The author voluntarily contributed this tutorial as a part of Write to Contribute program.
Brand Indicators for Message Identification (BIMI) is an email specification that gives brands the flexibility to decide which logo should appear alongside the sender name of their email messages in some mail user agents (MUAs).
No particular platform is required to define a BIMI record, as it is a set of DNS-based instructions providing the web location of your logo and Verified Mark Certificate (VMC), both of which will be used by an email client to show your logo in the user interface.
BIMI is an open framework built to provide a brand with the ability to control which logos are displayed with their email messages. It is important to note that BIMI usage is not limited to just email; the opportunities are endless wherever a validated logo could be used. It is easy to see that adoption might extend across social media platforms and messaging apps like WhatsApp, Telegram and even different mobile payment solutions for business verified accounts.
In this comprehensive BIMI guide, you will learn the A-Z of BIMI, along with the required implementation steps to properly support BIMI for your brand.
BIMI works as part of a comprehensive solution relying on other email authentication technologies that include SPF, DKIM and DMARC. In order to implement BIMI you will need to complete the following items:
Once you’ve implemented the required DNS configuration your logo will be evaluated by the recipient's Mailbox provider and when it meets their specific criteria the logo will be shown to the end-user.
Frequently asked questions
Simply publishing a BIMI record doesn't guarantee your logo will display. BIMI is just a framework to mention your preferred logo for brand identification. The decision to show a logo entirely lies with the mailbox provider and supported email client. This would happen primarily for these reasons:
The adoption of BIMI is currently in its early stages. Yahoo has been the first one to extend its support for BIMI in both its webmail and mobile email applications. Gmail announced support for BIMI in 2020, which has driven interest among email marketers.
Currently, not all mail clients support BIMI. So, even though you may have a high sender reputation and have implemented the required BIMI records, your brand logo might not start appearing in all the mailboxes. Some providers only support BIMI on specific classifications of the email (i.e. commercial and transactional vs personal) while others support it for all mail from a domain.
List of providers with no support for BIMI:
This list was last updated in Oct 2020. Source: BIMIGroup
Configuring BIMI requires some effort to get your brand's email authentication in order. Follow the BIMI Implementation Guide to get started.
With the rise of phishing, spoofing, and fraudulent emails causing data breaches and eroding consumer trust, it is important to protect your brand from being targeted or used in these efforts. You’ve likely already heard dozens of stories about fraudulent transactions, accounts getting hacked, and data breaches impacting consumer privacy and brand trust.
It is important to have strong email authentication and identification mechanisms to protect your brand and consumers from these fraudulent messages. BIMI is an important step towards that goal by giving brands a reason to implement strong authentication practices.
Most email consumers are non-techies. So, they can't analyze the technical information of an email like the results of SPF or DKIM validation, the type of TLS used to transmit the message, or the return path to determine which emails are legitimate and which are a fraud.
For this reason, the industry has been trying to innovate to bring visual cues to email identification for the last couple of years.
A few great examples of visual modes of spam identification:
"Broken logo or no logo will soon be a symbol of distrust. Email recipients will start categorizing such broken emails as spam, and getting low email open rates will be higher."
No email authentication solutions are mandatory at this time, but their use is highly recommended. As such, BIMI is not a compulsory email specification to implement. Having said that, the user experience and anti-spam values which BIMI brings to the table are tremendous.
As per Netcore’s experts, the adoption of BIMI is expected to increase with time and has been growing steadily over the last year.
Marketing executives are looking at BIMI as an opportunity to market their brand without even getting an email open. Email users spend less than a second reading a particular subject line in a preview pane. If your subject is not engaging enough, you may be missing the opportunity to get an open and a click.
Marketers have relied on the subject line and sender name as the driving factors for getting an email open, but now, with the launch of BIMI, users may start seeing the brand logo in their preview panes, which is predicted to influence their decision to open an email. Not all implementations currently support the logo in the list view portion of the email client.
That's precisely why email marketers worldwide should look to include BIMI as a part of their email programs.
BIMI will also create new opportunities for the designers to innovate with logos or favicons to make their brand stand out in the email preview pane.
SPF, DKIM and DMARC are the email authentication mechanisms for protecting emails from being spoofed. But the reality is that the average email user is not aware of these authentication frameworks. You can't expect them to read the email headers to identify the source IP and which authentication checks are failing. Therefore, it's important to give users a more visual representation to help them identify potential spammers and prevent losses at a very early stage.
While Gmail and a few other global leaders are trying to enhance these visual elements, many email clients are still lagging. According to Retruster 2019 Security stats, last year 76% of businesses and 60% of American families reported they were victims of some kind of phishing or scam attack. These numbers are enough for the industry to take some immediate steps. BIMI is one such outcome, focusing on driving support of strong authentication in an effort to help users and mailbox providers identify the authenticity of the sender.
The adoption of BIMI will increase among mail clients and email service providers because it is directly promoting the adoption of DMARC among the organizations.
Spammers currently enter your mailboxes with fraudulent brand identities, like a fake lottery or a fake overseas job offer. But once the adoption of BIMI increases, so will the adoption of DMARC with strict policy rules (i.e. either quarantine or reject). With such a strict DMARC policy check in place, many brand-impersonating emails will not be delivered to the inbox or even make it out of the spam folder.
BIMI, along with DMARC, will enhance the email security layer for many sensitive business units like banks, payment gateways, social media platforms, donation platforms and online retailers. Thanks to the efforts of the BIMI group for making this happen. It's going to be a reward for all good senders for following the strong authentication standards.
BIMI requires a strict DMARC configuration (explained below) to be set on your organization domain (i.e. company.com).
Having a strict DMARC record helps the receiver decide what to do with email messages from the brand's domain that fail authentication. This allows the receiver to test whether it is safe to show the brand-defined logo or not. Leveraging the existing authentication framework is probably the best part of BIMI, which in turn is the email ecosystem.
In the next sections, you will learn what DMARC enforcement is and how to implement BIMI for your emails.
A DMARC record without enforcement (p=none) is like checking everyone’s identification at the door but letting everyone come inside the building anyway. It’s a good way to report on who is entering and to gather data to make sure the proper safeguards are in place while not interrupting the day-to-day use of the building. It is also the start of a journey into protecting your brand, employees and customers by collecting data to identify areas for improvement.
DMARC enforcement refers to a specific parameter in the TXT record, indicated by "p". In this parameter, the domain owner can set the mail handling request for the receiving server. To enable DMARC, start with a p=none record and evaluate your authentication. Then look to move to a stricter enforcement policy of p=quarantine with an eye on moving to p=reject in the future.
In case of DMARC authentication failure, the receiving mail server will check the value of "p=" and may take the requested action on the message: none, quarantine or reject.
1. Implement SPF and DKIM: This is the first step to get your domain ready for BIMI. You need not only to implement SPF, DKIM and DMARC but also to ensure domain alignment across SPF and DKIM. To achieve domain alignment, SPF and/or DKIM must be authenticated using your From domain.
2. Implement DMARC with enforcement policy: You need to set up the DMARC record on the From domain. While setting up the DMARC record, you must set the value of p to either "p=quarantine" or "p=reject". Enabling an enforcement policy on your emails shows confidence in the proper authentication of the emails you are sending and helps you build a positive sender reputation with the receiver. Here is a sample DMARC record with enforcement enabled:
_dmarc.pepipost.com TXT v=DMARC1; p=quarantine; sp=none; fo=1; ri=3600; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org
3. Publish a BIMI record: The next step is to create your BIMI-compatible logo. Currently, the BIMI specification supports only a square-shaped image in the SVG Tiny PS format. This SVG logo should be hosted publicly and must be accessible via HTTPS. Once the logo is ready and hosted on a public HTTPS URL, you can go ahead with updating the BIMI record on your DNS.
Here is an example of a BIMI record published for pepipost.com:
default._bimi.pepipost.com. TXT "v=BIMI1; l=https://toolsapi.pepipost.com/image/logo.svg; a=;"
You should connect with your graphic designer and IT team to get these records implemented. Based on your hosting/nameserver provider, the exact steps to publish these records in your DNS may vary.
The most common issue while implementing SPF, DKIM, DMARC or BIMI records is the presence of line wraps, newlines, or stray whitespace. Please ensure you're copying and updating the correct record without any additional characters.
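The checks from steps 2 and 3 and the line-wrap pitfall above, as an added example (not Pepipost's or the BIMI Group's code): a small Python linter for the TXT values before they are pasted into DNS. The function names and the constructed sample record are illustrative, and it tests only the requirements stated in this guide.

```python
# Added example: offline checks for the DMARC and BIMI TXT values in this guide.
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT value into a dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def _common(txt, version):
    """Checks shared by both record types: stray line breaks and the v= tag."""
    problems = []
    if "\n" in txt or "\r" in txt:
        problems.append("record contains a line break")
    if parse_tags(txt).get("v") != version:
        problems.append("missing v=" + version)
    return problems

def check_dmarc(txt):
    """BIMI needs DMARC at enforcement: p=quarantine or p=reject."""
    problems = _common(txt, "DMARC1")
    if parse_tags(txt).get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("p is not quarantine or reject")
    return problems

def check_bimi(txt):
    """The l= tag must point to an SVG logo served over HTTPS."""
    problems = _common(txt, "BIMI1")
    logo = parse_tags(txt).get("l", "")
    url = urlparse(logo)
    if any(ch.isspace() for ch in logo):
        problems.append("whitespace inside l= URL")
    if url.scheme != "https" or not url.netloc:
        problems.append("l= is not an HTTPS URL")
    if not url.path.lower().endswith(".svg"):
        problems.append("logo is not an .svg file")
    return problems

if __name__ == "__main__":
    # The first record is the guide's sample; the second is constructed.
    print(check_bimi('"v=BIMI1; l=https://toolsapi.pepipost.com/image/logo.svg; a=;"'))
    print(check_bimi("v=BIMI1; l=http://logo.example/brand.png"))
```

An empty list means the value passed every check; a record with p=none or a logo URL wrapped across two lines comes back with the matching problem strings.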
Obtaining a Verified Mark Certificate (VMC), also referred to as a BIMI certificate, is currently optional, but the requirement for a BIMI VMC will become more important once they are available to all brands and domains. In a recent announcement, Google recommended that email senders use Entrust Datacard and DigiCert as the Certification Authorities to validate their logo ownership.
For any queries, please feel free to comment below or contact us for a free 1-1 email consultancy.