Dmarc as a Service

The benefits of BIMI — and how to get ready for it

BIMI logos can boost engagement in email marketing campaigns. This post explains the details of the BIMI standard. For the basics, see the first post in this series.

Quick recap: What is BIMI?

BIMI (Brand Indicators for Message Identification) is a new email specification that puts brands in control of how their logo appears within supporting email clients. Simply put, BIMI allows companies to tell inbox providers what logos in they’d like to appear in customers’ and prospects’ inboxes, rather than just letting the inbox provider display generic avatars or the company’s initials.

Email isn’t going away anytime soon. And as marketers, we’re always looking for ways to stand out in the inbox. Being able to control your logo when sending emails, newsletters, receipts, offers, etc. is invaluable. It’s similar to having the perfect, consistent vanity URLs and display names across social media profiles – it’s low-cost, but shows consistency, conveys trust, and increases recognition and reach.

Sounds great, right? It is! Initial pilots have shown an increase in engagement by an average of 10% when inboxes display trusted brand logos next to email messages.

Successful implementation of BIMI requires that a brand’s emails be authenticated – which means the brand’s outgoing emails cannot be spoofed. This is an essential safeguard, preventing BIMI from being used by bad actors to sow further confusion. This also promotes security hygiene and encourages the email ecosystem to take better precautions against phishing attacks by deploying and enforcing email authentication.

Let’s break that down.

What are the prerequisites for implementing BIMI?

Taken directly from the AuthIndicators Working Group’s website, you need the following to get ready for BIMI:

  • Authenticate all of your emails with SPF, DKIM, and DMARC
    • Ensure domain alignment (the domain used by SPF and DKIM is the same as the one used by DMARC)
  • Ensure your DMARC policy is at enforcement
    • This means either “p=quarantine” or “p=reject”
    • No sp=none and no pct<100
  • Publish a BIMI record for your domain in DNS
    • Where required, obtain a Verified Mark Certificate (VMC)

In our next blog in this series we will dive into how exactly you get to DMARC enforcement at a policy of either reject or quarantine, thus aligning SPF and DKIM. For now, here’s a quick overview.

How SPF, DKIM, and DMARC work together

Sender Policy Framework (SPF) is the standard that launched domain-based email authentication, letting domain owners publish a list of approved IP addresses. If a mail server with an IP address not on the approved list tries to send an email using that domain, it won’t pass SPF authentication.

DomainKeys Identified Mail (DKIM) improves upon SPF’s protocols by using public key cryptography to authenticate individual email messages.

Both of these standards have limitations, however (which we will cover in-depth in our next post). This is where Domain-based Message Authentication, Reporting, and Conformance (DMARC) comes in.

Neither SPF or DKIM authenticate the sender based on the “From:” field that a user sees. The policy specified in a DMARC record ensures that the DKIM key’s domain (or the SPF-verified Return-Path header) and the domain shown in the “From:” address are “aligned,” i.e. that they match. This prevents any potential scammers or phishers from using a bogus domain in the “From:” address while signing the message with an unrelated domain that they control. This simple check provides an enormous amount of protection that hadn’t previously existed for email.

So in order to be BIMI-ready, your organization must have taken all of the steps necessary to implement a DMARC enforcement policy of quarantine or reject – thus being protected against spoofing to the highest standard out there today.

What’s a BIMI certificate and do I need one?

To be BIMI-ready for some mail clients, you may be required to obtain a Verified Mark Certificate (VMC), also known as a BIMI certificate, from a certificate authority like DigiCert or Entrust Datacard. In their own words, VMCs “allow companies to render their brand logo next to the ‘sender’ field in email clients — visible even before the message is opened.” It essentially validates that your organization actually owns the logo you’re using for BIMI. In order to be issued a VMC, your organization must have a logo that has been registered with the trademark office —an additional step to ensure that your organization’s email logo display cannot be spoofed.

Valimail and DigiCert have partnered to offer one-stop shopping for getting BIMI ready, with DMARC monitoring and automation from Valimail and VMC issuing from DigiCert.

Want to find out if your organization is BIMI-ready? Enter your domain into our BIMI Checker. There you’ll see your BIMI-ready status as well as your current DMARC status.

How do you get started?

In our next post, we’ll dive into the process of getting to DMARC enforcement, with a policy of reject or quarantine — the heaviest technology prerequisite for achieving BIMI-readiness. Organizations often struggle with getting to enforcement for a number of reasons, the largest of which is a lack of visibility into the activity from their sending domains. But don’t worry – we’ll cover the limitations of SPF and DKIM and how DMARC largely solves for those, and how it is an ongoing process (not just a project)!

Can’t wait to get started? Get DMARC visibility for free with DMARC Monitor, the industry’s leading DMARC visibility tool.