All About Brand Indicators for Message Identification (BIMI)
Brand Indicators for Message Identification FAQs
Q: What is Brand Indicators for Message Identification (BIMI)?
A: BIMI is a standardized way for brands to publish their brand logo online. It lets the logos be easily incorporated into messaging and social media applications. BIMI does this with built-in protections that safeguard the brand, application providers, and consumers from impersonation attempts.
With BIMI, email applications display the sending company’s brand logo alongside authenticated emails in the inbox list and within emails themselves. BIMI-sourced logos appear on screen real estate controlled by the email program, not by the email. When coupled with email authentication, it provides greater visibility, reliability and trust, which are benefits to both marketing and security.
BIMI logos aren’t just for email. They can be incorporated into any internet-based communications service including social media apps, online services, messaging services and more. It is being developed as an open standard available to any company wishing to implement it, without licensing fees.
Q: What are the basics of how BIMI works?
A: Brand Indicators for Message Identification builds on the DMARC (Domain-based Message Authentication, Reporting & Conformance) standard for authenticating email. Before delivering an email to a user’s inbox, email platforms like Yahoo, Outlook and Gmail already check the email against the sender’s DMARC record to confirm authenticity. For domain owners with strict DMARC policies, the email platforms will reject or quarantine unauthenticated emails instead of delivering them.
Email platforms (also known as email receivers) like Yahoo will display BIMI logos only for senders whose internet domains have implemented DMARC reject or quarantine policies. Domain owners will need to add BIMI instructions to their DNS (Domain Name System) records, including the URL for the location of the file containing their logo.
When the standard is complete and fully implemented, domain owners will need to use a trusted third-party authority to verify ownership of the brand and logo.
Q: What’s the relationship between BIMI and email security?
A: BIMI offers a powerful incentive for companies to improve their cybersecurity practices by adopting DMARC. Organizations that adopt DMARC and BIMI will gain a new opportunity to keep their brands in front of consumers, increase customer trust in their communications and protect their brands.
For companies and other organizations, it’s a way to protect their customers and their own brands. BIMI reduces the risk of their customers being defrauded through deceptive emails appearing to come from the company.
The trust a consumer places in a brand will be harder for other actors to take advantage of by impersonating the brand, and this ultimately will increase trust in the brand.
As use of BIMI becomes widespread, we believe people will start expecting and trusting brand logos in messages and other communications.
Q: Is this proprietary technology?
A: No, Brand Indicators for Message Identification is being developed as an open standard available to any company wishing to implement it, without licensing fees. It is being developed by the Authindicators Working Group, which includes Agari, Comcast, Google, LinkedIn, Microsoft, Oath, Return Path and Valimail. The group is chaired by an Agari executive.
The goal of the Working Group is Internet-wide adoption. Great care is being exercised to ensure compatibility and the right incentives are present for the many stakeholders involved.
Q: Is BIMI just for email?
A: No, BIMI can be incorporated into any internet-based communications service for mobile and web applications, including social media apps, online services, messaging services and more. Companies we expect to soon participate in the pilot include those providing fund transfers, document and data sharing, and digital transaction management. These companies offer their services through a range of applications and platforms.
In the social media context, such as where Facebook, LinkedIn, and Twitter allow brands to establish and manage their own pages, BIMI provides a way for brands and social media companies to coordinate display of the correct and current logo media. In addition, BIMI-based publishing assurances provide application developers with safeguards against impersonation attempts by others.
Q: Is BIMI mainly for email marketing?
A: No. BIMI-sourced logos will also display on emails sent by individuals working for organizations using BIMI. For example, an email from a bank employee providing an account number for a funds transfer would be marked with the bank’s logo. Phishing or other malicious emails asking for funds transfers won’t be able to display the logo.
BIMI Pilot, Implementation and Standard Development
Q: When does the pilot begin and who is participating in the BIMI pilot?
A: By early April, users of Yahoo Mail’s mobile, web and desktop applications will start seeing logos for companies participating in the pilot, which will soon include large brands in the financial services, airline and technology industries.
Agari, which chairs the Authindicators Working Group that developed the underlying Brand Indicators for Message Identification standard, is working with Yahoo to coordinate with and bring its customer base to the trial.
Q: When will the BIMI standard be complete?
A: The group aims to complete all required draft specifications in 2018.
Q: When will the technology move from pilot to widespread implementation?
A: We expect an email provider would spend many months testing the technology to ensure it doesn’t disrupt regular communications. We may see more widespread implementation by the fourth quarter of this year.
You would have to ask email service providers about their specific plans to implement the Brand Indicators for Message Identification standard.
Q: Is Google going to implement this in Gmail?
A: Google is participating in the development of the Brand Indicators for Message Identification standard. We don’t have any information on Google’s product plans, you will need to ask them.
Q: Will people using the desktop versions of email clients like Microsoft Outlook or Apple’s Mac Mail be able to use it? Will it work on mobile phones?
A: Brand Indicators for Message Identification can be built into email clients and other applications on mobile phones, websites and desktop computers. It is up to the developer to determine whether and when to support it. The Oath trial of BIMI on Yahoo Mail will include its desktop app (Yahoo Mail via the web) along with Android and iOS for mobile. Longer term, we expect desktop applications such as the Mac Mail application and updated versions of Outlook to include support for displaying BIMI-sourced brand logos.
Benefits of BIMI
Q: What are the expected marketing benefits to organizations using BIMI?
A: Organizations will get free, sanctioned brand impressions within the world’s largest email platforms. Sending organizations will also get, as a side effect of the requirements of BIMI, a more secure communications channel between themselves and their customers.
For senders and brands, Brand Indicators for Message Identification offers the benefits of immediate brand recognition and an enhanced user experience, and ensures their logo is current and consistent across platforms.
Q: What are the expected benefits to email platforms and social media providers?
A: They gain benefits associated with broad adoption of email authentication, including lowered costs and a better ability to safeguard their end users. They also gain access to a high quality pool of brand logos, published and kept current by brands themselves, and with appropriate impersonation protection safeguards. This will enable them to launch new and enhanced applications using the logos and improve usability and navigation.
BIMI will also allow them to publish different sizes and versions of logos in different environments and applications.
Q: How much is BIMI expected to reduce how often users are tricked by fraudulent emails?
A: The security benefit of BIMI will come by encouraging companies to enforce DMARC policies, which makes it much harder for scammers to send email falsely appearing to come from another company’s domain.
Agari research of public DNS records last year showed that 92 percent of all Fortune 500 companies have left their customers and business partners unprotected from phishing and other forms of email attacks that impersonate their corporate email domain. Only eight percent were enforcing DMARC reject or quarantine policies.
Q: So is BIMI a marketing tool or a cyber security standard?
A: First and foremost, BIMI is a publishing standard designed to enable the safe and efficient distribution of brand logos and trademarked identities on the Internet. BIMI is a standardized means of distributing digital brand identity (visual logos) for use with online services. When coupled with email authentication, it provides greater visibility, reliability and trust, which are benefits to both marketing and security.
Like Shimmer Non-Dairy Floor Wax in the old Saturday Night Live skit (“A floor wax AND a dessert topping!”), BIMI is a communications standard that also delivers cybersecurity benefits.
Q: Haven’t I seen something like this before?
A: Email providers like Yahoo, Google and Microsoft have previously used limited, proprietary technologies to display the logos of select organizations. Microsoft for a time was manually managing a set of logos for specific companies, and Yahoo has used an automated application that grabs logos from the internet.
BIMI replaces closed systems with an internet-scale open standard, available to any organization that meets the requirements. It provides stronger security and ensures that the correct logos are used.
BIMI puts brands back in control of how their logos are being displayed. Clients like Yahoo Mail and Gmail already display logos obtained from other sources that might or might not be official or accurate. BIMI ensures that clients display the correct logo as endorsed and approved by the brand. It also allows brands to tell a receiver not to display a logo if desired.
BIMI and Cyber Security
Q: What are the security benefits of BIMI?
A: We expect BIMI to spur companies to become compliant with best practices for email which can protect email coming from their domains. We believe organizations are more likely to invest the time and effort to authenticate their email if it also gives them the ability to influence how the email they send is displayed. BIMI can also be used to show logos on social media pages (e.g. brand pages on LinkedIn, Facebook, and Twitter) to better protect against impersonation.
We believe BIMI will encourage more companies in laggard sectors like retail and healthcare to adopt DMARC to protect their brands and customers.
Once a major company in a sector adopts BIMI, competitors are likely to feel pressure to do the same.
Q: Why can’t scammers and spammers just put fake corporate logos in their emails?
A: BIMI-sourced logos appear on screen real estate controlled by the email program (Yahoo, Outlook, Gmail, etc.), both in the inbox and in individual emails. Email senders have no control over what appears in those spaces (sometimes called an application’s “chrome”) through anything sent in the email. The content of the email message plays no role; only the identity of the email’s sender matters, and only if that identity has been authenticated through DMARC.
Q: How does the email client know which emails are authentic?
A: BIMI builds on the DMARC standard for authenticating email. Before sending an email to a user’s inbox, email platforms like Yahoo, Outlook and Gmail already check the email against the sender’s DMARC record and via authentication methods present within each email message to confirm authenticity.
Every domain has openly available Domain Name System (DNS) records, which specify the IP address that hosts the website (along with other information used by applications like web browsers and mail servers). To adopt DMARC, a company adds a DMARC record to the domain’s DNS records. The DMARC record instructs email platform providers how to handle unauthenticated emails appearing to come from that domain (i.e., monitor, quarantine or reject them).
Domain owners will need to add BIMI instructions to their DNS records, including the URL for the location of the file containing the logo.
Email platforms (email receivers) like Yahoo will display BIMI logos only for senders whose internet domains are authenticated via DMARC. Receivers will also rely on additional factors like reputation and internal trust signals as well as existing anti-fraud technology to determine trust.
DMARC virtually eliminates domain spoofing, by verifying that an email appearing to come from a domain (e.g., Dropbox.com) actually comes from that domain.
But DMARC doesn’t block display name deception, which is far easier for criminals than spoofing the domain name. Many email clients don’t even show an email address, just the name of the sender. It’s easy for a criminal to use, for example, a senior bank executive’s name as the display name in an attempt to deceive another bank employee. With BIMI, that email won’t display the bank logo.
There’s no single solution for preventing email fraud. But we believe BIMI has the potential to reduce fraud from identity deception, while helping safeguard brands.
Q: How will companies get their logos to the email providers? How will the email providers know what logo to display?
A: Brand owners won’t need to coordinate with individual email platform providers to get their logos displayed or update them. Instead, BIMI instructions are added to the domain’s DNS record.
To adopt BIMI, domain owners will need to add their BIMI preferences as specially formatted text records placed in specific DNS subdomains. The preference data is called a “BIMI Assertion Record.” It includes a URL (an Internet address) for the location of a logo-containing file, which must be an SVG (Scalable Vector Graphics) file.
In addition, email platform providers will require evidence of trademark ownership by the brand associated with the domain name. Such evidence must be vetted by carefully overseen third parties called Mark Verifying Authorities, and the results conveyed and protected cryptographically.
Q: Will the logos be part of the emails?
A: No. The logos aren’t attached to the emails. The BIMI assertion record (within the DNS records for the domain) points to the web address containing the logo.
Q: What happens when a company changes its logo? Will it have to update the logo with each application that uses BIMI to display the logo?
A: No, the company will update the logo in only one place — the web address specified in the BIMI assertion record — and it will be available to all the email platforms. This makes re-branding straightforward and ensures the brand’s presence with major platforms will always be current.
How Can Organizations Begin Using BIMI?
Q: What does a company need to do to adopt BIMI for its domain?
A: First, the organization needs to implement DMARC-based email authentication. Individual email platforms could require a strong DMARC policy. Yahoo, for example, is currently planning to require a policy of either reject or quarantine. Companies with no DMARC policy, or a DMARC policy of none (monitor), won’t be able to have their logos displayed. In the future, BIMI could be extended to accept other authentication standards such as S/MIME.
Second, the domain will need a BIMI Certificate, demonstrating that it meets the requirements of BIMI. (The certificate requirement is part of the standard, but isn’t being used in the Oath / Yahoo pilot, which is hand-vetting applicants and logos).
Third, it needs to update its domain records to include its BIMI policy.
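As an added example (not code from this FAQ, the Authindicators Working Group or the pilot), here are the two DNS records from steps one and three over constructed data, followed by the receiver-side eligibility check the FAQ describes: enforcing DMARC policy, a BIMI assertion record, and a logo URL pointing to an SVG. The record locations `_dmarc.<domain>` and `<selector>._bimi.<domain>`, the HTTPS requirement and the use of an empty `l=` tag to decline a logo are taken from the DMARC RFC and the BIMI draft rather than from this page, and the lookup assumes SPF/DKIM alignment has already passed.

```python
# Added example, not from the BIMI FAQ. DNS answers are constructed inline
# so the check runs offline; a real receiver would issue TXT queries.
from urllib.parse import urlparse

CONSTRUCTED_DNS = {
    # Enforcing DMARC plus a BIMI assertion record: logo is eligible.
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg",
    # Monitor-only DMARC (p=none): the FAQ says no logo is displayed.
    "_dmarc.monitor-only.example": "v=DMARC1; p=none; rua=mailto:d@monitor-only.example",
    "default._bimi.monitor-only.example": "v=BIMI1; l=https://monitor-only.example/logo.svg",
    # Empty l= tag: per the BIMI draft, the brand declines to publish a logo.
    "_dmarc.quiet.example": "v=DMARC1; p=quarantine",
    "default._bimi.quiet.example": "v=BIMI1; l=",
    # Enforcing DMARC but no BIMI record at all.
    "_dmarc.nobimi.example": "v=DMARC1; p=reject",
}

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_logo_for(domain: str, selector: str = "default", dns=CONSTRUCTED_DNS):
    """Return (logo_url, reason); logo_url is None whenever no logo may be shown.

    Checks, in the order a receiver would apply them: DMARC record present,
    DMARC policy is reject or quarantine, BIMI assertion record present,
    l= tag non-empty, and the logo URL is an SVG served over HTTPS.
    """
    dmarc = parse_tags(dns.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        return None, "no DMARC record"
    if dmarc.get("p") not in ("reject", "quarantine"):
        return None, f"DMARC policy '{dmarc.get('p')}' is not enforcing"
    bimi = parse_tags(dns.get(f"{selector}._bimi.{domain}", ""))
    if bimi.get("v") != "BIMI1":
        return None, "no BIMI assertion record"
    url = bimi.get("l", "")
    if url == "":
        return None, "brand declines to publish a logo"
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.path.lower().endswith(".svg"):
        return None, "logo must be an SVG served over HTTPS"
    return url, "ok"

if __name__ == "__main__":
    for d in ("example.com", "monitor-only.example", "quiet.example", "nobimi.example"):
        print(d, bimi_logo_for(d))
```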
Q: What is a BIMI Certificate and how can an organization obtain one?
A: BIMI certificates are a type of public key certificate similar to the Extended Validation (EV) Certificates that confirm the authenticity of a website.
A new type of organization called a Mark Verifying Authority (MVA) will provide BIMI certificates. The vetting by the MVA will include all the requirements for obtaining an EV Certificate – the strictest of three levels for proving domain ownership – and add additional requirements:
The MVA audits all relationships between the domain name and the associated logo. The applicant must demonstrate (1) ownership or license to a registered trademark; (2) the registered trademark must be registered in a competent jurisdiction; (3) the proposed mark or logo must match the registered trademark; and (4) the owner or licensor of the trademark must also be the registrant (or licensee) of the associated domain name.
Q: What if there is a dispute over trademark ownership?
A: Should a brand take issue with the award of a BIMI certificate to another applicant, existing systems of law for addressing the problem come into play.
This includes court-issued injunctions; the MVAs, upon being served with an injunction, may be required to revoke an issued certificate. Certificate revocation mechanisms developed for TLS certificate management will be leveraged for BIMI certificates, enabling email receiving platforms to obtain notice.
Q: What is included in a BIMI certificate?
A: A BIMI certificate contains:
1) Legal entity name and place of registration
2) One or more domain names
3) Reference to the registered trademark and the ISO country code of the associated jurisdiction
4) Secure links (including hashes) of the vetted media matching the mark(s)
5) Optionally, the image file itself, as an embedded object
Q: Are there any Mark Verifying Authorities yet?
A: Not yet, as the standard hasn’t been completed. But we expect the business opportunity will bring companies into this market. An existing EV TLS Certificate Authority already does much of what is needed to issue a Brand Indicators for Message Identification certificate. These certificate authorities have established trust models with browsers and receivers. MVAs must be audited and approved by the CA/Browser Forum. We are actively working with members of the CAB Forum, the governing body of certificate authorities, to define the vetting requirements and the specifics of the BIMI Certificate. Existing CAs are very likely to enter the market and provide BIMI Certificate-related products to new and existing customer bases.
Q: If there aren’t any Mark Verifying Authorities yet, how is the Oath / Yahoo pilot working?
A: The brand logos and associated domain names of the pilot participants are being hand-audited by Oath analysts. All participants are directly known by one or more members of the Working Group. The domain names of trial participants will be whitelisted, so that BIMI-published logos will not be eligible for display unless the associated domain is explicitly on the white list. While this will not scale to thousands of brands, it is sufficient for the early stage trial.
Q: What will be the cost to a company that wants to use its logos with BIMI?
A: Because Brand Indicators for Message Identification is expected to be an open standard, no payment will be required by the standard’s developers.
The Mark Verifying Authorities will charge for their vetting and issuance services, and a brand owner will also likely need to use legal or other staff to provide the necessary proof of ownership for the domain and their brand logo.
Q: Where can I get more information?
A: A working draft of the specification, which may not be fully up-to-date, is available at https://authindicators.github.io/rfc-brand-indicators-for-message-identification/#rfc.authors