The AuthIndicators Working Group is thrilled to announce that Gmail is now widely supporting BIMI, making it accessible to nearly 2 billion inboxes and bringing years of efforts and collaboration to fruition. 

Brands’ abilities to control their logos when sending emails, newsletters, receipts and offers is invaluable. Like those using consistent vanity URLs and display names across social media profiles, BIMI’s approach gives control to brands of their own imagery, offering consistency, conveying trust and increasing recognition and reach. 

To use BIMI effectively, domains must implement Domain-based Message Authentication, Reporting & Conformance (DMARC) to ensure proper validation of both emails and logos. Since 89% of all phishing attacks start with sender identity fraud, DMARC is an essential safeguard. It prevents bad actors from using BIMI to sow further confusion. This basic practice also promotes security hygiene and encourages brands to take better precautions against phishing attacks by deploying and enforcing email authentication. 

Organizations who authenticate their emails using SPF or DKIM and deploy DMARC can provide their validated trademarked logos to Google via a Verified Mark Certificate (VMC). BIMI leverages Certification Authorities to verify logo ownership and provide proof of verification in a VMC. Authenticated emails then run through Google’s anti-abuse mechanisms that further help protect users, and after satisfying those checks, Gmail will start displaying the sender’s trademarked logo in the Gmail UI. Currently, an organization’s registered trademark validates a BIMI certificate. While VMCs are currently tied to registered trademarks from select jurisdictions, future plans may expand access to include both additional jurisdictions and options for unregistered trademark logos.

This is just the start for BIMI; the standard expects to expand support across two dimensions: supported logo types and supported validators. For logo validation, BIMI is starting by supporting the validation of trademarked logos, as they are a common target of impersonation. Today, DigiCert and Entrust support BIMI as Certification Authorities, and in the future the BIMI working group expects this list of supporting Certification Authorities to expand further. To learn more about BIMI and the future work, stay tuned on bimigroup.org.

*Source: Advancing email security for Gmail and beyond with BIMI