
Strengthen your organization’s brand reliability

Dear IT Manager, take action now. The marketing department and the information security officer will soon be working together on this matter. 😉

While this might not be entirely the case yet, there is a partial truth behind the provocative headline. BIMI (Brand Indicators for Message Identification) is the latest email security measure following DMARC, DKIM, and SPF. It has gradually gained traction, and major email providers such as Google, Yahoo, and Apple already support it. Its arrival at Microsoft might still take some time, but if/when it does, IT departments might find themselves in a rush as organizations will quickly want to implement it.

What is BIMI?

BIMI (Brand Indicators for Message Identification) is an email authentication technology that helps organizations verify the authenticity of email messages. BIMI works in conjunction with DKIM, SPF, and DMARC to protect email domains from malicious actors attempting to send fraudulent emails in their name.

With BIMI, organizations can add their brand logo next to email messages in the recipient’s inbox. This helps recipients identify that the email originates from the brand or company in question. This increases trust and improves email open rates, as recipients can easily distinguish that the message genuinely came from the sender it claims to be from. The example image below shows what BIMI looks like in practice. In a message sent by LinkedIn, their recognizable logo is displayed. Additionally, Gmail displays a blue “verified” badge, which helps the recipient confirm the message’s origin.

BIMI cannot be counterfeited or exploited by any party to send malicious messages using another organization’s name and logos.

BIMI Implementation

One requirement for BIMI implementation is that the domain's DMARC policy has been moved to either quarantine or reject mode. If DMARC is not in use or is in reporting mode (p=none), BIMI authentication will not work. This is one more reason to fully implement DMARC. I wrote about DMARC last year in a blog post titled “Communications Security Part 1,” which can be read here.

Another requirement for BIMI is a certificate. There are two different types of certificates. A VMC (Verified Mark Certificate) is stronger and requires a registered trademark for its use. A CMC (Common Mark Certificate) is available to all organizations, but its authentication is not as strong as that of a VMC. Certificates can be obtained from DigiCert and Entrust. Their price ranges from approximately 1,200 to 1,600 euros per year. VMC certificates are slightly more expensive than CMCs.
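The two requirements above can be checked from a domain's published TXT records. The following is an added example, not code from this post: it takes the text of the DMARC record (published at `_dmarc.<domain>`) and the BIMI record (published at `default._bimi.<domain>`) and lists what still blocks BIMI. The record strings are constructed samples for example.com, the function names are hypothetical, and the BIMI tag names (`v`, `l`, `a`) come from the BIMI specification rather than from this page.

```python
# Added example: offline BIMI readiness check over TXT record text.
# All record strings below are constructed samples, not real DNS data.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict keyed by tag name."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # values such as URLs may contain '='
            tags[name.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means both requirements are met."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            problems.append("DMARC policy is p=%s; BIMI needs quarantine or reject"
                            % (policy or "missing"))
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    else:
        if not bimi.get("l", "").lower().startswith("https://"):
            problems.append("BIMI l= tag must be an HTTPS URL to the logo")
        if not bimi.get("a", "").lower().startswith("https://"):
            problems.append("BIMI a= tag (URL of the VMC/CMC certificate) is missing")
    return problems

# Constructed sample records for a hypothetical domain.
GOOD_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/mark.pem"
SAMPLES = {
    "reporting mode": ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", GOOD_BIMI),
    "no certificate": ("v=DMARC1; p=reject", "v=BIMI1; l=https://example.com/logo.svg"),
    "ready": ("v=DMARC1; p=quarantine", GOOD_BIMI),
}

if __name__ == "__main__":
    for label, (dmarc_txt, bimi_txt) in SAMPLES.items():
        issues = bimi_readiness(dmarc_txt, bimi_txt)
        print(label, "->", issues if issues else "requirements met")
```

To run this against a live domain, feed it the TXT strings returned by a DNS lookup of the two names given above.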

Summary

In my opinion, BIMI’s concept of providing recipients with easy message origin identification is excellent. From a brand perspective, adding a logo to messages is also certainly a welcome feature for various stakeholders, such as organizations’ sales and marketing departments. However, BIMI’s challenge lies in its trademark registration requirements. While BIMI can certainly function with CMC certificates, different email services may handle their reliability in various ways. Nevertheless, I look forward with interest to seeing how BIMI will develop and gain popularity. It has the potential.

Even if BIMI implementation is not currently a priority, it is important to focus on communication reliability in Finland by adopting DMARC. In Finland, only about 50% of all organizations have implemented it. Therefore, there is still work to be done to protect our email domains from misuse.

If you are concerned about communication reliability, please contact us below to discuss further.
