Why BIMI’s so good for marketing and security
When I started TAG Cyber, the first matter of business was to design a logo. I have friends who run a wonderful design firm in New Jersey, so I approached them with an awkward request: “Make the logo vaguely reminiscent of my beloved AT&T,” I asked, “but not so much that their lawyers will be unhappy.” In other words, fly toward the sun, but not too close. In virtually no time, they designed the unique face of our company. Here it is next to AT&T’s iconic logo:
I bring this up to remind you that developing a logo is a total snap, but also to hint that not everyone treats the process honestly. Suppose, for example, that I’d been a recent retiree of Uber (do they have retirees yet?) and had wanted to create a logo that was similarly evocative of the parent organization. I might have used Adobe Illustrator to render something misleading and perhaps even downright fraudulent. Here’s an example:
How BIMI logos can increase trust in email
This challenge of maintaining logo integrity is one of many issues organizations will need to address as they begin to use the Brand Indicators for Message Identification (BIMI) draft standard. BIMI is designed to use brand logos like the ones shown above to help reduce fraud in email: a receiving mail client displays the sender's logo only for messages that have passed DMARC, so a look-alike domain that cannot authenticate gets no logo. And yes – it also provides a huge benefit to marketing teams who like the idea of slapping the company stamp in front of customers receiving email. (C’mon – marketing is not evil. Get over it.)
My friends at Valimail were kind enough to walk me through BIMI, and here are the guts of the standard: Domain owners first publish DMARC records with an enforcement policy (p=quarantine or p=reject) on their domains, then publish a BIMI assertion record, a DNS TXT record at default._bimi.<domain> of the form v=BIMI1; l=<HTTPS URL of the SVG logo>; a=<optional URL of an evidence document>. The evidence document is the "proof of validation" part: in current deployments it is a Verified Mark Certificate, which ties the logo to a registered trademark. Receivers authenticate inbound messages via DMARC on the From domain, confirm the domain's DMARC policy is at enforcement, then ask the DNS for the corresponding BIMI record and fetch the logo it points to. If everything checks out, the receiver adds a BIMI-Location header carrying the logo and evidence locations, which the mail client uses to display the logo.
The way this looks in practice is that if you get an email message from a company such as HBO, Yelp, or Uber, and they have BIMI in place on top of DMARC at enforcement, and your mail client supports BIMI, then you will see their logos on the inbound messages (see below).
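To make the receiver-side flow above concrete, here is an added example of the checks a mail receiver performs before it will attach a BIMI header. This is my own illustration, not code from the original post or from Valimail; the DNS records are constructed, and the function names and the in-memory "resolver" dictionary are assumptions standing in for real DNS lookups.

```python
# Added example (not from the original post or from Valimail): the checks a
# receiver performs after DMARC has passed, run against constructed DNS records.
from typing import Dict, Optional

# Constructed TXT records, keyed by the name a resolver would be asked for.
# A BIMI assertion record lives at <selector>._bimi.<domain>; "default" is the
# selector used when the message carries no BIMI-Selector header.
CONSTRUCTED_DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": (
        "v=BIMI1; l=https://example.com/brand/logo.svg; "
        "a=https://example.com/brand/vmc.pem"
    ),
    # Monitoring-only DMARC: the domain authenticates, but is not at enforcement.
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "default._bimi.example.net": "v=BIMI1; l=https://example.net/logo.svg; a=;",
}


def parse_tag_value(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' TXT record into a dict; DMARC and BIMI share this syntax."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_at_enforcement(domain: str, dns: Dict[str, str]) -> bool:
    """True only if the DMARC policy is quarantine or reject and applied in full."""
    record = dns.get(f"_dmarc.{domain}")
    if record is None:
        return False
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return False
    # pct below 100 means the policy is only sampled; that is not enforcement.
    if tags.get("pct", "100") != "100":
        return False
    # An explicit sp=none would leave subdomains unprotected.
    if tags.get("sp", "").lower() == "none":
        return False
    return True


def bimi_assertion(domain: str, selector: str,
                   dns: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Look up and validate the BIMI record; returns the logo URL and evidence URL."""
    record = dns.get(f"{selector}._bimi.{domain}")
    if record is None:
        return None
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "BIMI1":
        return None
    logo = tags.get("l", "")
    if not logo.startswith("https://"):
        return None  # the logo must be retrievable over HTTPS
    evidence = tags.get("a") or None  # an empty a= means no evidence document
    return {"logo": logo, "evidence": evidence}


def bimi_headers(from_domain: str, dmarc_pass: bool, dns: Dict[str, str],
                 selector: str = "default") -> Optional[Dict[str, str]]:
    """Header a receiver would add for the mail client, or None if no logo may be shown.

    from_domain is the RFC5322.From domain; dmarc_pass is the DMARC result for it.
    """
    if not dmarc_pass:
        return None
    if not dmarc_at_enforcement(from_domain, dns):
        return None
    assertion = bimi_assertion(from_domain, selector, dns)
    if assertion is None:
        return None
    location = f"v=BIMI1; l={assertion['logo']}"
    if assertion["evidence"]:
        location += f"; a={assertion['evidence']}"
    return {"BIMI-Location": location}


if __name__ == "__main__":
    for domain in ("example.com", "example.net"):
        print(domain, "->", bimi_headers(domain, dmarc_pass=True, dns=CONSTRUCTED_DNS))
```

Run as a script, example.com (p=reject, HTTPS logo, evidence document) gets a BIMI-Location header, while example.net gets nothing even though its BIMI record is well formed, because its DMARC policy is p=none. That is the dependency the rest of this article keeps coming back to: the logo is a reward for enforcement, not a substitute for it.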
It’s an excellent user experience, and as we’ll outline below, represents one of the rare instances where users, marketing, and security all agree on a given control. That almost never happens.
How to implement BIMI on your domain
To get your logo displayed in the visible email using BIMI, you must first implement DMARC at enforcement, meaning a published policy of p=quarantine or p=reject rather than the monitoring-only p=none that many domains stop at. As any security expert will attest, DMARC is a great way to improve the integrity of email being sent and received: it lets a domain owner tell receivers to quarantine or reject messages that fail SPF and DKIM alignment, which shuts down direct spoofing of that domain. So anything that drives its greater adoption is a good thing (hence the title of this article). But additionally, the displayed logo also causes receivers to reflect, however briefly, on the origin of a received message. This is a good security habit, in my opinion.
Sure, there is the risk, as outlined above for Uber, that misleading logos can be attached to misleading domains and used for mischief. But welcome to the Internet. I can barely think of a single cyber security control that does not carry some side-effect or unwanted additional risk. In our industry, it always seems to be two steps forward and one back – and implementation of BIMI for display of logos in email is probably no different. Two things limit the damage. First, where a receiver requires the evidence document described above, which ties the logo to a registered trademark, a look-alike logo on an unrelated domain should fail that check before it is ever displayed. Second, because each BIMI logo must be tied to a valid domain, and domains must be issued by registrars, there is usually a way for lawyers to reach the domain owner in the event of a trademark dispute over a misleading logo.
The bottom line is that BIMI builds on DMARC, and to gain the marketing advantage of logo display, you will need to implement DMARC. Because DMARC at enforcement greatly reduces spoofing of your domain, you get a double benefit from deploying these two together. So, I’m for BIMI, and highly recommend that you look into it today. Vendors like Valimail are happy to guide you through the process, so don’t worry if all this complexity around email headers and brand indicator authentication seems beyond your means. You’ll have little trouble if you ask for some help.
Let me know once you’ve implemented BIMI. I’d like to collect user experience and share the results with the community. I look forward to hearing from you.