BIMI piloting

BIMI stands for Brand Indicators for Message Identification and is an email authentication standard that allows you to display a verified company logo in your recipients' inboxes when sending a properly authenticated email. They can immediately trust that it is an actual email from you and not a dangerous phishing attempt. BIMI does not guarantee 100% deliverability, but it can help you achieve more brand recognition and trust, a higher sender reputation and ultimately better email KPIs (key performance indicators).

Current state of adoption

The BIMI standard is relatively new and still in the piloting phase at many Internet Service Providers (ISPs). The distribution and further development are being driven by the AuthIndicators Working Group, which offers further information on the current status at Bimigroup.org.

State of adoption as of October 2020:

Image: BIMI implementation

A full implementation is already possible with the mobile and web clients from Yahoo and AOL as well as Google. To send authenticated emails with BIMI, see Implementing BIMI.

Functionality and requirements

To set up BIMI, the basic authentication standards must be in place, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication Reporting and Conformance (DMARC). See Email authentication and encryption.

The BIMI standard expects a DMARC setup on the organizational domain. Many ISPs who are implementing BIMI or who are considering BIMI support in the future recommend that senders start to prepare now and implement DMARC. See DMARC implementation.

The BIMI setup itself is done by creating a BIMI text record on the domain which is to be authenticated with the company logo in the future. The record will contain a reference to the company logo and possibly a so-called Verified Mark Certificate (VMC) that officially validates the logo. The logo itself must be delivered as a Scalable Vector Graphic (SVG Tiny 1.2 Portable/Secure) with further specific format requirements. VMCs are required to use BIMI with Google and can currently be purchased from Entrust or Digicert. At Yahoo and AOL they are not currently required.

When attempting to deliver an email, the participating ISPs will verify the DMARC setup on the one hand and the BIMI setup on the other. If both checks are successful, the ISPs will pull the logo from the URL in the BIMI record to display the BIMI image in the inbox next to your email. ISPs state that a good sender reputation is essential for this.

Technical specifications

BIMI record

To use BIMI, a BIMI record must be created for the sending domain that is to benefit from the verified logo display. This can be a subdomain or an organizational domain.

Example BIMI record:

  • Example domain. example.com
  • BIMI domain. default._bimi.example.com
  • Record type. TXT
  • BIMI record. v=BIMI1; l=https://www.example.com/logo.svg;

Available BIMI tags

The following table provides an overview of the possible BIMI tags and the implementation options.

Tag | Definition | Implementation
v | Version | The v tag is required and must be set with v=BIMI1.
l | Location | The l tag is required and indicates the location of the logo you want to display. It is specified as a URL with HTTPS. HTTP will not work.
a | Trust authorities | The a tag is required for the BIMI setup with Google and is used to validate domain ownership using a Verified Mark Certificate. The accepted values are:
  • self. No validation option, similar to not having an a tag.
  • cert. Provides an HTTPS URL to a Verified Mark Certificate that can be used to validate the logo in the l tag.
  • mva. Specifies an HTTPS URL to an API endpoint that can be queried for validation.

Image requirements

The BIMI standard requires the creation of a logo in the image format SVG Tiny 1.2 Portable/Secure, in short SVG P/S.

The SVG P/S format is stricter than SVG Tiny 1.2 and requires the image to be a centered, square image of your official company logo without any additional text on a background of solid colour. Additionally, the image should be as small as possible, not exceed 32 KB and further resources like external links, scripts or interactive elements must not be included. You can find a full list of the required elements at Bimigroup.org.

BIMI selector

The BIMI domain, default._bimi.example.com in this example, starts with the BIMI selector. The mailbox provider uses it to identify and look up the associated BIMI record and logo. The standard selector name is default, and it is the only one that is currently accepted by the supporting ISPs, Yahoo and AOL in particular.

Theoretically, if you plan on rolling out BIMI to multiple brands using the same sending domain, there is also the option to work with several selectors. However, different selectors would also make a technical adjustment to the email itself necessary. Since this option is still under development and is currently not supported anyway, you should work with different sender domains and thus separate BIMI records to differentiate between brands.

Implementing BIMI

To implement BIMI, do the following:

  1. Authenticating emails
  2. Creating an SVG logo
  3. Acquiring a VMC
  4. Setting up the BIMI record
  5. Analyzing the results

Authenticating emails

BIMI requires the authentication of your emails with SPF, DKIM and DMARC. If you are unsure, you can send a test email and check in the email header whether the authentication requirements are met or simply ask your IT administrator. For further information on the required DNS setup, see Setting up your domain on Optimizely World. For information on how to implement DMARC, see DMARC implementation.

The BIMI standard requires DMARC on the organizational domain with a DMARC policy set to either p=quarantine or p=reject. Optimizely strongly recommends the p=reject policy.

Additionally, parameters that weaken the DMARC application, such as sp=none or a percentage below 100 (pct<100), are not allowed.

BIMI can currently be implemented with the web and mobile clients of Yahoo, AOL and Gmail. For Yahoo and AOL, the DMARC record on the sending domain is currently sufficient, even if it is a subdomain. Gmail, on the other hand, requires the DMARC record on the organizational domain, as is generally defined for the BIMI standard. To be on the safe side with future developments, you should implement DMARC on the organizational domain.

Creating an SVG logo

To implement BIMI, you need to create a company logo as a Scalable Vector Graphic. The exact version supported by BIMI is SVG Tiny 1.2 Portable/Secure (SVG P/S). The SVG BIMI logo must

  • be square and centered
  • include only your logo, without text, on a background of a solid color
  • be as small as possible and not exceed 32 KB
  • not include external links, scripts, animation, or other interactive elements

Once created, host the SVG image at an HTTPS URL and it is ready to be added to your BIMI record.

At Bimigroup.org you can find further information on creating SVG BIMI logos and SVG conversion tools.
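
The logo requirements listed above can be checked mechanically before the file is published. The following is an added example, not Optimizely or Bimigroup.org code; the function names, the sample SVG and the reading of 32 KB as 32 * 1024 bytes are assumptions. It covers size, a square viewBox, scripts, animation, links and event handlers, but not whether the logo is centered or the background is solid.

```python
# Added example (not Optimizely code): pre-publication check of a BIMI logo
# against the requirements listed above. The sample SVG is constructed.
import xml.etree.ElementTree as ET

MAX_BYTES = 32 * 1024  # assumption: "32 KB" read as 32 * 1024 bytes
FORBIDDEN = {"script", "a", "set", "animate", "animateMotion",
             "animateTransform", "animateColor"}

SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
 baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example</title>
 <rect width="100" height="100" fill="#003366"/>
 <circle cx="50" cy="50" r="30" fill="#ffffff"/></svg>"""


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]


def check_logo(data):
    """Return the reasons the SVG bytes fail the page's logo requirements."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("larger than 32 KB")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return problems + ["not well-formed XML"]
    if local(root.tag) != "svg":
        return problems + ["root element is not svg"]
    box = root.get("viewBox", "").replace(",", " ").split()
    try:
        square = len(box) == 4 and float(box[2]) == float(box[3]) > 0
    except ValueError:
        square = False
    if not square:
        problems.append("viewBox is missing or not square")
    for element in root.iter():
        if local(element.tag) in FORBIDDEN:
            problems.append(f"forbidden element <{local(element.tag)}>")
        for attr, value in element.attrib.items():
            if local(attr).lower().startswith("on"):
                problems.append(f"event handler attribute {local(attr)}")
            if local(attr) == "href" and not value.startswith("#"):
                problems.append("external reference in href")
    return problems

if __name__ == "__main__":
    print(check_logo(SAMPLE_SVG))
```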

Acquiring a VMC

The BIMI standard generally provides for the BIMI logo to be validated by a certification body so that its authenticity can be guaranteed. With a Verified Mark Certificate (VMC), the certification body certifies the logo owner, and the proof of the certification is made accessible in the DNS of the sender domain.

A VMC is currently required only for using BIMI at Google; Yahoo and AOL do not require a certificate. So far, the following certification authorities are available:

  • Entrust
  • Digicert

The BIMI Working Group expects that the acquisition of VMCs will also be possible with other partners in the future.

Setting up the BIMI record

A TXT record with the prefix default._bimi must be created for the sender domain for which BIMI is ultimately to be used. The Optimizely recommended entry is as follows:

  • Example domain. example.com
  • BIMI domain. default._bimi.example.com
  • Record type. TXT
  • BIMI record. v=BIMI1; l=https://www.example.com/logo.svg; a=https://www.example.com/vmc/logo.pem;

Replace example.com with your sender domain and l=https://www.example.com/logo.svg with the image URL of your SVG image. Note that the URL must be based on HTTPS.

If you do not want to use a certificate and only want to implement BIMI with AOL and Yahoo, the parameter a=https://www.example.com/vmc/logo.pem can be omitted.
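
The DMARC conditions under "Authenticating emails" and the record format in this section can be verified on the TXT strings themselves before they are published. The following is an added example, not Optimizely code; the function names and the weak DMARC sample are constructed, and the a tag is treated as an HTTPS URL as in the recommended record above.

```python
# Added example, not Optimizely code. Sample records are constructed.
from urllib.parse import urlparse

WEAK_DMARC = "v=DMARC1; p=quarantine; sp=none; pct=50"  # constructed sample
PAGE_BIMI = "v=BIMI1; l=https://www.example.com/logo.svg;"  # from this page

def parse_tags(record):  # 'tag=value; tag=value;' -> {tag: value}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def is_https_url(value):
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)

def check_dmarc(record):
    """Return the reasons a DMARC record does not meet the BIMI requirements."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("v must be DMARC1")
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("p must be quarantine or reject")
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none is not allowed")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        problems.append("pct must be 100")
    return problems

def check_bimi(record, require_vmc=False):
    """Return the reasons a BIMI record is invalid; require_vmc models Google."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "BIMI1":
        problems.append("v must be BIMI1")
    if not is_https_url(tags.get("l", "")):
        problems.append("l must be an HTTPS URL")
    a = tags.get("a", "")
    a = "" if a.lower() == "self" else a  # tag table: self equals no a tag
    if a and not is_https_url(a):
        problems.append("a must be an HTTPS URL")
    if require_vmc and not a:
        problems.append("a (VMC) is required for Google")
    return problems

if __name__ == "__main__":
    print(check_dmarc(WEAK_DMARC), check_bimi(PAGE_BIMI, require_vmc=True))
```

An empty list means the record meets the conditions checked; the strings would normally come from a TXT lookup of _dmarc.example.com and default._bimi.example.com.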

Analyzing the results

There are tools that you can use to create your BIMI record and/or to verify it afterwards. One of them is the BIMI Inspector provided by Bimigroup.org.

After the successful implementation of the BIMI record, your SVG logo should now be displayed in the participating email clients. Check over time whether the implementation has reduced phishing attempts and improved your email KPIs.