BIMI piloting

BIMI stands for Brand Indicators for Message Identification and is an email authentication standard that allows you to display a verified company logo in your recipients' inboxes when sending a properly authenticated email. They can immediately trust that it is an actual email from you and not a dangerous phishing attempt. BIMI does not guarantee 100% deliverability, but it can help you achieve more brand recognition and trust, a higher sender reputation and ultimately better email KPIs (key performance indicators).

Current state of adoption

The BIMI standard is relatively new and still in the piloting phase at many Internet Service Providers (ISPs). The distribution and further development are being driven by the AuthIndicators Working Group, which offers further information on the current status at Bimigroup.org.

State of adoption as of October 2020:

Image: BIMI implementation

BIMI piloting with Google is currently only available to selected participants. However, a full implementation is already possible with the Yahoo and AOL mobile and web clients. For information on how to send emails authenticated with BIMI to Yahoo and AOL, see Implementing BIMI.

Functionality and requirements

To set up BIMI, the basic authentication standards must be in place, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication Reporting and Conformance (DMARC). See Email authentication and encryption.

The BIMI standard expects a DMARC setup on the organizational domain. Many ISPs that are implementing BIMI or considering BIMI support in the future recommend that senders start to prepare now and implement DMARC. See DMARC implementation.

The BIMI setup itself is done by creating a BIMI text record on the domain which is to be authenticated with the company logo in the future. The record will contain a reference to the company logo and possibly a so-called Verified Mark Certificate (VMC) that officially validates the logo. The logo itself must be delivered as a Scalable Vector Graphic (SVG Tiny 1.2 Portable/Secure) with further specific format requirements. The VMCs are currently only being issued to domains invited to participate in the BIMI pilot run by Google. They are currently not required for the piloting with Yahoo and AOL.

When attempting to deliver an email, the participating ISPs will verify the DMARC setup on the one hand and the BIMI setup on the other. If both checks are successful, the ISPs will pull the logo from the URL in the BIMI record to display the BIMI image in the inbox next to your email. ISPs state that a good sender reputation is essential for this.

Technical specifications

BIMI record

To use BIMI, you must create a BIMI record for the sending domain that is to display the verified logo. This can be a subdomain or an organizational domain.

Example BIMI record:

  • Example domain. example.com
  • BIMI domain. default._bimi.example.com
  • Record type. TXT
  • BIMI record. v=BIMI1; l=https://www.example.com/logo.svg; a=https://www.example.com/vmc/logo.pem;

Available BIMI tags

The following table provides an overview of the possible BIMI tags and the implementation options.

Tag | Definition | Implementation
v | Version | The v tag is required and must be set with v=BIMI1.
l | Location | The l tag is required and indicates the location of the logo you want to display. It is specified as a URL with HTTPS. HTTP will not work.
a | Trust authorities | The a tag is currently optional and is used to validate domain ownership using a Verified Mark Certificate. The accepted values are:
  • self. No validation option, similar to not having an a tag.

  • cert. Provides an HTTPS URL to a Verified Mark Certificate that can be used to validate the logo in the l tag.

  • mva. Specifies an HTTPS URL to an API endpoint that can be queried for validation.

Image requirements

The BIMI standard requires the creation of a logo in the image format SVG Tiny 1.2 Portable/Secure, in short SVG P/S.

The SVG P/S format is stricter than SVG Tiny 1.2 and requires the image to be a centered, square image of your official company logo without any additional text on a background of solid colour. Additionally, the image should be as small as possible and must not exceed 32 KB, and it must not include further resources like external links, scripts or interactive elements. You can find a full list of the required elements at Bimigroup.org.

BIMI selector

The BIMI domain, default._bimi.example.com in this example, starts with the BIMI selector. The mailbox provider uses it to identify and look up the associated BIMI record and logo. The standard selector name is default, and it is the only one currently accepted by the supporting ISPs, Yahoo and AOL in particular.

Theoretically, if you plan on rolling out BIMI to multiple brands using the same sending domain, there is also the option to work with several selectors. However, different selectors would also make a technical adjustment to the email itself necessary. Since this option is still under development and is currently not supported anyway, you should work with different sender domains and thus separate BIMI records to differentiate between brands.

Implementing BIMI

To implement BIMI, do the following:

  1. Authenticating emails
  2. Creating an SVG logo
  3. Setting up the BIMI record
  4. Analyzing the results

Authenticating emails

BIMI requires the authentication of your emails with SPF, DKIM and DMARC. If you are unsure, you can send a test email and check in the email header whether the authentication requirements are met or simply ask your IT administrator. For further information on the required DNS setup, see Setting up your domain on Optimizely World. For information on how to implement DMARC, see DMARC implementation.

The BIMI standard requires DMARC on the organizational domain with a DMARC policy set to either p=quarantine or p=reject. Optimizely strongly recommends the p=reject policy.

Additionally, parameters that weaken the DMARC application, such as sp=none or a percentage below 100 (pct<100), are not allowed.

The BIMI implementation can currently only be fully tested with Yahoo and AOL mobile and web clients. For these ISPs, a DMARC record on the sending domain is currently sufficient, even if it is a subdomain. To be on the safe side with future developments, you should implement DMARC on the organizational domain.

Creating an SVG logo

To implement BIMI, you need to create a company logo as a Scalable Vector Graphic. The exact version supported by BIMI is SVG Tiny 1.2 Portable/Secure (SVG P/S). The SVG BIMI logo must

  • be square and centered
  • include only your logo, without text, on a solid-color background
  • be as small as possible and not exceed 32 KB
  • not include external links, scripts, animation, or other interactive elements

Once created, host the SVG image at an HTTPS URL; it is then ready to be added to your BIMI record.

At Bimigroup.org you can find further information on creating SVG BIMI logos and SVG conversion tools.
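The logo rules listed above can be checked on your own logo file before you publish it. The following is an added example, not part of the original page or of any Bimigroup.org tool; it assumes the square shape is expressed through the viewBox attribute, and the function names and sample images are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 32 * 1024  # 32 KB limit from the logo requirements
BANNED = {"script", "a", "animate", "animateMotion", "animateTransform",
          "animateColor", "set"}  # scripts, links and animation elements

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]

def check_logo(data):
    """Return the problems found in SVG bytes, per the logo rules above."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("larger than 32 KB")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        # Precaution for the XML parser, not a rule stated on this page.
        return problems + ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return problems + ["not well-formed XML"]
    if local(root.tag) != "svg":
        return problems + ["root element is not <svg>"]
    try:  # assumption: a square image has equal viewBox width and height
        _, _, w, h = (float(n) for n in
                      root.get("viewBox", "").replace(",", " ").split())
        square = w == h and w > 0
    except ValueError:
        square = False
    if not square:
        problems.append("viewBox is not square")
    for el in root.iter():
        name = local(el.tag)
        if name in BANNED:
            problems.append(f"<{name}> element is not allowed")
        for key, value in el.attrib.items():
            if local(key).startswith("on"):  # onload, onclick, ...
                problems.append(f"event handler attribute {local(key)}")
            elif local(key) == "href" and not value.startswith("#"):
                problems.append(f"external reference {value}")
    return problems

# Constructed sample images, not real logos.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
        b'<rect width="100" height="100" fill="#003366"/>'
        b'<circle cx="50" cy="50" r="30" fill="#ffffff"/></svg>')
BAD = (b'<svg xmlns="http://www.w3.org/2000/svg" '
       b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 100" '
       b'onload="init()"><script>init=1</script>'
       b'<use xlink:href="https://cdn.example.com/mark.svg#m"/></svg>')
```

An empty list from check_logo means none of the listed rules were violated; it does not replace the full SVG P/S validation described at Bimigroup.org.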

Setting up the BIMI record

A TXT record with the prefix default._bimi must be created for the sender domain for which BIMI is ultimately to be used. The Optimizely recommended entry is as follows:

  • Example domain. example.com
  • BIMI domain. default._bimi.example.com
  • Record type. TXT
  • BIMI record. v=BIMI1; l=https://www.example.com/logo.svg;

Replace example.com with your sender domain and l=https://www.example.com/logo.svg with the image URL of your SVG image. Note that the URL must be based on HTTPS.

The parameter a=https://www.example.com/vmc/logo.pem; which refers to a Verified Mark Certificate is currently optional and can be omitted.

Some ISPs or future BIMI programs may require VMCs that officially validate your logo. Currently these are only being issued to domains invited to participate in the BIMI pilot run by Google and are not available for public use yet. Certificates are currently not required for the BIMI piloting with Yahoo and AOL.

Analyzing the results

There are tools that you can use to create your BIMI record and/or to verify it afterwards. One of them is the BIMI Inspector provided by Bimigroup.org.

After the successful implementation of the BIMI record, your SVG logo should now be displayed in the participating email clients. Check over time whether the implementation has reduced phishing attempts and improved your email KPIs.