BIMI Email Security: Tutorial & Best Practices
Brand Indicators for Message Identification (BIMI) is a new protocol for email that allows senders to display branded logos next to their emails in recipients’ inboxes. Although BIMI offers a plethora of benefits for email marketing, it is not an email security protocol. Rather, it leverages other security technologies like Domain-based Message Authentication, Reporting & Conformance (DMARC) and Verified Mark Certificates (VMC) for email marketing.
This article will explain BIMI email security in detail, including what BIMI can do for your company and its limitations.
Key BIMI email security concepts
BIMI — as great as it is for email marketing — is not a panacea for all your email woes. The table below summarizes what BIMI does and doesn’t do across several email marketing and security categories.
| Category | What BIMI does or doesn't do |
|---|---|
| Email open rates | Users are more likely to open your emails if they stand out in their inbox with a branded logo. |
| Trust | The presence of a verifiable logo improves users' confidence in the email. |
| Brand awareness | Recipients will see a brand in their inbox next to every email, increasing the presence and, thus, awareness of a brand. |
| Incentivizing DMARC | DMARC is a powerful tool for email security and a requirement for BIMI. More email marketers using BIMI means more senders are incentivized to set up DMARC, thus making the overall email ecosystem safer. |
| Phishing risk | A branded logo in recipients' inboxes is not a strong deterrent against phishing. To learn about how you can mitigate phishing, check out our article "What helps protect from phishing?" |
| Domain impersonation risk | BIMI does nothing to help with this aside from requiring the use of DMARC. DMARC helps prevent the threat of attackers impersonating your domain. Administrators can also enforce DMARC on incoming mail to detect some spoofed domains. |
| Brand impersonation risk | Even if you deploy BIMI, attackers can trivially use a similar-sounding domain name and other social engineering tricks to impersonate your brand. |
| Protection from cybersecurity threats | BIMI is not a security protocol and does not strive to include protections against cybersecurity threats. |
Why BIMI is not a security protocol: BIMI email security challenges
Hypothetically, a BIMI logo lets you know that an email is from the organization that owns the brand. At first glance, this bolsters security by informing you that emails with branded logos in your inbox are legitimate. In practice, these assumptions are highly problematic. To demonstrate this, let’s look at a couple of issues with this line of thinking.
Inconsistent BIMI logo verification
A BIMI logo is verified using a VMC file. However, "self-asserted" BIMI records do not reference a VMC file at all. Some platforms will exclude the logo if the BIMI record is self-asserted, but others do not necessarily do so. For example, consider this quote from Yahoo's BIMI requirements:
“We currently do not require VMCs to be set up for BIMI logos to appear in Yahoo applications. However if a BIMI record includes a VMC, we will use it to inform the overall BIMI eligibility.”
– Yahoo BIMI requirements
Users lack adequate security training
BIMI is a relatively new technology and not widely understood by the general public. Thus, BIMI is inadequate as a security signal to end users.
To demonstrate this, imagine the following scenario. Your organization's security team decides to teach users that the presence of a BIMI logo means the email is safe. Subsequently, an attacker includes your logo in the body of a phishing email, which recipients assume means the email is legitimate.
In other words, instructing recipients to determine the legitimacy of incoming mail based on your branded logo opens you up to social engineering attacks.
Additional BIMI email security concerns
The two issues above are just the tip of the iceberg. Presenting BIMI as a security solution invites many other problems. For example, attackers could register a valid trademark for a logo similar to yours.
These BIMI email security challenges all result in the same conclusion: organizations should use BIMI primarily for its intended marketing purposes and not as a substitute for robust email security measures.
BIMI email security recommendations
Although BIMI is not intended to enhance email security directly, there are ways to use BIMI securely. Let’s overview some of the most important security considerations related to BIMI.
Avoid email marketing “dark patterns”
Before worrying about BIMI, you should ensure that your recipients want to receive the content you're sending to them. There are a number of ways to make sure of this, including:
- Allowing recipients to unsubscribe from future marketing content easily
- Obtaining explicit consent before including subscribers in mailing lists
- Not spamming recipients with excessive emails
- Removing an address from your mailing list if an email to that recipient bounces
Although certain email marketing “dark patterns” may seem appealing as a short-term way to boost leads, such practices will inevitably hurt the credibility of your domain, brand, and organization. Building positive relationships is challenging, and harming that relationship will put you on an uphill battle to rebuild confidence with potential leads.
Acquire a verified mark certificate
To prove that a domain is the rightful owner of the branded logo included in the inbox, BIMI utilizes a special cryptographic file called a VMC, or verified mark certificate. Technically, you can use BIMI without obtaining a VMC file. In this case, your BIMI record will be considered “self-asserted.” We recommend against self-asserted BIMI, because many platforms will not include your BIMI logo in inboxes unless your BIMI record points to a valid VMC file.
You can learn more about different VMC requirements from BIMI Group’s article on Verified Mark Certificates (VMC) and BIMI.
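The distinction between VMC-backed and self-asserted records, and the DMARC enforcement BIMI depends on, can be checked on your own domain's records. The following is an added example, not code from the original article or the BIMI Group; it assumes the BIMI draft's record syntax (v=BIMI1; l=<logo URL>; a=<evidence URL>, with an empty or absent a= meaning self-asserted) and treats pct below 100 as non-enforcing for either DMARC policy; the sample records are constructed.

```python
# Added example, not from the article: audit a domain's own BIMI and DMARC TXT
# records. Syntax follows the BIMI draft (v=BIMI1; l=<logo URL>; a=<evidence URL>);
# an empty or absent a= makes the record self-asserted. Samples are constructed.

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record (BIMI and DMARC share the form) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify_bimi(record: str) -> str:
    """Return 'vmc', 'self-asserted', 'declined' or 'invalid'."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        return "invalid"
    logo, evidence = tags.get("l", ""), tags.get("a", "")
    if not logo:
        return "declined"  # empty l= explicitly opts the domain out of BIMI
    if not logo.lower().startswith("https://"):
        return "invalid"  # logo must be fetched over HTTPS
    if not evidence:
        return "self-asserted"  # no VMC: some mailbox providers will not show the logo
    if not evidence.lower().startswith("https://"):
        return "invalid"
    return "vmc"  # a= points at authority evidence (the VMC PEM)

def dmarc_meets_bimi(record: str) -> bool:
    """BIMI needs an enforcing DMARC policy. Rule assumed here: p=reject or
    p=quarantine, pct=100 (the default) and sp= not relaxed to none."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "").lower()
    subpolicy = tags.get("sp", policy).lower()
    enforcing = policy in ("quarantine", "reject") and tags.get("pct", "100") == "100"
    return enforcing and subpolicy != "none"

def audit(bimi_record: str, dmarc_record: str) -> dict:
    """A logo should only be expected when the record is VMC-backed and DMARC passes."""
    status = classify_bimi(bimi_record)
    dmarc_ok = dmarc_meets_bimi(dmarc_record)
    return {"bimi": status, "dmarc_enforcing": dmarc_ok,
            "logo_expected": dmarc_ok and status == "vmc"}

# Constructed records for a hypothetical domain: self-asserted BIMI, enforcing DMARC
print(audit("v=BIMI1; l=https://example.com/logo.svg; a=",
            "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"))
```

In practice you would feed the functions the TXT values fetched from `default._bimi.<domain>` and `_dmarc.<domain>`; the logic is the same.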
Automate DMARC and BIMI
Maintaining DMARC and BIMI can be demanding for your IT team. These protocols require ongoing support, and different requirements can easily fall through the cracks, resulting in outages and lapses in your company's security posture.
Services exist that automate much of the process for you. Some services automate more parts of the process than others. Still, the key takeaway is that automation is safer than relying on engineers to keep DMARC and BIMI up and running manually.
In summary, BIMI is an exciting and powerful new email marketing protocol that improves the overall safety of the email ecosystem by encouraging senders to deploy DMARC. Even with the lack of direct security benefits in BIMI, you can securely enjoy the branding benefits offered by this new technology by taking proactive steps to implement the right solutions.