The future of email?

Some exciting things are happening in the email space leading to an opportunity from both a marketing and security perspective – and it’s actually as (what some people might think) “boring” as a fairly new DNS record!

BIMI, which stands for “Brand Indicators for Message Identification” allows verified brand and trademark owners to use their brand logo to help the email recipient identify what is not a fraudulent message.

BIMI makes your authentic emails easily recognizable and capitalizes on the positive associations that consumers have with a brand and a logo that marketers have worked so hard to instill in the consumers’ minds. Hypothetically increasing deliverability and opens. According to Verizon studies by up to 10 %.

Simply put it makes your emails stand out. It indicates to the recipient that the message is authentic, letting them open and interact safely. And is built as a pretty much industry-wide initiative to protect users from fraudulent activity.

History of BIMI

The creation of BIMI is actually not that recent, it’s been around for a couple of years and behind the initiative, you’ll find some real heavyweights like Verizon (with email clients such as Yahoo/AOL) and Google (who runs Gmail and actually joined the BIMI program in 2020).

The BIMI standard was created due to the extreme complexity of linking a brand’s logo to an email. If created per email client, there are hundreds of thousands of brand/logo combinations, and the need for a standardized option became more and more apparent. Without a standardized means of discovering and publishing each brand’s preferred logo, each mailbox provider or email interface wanting to display logos was required to invest and create a unique system for logo management and display.

This would result in hard to maintain, proprietary systems that frequently would leave brands frustrated. And if done incorrectly, would be easily abused by fraudsters. BIMI was developed to help standardize logo display for participating organizations.

How does BIMI work?

 BIMI allows organizations to leverage the hard work they’ve put into implementing DMARC, a security feature that prevents spoofing and ensures only authorized senders utilize the domain in question. BIMI adds to DMARC by communicating a key recognizable feature of the brand to the consumer’s inbox and further indicate to the consumer that this is an authentic email.

This is done through domain owners (or brands) publishing the BIMI record into their DNS.

It’s actually not an overly complicated record, it’s a TXT record which is standard. The TXT record simply contains a URL leading to an SVG file of your logo. You as an organization will publish a BIMI record containing these URLs into your DNS.

The standard requires for participating/supporting email clients to check if your domain’s DNS contains a BIMI record. If so, the record client will check the sending domain’s DMARC policy and verify that it is meeting the requirements. If these checks are successful, the email client will use the logo from the URL in the BIMI record to populate the email with a logo.

So instead of this

You get this

The tricky part here is DMARC, and the implementation complexity of DMARC greatly varies from organization to organization. If you already have it, getting your logos to display will be a cakewalk in comparison. If not, Dmarc is where the heavy-lifting will take place for you.

What is DMARC?

DMARC, or Domain-Based Message Authentication Reporting and Conformance, is an email authentication policy and reporting protocol. DMARC defends against unauthorized use of domains by preventing direct domain impersonation within email. It protects brands by ensuring participating mailboxes only receive emails actually sent by or on behalf of a domain. It utilizes SPF and DKIM records for this.

There can be multiple authorized senders from your domain. Marketers will typically use for example Sendgrid and they need to be verified in your DNS in the SPF record.

When implementing a DMARC record, you have 3 policies to choose from. These policies inform the recipient server how to treat mail sent from you that is not DMARC compliant.

  • None: Treat all mail sent from your domain as it would be without any DMARC validation
  • Quarantine: The recipient server may accept the mail, but should place it somewhere other than the recipient’s inbox (usually, the spam folder)
  • Reject: Completely reject the message.

Ideally, as you implement DMARC, you move through these policies from none to eventually reject when you’ve confirmed no authorized messages will be blocked.

For BIMI to work, your policy needs to be set to quarantine or reject.

However, it’s worth noting that only in the near past I’d personally say the development reached a critical point where it became something that needs to be on the agenda for brands. If you are still following what I’m talking about, you’ll probably be thinking. How can they verify authorized use of a brand logo?

Well, for quite some time the BIG question for the working group behind BIMI was exactly this. How to verify that the logo being used was actually the IP of the company in question and how to mitigate risks of abuse that would put the receiver at risk. Enter, VMC…

What is VMC?

VMC or “Verified Mark Certificate” is, as the name suggests, a safety feature that validates and confirms that an organization is rightfully using a logo.

It combines Tech and Legal to create a safe way for brands to communicate with their consumers.

It’s a certificate that is generated by an Authorized Certificate Authority, like Digicert or Entrust Datacard. The requirements for getting one issued is that you have a correctly registered figurative trademark, with an affiliated intellectual property authority, like EUIPO, that is owned by the same organization as the domain and is an exact match of the logo uploaded to your BIMI record.

Not all email receivers require it to utilize the BIMI record and display logos, but I suspect and so do the creators of BIMI, that it will become standard recruitment for all email providers/software that care for their consumers and want to ensure their security whilst using their service. The most important of these email clients, Gmail, is currently implementing and developing support for both BIMI and VMC. They’re running a closed pilot.

Something I should also mention here is that Microsoft is running its own mechanism to display brand logos and not, at least currently, use the BIMI standard.

Now, there are still a lot of questions surrounding BIMI that we currently don’t know the answer to
  • How will adoption by the market look?
    The standard does require some sense of public education in order to be effective. If the average user does not know why a logo is displaying, it will not impact their perception of authenticity. The more brands that adopt BIMI, the more common knowledge it will become.
  • Will VMC become a requirement by all email clients involved in the initiative for displaying a brand logo?
    Personally, I’d prefer it as various providers using different requirements becomes confusing and VMC seems like the safest route instead of relying on a trust/reputation model. VMC also requires a registered trademark, which (and I shouldn’t say ensures) but at least makes it more probable that the email is authentic.
  • Will Microsoft scrap its own mechanism and join BIMI?
    Microsoft runs one of the largest email providers on the market, Outlook – it remains to be seen if they see the benefit of joining the BIMI standard or will remain true to their own. It’s definitely clunkier for brands to keep track of all the various standards.

However, we do know that in the world of email, higher security has been on the agenda for a while and DMARC, as well as now potentially BIMI, will be commonplace in the future. As an example, government authorities/branches in Denmark are now required to have DMARC implemented whilst more and more brands are implementing DMARC every day.

My recommendation is to review implementing DMARC for your organization and ensure you have the right trademark protection in place for your business today.

Thanks to you who have read this far! Feel free to contact us at hello@dotkeeper.com if you have any questions!