Email Security Blog

BIMI is the Next Chapter in Email Authentication

Patrick Peterson March 27, 2018 Online Brand Protection

Today’s announcement that deployment of Brand Indicators for Message Identification (BIMI) has begun marks the next chapter in the fight to make the world safe from identity deception.

Many of BIMI’s developers, including Agari, worked together from 2010 to 2013 to develop the DMARC email authentication standard, aimed at stopping the plague of phishing and other email attacks. Billions of phish have been prevented, but we’re just getting started and are excited to be working with the same group of companies on this next chapter.

Brand indicators extend DMARC’s foundation of authentication and provide an economic incentive to adopt DMARC. Email platforms (a.k.a. email receivers) like Yahoo will display logos only for senders whose internet domains have implemented DMARC reject or quarantine policies. Companies that adopt BIMI will gain the opportunity for an unlimited number of free brand impressions.
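The policy requirement above can be checked from a domain's published DMARC TXT records. The following is an added example, not code from Agari or from any email receiver: the function names are hypothetical, the sample records are constructed, and the handling of the `sp` subdomain tag and of duplicate records follows RFC 7489 rather than anything stated in this post.

```python
LOGO_POLICIES = {"quarantine", "reject"}  # the policies the post says qualify


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None  # tag without "=": treated as unusable in this example
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the v tag comes first and its value is exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = {}
    for name, value in tags:
        record.setdefault(name, value)  # keep the first occurrence (choice made here)
    return record


def effective_policy(record, is_subdomain=False):
    """Requested policy for the domain itself, or for a subdomain (sp overrides p)."""
    if is_subdomain and "sp" in record:
        return record["sp"].lower()
    return record.get("p", "").lower()


def logo_eligible(txt_records, is_subdomain=False):
    """Apply the post's rule to the TXT records found at _dmarc.<domain>."""
    parsed = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(parsed) != 1:
        return False  # no record, or several: receivers apply no DMARC policy
    return effective_policy(parsed[0], is_subdomain) in LOGO_POLICIES


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = {
        "enforcing": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        "monitor-only": ["v=DMARC1; p=none"],
        "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=quarantine"],
    }
    for label, records in samples.items():
        print(label, logo_eligible(records))
```

A domain publishing `p=reject; sp=none` passes for its own mail but fails for mail sent from a subdomain, which is easy to miss when auditing only the `p` tag.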

With BIMI, email applications display the sending company’s brand logo alongside authenticated emails in the inbox list and within emails themselves. The logos appear on screen real estate controlled by the email application, not in the body of the email, preventing criminals from faking the logos.

This is the second major boost for strong email authentication in the last six months. In October 2017, the U.S. Department of Homeland Security ordered federal agencies with .gov email domains to fully implement strict DMARC policies by October 2018.

Unlike most other email protection methods focused on identifying malicious email, BIMI shows users at a glance which emails and messages are authentic. As such, it reflects an Agari strategy of identifying the good. There will always be a new variant of malware or malicious email that has never been seen before. But while we don’t know what every type of bad email looks like, we know very well what good email looks like. Modeling the good helps identify anything that departs from the model.

BIMI adds another layer of authentication on top of DMARC. When the standard is complete and fully implemented, domain owners will need to use a trusted third-party authority – a Mark Verifying Authority (MVA) – to verify ownership of their brand and logo and issue a BIMI certificate.

BIMI certificates are a type of public key certificate similar to the Extended Validation (EV) Certificates that confirm the authenticity of a website. The vetting by the MVA will include all the requirements for obtaining an EV Certificate, the strictest of three levels for proving domain ownership, and will also audit all relationships between the domain name and the associated logo.

Everyone who wakes up in the morning with an inbox full of urgent messages, worried about what to open, should be able to wipe some of the sweat off their brows.
