top of page
Writer's pictureAllison Sanders

What You Need to Know About BIMI and Email Authentication

Updated: Oct 24

Email authentication and technical solutions to verify the origin or ownership of email messages have been topics of conversation in how to achieve ideal deliverability and security in the email marketing universe for the last 20 years. Over the years that conversation evolved and continues to create new opportunity for marketers.


Evolution of Email Authentication


In the early 2000's we started with Sender Policy Framework (SPF), which specifies what mail servers (IP addresses) are allowed to send mail from your domain. SPF helps to identify and prevent "spoofed" mail from being delivered. While SPF helps to ensure the message came from the right place, it does not ensure that a message was not altered during sending. Several years later DKIM, DomainKeys identified mail, was developed to further protect message integrity by providing a unique private digital signature in each sent message that matches a public encryption key for the sending domain. When the private/public keys match, a message is authenticated and more likely to reach its intended audience.

BIMI Timeline 1990's to present
BIMI timeline

So, what happens when a message is sent that does not pass authentication or is unauthorized? With SPF and DKIM, the handling of the message is up to the receiving mail system. Messages could land in a spam or junk folder. They could be delivered to the inbox with warnings to the recipient of possible fraud or could be blocked entirely and not delivered.


In 2012 domain owners and marketers were finally empowered to determine how unauthorized messages should be handled universally with the inception of DMARC. DMARC, Domain-based Message Authentication, Reporting & Conformance, builds on SPF and DKIM best practices and provides instructions to reject, quarantine, or take no action to messages that fail both SPF and DKIM authentication. For the first time organizations had visibility and reporting on email phishing and spoofing attacks.


What is BIMI?

BIMI, which stands for Brand Indicators for Message Identification, is a standard that shows authorized brand logo images alongside authenticated marketing emails in the inbox. BIMI add a "click free" visual component to email security and was developed by email industry leaders to encourage and incentivize email marketers to adopt implement DMARC authentication.


In 2020 major consumer ESPs like Verizon, Yahoo, and AOL began piloting BIMI, but a major announcement by Google that BIMI will be supported in users Gmail experience made really opened the possibilities for adoption by email marketers.


97% of all email is commercial. Almost three-quarters of consumers (72%) prefer email for brand-to-consumer (B2C) communication. According to Marcel Becker, Director Product at Verizon Media, and Christian Schäfer-Lorenz, Head of Product Management Applications for 1&1 Mail & Media GmbH

How to Implement BIMI


Step 1: Authentication


Most marketers sending email from digital platforms have already met many of the prerequisites for BIMI implementation by keeping up with email authentication best practices and setting up SPF, SenderID, and DKIM for all sending domains. Having a DMARC policy for your domain is also required to get started with BIMI. The adoption rate for DMARC has had a dramatic increase since late 2019 according to dmarc.org.


Creating a DMARC policy is a process that impacts all mail being sent by a company from a domain from all sources, not just email marketing campaigns, so the implementation can be more complex and a broader effort. The DMARC policy also needs to be set to quarantine or reject for non-compliant messages and that can take time to reach. Google has a very detailed article on DMARC rollout and advice to best achieve enforcement seamlessly.


Of the domains with DMARC policies, 65.9% are set to "p-none" which indicates messages are still being delivered when failing authentication. 22.8 % of policies are set to "p=reject" and 11.3% to "p=quarantine." What these statics from dmarc.org shows is that 66% of business who have implemented DMARC still have additional work to do to adopt BIMI.


Step 2: Create Logo Image


High-level image requirements for BIMI support per bimigroup.org say the logo should be:

  • SVG (Scaled Vector Graphic) format 32 kb or less

  • Square in shape

  • Securely published (https)

  • Solid color background


Step 3: Publish DNS record for BIMI image


The next step to implementing BIMI is to publish a DNS TXT record with your domain provider that defines the URL of the published SVG image. It is also recommended (though optional) to get a Verified Mark Certificate (VMC) which further validates logo authenticity and may be required by certain mail providers for BIMI support. VMCs are issued by Entrust DataCard and DigiCert.


Example of BIMI DNS record without VMC:
default._bimi.yourdomain.com TXT v=BIMI1; l=https://yourdomain.com/logo.svg;
Example of BIMI DNS record with VMC:
default._bimi.yourdomain.com TXT v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/certificate.pem;


BIMI: What are you waiting for?


The value and benefits of email authentication to business and marketing campaigns has been widely understood for 20+ years. Following best practices leads to more inboxing and campaign engagement as well as builds customer confidence in the legitimacy of a message. With the evolution of SPF to BIMI customers will now see familiar business logos in their inboxes to help when deciding to engage with your message.

It's a win-win for marketers and an opportunity for increased brand awareness.

To understand your current email domain's SPF, DKIM, and DMARC status you can use this tool from MX Toolbox or connect with your Covalent Marketing Consultant for more information on how to take advantage of BIMI.


Resources

Check current SPF/DKIM/DMARC status: https://mxtoolbox.com/SuperTool.aspx

Overview of DMARC: https://dmarc.org/overview/

Tutorial on recommended DMARC rollout by Google: https://support.google.com/a/answer/10032473?hl=en




bottom of page