BIMI: Show your logo next to GMail and Yahoo e-mails

OVERVIEW

If you have noticed a company logo displayed next to emails in your GMail or Yahoo! Mail account and wondered how to do that for your company; this article will show you how by using BIMI.

WHAT IS BIMI

BIMI (pronounced: Bih-mee), is an abbreviation for: Brand Indicators for Message Identification.  Participating e-mail clients can display a logo next to authenticated e-mails if the sender has specified a BIMI logo. Early trials claim a 10% increase in open rates for e-mails displayed alongside a BIMI image.  The receiver’s trust in the e-mail might increase too.

There are two parts to the standard: a method for domain owners to publish the location of their logo image file, and a means for mail servers to verify the authenticity of that logo.

THE CURRENT STATE OF THE BIMI STANDARD

At the time this article was written, only Google’s GMail, Yahoo! Mail, Verizon Media (including AOL and Netscape Mail), and FastMail support BIMI. A working group made up of several companies and named “BIMI Group” has formed to develop a draft IETF standard for BIMI.

Although the draft standard is currently in use, the standard has not been completely fleshed out yet. For example, the standard still needs to define a way for mail servers to verify that a company logo belongs to the sender of the e-mail. Proposed methods include connecting to an API endpoint on a web site to retrieve validation data, or a VMC (Verified Mark Certificate) which is a resurrection of the failed Extended Validation Certificate standard. An additional proposal allows for BIMI data to be used in generating DKIM signatures for e-mails.

Mail service providers cache BIMI records and images to reduce network traffic and processing time. But, do not expect your logo to starting showing up immediately in e-mail clients that support BIMI.  It may take months to cache your BIMI data, even if tests confirm that your configuration is correct. It could take longer if your domain does not send a lot of e-mail. Caching BIMI data could be the downfall of the standard since cache size could quickly get out of hand.  Worse of all, GMail seems determined to only support large, well-known corporations that send huge amounts of e-mail.

HOW TO IMPLEMENT BIMI

To implement BIMI in its simplest form, you need:

• An SPF record for your domain.
• DKIM e-mail signing must be set up for your domain.
• A valid DMARC DNS record for your domain with a policy of either quarantine or reject. For example:

  _dmarc TXT "v=DMARC1; p=quarantine;"

• An exact square logo for your brand/web-site/company in SVG Tiny Portable/Secure format (a more secure subset of the SVG Tiny 1.2 format, and still a draft standard).
• A DNS TXT record for your domain to provide a BIMI record with the URI location of the SVG file. The only supported transport for the SVG URI is HTTPS. The DNS TXT record is in the following format:

  default._bimi TXT "v=BIMI1; l=https://mydomain.com/logo.svg;"

BIMI SELECTORS

The draft standard has a proposal for BIMI “selectors.”   Selectors allow e-mail campaigns to specify one of several logos for display alongside an e-mail.  You can do this by adding a new DNS TXT record for each new selector name.  For example, adding two additional selectors and the default might look like the following DNS TXT records:

default._bimi TXT "v=BIMI1; l=https://mydomain.com/logo.svg;"
promos._bimi TXT "v=BIMI1; l=https://mydomain.com/promos-logo.svg;"
helpdesk._bimi TXT "v=BIMI1; l=https://mydomain.com/helpdesk-logo.svg;"

Then add a BIMI-Selector: header to your outgoing emails to declare the selector name. For example, to select the helpdesk BIMI image above, add the following header to your outgoing email:

BIMI-Selector: v=BIMI1; s=helpdesk;

Consult the documentation for your email client, mail server, or bulk mail service to find out how to add this header to your outgoing emails.

For example, if you use Thunderbird, find the profile ID of your email account using the Config editor. Then create or edit the user.js file in your Thunderbird profile folder to add the BIMI header automatically. To automatically add the helpdesk selector to all outgoing emails on profile ID 1 in Thunderbird, add this to the user.js file in your profile.

user_pref("mail.identity.id1.headers", "BIMI-Selector"); 
user_pref("mail.identity.id1.header.BIMI-Selector", "BIMI-Selector: v=BIMI1; s=helpdesk;");

Save your edits to the user.js file and restart Thunderbird to start using the new settings.

TRUST AUTHORITY

A Trust Authority can be specified to authenticate the ownership of the logo.  To do this, add the a= parameter to the DNS TXT record, and set a value. This part of the standard is not clear yet, and is currently optional.  It is best to leave it out.

Specifying a=;, or leaving the parameter out of the TXT record, indicates no “BIMI Evidence Document” or VMC or validation is provided. At the time this article was written, Yahoo! Mail, AOL, and Netscape are accepting BIMI logos with no verification. In the future, not providing a trust authority, or self validating, might result in a failure to display your logo.

Google’s GMail, however, is currently only accepting BIMI logos that have a VMC through Entrust Datacard or DigiCert.  This is also an invitation-only program at the moment. Google seems to want to show BIMI logos only for well-known corporations that send a lot of email.  If you are using GMail, you will probably see a logo next to a Bank of America e-mail, but probably never next to a once per year e-mail from mom-and-pop-shop.com.

The a= Trust Authority parameter might specify the URI for a certificate, or the URI for a Trust Authority to retrieve the certificate file.  Trust Authority parameters might look like any of the following TXT records, but the definition isn’t clear yet:

default._bimi TXT "v=BIMI1; l=https://mydomain.com/logo.svg; a=;"
secondary._bimi TXT "v=BIMI1; l=https://mydomain.com/secondary-logo.svg; a=self;"
promos._bimi TXT "v=BIMI1; l=https://mydomain.com/promos-logo.svg; a=https://registar.com/vmc/mydomain/promos.pem;"
helpdesk._bimi TXT "v=BIMI1; l=https://mydomain.com/helpdesk-logo.svg; a=https://mydomain.com/api/get-pem?helpdesk;"

MORE INFORMATION

• More detailed information is available in the BIMI Group Implementation Guide.
• You can test your implementation using the BIMI Group’s LookUp & Generator Tool.
• You can convert your SVG logo to SVG Tiny Portable/Secure format with these free tools.
• Domain Registrars will, no doubt, push for requiring a Verified Mark Certificate. Extended Validation Certificates were a failed standard and web browsers have stopped displaying any special indicators for web sites with an EVC. VMCs have the same verification requirements as EVCs, plus additional requirements, such as your logo being a registered trademark with the US Patent and Trademark Office. However, the standard does not consider trademarks from other countries. US domain registrars and the BIMI Group seem to forget that most of the internet exists outside the United States. The pricey and months-long VMC validation process might slow down e-mail spoofers and spammers.  But it is just as likely to create an unfair advantage for large corporations.  As a result, many businesses might not adopt it due to the time and expense involved.