Why BIMI is Good for Security (and Marketing)

When I started TAG Cyber, the first order of business was a logo. I have friends who run a wonderful design firm in New Jersey, so I approached them with a sincere request: “Make the logo just vaguely reminiscent of my beloved AT&T,” I asked, “but not so much that their lawyers will call.” In other words, fly a bit toward the sun, but not too close. In no time, they designed the unique face of our company. Here it is next to AT&T’s iconic logo:

[Image: the TAG Cyber logo shown beside the AT&T logo]

I bring this up to remind you that developing a logo is a total snap, but also to hint that not everyone will treat the process this honestly. Suppose, for example, that I’d been a recent retiree of Uber (do they have retirees yet?) and had wanted to create a logo that was similarly evocative of the parent organization. I might have used Adobe Illustrator to render something misleading and perhaps even downright fraudulent. Here’s an example:

[Image: a mock logo rendered to look evocative of Uber's]

How BIMI logos can increase trust in email

This challenge of maintaining logo integrity will need attention as companies begin to use the Brand Indicators for Message Identification (BIMI) draft standard. BIMI is designed to use brand logos like the ones shown above to help reduce fraud in email. And yes – it also provides a huge benefit to marketing teams, who like the idea of slapping the company stamp in front of customers receiving email. (C’mon – marketing is not evil. Get over it.)

My friends at Valimail explained BIMI to me as follows: Businesses publish DMARC records with enforcement policies on their domains. Then they publish brand indicator assertions for those same domains. Receivers authenticate inbound messages via DMARC and query DNS for the corresponding BIMI record, which points to the logo, along with proof of validation. If the message passes DMARC and the BIMI record checks out, the receiver adds a header to the message, which the email program uses to display the logo. That's it.

The way this looks in practice is that if you get an email message from a company such as HBO, Yelp, or Uber, and they are implementing BIMI on DMARC, and your mail client supports BIMI, then you will see their logos on the inbound messages (see below).

[Image: inbound messages in a mail client with BIMI logos displayed beside the senders]

It’s an excellent user experience, and as we’ll outline below, represents one of the rare instances where users, marketing, and security all agree on a given security control. That almost never happens.

How to implement BIMI on your domain

To get your logo displayed via BIMI, you must first implement DMARC at enforcement. As security experts will attest, DMARC is a great way to improve the integrity of email being sent and received, so anything that drives greater adoption is good (hence the title of this article). The displayed logo also causes receivers to reflect, however briefly, on the origin of a received message. This is a good security habit, in my opinion.
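As an added illustration (not code from the article or from Valimail), here is how the two DNS records fit together and the gate a receiver applies before surfacing a logo: no logo unless the message passed DMARC, the domain's DMARC policy is at enforcement, and the BIMI record itself is well formed. The domain names and record contents are constructed, and a local dictionary stands in for DNS.

```python
# Constructed DNS TXT records (not real lookups). Record names and tag syntax
# follow the DMARC (_dmarc.<domain>) and BIMI (<selector>._bimi.<domain>) conventions.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; "
                                 "a=https://example.com/brand/vmc.pem",
    # A domain that published a logo but left DMARC at p=none (monitoring only).
    "_dmarc.nologo.example": "v=DMARC1; p=none; rua=mailto:dmarc@nologo.example",
    "default._bimi.nologo.example": "v=BIMI1; l=https://nologo.example/logo.svg;",
}


def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_at_enforcement(domain):
    """True only if the domain's DMARC policy is quarantine or reject applied to 100% of mail."""
    record = DNS_TXT.get(f"_dmarc.{domain}")
    if not record:
        return False
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    return policy in ("quarantine", "reject") and pct == 100


def bimi_logo_location(domain, dmarc_passed, selector="default"):
    """Return the logo URL a receiver may surface, or None if any gate fails.

    dmarc_passed is the per-message DMARC result the receiver already computed.
    The 'a=' tag (evidence document, e.g. a VMC) is carried in the record but
    its validation is outside the scope of this example.
    """
    if not dmarc_passed or not dmarc_at_enforcement(domain):
        return None
    record = DNS_TXT.get(f"{selector}._bimi.{domain}")
    if not record:
        return None
    tags = parse_tags(record)
    logo = tags.get("l", "")
    # The logo location must be an https URL; anything else is not shown.
    if tags.get("v", "").upper() != "BIMI1" or not logo.startswith("https://"):
        return None
    return logo
```

The second constructed domain shows the point of the article: a published logo alone earns nothing until the sender moves DMARC to enforcement.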

Sure, there is the risk that misleading logos can be used. But I can't think of a security control without some unwanted additional risk. In our industry, it's always two steps forward and one back. Implementation of BIMI appears no different. Also, because each BIMI logo must be tied to a valid domain, and domains must be issued by registrars, lawyers can reach domain owners in the event of a trademark dispute over a misleading logo.

The bottom line is this: BIMI builds on DMARC. So, to gain the marketing advantage of logo display, you must implement DMARC. Because DMARC reduces email fraud, everyone benefits from deploying the two together. So, I’m for BIMI, and recommend that you look into it today. Vendors like Valimail can guide you through the process, so don’t worry if the complexities of email headers and brand authentication seem beyond your means. You’ll have little trouble if you ask for some help.

Let me know once you’ve implemented BIMI. I’d like to collect user experience and share the results with the community. I look forward to hearing from you.