What Is Brand Indicator Message Identification (BIMI) Record And Its Effect On Email Authentication

Email authentication is a growing concern for organizations, marketers, and financial institutions. Bulk senders in particular need to protect their deliverability, and well-configured email authentication is one of the main ways to build the sending reputation that makes that possible.

The three pillars of email authentication are already well established: SPF, DKIM, and DMARC. A further mechanism that builds on them is now catching on: Brand Indicators for Message Identification, or BIMI.

Although not an authentication mechanism in its own right, BIMI is a standard for showing recipients that a message has passed authentication. It adds a visual cue, the sender's logo, next to messages that passed DMARC, giving the recipient a signal that the message really came from the domain it claims to come from. This is a statement about the sender's identity, not about the content: a DMARC-passing message can still carry spam or malicious links.

What is BIMI

Brand Indicators for Message Identification is a standard that attaches your brand's verified mark, a verified brand logo, to authenticated emails sent from the servers your domain authorizes. In effect, it is a visible stamp that the message passed authentication.

When BIMI is set up correctly and your domain sends an email that passes DMARC, the recipient sees your brand's logo next to the message in their inbox, which tells them the message was authenticated as coming from your domain.

Mail inbox before and after configuring BIMI

To set up BIMI, you need to publish a DNS TXT record that points to your brand's logo. Like the other email authentication methods, a BIMI record requires a specific record name and a tag-based value syntax. How to configure a BIMI record is covered in detail below.

How does BIMI help authenticate emails?

As mentioned earlier, the three pillars of email authentication, SPF, DKIM, and DMARC, are enough to decide what to do with an unauthenticated email: depending on the domain's DMARC policy it is rejected (p=reject), sent to the spam folder (p=quarantine), or delivered normally (p=none, the lenient setting). So why do we need BIMI?

If you look at how SPF, DKIM, and DMARC work, you will notice that they are all DNS TXT records consulted by the receiving mail server: SPF lists the hosts allowed to send for the domain, DKIM publishes the public key used to verify the message signature, and DMARC ties the two to the From domain and tells the receiver how to handle messages that fail. None of them changes anything the recipient can see in the message.

BIMI is the only one of these standards that changes what the recipient sees, and it does so only for messages that pass authentication. Users on the receiving end can tell at a glance that the message was sent from a genuine source. It does not, however, say anything about whether the message body or its links are safe.

BIMI also helps senders, especially marketers. Because BIMI requires an enforced DMARC policy, adopting it pushes organizations that send bulk email to get their authentication in order, which in turn improves deliverability. A logo beside your email also helps you stand out, and because the logo appears only on messages that pass DMARC, spoofed messages impersonating your brand will not carry it.

How does BIMI work?

A BIMI record is a TXT record in your organization's DNS. Since a TXT record can only hold text, it does not contain the logo itself; instead, it holds an HTTPS URL from which the logo can be fetched.

When a mail server receives an email, it looks up DNS records for the sending domain: SPF, DKIM, DMARC, and, if the message passes DMARC, BIMI as well. The BIMI lookup is made against the domain in the From header. If a BIMI record is found, the receiving provider fetches the logo from the URL in the record, validates it, and records the result in the message (typically in headers such as BIMI-Location), so that its mail client can display the logo next to the message in the recipient's inbox.

There is a catch. The BIMI record can also reference a Verified Mark Certificate (VMC), and some receivers require one before they display a logo. A VMC is issued by a Mark Verifying Authority (MVA) and attests that the logo is a registered trademark and that you are its proprietor. When a VMC is issued, you receive a certificate file in Privacy Enhanced Mail (PEM) format that contains both the certificate chain and an embedded copy of your logo.

Entrust Datacard and Digicert are two MVAs that issue VMCs. The MVA does not trademark the logo for you; the logo must already be registered as a trademark with a recognized trademark office before a VMC can be issued.

There are a few constraints. BIMI supports only Scalable Vector Graphics (SVG) images, and specifically the SVG Tiny Portable/Secure (SVG P/S) profile, so your logo must be prepared in that form. The plain SVG file is what receivers that do not yet support VMCs use; receivers that do support VMCs use the PEM file, which carries both the logo and the certificate.

The BIMI Group publishes the full requirements and parameters for a BIMI SVG logo.

The logo is only displayed when an email passes DMARC with an enforcing policy (p=quarantine or p=reject). If DMARC alignment fails, or the domain's policy is p=none, no logo is shown.

What are BIMI Selectors and how to use them

Before moving forward to creating and managing BIMI records, you must first understand the concept of selectors.

Like DKIM, BIMI uses selectors. A selector lets you publish more than one BIMI record for the same domain, so an organization can use different brand logos from the same domain.

As with DKIM, the selector appears both in a message header and in the name of the BIMI DNS record. The following naming convention is used for a BIMI DNS TXT record:

[selector]._bimi.[domain]

The "._bimi" portion is fixed and identifies the record as a BIMI record; the selector and the domain are filled in for your situation.

If you use only one logo, the selector is "default", and the BIMI record name is:

default._bimi.itechtics.com

If you want to use more than one logo, change the selector in the BIMI record name, for example:

marketing._bimi.itechtics.com

This record is used when a message from the domain carries a BIMI-Selector header naming that selector:

From: <an address at itechtics.com>
BIMI-Selector: v=BIMI1; s=marketing

The "s" tag names the selector, and the receiver looks up the BIMI record with the matching selector. A message without a BIMI-Selector header is checked against the "default" selector. Receivers only trust the header when it is covered by the message's DKIM signature, so make sure your DKIM signing includes BIMI-Selector in its list of signed headers.

The value of the BIMI record is the same regardless of the selector, and is explained below.
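As an added example (my own code, not from the original article or the BIMI Group), here is a small Python routine that works out which BIMI record a receiver would look up for a message. The From domain and the headers below are constructed sample input, and the DKIM-coverage check, which honours the BIMI-Selector header only when its name appears in the DKIM-Signature h= list, is a deliberately simplified stand-in for a full DKIM verification.

```python
import re

DEFAULT_SELECTOR = "default"
# A selector is a DNS label: letters, digits and hyphens, no leading/trailing hyphen.
SELECTOR_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_tags(value: str) -> dict:
    """Parse a 'tag=value; tag=value' list (BIMI-Selector, DKIM-Signature)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        tags[key.strip().lower()] = val.strip()
    return tags


def dkim_signed_headers(dkim_signature: str) -> set:
    """Header names listed in the DKIM-Signature h= tag, lower-cased."""
    h = parse_tags(dkim_signature).get("h", "")
    return {name.strip().lower() for name in h.split(":") if name.strip()}


def resolve_selector(headers: dict) -> str:
    """Return the BIMI selector a receiver would use for this message.

    Falls back to "default" when the BIMI-Selector header is absent or
    malformed, or (assumption: an unsigned header is treated as absent)
    when its name is not in the DKIM signature's h= list.
    """
    raw = headers.get("BIMI-Selector")
    if raw is None:
        return DEFAULT_SELECTOR
    tags = parse_tags(raw)
    selector = tags.get("s", "")
    if tags.get("v") != "BIMI1" or not SELECTOR_RE.match(selector):
        return DEFAULT_SELECTOR
    if "bimi-selector" not in dkim_signed_headers(headers.get("DKIM-Signature", "")):
        return DEFAULT_SELECTOR
    return selector.lower()


def bimi_record_name(from_domain: str, headers: dict) -> str:
    """DNS name of the TXT record a receiver queries: <selector>._bimi.<domain>."""
    return f"{resolve_selector(headers)}._bimi.{from_domain.lower().rstrip('.')}"


# Constructed sample headers (not real messages); the DKIM selector "mail"
# and the bh=/b= values are placeholders.
SIGNED_MARKETING = {
    "BIMI-Selector": "v=BIMI1; s=marketing",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=itechtics.com; s=mail; "
                      "h=From:To:Subject:Date:BIMI-Selector; bh=PLACEHOLDER; b=PLACEHOLDER",
}
UNSIGNED_MARKETING = {
    "BIMI-Selector": "v=BIMI1; s=marketing",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=itechtics.com; s=mail; "
                      "h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER",
}
NO_SELECTOR = {}

if __name__ == "__main__":
    for label, hdrs in (("signed", SIGNED_MARKETING),
                        ("unsigned", UNSIGNED_MARKETING),
                        ("none", NO_SELECTOR)):
        print(f"{label:9s} -> {bimi_record_name('itechtics.com', hdrs)}")
```

The unsigned case is the one that bites in practice: a sending platform that adds BIMI-Selector after the message was DKIM-signed will see receivers silently fall back to the default record.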

How to add a BIMI DNS Record

Before creating the BIMI DNS record, you must host the SVG logo, or the PEM file received from a Mark Verifying Authority (which also contains the logo), on a web server reachable over HTTPS. If you have both, publish both, so that receivers that do and do not support Verified Mark Certificates can each use the file they need.

Once hosted, each file has a URL that looks something like the following:

https://images.itechtics.com/brand/ItechticsLogo.svg
https://images.itechtics.com/brand/PEMCertificate.pem

With the files in place, add the BIMI record to your DNS with the following steps:

Note: Each DNS server might have different configurations and settings. However, the same logic and syntax apply.

  1. Log in to your DNS provider's management console as an administrator.

  2. Click “Add Record” and then click “Add TXT Record“.

    Add new TXT record
  3. Use the following syntax to name the BIMI record while using your own domain name:

    default._bimi.[domain]
    Name the BIMI record

    The default selector lets domain owners and mail senders configure BIMI without changing anything in their mail server configuration.

  4. Now use the following syntax to define the BIMI record while using your own URLs for the SVG/PEM files:

    v=BIMI1; l=https://images.itechtics.com/brand/ItechticsLogo.svg; a=https://images.itechtics.com/brand/PEMCertificate.pem
    Enter the BIMI record

    In this example, I have added both the SVG logo and the PEM certificate file to the BIMI record. If you only want to publish the SVG file, use only the "l=" tag, followed by the SVG URL. If you want to publish only the PEM file, keep the "l=" tag but leave it empty, and add the "a=" tag followed by the URL of the .PEM file.

    Apart from these tags, the "v=" tag gives the BIMI version and identifies this TXT record as a BIMI record; it must be the first tag, and its value must be BIMI1.

  5. [Optional] Adjust the Time To Live (TTL) value, which is how long resolvers cache the record.

  6. When done, click Save Record.

After these steps, the BIMI DNS record is in place. Allow the record to propagate before checking that it works.
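As an added example that ties the record syntax above to the receive-side behaviour described under "How does BIMI work?", here is a Python parser and eligibility check (my own code, not the article's or any provider's implementation). The record strings are constructed from the example URLs in this article. The checks enforce v=BIMI1 as the first tag, https-only URLs and the DMARC gate, and treat a record with empty l= and a= as the domain declining to participate; the empty-l=-with-a= case is accepted as the PEM-only form the article describes.

```python
from urllib.parse import urlparse

# Only an enforcing DMARC policy makes a domain eligible for logo display.
ENFORCING_POLICIES = {"quarantine", "reject"}


class BimiRecordError(ValueError):
    """Raised when a TXT record is not a usable BIMI record."""


def parse_tags(value: str) -> dict:
    """Parse a 'tag=value; tag=value' list into a dict with lower-cased keys."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        tags[key.strip().lower()] = val.strip()
    return tags


def parse_bimi_record(txt: str) -> dict:
    """Validate a BIMI TXT record and return its l= (logo) and a= (VMC) URLs.

    Rules: v=BIMI1 must be the first tag, l= must be present (it may be empty),
    and any non-empty l= or a= value must be an https URL. An empty l= together
    with an empty a= means the domain declines to participate.
    """
    first = txt.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=bimi1":
        raise BimiRecordError("record must start with v=BIMI1")
    tags = parse_tags(txt)
    if "l" not in tags:
        raise BimiRecordError("l= tag is required (it may be empty)")
    logo, vmc = tags["l"], tags.get("a", "")
    for name, url in (("l", logo), ("a", vmc)):
        if url and urlparse(url).scheme != "https":
            raise BimiRecordError(f"{name}= must be an https:// URL, got {url!r}")
    return {"v": "BIMI1", "l": logo, "a": vmc, "declined": not logo and not vmc}


def is_valid_bimi_record(txt: str) -> bool:
    """True when parse_bimi_record accepts the record."""
    try:
        parse_bimi_record(txt)
        return True
    except BimiRecordError:
        return False


def select_logo_url(record: dict, dmarc_result: str, dmarc_policy: str,
                    receiver_supports_vmc: bool):
    """Return the URL a receiver would fetch for this message, or None.

    A logo is eligible only when DMARC passed under an enforcing policy.
    Receivers that support VMCs prefer the PEM file in a=; others fall back
    to the SVG in l=.
    """
    if dmarc_result != "pass" or dmarc_policy not in ENFORCING_POLICIES:
        return None
    if record["declined"]:
        return None
    if receiver_supports_vmc and record["a"]:
        return record["a"]
    return record["l"] or None


# Constructed sample records, built from the example URLs in the article.
FULL = ("v=BIMI1; l=https://images.itechtics.com/brand/ItechticsLogo.svg; "
        "a=https://images.itechtics.com/brand/PEMCertificate.pem")
SVG_ONLY = "v=BIMI1; l=https://images.itechtics.com/brand/ItechticsLogo.svg"
DECLINED = "v=BIMI1; l=; a=;"
BAD_SCHEME = "v=BIMI1; l=http://images.itechtics.com/brand/ItechticsLogo.svg"

if __name__ == "__main__":
    rec = parse_bimi_record(FULL)
    print("VMC-aware receiver, DMARC pass, p=reject:", select_logo_url(rec, "pass", "reject", True))
    print("SVG-only receiver, DMARC pass, p=quarantine:", select_logo_url(rec, "pass", "quarantine", False))
    print("DMARC pass but p=none:", select_logo_url(rec, "pass", "none", True))
    print("http:// logo URL accepted?", is_valid_bimi_record(BAD_SCHEME))
```

Once the record has propagated, a TXT lookup for default._bimi.<your domain> (for example with dig) should return a string that parse_bimi_record accepts; the most common reason a published record still shows no logo is a DMARC policy of p=none, which the select_logo_url gate rejects exactly as receivers do.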

Email providers that support BIMI

Several email service providers support BIMI at the moment, but many others have yet to adopt it. Among those that do, some display the logo with just the SVG, while others require a VMC.

The following email services provide BIMI support at this moment:

Email Provider    Remarks
Apple Mail
Yahoo             No VMC requirement
AOL               No VMC requirement
Gmail             Requires VMC
La Poste          No VMC requirement
Netscape          No VMC requirement
Fastmail
Cloudmark
Pobox
Zone
Comcast
Onet Poczta

Email service providers that support BIMI

That said, at the moment Microsoft (Hotmail/Outlook) does not support BIMI, which is surprising, since BIMI is shaping up to be the next widely adopted standard layered on top of email authentication.

Takeaway

The takeaway is that although BIMI helps build users' trust in your brand, it is not a necessary add-on to email authentication. At least not right now.

Many other email service providers are considering BIMI support, as it adds value for recipients. However, it plays no part in the authentication decision itself, which is still made by SPF, DKIM, and DMARC. Whether it provides real value for non-marketers is still up for debate.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
