What is BIMI?
BIMI is short for Brand Indicators for Message Identification, an email authentication standard designed to give brands a way to communicate their visual identity to recipients by showing their logo next to the emails they send. It also means sending authenticated emails.
BIMI can be used by anyone with any email service provider. With BIMI, as a domain owner, you can coordinate with email clients to display brand logos beside authenticated email messages.
Here’s a detailed guide regarding how BIMI works.
How does BIMI work?
BIMI builds on authentication standards like SPF, DKIM, and DMARC. To use BIMI, your sending domain must pass all of the above standards. You shouldn’t use a policy of p=none on your DMARC record, as BIMI requires a policy of p=quarantine or p=reject.
Once you have that set up, you must create a fresh BIMI TXT record in DNS that points to an SVG version of your brand’s logo. With this, you’re letting mailbox providers know how and where to find your logo.
Sans BIMI, email service providers only display a placeholder logo using the brand’s initials. The recipient has a hard time understanding where the email is coming from.
With BIMI, the brand logo gets displayed next to the email message. This improves brand awareness. When BIMI is not enabled, all recipients get is a generic placeholder logo. Is that exciting? No. Where BIMI is enabled, a brand logo appears next to the email message boosting trust and getting more people to open the mail.
Make no mistake, BIMI is more than providing visual cues. BIMI helps you develop a larger sense of brand awareness among message recipients and is also one of the smartest security moves to make.
It builds trust and boosts engagement, which plays into email deliverability, open, and engagement rates.
So that’s the lowdown on BIMI.
As you create the BIMI record, mailbox providers will start displaying your brand logo alongside messages you send to customers as long as the message is validated and passes DMARC.
What Changes Once you Implement BIMI
The first change you'll see is that your brand’s logo starts showing up in the inboxes of the recipients you email. This is great for creating first impressions. If there’s no logo, that space is taken up by either question marks or standard filler images next to your company. You have no way to stand out, to look appealing to your customers, and worst of all, this makes you look like a spammer.
BIMI helps you build additional trust with customers. Trust means better relationships and higher open and click-through rates. This is great for your business.
You’ll also get DMARC reports that will tell you more about the traffic to your site. This helps you develop an idea around traffic details and clear up the confusion on DMARC.
Guide for SPF, DMARC, and DKIM
Setting up SPF
SPF uses a DNS TXT record to provide a list of authorized sending IP addresses for a domain. SPF checks are performed against the 5321.MailFrom address. The 5321.MailFrom address isn’t authenticated when you use SPF on its own.
Step 1: Start by collecting IP addresses used to send emails
To implement SPF, start by identifying servers sending emails from your domain. Most organizations send emails from several places. Make a list of all these servers. Here are a few examples:
- Your web server
- In-office server
- ISP’s mail server
- Mail server of end users’ mailboxes
- Third-party servers
Step 2: Make a list of your sending domains
Again, as a large organization, your brand has several domains. Some of these are used to send emails, and some are not. But you should SPF-proof all domains because the hacker will try to use non-protected domains if other domains are protected.
Step 3: Create your SPF record
SPF authenticates sender identity by comparing the sending mail server’s IP address to the list of authorized sending IP addresses published by you in the DNS record.
- Start with v=spf1 (version 1) and then add the IP addresses authorized to send emails, for example: v=spf1 ip4:220.127.116.11
- Once you have added all authorized IP addresses, end the record with either a ~all or -all tag.
- Note that SPF records, by default, aren’t allowed to be over 255 characters.
This is how you create your SPF record.
Step 4: Publish your SPF to DNS
Using the DNS service, publish the SPF record to the DNS. It’s simple with established DNS providers like GoDaddy.
Once you configure SPF, the recipient server checks the mail from the “from” address. If the message is from a valid source, the SPF check passes. Since the email client displays the From address, the user sees the message from a valid source.
With DMARC, the recipient server also checks against the From address. If a DMARC TXT record is in place, then the From address check fails.
Setting up DMARC
What is a DMARC TXT record?
Similar to the DNS records for SPF, the record for DMARC is a DNS TXT record that works to prevent spoofing and phishing. You can publish DMARC TXT records to DNS. The TXT records validate the source of the email messages by verifying the IP address against the original list of IP addresses on the domain. The TXT record identifies outbound email servers.
Step 1: Identify valid sources of mail for your domain
If you have set up SPF with DMARC, there are a few additional things to take care of. When identifying the main sources for the domain, start by answering two questions:
- Which IP addresses send messages from the domain?
- For mail sent from third parties, will the 5321.MailFrom and 5322.From domains match?
Step 2: Form the DMARC TXT record for your domain
- Go to the DNS of your domain
- Select TXT DNS Record Type
- Add Host value
- Add value information
- Hit the Save button
Setting up DKIM
Now you need to set up DKIM. DKIM lets you add a digital signature to your email messages in the header. DKIM adds a new encrypted signature to all your outgoing mail. Servers that receive signed messages use DKIM to decrypt the message and verify that the message wasn’t changed after being sent.
Here’s how to set up DKIM:
- Generate the domain key for your domain. This key is used to decode the email’s digital signature.
- Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.
- Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.
Setting up BIMI
Prerequisites for BIMI
Brand logos are displayed next to authenticated messages. We first saw how you could set up SPF, DKIM, and DMARC. After meeting these requirements, you can start implementing BIMI.
How to implement BIMI?
To implement BIMI, here’s what you can do:
- Upload brand logo
- Create a BIMI record
- Publish the BIMI record to the DNS
- Check the BIMI record to see if it's successful.
Upload your brand logo
Upload the brand logo in SVG format to a server easy to access from any place. You get a URL to the logo visible and accessible from here:
You will need this when you create a BIMI record in step 2.
Create a BIMI record
It’s similar to DMARC records. A BIMI record has multiple tags separated by semicolons. There are two tags in each BIMI record: v and l. The v tag indicates the BIMI version. It’s mandated to be BIMI1. The l tag indicates the logo URL.
Here is an example BIMI record which we got from step 1:
Publish your BIMI record in the DNS
A BIMI record is a TXT record published in the DNS at default._bimi.yourdomain.com.
A complete BIMI record in the DNS looks like this:
Check the BIMI record
It’s always a good idea to check the validity of the BIMI record once you publish the same. Use this BIMI record checker to check if the BIMI record has been published correctly on the domain. Enter the domain and hit the check domain button. If the BIMI set is correct, the checker will pull the logo and display the same. With this, you successfully implemented BIMI on your domain.
Why is my BIMI logo not appearing in emails?
The reason is simple. Publishing a BIMI record is no guarantee that your logo will start displaying. BIMI is a framework for your logo for brand identification. The decision to show a logo or not is with the mailbox provider and email client.
It can be due to one of several reasons:
- The email client has no support for BIMI. To ensure this doesn't happen, ensure the receiving mail server is on the list of BIMI-supported email clients.
- Another possibility is that your sender reputation is too low to qualify for the BIMI logo display. Measuring the sender's reputation is subjective. No ISP publishes this information. However, there’s a checklist you can use to know the health of the sender domain.
- Your BIMI implementation is incorrect, for example because of a bad SVG, poor domain reputation, or missing information.
List of Mailbox Providers and Email Clients Supporting BIMI
BIMI adoption is currently in its starting stages. Yahoo was the first email service provider to support BIMI on web applications and a mobile email application. Gmail announced its support for BIMI in 2020, which is the real thing that attracted plenty of interest to the technology.
Not every email client has support for BIMI. Even if you have a high sender reputation and have implemented the right BIMI records, your brand logo might not yet start appearing in the BIMI records. Some providers only offer support on certain emails, like transaction emails.
List of providers currently in the beta phase of supporting BIMI
- Yahoo, AOL mail
List of providers planning to support BIMI
List of providers with no support for BIMI:
- Yahoo Japan
Why is BIMI so important?
With ever-increasing cases of spoofing, phishing, and email fraud that are causing data breaches and playing with customer trust, it’s important to protect your brand from getting targeted in these cases.
A broken logo or the absence of a logo in the first place will harbor distrust. Email recipients are going to see these emails as spam, and they’re going to get lower open rates from the get-go.
Is it Mandatory to Implement BIMI?
No email authentication is mandatory at this juncture. But it’s highly recommended you start using these. The user-experience benefits of implementing BIMI are far higher than anything else you’d get. Also, you get anti-spam with it.
Will Implementing BIMI Increase Open Rates for your Email?
BIMI is an opportunity for you to market your brand even without getting your email opened by someone. Email users will spend less than a second reading a subject line in the preview. If the subject line isn’t engaging enough, you risk the opportunity to get an open and a click.
Marketers have been relying on the subject line and sender name details to open the email, but with BIMI, users may start seeing the brand logo in the preview panes to open the email. Not all implementations support logos in the list view portion of the email clients.
That's precisely why email marketers worldwide should look to include BIMI in their email programs.
BIMI will also create new opportunities for the designers to innovate with logos or favicons to make their brand stand out in the email preview pane.
Why is BIMI important for Mailbox providers?
SPF, DKIM, and DMARC are the real authentication parameters that protect emails from getting spoofed. The truth is that most average users are not aware of any of these authentication frameworks. You can’t simply expect them to go through email headers to understand the source IP and which authentications seem to be failing.
Gmail and other leaders in the email space have been playing with the visual elements of emails. Other email clients haven’t got the letter yet.
According to a CyberSecurity report, Yahoo reported one of the biggest data breaches of all time, with details of 3 billion user accounts leaking out in 2013.
Cybercrime costs the global economy about 1 trillion annually. This is more than 1 percent of the global GDP.
BIMI is a move towards stronger authentication efforts to help both receivers of emails and mailbox clients to identify if the sender is authentic.
The wide adoption will benefit email clients just like the revolution two-factor authentication ushered in.
Spammers enter your mailboxes using fraudulent identities.
It can be the lure of a lottery or even a fake job internationally. Once the adoption of DMARC with strict rules that either quarantines your emails or rejects them gathers pace, phishing attempts will be a thing of the past. Many others sending brand-impersonated emails won’t be able to deliver it to the inbox or make it out of the spam folder either.
BIMI with DMARC enhances the email security layer for sensitive businesses like banks, payment gateways, social media platforms, donation platforms, and retailers.
How to implement BIMI?
BIMI requires a no-nonsense DMARC configuration that you need to set up on the organization domain. A strict DMARC record lets the receiver decide whatever he wants to do with emails from the brand’s domain that fail to meet the authentication criteria. This lets the receiver test whether it’s ok to display the brand logo or not.
What is DMARC Enforcement?
A DMARC record with no enforcement as in the criteria p=none is like checking for identification and then letting anyone inside, even those who fail to meet the criteria.
It’s a great way to understand who’s entering and use the data to ensure safeguards are in place by not interrupting access and use of the building. It also protects your brand, its employees, and customers by collecting data in areas where it proves useful.
DMARC enforcement refers to the specific parameter in the TXT record indicated by p. With it, the domain owner sets the mail-handling request for the receiving server. To enable DMARC, start with a p=none record and evaluate authentication. Then go for a stricter enforcement policy, p=quarantine, with p=reject in the future.
If there’s an authentication failure, the receiving mail server checks the value of p and takes the requested action: none, quarantining, or rejecting the message.
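An added example (not from the original article) that ties the BIMI record format from "Create a BIMI record" to the enforcement rule described above: it parses both TXT records, lists the reasons a domain would not qualify for logo display, and returns the handling the p tag requests for a failing message. The example.com records and the function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed records for the placeholder domain example.com.
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI_RECORD = "v=BIMI1; l=https://example.com/brand/logo.svg"


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def requested_action(dmarc_record: str, passed_dmarc: bool) -> str:
    """Handling the domain owner requests from the receiver via the p tag."""
    if passed_dmarc:
        return "deliver"  # label used here: p only applies to failing mail
    return parse_tags(dmarc_record).get("p", "none").lower()


def bimi_problems(dmarc_record: str, bimi_record: str) -> list[str]:
    """Reasons the domain is not ready for BIMI; an empty list means ready."""
    problems = []
    policy = parse_tags(dmarc_record).get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or 'missing'}: no enforcement")
    bimi = parse_tags(bimi_record)
    if bimi.get("v") != "BIMI1":
        problems.append("v tag must be BIMI1")
    # https comes from the BIMI specification; the article only asks for SVG.
    logo = urlparse(bimi.get("l", ""))
    if logo.scheme != "https" or not logo.netloc:
        problems.append("l tag must be an https URL")
    if not logo.path.lower().endswith(".svg"):
        problems.append("l tag must point to an SVG file")
    return problems


if __name__ == "__main__":
    print(requested_action(DMARC_ENFORCED, passed_dmarc=False))
    print(bimi_problems(DMARC_MONITOR, BIMI_RECORD))
```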
BIMI checklist for building sender reputation
- Build and maintain a high sender reputation by sending highly engaging emails with low bounces and low spam complaints.
- The sender domain should not be part of the global DNSBLs or RBLs list. Use the Grademyemail tool to know the blocklist status of the domain.
- Consult with trusted authorities to get a verified mark certificate for your domain. If the sender's reputation is excellent and the BIMI logo doesn’t appear, this is worth a shot.
You get higher engagement through better opens and clicks with BIMI. It boosts email marketing efforts. Studies also show that recipients are likelier to engage with messages from senders they can trust. Since you’re improving trust, engagement only goes up with this.
Engagement isn’t the sole benefit of BIMI. Security, too, plays a big role. According to Marcel Becker of Verizon Media Group, it’s a win-win for you. The brand gets better exposure, and you get more control over the brand, plus higher engagement rates, and it’s more secure.
Ultimately as a sender, you get access to a secure email ecosystem. DMARC is a good tool to protect senders against phishing, and the adoption is slower than most would have liked.