After reading my article on the importance of implementing DMARC, a representative of a reputable technology services company in India asked me to help them implement BIMI. This request gave me an excellent opportunity to read up on BIMI and implement it for our email domain rediffmail.com.
In this article, I will explain the unwritten rules I discovered while implementing BIMI, which should help you with your own implementation. But mind you, BIMI is still at a nascent stage, and whatever I have written here may change in the future. Currently, Yahoo! Mail is the only email provider that has implemented it, and Gmail has announced that it will support BIMI by 2020. We at Rediff.com have also taken notice of the importance of BIMI and are working towards implementing it.
While DMARC helps stop spoofed emails that use an organization's exact domain name in the "from" address, many phishing emails use some random "from" address instead. Many users fall prey to these phishing emails because they are not tech-savvy enough to check an email's authenticity by inspecting the "from" address. This is where BIMI comes in.
BIMI, or Brand Indicators for Message Identification, is a standard under which a brand's authenticated email has the brand's logo displayed beside the "from" address in the message and also in the email listing in the inbox. Users can check the authenticity of an email with a simple visual check instead of the more involved procedure of examining the "from" address.
As the inbox shows the brand's logo in the email listing, users can avoid opening phishing emails and open only trusted ones. Because of this trust, the chances of users marking authenticated emails as spam are lower. With fewer unsubscriptions and spam markings, the sending address's reputation improves, which in turn increases the chances of marketing email being delivered to the inbox.
1. Implement SPF (You can check here if SPF is enabled or not: https://businessemail.rediff.com/spf-analyzer)
2. Implement DKIM (You can check here if DKIM is enabled or not: https://businessemail.rediff.com/dkim-analyzer)
3. Implement DMARC with the policy tag "p" set to "quarantine" or "reject". (You can check here whether the DMARC policy is set correctly: https://businessemail.rediff.com/dmarc-analyzer). Set "p" to "reject" to stop spoofed emails from reaching your customers.
4. Make an SVG (.svg) image of your logo. It should be square and centered.
5. This image should be hosted on a web server and be accessible over HTTPS. The logo will be displayed only if the URL uses HTTPS, not HTTP.
6. Make sure you update this logo if you rebrand, and update the DNS record if the logo's location changes.
7. Obtain a Verified Mark Certificate (VMC). The VMC is optional now, but it may become mandatory in the future. At present it is issued by invitation only, by DigiCert and Entrust Datacard.
8. Create a DNS TXT (text) record for the domain used for sending emails.
9. Using the "default" selector, the BIMI record should look like this:
a. Without a Verified Mark Certificate: default._bimi.brandwebsite.com IN TXT "v=BIMI1; l=https://subdomain.brandwebsite.com/image/logo.svg; a=;"
b. With a Verified Mark Certificate: default._bimi.brandwebsite.com IN TXT "v=BIMI1; l=https://subdomain.brandwebsite.com/image/logo.svg; a=https://subdomain.brandwebsite.com/vmc/logo.pem;"
10. Verify if you have implemented the BIMI record properly here: https://mxtoolbox.com/bimi.aspx
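As an added example (not code from the original article or from Rediff), here is a small Python checker that encodes the requirements above before you publish the record: the DMARC policy must be quarantine or reject, the record must carry v=BIMI1, the logo URL must be HTTPS and point to an SVG, and the VMC URL (a=), when present, must also be HTTPS. The records and domain names are constructed for illustration; a real check would fetch default._bimi.<domain> and _dmarc.<domain> over DNS first.

```python
from urllib.parse import urlparse

# Constructed sample records for a hypothetical "brandwebsite.com"; not live DNS data.
BIMI_OK = "v=BIMI1; l=https://subdomain.brandwebsite.com/image/logo.svg; a=;"
BIMI_BAD = "v=BIMI1; l=http://subdomain.brandwebsite.com/image/logo.png;"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@brandwebsite.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@brandwebsite.com"


def parse_tags(txt):
    """Split a 'k=v; k=v;' style TXT record into a dict (empty values are kept)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi(bimi_txt, dmarc_txt):
    """Return a list of findings explaining why the BIMI record would not be honoured.

    An empty list means the pair of records passes the checks described in the article.
    """
    findings = []

    # Prerequisite: DMARC must exist and enforce quarantine or reject (p=none is not enough).
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC record missing or malformed")
    elif dmarc.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC policy must be quarantine or reject, got %r" % dmarc.get("p"))

    # The BIMI record itself: version tag, HTTPS SVG logo, optional HTTPS VMC.
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        findings.append("BIMI record must start with v=BIMI1")
    logo = bimi.get("l", "")
    if not logo:
        findings.append("l= (logo URL) is required")
    else:
        url = urlparse(logo)
        if url.scheme != "https":
            findings.append("logo URL must use HTTPS, not %s" % (url.scheme or "no scheme"))
        if not url.path.lower().endswith(".svg"):
            findings.append("logo must be an SVG file")
    vmc = bimi.get("a", "")
    if vmc and urlparse(vmc).scheme != "https":
        findings.append("VMC URL (a=) must use HTTPS")
    return findings
```

Running `check_bimi(BIMI_OK, DMARC_REJECT)` returns no findings, while the `BIMI_BAD` record is flagged for both its HTTP scheme and its PNG logo.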
I discovered the following while implementing BIMI for our email domain Rediffmail.com:
1. BIMI will not work for individual email addresses like email@example.com or firstname.lastname@example.org.
2. BIMI will work only for high-volume email addresses used for mass communication, like email@example.com. These are the addresses used to send transactional messages such as bank statements, transaction alerts or OTPs.
3. BIMI will work only for email addresses that have a good reputation and are not used to send spam.
4. BIMI will not work if the DMARC policy tag "p" is set to "none".
5. We still do not know the number of emails that should be sent using the brand email address to be qualified for BIMI.