Emerging standard specification ties brand logos to legitimate domains. It could increase trust in email and help people avoid phishing scams.

Key Points:

  • BIMI is an emerging email specification that appears to be making progress, with Google recently announcing a Gmail trial.
  • It enables brands to display their logo alongside messages in recipients' inboxes, as evidence that they’re authentic.
  • BIMI builds on DMARC—a sending domain must have an enforced DMARC policy in order to benefit from BIMI.

BIMI, or Brand Indicators for Message Identification, is an emerging standard specification that can help organizations build trust in their email communications and help their emails stand out from the crowd. With phishing email scams on the rise—and turbocharged by the COVID-19 pandemic—BIMI could increase brand safety by boosting recipients’ confidence in legitimate brand messages.  

On average, brands see an email open rate of roughly 20%, according to marketing industry benchmarks based on aggregated data.[1] Even that batting average may be difficult to maintain. There’s the overwhelming amount of emails that people receive, of course, but there’s also a growing incidence—and awareness—of phishing emails, especially business email compromise (BEC) scams in which a criminal spoofs a business’ or its partner’s email address and website, and/or impersonates a company executive.

The amount of email fraud—and the financial and brand reputational toll it exacts—is rising. In 2019, the FBI’s Internet Crime Complaint Center (IC3) recorded 23,775 complaints about business email compromise resulting in $1.7 billion in losses.[2] To combat BEC, businesses are training employees and customers to be cautious about opening emails—and that caution can lead to legitimate emails going unopened.

How BIMI Helps Protect Brand Safety

BIMI helps protect brand safety and build trust by displaying a brand’s logo next to authentic email messages, giving recipients a visual signal that the message genuinely is from that brand. A cryptographically protected certificate issued by a third party provides the proof that a message originates from a trusted sender.

BIMI relies on strong authentication through DMARC (Domain-based Message Authentication, Reporting & Conformance), an email authentication and reporting protocol that builds on the SPF and DKIM protocols. BIMI is not a security solution in itself, but its wider use over time could decrease the incidence of email compromise as the spec helps users more efficiently separate legitimate messages from phishing emails and other scams. 

“BIMI can help to protect your brand against abuse,” said Dirk Jan Koekkoek, VP, DMARC, Mimecast. “BIMI creates another layer of trust—legitimate emails will be much easier to recognize for the end user/receiver. BIMI is also a big plus for email marketers because it’s likely to increase open rates and helps to deliver a stronger brand experience with every email communication.”

How BIMI Works

It’s possible to link a brand logo to an email without BIMI, but it’s complicated. To support the many possible brand and logo combinations, email providers must create a unique system for logo management and display. This results in complex and proprietary systems that may or may not render a brand’s logo in the way it intended.

BIMI standardizes the process: Companies that wish to have logos appear with their emails will need a third-party issued Verified Mark Certificate (VMC). A trademark-protected logo is required to obtain a VMC. Next, the sender must publish brand assertions for their email domains via DNS. Once an email is authenticated, the email provider queries DNS for the corresponding BIMI record. If the record is present, the logo displays with the email in users’ inboxes in a way that is tightly controlled by the client email application. It’s important to note that the email sender must have DMARC in place, built on SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail), so that the source can be marked as trusted.
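The receiver-side sequence just described (authenticate the message, check that the domain's DMARC policy is enforced, then fetch and validate the BIMI assertion record) can be walked through offline. The following is an added example, not code from Mimecast or the BIMI working group; the zone data is constructed and held in a dictionary in place of real DNS lookups, and the function names (`parse_tags`, `dmarc_is_enforced`, `bimi_decision`) are this example's own. The record shapes (`_dmarc.<domain>` with `v=DMARC1; p=...`, and `default._bimi.<domain>` with `v=BIMI1; l=<logo URL>; a=<certificate URL>`) follow the published DMARC and BIMI record formats.

```python
"""Offline walk-through of a BIMI lookup: DMARC first, then the BIMI record.

Added example with constructed zone data and assumed helper names; it is not
Mimecast's or the BIMI working group's code. A real receiver resolves these
names over DNS after the message passes DMARC; here the zone is a dict.
"""
from urllib.parse import urlparse

# Constructed zone data: TXT records keyed by owner name.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "default._bimi.example.com": (
        "v=BIMI1; l=https://example.com/brand/logo.svg; "
        "a=https://example.com/brand/vmc.pem"
    ),
    # Monitoring-only DMARC: the message can authenticate, but the policy is not enforced.
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "default._bimi.example.net": "v=BIMI1; l=https://example.net/logo.svg;",
    # Partial quarantine: a pct below 100 does not count as enforcement for BIMI.
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.example.org": "v=BIMI1; l=http://example.org/logo.svg;",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforced(record: str) -> bool:
    """True when the DMARC policy is at enforcement: p=reject, or
    p=quarantine applied to 100% of mail (pct defaults to 100)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    if policy == "reject":
        return True
    return policy == "quarantine" and pct == 100


def bimi_decision(domain: str, dns: dict, dmarc_passed: bool = True,
                  selector: str = "default") -> dict:
    """Decide whether a receiver should show a logo for mail from `domain`.

    Mirrors the order in the article: authenticate first, require an enforced
    DMARC policy, then look up the BIMI assertion record and validate it."""
    dmarc_record = dns.get(f"_dmarc.{domain}")
    if not dmarc_passed or dmarc_record is None:
        return {"display": False, "reason": "message did not pass DMARC"}
    if not dmarc_is_enforced(dmarc_record):
        return {"display": False, "reason": "DMARC policy is not at enforcement"}
    bimi_record = dns.get(f"{selector}._bimi.{domain}")
    if bimi_record is None:
        return {"display": False, "reason": "no BIMI record published"}
    tags = parse_tags(bimi_record)
    if tags.get("v", "").upper() != "BIMI1":
        return {"display": False, "reason": "BIMI record has no v=BIMI1 tag"}
    logo = tags.get("l", "")
    if not logo:
        # An empty l= tag is how a domain says it does not participate.
        return {"display": False, "reason": "domain declines BIMI (empty l= tag)"}
    if urlparse(logo).scheme != "https":
        return {"display": False, "reason": "logo URL must be served over HTTPS"}
    return {"display": True, "reason": "ok", "logo": logo, "vmc": tags.get("a", "")}


if __name__ == "__main__":
    for name in ("example.com", "example.net", "example.org"):
        print(name, bimi_decision(name, FAKE_DNS))
```

Only `example.com` ends up with a logo: `example.net` publishes a BIMI record but its DMARC policy is `p=none`, and `example.org` quarantines only half its mail. Both failures are the common real-world reason a brand's logo never appears, which is why the DMARC rollout has to come before the BIMI record.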

To work with BIMI, the logos themselves must also be standardized. For example, logos must display cleanly at various resolutions and include characteristics that support verification and security. Logos must also be square and saved in a version of the SVG (Scalable Vector Graphics) format authored by the BIMI Working Group (the SVG Tiny Portable/Secure profile), and they cannot include script tags or external links.
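A sender can catch the most common logo rejections before publishing a BIMI record. The following is an added example, not the BIMI working group's validator and not Mimecast's code: it checks only the constraints named above (square canvas, the SVG Tiny P/S profile declaration, no script elements, no external links) plus the profile's required `<title>` element, and it does not implement the full profile. Both SVG inputs are constructed, and `check_bimi_svg` is this example's own function name.

```python
"""Structural checks on a BIMI logo, modelled on the constraints listed above.

Added example with constructed SVG input and an assumed function name; it is
not the BIMI working group's validator and covers only the points the article
names plus the profile's required <title>, not the whole SVG Tiny P/S profile.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample that satisfies every check below.
GOOD_LOGO = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
     baseProfile="tiny-ps" viewBox="0 0 64 64">
  <title>Example Brand</title>
  <rect width="64" height="64" fill="#1a73e8"/>
  <circle cx="32" cy="32" r="20" fill="#fff"/>
</svg>"""

# Constructed sample that should be rejected: wrong profile and version,
# not square, an embedded script, and an image pulled from another host.
BAD_LOGO = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" viewBox="0 0 128 64">
  <script>alert(1)</script>
  <image xlink:href="https://cdn.example.invalid/logo.png" width="128" height="64"/>
</svg>"""


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def check_bimi_svg(svg_text: str) -> list:
    """Return a list of problems; an empty list means the logo passed every check."""
    problems = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile must be "tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('version must be "1.2"')

    # Square canvas: viewBox is "min-x min-y width height".
    viewbox = (root.get("viewBox") or "").split()
    try:
        if len(viewbox) != 4:
            raise ValueError
        if float(viewbox[2]) != float(viewbox[3]):
            problems.append("logo must be square (viewBox width != height)")
    except ValueError:
        problems.append("viewBox is missing or malformed")

    has_title = False
    for element in root.iter():
        name = _local(element.tag)
        if name == "title":
            has_title = True
        if name == "script":
            problems.append("<script> element is not allowed")
        for attr, value in element.attrib.items():
            attr_name = _local(attr)
            # Any href must be a same-document fragment; anything else is an external link.
            if attr_name == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{name}>: {value}")
            elif attr_name.startswith("on"):
                problems.append(f"event handler attribute {attr_name} is not allowed")
            elif re.search(r"url\(\s*['\"]?https?://", value):
                problems.append(f"external URL in <{name}> {attr_name}")
    if not has_title:
        problems.append("<title> element is required")
    return problems


if __name__ == "__main__":
    print("good:", check_bimi_svg(GOOD_LOGO))
    print("bad:", check_bimi_svg(BAD_LOGO))
```

The parser strips namespaces so that `xlink:href` and plain `href` are treated alike; a logo that references any resource outside its own file fails, which is the property that keeps the receiver's rendering of the logo self-contained and under the mail client's control.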

Growing Industry Support for BIMI

Verizon Media Group (Yahoo/AOL) is currently the only provider to offer BIMI support on the email receiver side, but that will be changing soon.

In July, Google Cloud announced a BIMI pilot for G Suite, saying that “BIMI provides benefits to the whole email ecosystem. By requiring strong authentication, users and email security systems can have increased confidence in the source of emails, and senders will be able to leverage their brand trust and provide their customers with a more immersive experience.”[3]

The Google BIMI pilot will include VMCs, or Verified Mark Certificates—the digital certificates that validate the authenticity of a brand logo attached to an email sender’s domain.

The BIMI working group also has announced that Comcast, Fastmail and Seznam.cz will add BIMI support for their provided mailboxes.

The Bottom Line

The emerging BIMI specification enables brands to display a cryptographically protected logo next to their email messages. This should help organizations get their messages read by proving that the email is legitimate and helping the message stand out among the many emails crowding users’ inboxes. BIMI requires an enforced DMARC policy, which is not yet widely deployed. However, with Google launching a BIMI pilot program, interest in—and use of—these brand safety and anti-phishing standards will likely grow.


[1] “The 2020 Email Marketing Benchmarks Guide,” Privy

[2] “2019 Internet Crime Report Released,” FBI

[3] “Safety first: Announcing 11 new G Suite security features,” Google
