BIMI training: why and how to deploy BIMI?

BIMI is much more than just a logo displayed next to your brand's emails. Deploying BIMI means building your recipients' trust when they receive emails from your brand. BIMI means committing yourself to implementing email deliverability best practices while contributing to the global effort on email security. So take the time to read this training course dedicated to BIMI and written by the top deliverability experts.

What is BIMI?

BIMI (acronym for Brand Indicators for Message Identification) is a technical specification for email authentication that allows companies to enhance the security of their domain names by displaying the company logo next to the sender's name, and only with email clients that support this new standard.

Simulation of Badsender logo display in email inbox

BIMI is based on DMARC authentication* (Domain-based Message Authentication, Reporting and Conformance) to certify incoming e-mails. The display of the company logo in users' inboxes (for the majority of messaging systems supporting BIMI) is based on the VMC (Verified Mark Certificate) brand certificate, which guarantees the logo's origin and legitimacy.

* As a reminder: DMARC is an email authentication protocol that enables you to apply a security policy (QUARANTINE or REJECT) to an email that has been misauthenticated (invalid SPF and DKIM) or non-compliant (SPF and DKIM not aligned with the sending domain), and to provide activity reports to the domain owner.

Video : Discover the replay of our BIMI deployment live show

It's the kind of complex subject that's best discussed face-to-face. So Marion Duchatelet interviewed Sébastien Fisher, deliverability consultant at Badsender, during a live session.

Live also available as a podcast on listening platforms: Apple, Spotify, Deezer

Why deploy BIMI?

According to the latest Vade study from 2023 (Study: Phishers' Favorites Ranking Balance 2023), more than 1.76 billion phishing URLs have been sent worldwide by email... A record! All these phishing attacks have just one thing in common: they all try to create a false sender identity with the aim of deceiving recipients by posing as a brand and thus obtaining various types of information (various accesses, personal and/or sensitive information, etc.). And that's where BIMI comes in!

Thanks to its specific technical features, BIMI will make a significant contribution to strengthening the security of domain names (and therefore of messaging services), notably through the restrictive DMARC policy it requires (QUARANTINE or REJECT) and through the immediate recognition of a brand in users' mailboxes thanks to the display of the logo and, in certain cases, a checkmark after the sender's name. Ultimately, BIMI will stimulate engagement and provide a visual experience for a brand's customers.

Example of Gmail's logo and blue checkmark!

BIMI's main objective is to increase users' trust in brands by displaying their logo in the user's inbox, but also to "force" these same brands to strengthen the security of their domains using existing authentication protocols: SPF, DKIM, DMARC and the VMC brand certificate.

The addition of the VMC (Verified Mark Certificate) will be a plus in domain name security since it will ensure that the logo has been registered with a Trademark Office such as INPI (for France).

Implementing BIMI will benefit marketing teams, IT teams and readers alike:

  • Differentiation from other advertisers by displaying the company logo in the recipient's inbox (and/or when the email is opened);
  • Strengthening user confidence with the brand thanks to the checkmark in the recipient's inbox (blue for Gmail, purple for Yahoo);
  • Stepping up the fight against phishing by forcing the adoption of DMARC (and therefore SPF / DKIM) with a restrictive policy.

How does BIMI work?

Before implementing BIMI, you'll need to do a lot of upstream work on all the domain names you use. Some Email Service Providers (Gmail in particular) require a lot of technical validation and a good reputation before they will display the coveted logo with the checkmark (cf. Gmail's blue checkmark, Yahoo's purple checkmark)!

To operate, BIMI relies on DMARC authentication (Domain-based Message Authentication, Reporting and Conformance), so a DMARC record must be present either on your sender domain or on your organizational domain. In addition, it must have a restrictive security policy!

DMARC offers 2 security policies:

  • Quarantine : p=quarantine
  • Reject : p=reject

If you don't have DMARC on your domain or if your security policy is set to "none", BIMI won't be activated even if you've subscribed to a VMC brand certificate!

Technically, how does it work? Example with Google

Companies that authenticate their emails (with SPF, DKIM and DMARC) must provide Google with their validated logo(s) via a Verified Mark Certificate (VMC). BIMI will rely on MVA (Mark Verifying Authorities such as Digicert or Entrust) to check logo ownership and provide proof of verification. Once emails have passed and been validated by Google's anti-spam filters, Gmail will display the advertiser's logo instead of the traditional avatar.

The VMC (Verified Mark Certificate) is a digital certificate issued by MVAs (currently Digicert and Entrust). The purpose of this certificate is to provide proof that the logo associated with the domain has been verified by a third party (cf. MVA) and is registered with a trademark registration body (cf. INPI). A word of caution about MVAs, however: it is the messaging providers who decide whether or not a VMC trademark certificate is accepted. To sum up:
- Each messaging provider supporting BIMI may have different criteria for deciding whether or not to accept VMC from an MVA.
- An MVA may be required to go through a separate verification process with each messaging provider.
- Validation of an MVA's VMCs by one or more messaging providers (who support BIMI) does not guarantee that the MVA's VMCs will be accepted by all messaging providers.

Adoption of BIMI

In January 2024, Spam Resource published an article on BIMI adoption among a list of top-level domains (10 million in total). It shows that only 12% of them (or 1.2 million) have published a DMARC record, and that in the end, almost 17,000 have published a BIMI record on the main domain (there's always a margin of error in these calculations, as it's perfectly possible to deploy BIMI on a sub-domain and not declare it on the main domain - even if it's a bit silly in my opinion). This results in an adoption rate of around 1.4%! On the other hand, 14% of companies opted to purchase a VMC brand certificate in addition to deploying BIMI, which is still pretty interesting when you consider the cost of such a certificate for a company!

BIMI adoption - BIMI data from Spam Resources

To compare, in August 2023 I checked the BIMI registrations of the main domains of CAC40 companies, and the BIMI adoption rate was 7.5%, i.e. 3 companies out of 40 had published a BIMI registration, and only one had opted for a VMC brand certificate! I look forward to seeing you in August 2024 for the first publication of BIMI adoption by CAC40 companies (and, by the same token, the update of my article on DMARC adoption by these same companies).

Which messaging providers support BIMI?

Since the launch of BIMI, many email providers have joined the working group. These include Gmail, Yahoo and Fastmail, which have been supporting BIMI since 2021. Apple has announced support for macOS / iOS16 from autumn 2022, while La Poste announced support on August 29, 2022.

Messaging providers that support BIMI

Apple, Au, Cloudmark, Fastmail, Google, La Poste, Onet, Yahoo and Zone support BIMI!

Update of 09/11/2024 : Zoner (Czech webmail) joins the group of messengers officially supporting BIMI!

Update 02/12/2024 : Axigen (email server vendor) has officially announced support for BIMI in its solution.

Messaging providers planning to support BIMI

At Mail, BT, Comcast, Qualitia, Seznam, Web.de / Gmx, Yahoo Japan plan to support BIMI!

Messaging providers not supporting BIMI

Microsoft doesn't support BIMI!

Messaging providers supporting BIMI but not officialized by the BIMI Group

Infomaniak and SFR display BIMI in their messaging systems!

* Update of 09/11/2024 : Zoho Mail (American webmail) has been supporting BIMI in its Mail application for several weeks now!

You can find the official list of messaging providers on the BIMI Group website

Some examples of BIMI displays from messaging providers

Apple iCloud (Mail on desktop)

The logo is not visible in the user's inbox, but only when the email is opened. Apple mentions a "Digitally Certified" verification to validate BIMI (cf. Learn more: This email was verified as coming from the owner of the logo shown and the domain "news.journaldesfemmes.fr". Apple uses the Brand Indicators for Message Identification (BIMI) standard).

BIMI management in Apple's desktop Mail application

Apple iCloud (Mail on mobile)

The logo is not visible in the user's inbox, but only when the email is opened. Apple mentions a "Verified Logo" verification to validate BIMI.

BIMI management on Apple's mobile Mail application

Gmail (Desktop version)

The logo is not visible in the user's inbox, but only when the email is opened. A blue checkmark is displayed between the sender name and the sender address. When the cursor is hovered over the address, Gmail mentions that the sender has been verified and is certified.

BIMI management at Google on desktop

Gmail (Mobile application)

The logo is visible in the inbox and when the email is opened. No checkmark visible when email is opened.

Google's BIMI management on the Gmail mobile application

Yahoo! (Desktop version)

The logo is not visible in the user's inbox, but only when the email is opened. A purple checkmark is displayed between the sender name and the sender address. When the cursor is hovered over the address, Yahoo mentions that the sender has been verified and is certified.

BIMI management at Yahoo on desktop

Yahoo (Mobile application)

The logo is visible in the inbox and when the email is opened. A purple checkmark is displayed after the sender address. When the cursor is hovered over the address, Yahoo mentions that the sender has been verified and is certified.

BIMI management on Yahoo's mobile application

La Poste (Desktop version)

The logo is visible in the inbox and when the email is opened. No checkmark visible when email is opened.

BIMI management at La Poste on desktop

SFR (Desktop version)

The logo is visible in the inbox and when the email is opened. No checkmark visible when email is opened.

BIMI management at SFR on desktop

Infomaniak (Desktop version)

The logo is visible in the inbox and when the email is opened. A blue checkmark is also visible when the email is opened. Infomaniak mentions that the sender has been verified and is certified.

Desktop BIMI management at Infomaniak

Fastmail (Desktop version)

The logo is not visible in the user's inbox, but only when the email is opened. No checkmark visible when email is opened.

BIMI management at Fastmail on desktop

What are the steps involved in deploying BIMI?

To be eligible to have your logo displayed in the inboxes of BIMI-supporting email providers, you'll need to go through 5 distinct steps:

  • Authenticate your domains and apply a restrictive DMARC policy
  • Optional: Register your brand and logo
  • Create a BIMI logo in SVG Tiny 1.2 format
  • Buy a VMC or CMC certificate
  • Add a BIMI record for each domain on your DNS server

It's important to note that these steps must be carried out in order. There's no point in rushing if the most important step hasn't been taken: authenticate your e-mail domains and apply a restrictive DMARC policy to them.

Authenticate domains and apply a restrictive DMARC policy

Authenticate all your organization's emails with SPF, DKIM and DMARC! This second step involves ensuring that your sender domain (or organizational domain) has a DMARC record correctly set up. To ensure that all your legitimate e-mails are DMARC-compliant, you'll need to correctly sign and align SPF (on the MailFrom domain) and DKIM (on the From domain). A further constraint is that your DMARC security policy must be either QUARANTINE with a filter level of 100%, or REJECT with no restrictions on the filtering level.

v=DMARC1; p=reject; rua=mailto:dmarc+658db00214fab9b5c11f1c9a@emailconsul.com,mailto:dmarc@badsender.com; ruf=mailto:dmarc@badsender.com; fo=1;
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc+658db00214fab9b5c11f1c9a@emailconsul.com,mailto:dmarc@badsender.com; ruf=mailto:dmarc@badsender.com; fo=1;

The second record above has a QUARANTINE policy with a filtering level of only 10%, so it does not meet this requirement.
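The policy rule described above can be checked mechanically. The following is an added example, not code from the original article: the function names and the example.com sample records are constructed for illustration. It also catches a record whose pct tag has lost its ";" separator.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lower-cased tag."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def dmarc_allows_bimi(record):
    """Return (eligible, reason) under the rule stated above:
    p=reject, or p=quarantine applied to 100% of messages."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")  # DMARC treats a missing pct as 100
    if not pct_raw.isdigit() or int(pct_raw) > 100:
        return False, f"malformed pct value {pct_raw!r} (missing ';' separator?)"
    pct = int(pct_raw)
    if policy == "reject":
        # Following the article's wording, pct is not restricted for reject.
        return True, "p=reject"
    if policy == "quarantine":
        if pct == 100:
            return True, "p=quarantine at 100%"
        return False, f"p=quarantine only filters {pct}% of messages"
    return False, f"policy {policy or 'missing'!r} is not restrictive"


# Constructed sample records (example.com addresses are placeholders).
SAMPLES = {
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1;",
    "quarantine-10": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com; fo=1;",
    "quarantine-default": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com;",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com;",
    "missing-separator": "v=DMARC1; p=quarantine; pct=10 rua=mailto:dmarc@example.com;",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:20s} {dmarc_allows_bimi(record)}")
```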

Registering your brand and logo with a trademark registration organization (such as INPI) approved by Digicert or Entrust allows you to purchase a Verified Mark Certificate (VMC).

Since the end of 2024, another type of certificate has been available. This is the CMC (Common Mark Certificate). This eliminates the need to register a trademark. Having a registered trademark and logo is now optional. However, the CMC certificate does not guarantee the same level of legitimacy to the recipient. Some messaging systems, even if they display the BIMI logo in the case of a CMC certificate, will not add certification of the mark (for example, in Gmail, the blue checkmark is not displayed in the case of a CMC certificate).

When a VMC certificate is chosen, a blue mark is displayed in Gmail to reinforce the feeling of legitimacy for the recipient. This is not the case with a CMC certificate.

To go further
Digicert and Entrust, the only bodies currently able to issue a VMC trademark certificate, have published on their respective websites the (evolving) list of all approved trademark registration bodies.
Note that INPI is recognized by both organizations! No need to register your trademark on a European scale if you're only targeting the French market.

Create your BIMI logo in SVG Tiny 1.2 format

For this third step, BIMI requires the logo to be in a specific format: SVG (Scalable Vector Graphics). And it's not just any SVG version that's required, so your logo should be in SVG Tiny 1.2 format. There are 2 possible options when it comes to creating the logo: either do it yourself with Adobe Illustrator, or use the script provided by the BIMI Group for Adobe Illustrator. If you choose option 1, here's what you need to do :

  • Convert your logo from pixel to vector format
  • Export your logo in SVG Tiny 1.2 format
  • Edit your logo in SVG format in a text editor
  • Save your logo in text format with .svg extension

Find the full tutorial on the Digicert website

Other tips for displaying your image correctly :

  • Use a square format (1:1 ratio)
  • Don't use a transparent background for your logo
  • Make sure that if your logo is displayed in a circle, no essential graphic elements are cut out.
  • When editing the SVG file in a text editor, make sure that it correctly handles "LF" line breaks (CRLF line breaks are forbidden).

Caution, you can only use a logo in the correct format that has been registered with your trademark registration agency. Otherwise, Digicert or Entrust will not validate this step and will ask you to take the necessary steps to comply.

To go further
As far as logo hosting is concerned, Google recommends hosting your logo on the domain's public server (in HTTPS) where BIMI will be implemented, rather than on external hosting, even though you could very well host it on Entrust or Digicert servers.
The height and width of the image must be at least 96 pixels and its size must be specified in absolute pixels (Example: width="96" height="96").
The logo image must appear on a solid-colored background. Transparent backgrounds may not be displayed as intended.
SVG file size must not exceed 32kb.
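The logo constraints listed above (LF line breaks, 32 KB limit, absolute pixel size of at least 96, square format) can be checked before publishing the file. This is an added example, not part of the original article or of any BIMI Group tool: the function name and sample logo are constructed, the version/baseProfile test is an assumption about how a Tiny 1.2 export declares itself, and background transparency is not checked.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 32 * 1024  # the 32 KB limit quoted above
SVG_ROOT = "{http://www.w3.org/2000/svg}svg"

# Constructed sample logo (not a real brand asset).
SAMPLE_SVG = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps"\n'
    b'     width="96" height="96" viewBox="0 0 96 96">\n'
    b'  <title>Example Corp</title>\n'
    b'  <rect width="96" height="96" fill="#003366"/>\n'
    b'</svg>\n'
)


def lint_bimi_svg(data):
    """Return a list of problems found in the SVG bytes; an empty list means none found."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    if b"\r\n" in data:
        problems.append("CRLF line breaks present, only LF is allowed")
    # Precaution of this example: the logo is remote input, so refuse DTDs and
    # entity declarations instead of handing them to the XML parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return problems + ["DOCTYPE/ENTITY declaration present, file not parsed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_ROOT:
        return problems + ["root element is not <svg> in the SVG namespace"]
    # Assumption: a Tiny 1.2 export declares version="1.2" and a baseProfile
    # starting with "tiny".
    if root.get("version") != "1.2" or not root.get("baseProfile", "").startswith("tiny"):
        problems.append("root element does not declare SVG Tiny 1.2")
    sizes = {}
    for attr in ("width", "height"):
        match = re.fullmatch(r"(\d+(?:\.\d+)?)(?:px)?", root.get(attr, ""))
        if match is None:
            problems.append(f"{attr} must be an absolute pixel value, got {root.get(attr)!r}")
        else:
            sizes[attr] = float(match.group(1))
    if len(sizes) == 2:
        if min(sizes.values()) < 96:
            problems.append("width and height must be at least 96 pixels")
        if sizes["width"] != sizes["height"]:
            problems.append("logo is not square (1:1 ratio)")
    return problems


if __name__ == "__main__":
    print(lint_bimi_svg(SAMPLE_SVG) or "no problems found")
```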

Buy a VMC or CMC certificate

Even if this step is optional, almost all messaging providers who support BIMI require a VMC (Verified Mark Certificate) or CMC (Common Mark Certificate) brand certificate in your BIMI record to display the logo and/or checkmark.

This is the case for Gmail, for example, which is the biggest destination and often the priority for BIMI deployment.

On the contrary, Yahoo & La Poste offer the possibility of displaying the logo in the Inbox of users without a VMC or CMC certificate, but with a few restrictions:

  • Yahoo requires advertisers to have a very good reputation
  • La Poste requires proof of trademark registration, to be validated via their contact form.

Another important point: your VMC and CMC certificates are valid for one logo only, so choose the right one so that it's clearly visible and identifiable in your users' inboxes. If you want to put several logos on your domains, you'll need to buy one VMC certificate per logo.

Price per certificate as of March 22, 2024:

  • Digicert :
    • Price of a VMC/CMC certificate for 1 year: 1,416.00 euros excluding VAT
    • Cost per additional domain: 445.00 euros excluding VAT
  • Entrust :
    • Price of a VMC/CMC certificate for 1 year: €1,272.31 excluding VAT
    • Cost per additional domain: 488.74 euros excluding VAT

CAUTION WITH ENTRUST CERTIFICATES: Apple has announced that it no longer trusts Entrust certificates. Until further notice, we recommend that you go exclusively through Digicert. More info in this article: Apple no longer supports Entrust BIMI certificates.

Take note!
Purchasing a VMC or CMC certificate for a logo will only allow you to register your BIMI logo on one domain (which includes all its sub-domains). If you wish to register your VMC certificate for several domains, you will have to pay a surcharge for each additional domain.

Add a BIMI record to your DNS server

To set up BIMI on your domain, you'll first need to create a TXT record with your hosting provider. Just like DKIM, your BIMI record will be associated with a selector. The default selector is "default", but you're free to use your own selectors if you need to manage multiple domains/logos, for example - there's no limit on that.

Deploying BIMI in a TXT record

As far as the record is concerned, it must include the following elements:

  • v=BIMI1; → Gives the BIMI version
  • l=urldelimage.svg; → Indicates the URL where your logo can be found in SVG format
  • a=urlducertificat.pem; → Indicates the URL where your VMC trademark certificate can be found in PEM format (optional)

Here are some examples of BIMI records:

  • Alan.com : v=BIMI1; l=https://static.alan.com/bimi/alan_sa_tiny_ps.svg; a=https://static.alan.com/bimi/alan_sa_690040353.pem;
  • Carrefour-banque.fr : v=BIMI1; l=https://bimi.entrust.net/carrefour-banque.fr/logo.svg; a=https://bimi.entrust.net/carrefour-banque.fr/certchain.pem
  • Badsender.com : v=BIMI1; l=https://www.badsender.com/wp-content/uploads/2022/09/badsender-logo.svg; a=;

A 48-hour waiting period may be necessary before your logo appears in the inbox.

Please note
If no image and no certificate are declared (cf. v=BIMI1; l=; a=;) on a domain, then that domain explicitly refuses to participate in BIMI and therefore no logo will be displayed. Please note, however, that this is not the same as a domain where no BIMI record has been declared.

How do I validate BIMI?

The official BIMI website (https://bimigroup.org/) gives you the opportunity either to generate your BIMI record from the URLs of your logo and/or brand certificate, or to test and validate the implementation of BIMI on your domain. You'll need to visit their dedicated web page: https://bimigroup.org/bimi-generator/ and enter your domain name (organizational domain or sub-domain).

BIMI verification with the BIMI Generator from the BIMI Group

What is BIMI's deployment strategy?

Like DMARC, BIMI works with the notion of inheritance. In other words, once deployed on your organizational domain, all your sub-domains will inherit the same BIMI record. Handy if you have a single record and dozens of sub-domains to manage.

Another similarity with DMARC is that if a BIMI record is present on a sub-domain, it will take precedence over the record present on the organizational domain (useful if you want to manage several logos for the same organization).

If you want to add one BIMI record per sub-domain (even if it's exactly the same), you can do that too. However, if you need to update the record, you'll have to do so on each sub-domain!

Choice 1: Deploy BIMI only in the organizational domain

No record has been found for the sub-domain, so we'll search for the organizational domain value.

BIMI check on organizational domain after subdomain failure

Choice 2: Deploy BIMI on a sub-domain

The record is present on the sub-domain, so no search is performed on the organizational domain.

Checking BIMI directly on the subdomain
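The lookup order of the two choices above, together with the record format and the explicit opt-out record (v=BIMI1; l=; a=;) described earlier, as an added example that is not code from the original article. The ZONE dictionary is constructed data standing in for DNS TXT queries, the example.com names are placeholders, and the organizational domain is passed in by the caller rather than derived. Record names follow the `<selector>._bimi.<domain>` form from the BIMI specification.

```python
# Constructed TXT data standing in for DNS lookups; example.com names are placeholders.
ZONE = {
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem;",
    "default._bimi.news.example.com":
        "v=BIMI1; l=https://example.com/bimi/news-logo.svg; a=;",
    "default._bimi.optout.example.com": "v=BIMI1; l=; a=;",
}


def classify_bimi(record):
    """Return (status, logo_url, certificate_url) for one BIMI TXT record."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {name.strip().lower(): value.strip() for name, value in pairs}
    if tags.get("v") != "BIMI1":
        return "invalid", None, None
    logo, cert = tags.get("l", ""), tags.get("a", "")
    if not logo and not cert:
        return "declined", None, None  # explicit opt-out: v=BIMI1; l=; a=;
    # The BIMI specification requires both URLs to use HTTPS.
    if not logo.lower().startswith("https://"):
        return "invalid", None, None
    if cert and not cert.lower().startswith("https://"):
        return "invalid", None, None
    return ("logo+certificate" if cert else "logo-only"), logo, cert or None


def resolve_bimi(sender_domain, org_domain, selector="default", zone=ZONE):
    """Look up the sending (sub-)domain first, then fall back to the organizational domain."""
    for domain in dict.fromkeys((sender_domain.lower(), org_domain.lower())):
        record = zone.get(f"{selector}._bimi.{domain}")
        if record is not None:
            # A record on the sub-domain wins, even when it is an opt-out.
            status, logo, cert = classify_bimi(record)
            return {"source": domain, "status": status, "logo": logo, "certificate": cert}
    return {"source": None, "status": "no-record", "logo": None, "certificate": None}


if __name__ == "__main__":
    for sender in ("shop.example.com", "news.example.com", "optout.example.com"):
        print(sender, resolve_bimi(sender, "example.com"))
```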

Some useful links for implementing BIMI

To conclude this BIMI implementation guide, I'd like to share a few useful links with you:
