/to/vmc.pem;
After deploying this update, we can again run the domain through Valimail’s BIMI Checker and see what happens now.
Using the BIMI Checker to guide our debugging efforts, we were able to easily fix the issue and become BIMI-ready.
Manually checking BIMI
Debugging BIMI manually is not always easy, but it is possible. Let’s try it out in case you ever need to go “under the hood,” so to speak.
First, we’ll want to check the actual BIMI record in the domain using a tool like nslookup.
$ nslookup -type=txt default._bimi.your-domain.example
Server: 10.240.80.246
Address: 10.240.80.246#53

Non-authoritative answer:
default._bimi.your-domain.example text = "v=BIMI1; l=; a=https://your-domain.example/path/to/vmc.pem;"
In this case, the issue is not hard to find. The “l=” tag is empty, meaning that we aren’t providing a logo file!
This may not seem so bad, but we still have more things to verify. For example, how do we ensure that the VMC file is valid? Furthermore, if there were a logo file, how would we ensure that it follows the requirements for a BIMI logo? We’d also have to check that the domain has a strict DMARC policy in place. We could go on, but it’s easy to see how this work can become tedious to do manually.
Worse yet, the BIMI standard may change at any point in the future. If you rely on an automated solution, this isn’t a critical issue because the tool should receive updates to account for such changes. In contrast, email administrators and security engineers typically will not have a sufficiently deep knowledge of BIMI to maintain up-to-date checks.
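The record-level part of the manual check above can be scripted. This is an added example, not Valimail's code: it takes the TXT strings returned for default._bimi.<domain> and _dmarc.<domain> (the sample values are constructed) and treats p=quarantine or p=reject as a "strong" DMARC policy, which is an assumption the article does not spell out. It does not fetch or validate the VMC or the SVG itself.

```python
from urllib.parse import urlparse

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # URLs may contain '='
            tags[name.strip().lower()] = value.strip()
    return tags

def is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def check_bimi(bimi_txt, dmarc_txt):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    bimi = parse_tags(bimi_txt or "")
    if bimi.get("v") != "BIMI1":
        findings.append("bimi: no valid record at default._bimi")
    else:
        logo, vmc = bimi.get("l", ""), bimi.get("a", "")
        if not logo:
            findings.append("bimi: l= tag is empty, no logo URL")
        elif not is_https(logo):
            findings.append("bimi: logo URL is not HTTPS")
        if not vmc:
            findings.append("bimi: a= tag is empty, record is self-asserted")
        elif not is_https(vmc):
            findings.append("bimi: VMC URL is not HTTPS")
    dmarc = parse_tags(dmarc_txt or "")
    if dmarc.get("v") != "DMARC1":
        findings.append("dmarc: no record at _dmarc")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        # Assumption: "strong" means an enforcing policy.
        findings.append("dmarc: policy is not quarantine or reject")
    return findings

# Constructed samples: the broken and fixed records from this article,
# plus a made-up DMARC record for the same placeholder domain.
BROKEN = "v=BIMI1; l=; a=https://your-domain.example/path/to/vmc.pem;"
FIXED = ("v=BIMI1; l=https://your-domain.example/path/to/logo.svg; "
         "a=https://your-domain.example/path/to/vmc.pem;")
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@your-domain.example"

if __name__ == "__main__":
    for name, rec in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_bimi(rec, DMARC_OK) or "ok")
```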
Preventing common BIMI issues
Using a tool to find issues is very convenient, but it’s easier to prevent issues if you already know what problems are likely to occur in the first place. With this in mind, let’s look into some of the most common problems that will lead to error messages later on.
Self-asserted BIMI records
The presence of a BIMI logo should let recipients know that your email is more trustworthy. This trust is enforced with the VMC, the cryptographic file you acquire by proving that you are the legitimate owner of the trademark in your logo.
If you leave the “a=” tag in your BIMI record empty, thus not pointing to any VMC file, you disregard this essential trust element of BIMI. Some mail providers, such as Yahoo, may still show your logo in inboxes:
“We currently do not require VMCs to be set up for BIMI logos to appear in Yahoo applications. However, if a BIMI record includes a VMC, we will use it to inform the overall BIMI eligibility.”
This is called a self-asserted BIMI record. However, a logo published this way won’t show up in most inboxes, so it’s advisable to acquire a VMC if possible.
Getting a VMC
We’ve explained how important a VMC is, but how do you acquire one? You will have to pay a certificate authority (CA) and undergo a verification process. Currently, there are only two CAs with the authority to give out VMCs: Entrust and DigiCert.
Requirements include the following:
- Proving your identity
- Sitting through video calls with the verification team
- Proving ownership of the trademark
- Paying up to $1,499
You can learn more about VMCs in our article: Verified Mark Certificate.
Proper logo formatting
A BIMI logo is an SVG file that adheres to the SVG P/S standard. Luckily, you can convert a standard SVG image to the SVG P/S format using the free and open-source tools provided by the AuthIndicators Working Group: https://github.com/authindicators/svg-ps-converters.
You can find the BIMI logo by looking at the URL that the BIMI record’s “l=” tag points to.
We have a full article that explains how BIMI logos work and how you can format your logo according to the specification: BIMI Logo.
As we’ve observed throughout this article, plenty can go wrong when deploying BIMI. Depending on employees to get all of this right is expensive, time-consuming, and error-prone. What if you could hand this work off to a service that takes care of the details for you?
Valimail has created a service called Amplify for exactly this purpose. Valimail has partnered with DigiCert and mail platforms to make BIMI easy.
Manually checking BIMI using traditional tools like the Unix command line is tedious when preparing for a BIMI deployment. BIMI involves enough parts that checking them all is simply too much work for most administrators. Luckily, modern email administration services like Valimail’s BIMI checker make this much easier.
Typical issues that a BIMI checker might uncover include a missing BIMI record, an invalid BIMI logo, or a missing Verified Mark Certificate, among others. Luckily, a high-quality BIMI checker will point out what’s wrong and help you understand the issue.