Email Security Blog

BIMI: What It Is & Why It Matters to Email Security

Michael Cichon January 29, 2021 BIMI

Curious how BIMI can protect your email? I’ll explain what BIMI is, how it works, and how you can use it to protect your brand’s email communications.

What is BIMI?

Brand Indicators for Message Identification, or BIMI, provides a standardized method for businesses to showcase their brand logo next to the subject line of their authenticated emails so they stand out in crowded inboxes, with built-in protections against brand spoofing.

Unlike other forms of email security, BIMI is noticeable and easily identifiable even to those who aren’t tech-savvy. And it helps prevent fraudsters from impersonating your brand in phishing emails targeting your customers and other consumers or businesses, while improving your email deliverability rates.

BIMI builds on the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard for authenticating email. To use BIMI, businesses must have DMARC authentication in place, and they must establish a BIMI record that includes the URL for the location of the file containing the business’s logo.

What is a BIMI Record?

A BIMI record is a type of DNS TXT record that is used to display your brand logo in the recipient’s inbox if the email has been authenticated using SPF and/or DKIM together with DMARC, and the sending domain’s DMARC policy is set to either p=reject or p=quarantine.

If your head is spinning from all these acronyms, here’s a quick overview of how everything ties together.

BIMI – Displays your company logo next to your email messages within supporting email inboxes, boosting brand visibility while providing a visual indicator that the message is legitimate and can be trusted.

DKIM – DomainKeys Identified Mail uses cryptography to ensure the email messages you send are not modified in transit.

SPF – Sender Policy Framework is a form of email authentication that ensures email messages being sent with your domain only originate from specific IP addresses.

DMARC – Works with SPF and DKIM to enable email providers to recognize when an email message isn’t coming from a specific brand’s approved email senders, and gives the brand the ability to set policies that tell email providers what to do with these unauthorized emails. (You’ll need this first if you want to use BIMI.)

When you combine BIMI with the standards above, you help secure your email messages and increase brand visibility at the same time.

Why is BIMI important?

As the primary and preferred means of communication between customers and the brands they do business with, email has never been more important to ongoing customer support and marketing, especially since the onset of the coronavirus pandemic. In 2020, the ROI from email marketing campaigns was as high as 4,200%, returning $42 for every $1 spent.

With inboxes more crowded than ever, boosting visibility warrants attention. And with the alarming rise in phishing attacks and business email compromise (BEC) scams over the past year, the ability to establish trust with that heightened visibility is likely to prove quite powerful.

BIMI was developed by a coalition of industry leaders, including Agari. It provides a mechanism for a verified sender’s official logo to appear alongside email messages in space controlled by the email client, typically where user avatars or initials appear.

Gmail, Yahoo, AOL, Netscape, Fastmail and other major email providers have seen enough promise in BIMI to launch pilots in support of it, and we expect rollouts to reach an expanded scale throughout 2021.

BIMI essentially rewards organizations for having proper email security by increasing their brand visibility. It’s a win for email security, brand protection, and consumer trust.

By using BIMI, email marketers can expect to see fewer bounces from spam filters, higher open rates, and potentially higher response rates. Of course, the main purpose of BIMI is to offer an extra buffer against spoofing and phishing attacks that work to impersonate businesses.

It also gives businesses more control over the use of their brand identity in email by ensuring that only approved domains can have the verified logo shown alongside a message. As a result, phishing emails that attempt to impersonate your brand become easier to spot because they lack a BIMI-verified logo.

How BIMI works

BIMI can be viewed as an extension of DMARC, since DMARC is required in order for BIMI to work. When a domain has DMARC properly configured, a new TXT record can be created that enables the BIMI policy. This new TXT record contains a URL that points to the company logo.

Mail providers that support BIMI query DNS for the sending domain of the incoming message to locate its BIMI record. Once the email passes DMARC authentication, the BIMI record points the receiving mail server to the brand logo, which is then displayed in the inbox. For the logo to be shown, all of the following must hold:

  • DMARC must be set to p=reject or p=quarantine
  • A BIMI record is present in the DNS server for that domain
  • The image URL is valid and contains the image in SVG format

Below is an example of what a BIMI record looks like. Let’s break down each part of the record.

v=BIMI1; l=https://images.yourbrand.com/logo.svg

v=BIMI1; – This specifies the version of BIMI that is being used. This tag is always required and must always be the first tag in the record.

l= – This denotes the location of the image file to be used when the BIMI check is successful. The image should be hosted at a static location, and the image format must be SVG.

How to set up BIMI for email

    • Ensure DMARC is configured on your DNS server. BIMI requires DMARC in order to work successfully. The DMARC policy must be set to p=reject (recommended) or p=quarantine, and the percentage cannot be set to less than 100%. If you’re not sure whether you have DMARC in place, you can check your DMARC status with Agari. If you don’t, here’s a step-by-step DMARC setup guide.
    • Upload your logo. The SVG-formatted logo must be square and uploaded in high resolution. For best results the logo should be centered on a solid background and not exceed 32 KB in size. Upload the image to a server or hosting provider.
    • Note that some email providers require a Visual Mark Certificate (VMC) from a Mark Verifying Authority (MVA), a third-party organization that can provide evidence of verification of certain standards, including size, trademark, and content.
    • To include the VMC, our example BIMI record would look something like this:

      v=BIMI1; l=https://images.yourbrand.com/logo.svg; a=https://sub.yourbrand.com/vmc/logo.pem

      Here, “a=” points to the URL of the VMC (.pem file).

    • Publish your BIMI record. Log in to your DNS server and create a new TXT record. Inside, specify your new BIMI policy pointing to the URL where your logo is located. Once you publish your record it may take 24–48 hours to take effect.
    • Check your BIMI status. You can check whether your BIMI is working correctly by using the Agari BIMI Tool.
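As an added example (not part of the original post and not Agari’s tooling), the Python below checks the two records this guide describes against the requirements it states: a DMARC record with p=reject or p=quarantine applied to 100% of mail, and a BIMI record whose v=BIMI1 tag comes first, whose l= points to an HTTPS-hosted SVG, and whose optional a= points to a .pem VMC. The function names and the sample records are constructed for illustration; in practice you would fetch the real TXT records from DNS and feed them to these checks.

```python
from urllib.parse import urlparse

# Constructed sample records for demonstration (not real DNS data).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourbrand.com"
SAMPLE_BIMI = "v=BIMI1; l=https://images.yourbrand.com/logo.svg; a=https://sub.yourbrand.com/vmc/logo.pem"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into an ordered list of (tag, value) pairs."""
    parts = [p.strip().partition("=") for p in record.split(";") if p.strip()]
    return [(tag.strip().lower(), value.strip()) for tag, _, value in parts]

def _https_problem(tag, url, suffix):
    """Return a problem string if url is not an https URL ending in suffix, else None."""
    u = urlparse(url)
    if u.scheme != "https" or not u.netloc:
        return f"{tag}= must be an https URL"
    if not u.path.lower().endswith(suffix):
        return f"{tag}= must point to a {suffix} file"
    return None

def check_dmarc(record):
    """Problems that would stop BIMI working: policy must be reject/quarantine at 100%."""
    tags = dict(parse_tags(record))
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("v=DMARC1 is missing")
    if tags.get("p") not in ("reject", "quarantine"):
        problems.append("p must be reject or quarantine")
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
        problems.append("pct must be 100")
    return problems

def check_bimi(record):
    """Problems with a BIMI record: v=BIMI1 first, https SVG logo, optional https .pem VMC."""
    tags = parse_tags(record)
    problems = []
    if not tags or tags[0] != ("v", "BIMI1"):
        problems.append("v=BIMI1 must be the first tag")
    t = dict(tags)
    if "l" not in t:
        problems.append("missing l= logo location")
    else:
        problems.append(_https_problem("l", t["l"], ".svg"))
    if t.get("a"):  # a= is optional; only validate it when present
        problems.append(_https_problem("a", t["a"], ".pem"))
    return [p for p in problems if p]
```

An empty list from either function means the record satisfies the conditions above; anything else names the tag that would stop the logo from being displayed.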

