Dmarc as a Service
Oct 10, 2019
BIMI leaps forward with first usable VMC certificate
The new BIMI email standard provides a secure, global framework enabling email senders to provide validated, sender-specific logos that will appear in email inboxes alongside the authenticated email messages they send.
Because these logos will appear in inbox list views as well as message views, this means BIMI-using organizations stand to gain potentially millions of brand impressions — regardless of whether recipients open their messages.
Now, a new type of certificate called a Verified Mark Certificate (VMC) will help BIMI become even more trustworthy.
BIMI is short for Brand Indicators for Message Identification, and it’s a standard that builds on DMARC: It requires a domain to be authenticated with a DMARC policy set to enforcement (p=quarantine or p=reject).
As such, BIMI provides a powerful incentive for brands to adopt DMARC. While DMARC has already seen explosive growth, with the number of DMARC records growing by 5X over the past three years, BIMI will spur even more growth, making authenticated email that much more widespread. That will have a positive effect on the overall security and trustworthiness of the email ecosystem.
But how do you ensure that logos are not fraudulent? What would prevent a bad actor from registering a new, deceptive domain (such as c0mpany.com), authenticating it with DMARC at enforcement, and attaching company.com’s logo so the fake “c0mpany.com” emails look even more like the real thing?
How VMC adds trust
That’s where VMC certificates (as they’re somewhat redundantly called) come in. A VMC is a digital certificate that ties together a company (in the real world), its Internet domain, and its logo, in a verifiable way.
In short, the VMC registration system is designed to prevent bad actors from registering logos that they don’t own. If someone does try to use a VMC to register a logo that they don’t own, the VMC registration contains everything that the rightful trademark owner needs to track down the bad actor and pursue legal action.
BIMI is currently being piloted with Yahoo Mail, where VMC certificates are not required, but VMC has been developed with future BIMI pilots in mind. Google is planning its own BIMI pilot in 2020, though it has not provided specific timing or commented on whether VMC will be a requirement.
That’s why we are so excited about today’s news that DigiCert has issued the first VMC certificate for a domain that sends email at scale: CNN.com. With this certificate, as DigiCert’s press release notes, CNN becomes the first company that is prepared to participate in upcoming pilots of BIMI that will require VMC certs.
The VMC-BIMI future
Valimail has been instrumental in the development of BIMI (our CEO Alexander García-Tobar was a cofounder of the working group overseeing the BIMI standard, and our director of industry initiatives Seth Blank is the current chair), and we worked closely with DigiCert and CNN to make this certificate happen.
We hope that this will be the first of many such certificates. VMC is built to be secure and scalable, and we look forward to helping many other companies prepare their domains to participate in BIMI.
If you’d like to find out how your company can participate in BIMI pilots and gain millions of brand impressions, read the details on Valimail Amplify here, and contact firstname.lastname@example.org for more information.