Brand Indicators for Message Identification (BIMI) is an email standard that lets marketers display their trademarked logos next to their emails in supporting mailbox providers (MBPs) such as Yahoo, Fastmail, and Gmail.
The purpose of BIMI is to:
- Allow marketers to display and control their brand logos in users' inboxes
- Cultivate brand recognition
- Enhance user confidence by allowing users to see the trademarked/copyright logos associated with the specific brand before they open/interact with the email. The BIMI logo is displayed in the email list view of email messages.
BIMI works in conjunction with DMARC to further protect your brand against phishers/spoofers. The organizational (sometimes referred to as the top level) domain must pass DMARC authentication and the DMARC policy must be set to quarantine or reject to ensure emails are not being spoofed/impersonated as a prerequisite for BIMI to be applied.
BIMI was designed to be used at the Organizational domain level. While some MBPs like Yahoo do not require a Verified Mark Certificate (VMC) for BIMI to work, other providers like Gmail do. The annual purchase of a VMC on a domain is cheaper if you can proceed on the organizational domain as the VMC applied on the Org level will apply to all subdomains.
Can BIMI be applied on subdomains? Yes. However, applying BIMI on subdomains could cost a lot more depending on how many subdomains you use, since you would have to purchase a VMC for each. Additionally, while BIMI does currently work on the subdomain level, mailbox providers are expected to update their code to require it on the organizational level. So, if possible, it is best to proceed on the organizational domain.
What exactly is BIMI? BIMI is a text record added to the domain's DNS zone records. The record includes the location of the required logo and, if a VMC is purchased, the location of the hosted certificate. MBPs read the domain's BIMI record to pick up the logo and VMC. If the domain passes all the criteria (DMARC set to quarantine or reject/BIMI), then the logo is displayed.
In the case of Yahoo, they will cache a copy of the logo on their own image servers to minimize the number of calls when receiving mail.
Getting Started
Below are the steps to getting BIMI set up for your domains.
- Confirm your domain is passing authentication and has a DMARC policy of quarantine/reject. This link https://BIMIgroup.org/implementation-guide/ contains the details of how to get BIMI set up.
a. Ensure you have SPF/DKIM set up on your sending domains and they are passing authentication. For domains delegated to Marigold, we ensure this for your mailing domains.
b. If you do not have a security provider that offers a DMARC solution, you can:
- Reach out to providers such as RedSift, Proofpoint, Dmarcian, Agari, Valimail, etc.
- Ask us for a referral to RedSift/OnDMARC, with whom we have a relationship
- In some cases, we can support DMARC reporting for a fee. Ask us how.
c. If you already have a DMARC provider, then set your DMARC on your subdomains and organizational domain to a DMARC policy of quarantine or reject.
- If you do not have it set to quarantine or reject, review your DMARC reports to make sure you do not have any outliers that need to be addressed before moving your DMARC record to quarantine or reject. Failing to check your reports for outliers could result in failed mail deliveries for that specific outlier, as most MBPs will reject or quarantine mail that fails DMARC authentication.
- If you cannot set up DMARC quarantine/reject on your organizational domain for business reasons, then you can proceed with doing so on the subdomain level. However, eventually MBPs will not provide BIMI support on subdomains where the organizational levels are not DMARC compliant. But for now, they do accept DMARC on the subdomain only.
- Create an SVG Tiny PS version logo according to specs outlined in the below link. Note that it is important to follow all steps as any variation will cause issues for the logo to pass BIMI specifications. Common mistakes are failure to remove attributes and missing solid color backgrounds. https://BIMIgroup.org/creating-BIMI-svg-logo-files/
- Acquire a Verified Mark Certificate for each domain. While VMCs are not required for Yahoo/AOL at this time, Gmail does require a VMC for BIMI. Applying for a VMC can be a lengthy process. It requires proof of trademark on the logo and verification that you are really who you say you are. At this time, only Entrust and DigiCert are authorized to generate VMCs for domains.
- Publish a BIMI record on the Domain DNS.
Example Record:
- default._BIMI.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[VMC URL]"
- default._BIMI.entrust.com IN TXT "v=BIMI1;l=https://bimi.entrust.net/entrust.com/logo.svg;a=https://bimi.entrust.net/entrust.com/certchain.pem"
- You can use this link to generate your record: https://bimigroup.org/bimi-generator/
- We do recommend adding / at the end of each field as a separator after the BIMI1 and the SVG URL. Example: _BIMI.[domain] IN TXT "v=BIMI1/; l=[SVG URL]/; a=[VMC URL]"
- If you do not purchase the VMC, then leave the a= tag empty
- Example: default._BIMI.clientdomain.com TXT v=BIMI1\; l=https://i.clientdomain.com/wpm/588/ContentUploads/Images/APQ.svg\; a=\;
- The Organizational BIMI record can also be placed in the subdomains so you can provide these to us to apply as well.
- If you are not placing the BIMI record on the Organizational domain (but only in the subdomains), we can handle the BIMI record as the domain is delegated to us. However, you will need to provide us with the logo in the proper format and the VMC.
- Once you have added the BIMI record to the domain, use https://BIMIgroup.org/BIMI-generator/ to verify it is working appropriately. Note that it will take up to 48 hours for propagation to show up.
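As an added example (not Marigold's or the BIMI Group's code), the following Python checks a BIMI TXT value and the domain's DMARC record against the prerequisites described above before you publish. The function names and DMARC strings are constructed for illustration, the two BIMI values are the examples from this page, and the `.svg` suffix test is a heuristic assumption.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT payload (BIMI or DMARC) into a dict."""
    # Zone-file style escaping of ';' as '\;' (as in the page's example) is undone first.
    txt = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi(bimi_txt, dmarc_txt):
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI: v= must be BIMI1")
    logo = urlparse(bimi.get("l", ""))
    # The .svg suffix test is a heuristic assumption; it does not validate SVG Tiny PS.
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        problems.append("BIMI: l= should be an https URL to an .svg logo")
    cert = bimi.get("a", "")
    if not cert:
        problems.append("BIMI: a= is empty, so providers that require a VMC (Gmail) will not show the logo")
    elif urlparse(cert).scheme != "https":
        problems.append("BIMI: a= should be an https URL to the certificate")
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC: no valid record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC: p= must be quarantine or reject")
    return problems

# BIMI values copied from this page's examples; DMARC values are constructed samples.
WITH_VMC = ('"v=BIMI1;l=https://bimi.entrust.net/entrust.com/logo.svg;'
            'a=https://bimi.entrust.net/entrust.com/certchain.pem"')
NO_VMC = r"v=BIMI1\; l=https://i.clientdomain.com/wpm/588/ContentUploads/Images/APQ.svg\; a=\;"

if __name__ == "__main__":
    print(check_bimi(WITH_VMC, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    for problem in check_bimi(NO_VMC, "v=DMARC1; p=none"):
        print(problem)
```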