FAQs For Marketers and ESPs
- What is BIMI?
- How does BIMI technically work?
- What is DMARC?
- What is DMARC Enforcement?
- What does BIMI have to do with anti-abuse?
- Does BIMI use any technical means to validate the published logo?
- What will my experience as a “Brand” and my customers be?
- Does BIMI allow me to support multiple domains and logos?
- What do I need to do to operationalize BIMI on my end?
- Does the display of a logo promote user trust?
- We have published our BIMI record; how do we verify it’s working?
- My ESP doesn’t provide the ability for us to modify the SMTP.from (ex: bounce.esp.com, RFC 5321) domain
- I want to participate in the Google pilot, how can I get my brand/client involved?
- Should I only publish BIMI on my organizational domain or each subdomain?
- Does BIMI use my DKIM (d=; i=) or my SPF domain?
- Does my policy need to be at quarantine/reject pct=100 to be considered enforcement?
- Why is “Brand” logo showing while they don’t have a BIMI record?
- Who is currently displaying BIMI records in their UI?
- How do I obtain a VMC?
- Is it a problem if I want to have BIMI on myemaildomain.com but the images (the image path) is myimagehost.com?
- Why is a mailbox provider or testing tool reporting issues retrieving my SVG/VMC file?
- Where should I publish the BIMI Record?
- What are the different attributes of a BIMI Record?
- What Marks are Supported by VMCs?
- How can I get a VMC?
- How will BIMI impact Annotations?
- How is Yahoo different from other BIMI implementations?
- I represent a government agency which has a logo that is not a registered trademark, how do we get a Verified Mark Certificate (VMC)?
- Do we have to publish a DMARC enforcement policy at the Organizational Level, even if we’re only using the subdomain?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that enables the use of brand-controlled logos within supporting email clients. BIMI leverages the work an organization has put into deploying DMARC protection, by bringing brand logos to the customer’s inbox. For the brand’s logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization’s domain has not been impersonated.
BIMI allows an organization to publish a new, standardized DNS record for a domain they own. This record contains a URL to a logo that may require proof that the logo has been validated with a VMC. An organization will publish a BIMI record containing these URLs. A supporting mailbox provider (MBP) will check the sending domain’s DMARC policy and verify that it is included in the BIMI validation. If both checks are successful, the MBP may use the logo from the URL in the BIMI record to populate the BIMI image of the qualifying email sent from that domain to the MBP.
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance,” is an email authentication policy and reporting protocol. DMARC defends against unauthorized use of domains by preventing direct domain impersonation within email. It protects brands by ensuring participating mailboxes only receive email actually sent by or on behalf of a domain. More information about DMARC.
DMARC enforcement represents a particular attribute of a DMARC record “p=”. This attribute indicates how the record holder authorizes the mail receiver to handle mail that fails DMARC and authentication checks. Enforcement can be “p=quarantine” which indicates failed messages should be quarantined, or “p=reject” which indicates failed messages should be rejected. The policy must be either “p=quarantine” or “p=reject” on the organizational domain, without gaps such as sp=none or pct<100.
BIMI enhances your brand’s value within participating mailboxes, connecting the display of verified logos to the increased protection provided by DMARC enforcement. BIMI builds on improved authentication against domain impersonation, with the additional value of brand identification.
To correctly assert logo association to a given message, the current BIMI specification relies on a successful validation of the BIMI record, relative to a sending domain. It is up to the domain and mark owner to reference the correct logo to use in a BIMI record for a domain.
Compared to senders who do not implement BIMI, your brand logo may appear with your messages. Recipients may better recognize and interact with your messaging by making a visual connection to your brand logo and increase your brand’s engagement through direct customer response. BIMI may potentially improve email opens or clicks, as compared to messages sent without logo impressions in the user’s mailbox.
Senders will need an email sending domain with a DMARC policy of at least quarantine or reject. Some mailbox providers may require senders to obtain a verified mark certificate (VMC). Senders will need a logo, for which they own the mark, hosted on a URL that follows the specification parameters requirements. The final step is to build a simple BIMI DNS record and publish it to DNS.
BIMI’s strong authentication requirement – DMARC at enforcement – provides brands the opportunity to prevent their domain(s) from abuse, therefore potentially improving trust with their customers. BIMI builds on this foundation of trust and authentication.
BIMI relies upon DMARC alignment passing (via SPF or DKIM). As long as DKIM alignment passes, your BIMI record will be retrieved and evaluated. Please check with your email service provider for options.
Good news the Google pilot is officially over, read our announcement here
A default BIMI record should be published at the Organizational Domain, allowing it to be inherited by all subdomains. The domain administrator may publish a BIMI record on a subdomain. If a BIMI record is found at that subdomain, the mailbox provider can use it (even if it differs from the BIMI record published at the Organizational Domain).
Receivers will attempt to retrieve a BIMI record from the domain identified by DMARC alignment for the RFC5322.From Author Domain. In the case of DKIM alignment, the BIMI record would be retrieved from the domain identified within the DKIM “d=” value.
In essence BIMI is an attempt at standardizing how logos are displayed and verified within email clients. The numerous processes that were mostly manual or relied on profiles in other applications and platforms are being harmonized and verified through aligned email authentication and DMARC enforcement. Certain Mailbox providers, such as Microsoft, have different mechanisms which will show logos, but this is not BIMI.
BIMI – is there a certain recommended logo size?
BIMI relies on a scale vector format, specifically described as an SVG profile (currently defined as SVG Tiny PS). As such, BIMI logos are not defined by pixel size, please consult your graphic designer for help in creating a proper vector graphic. Please review the specific requirements for logos in our other FAQs.
The BIMI group has published an infographic here showing the current status of BIMI in use by a number of large Mailbox Providers. Some mailbox providers may be publishing logos using proprietary image hosting mechanisms which will have their own requirements. The intention of BIMI is to centralize and streamline the support of logos in these providers by implementing strong authentication and validation of ownership with a VMC.
Read more about VMCs and how to get them here.
Retrieving an SVG, or VMC, file is done via an HTTPS transaction, the same mechanism used by a browser when loading a web page. The retrieving process contacts a web server, asks for the file, and then displays it if the request is granted.
Many web servers are configured to make the requester prove that it’s not a robot, with the most common technique for this being use of “CAPTCHA”. The processes used by mailbox providers and test tools are automated, not manual, and so they typically fail the test to prove they’re not robots, because they basically are.
The best solution for you as the owner of the SVG/VMC file is to remove the “prove you’re not a robot” test from the URL that points to these files, while leaving it in place for the rest of the content served by your webserver. This allows your files to be retrieved by these automated processes while still leaving in place the abuse protection that “captcha” provides for the rest of your site. There are multiple ways to accomplish this, so consult your hosting provider for more details on how best to do it with minimal disruption to your business practices.
BIMI records are published to DNS for each domain you have created a record. BIMI was designed to function similarly to DMARC meaning that you can publish a single global BIMI Record for your organization domain that will cascade down to other subdomains, or you can publish a specific record for a subdomain. Like DKIM, BIMI also supports selectors allowing the same domain to publish multiple but separate records. The base selector is ‘default‘ and the DNS txt records should look similar to this ‘default._bimi.example.com‘ and could be used to segment different logos.
A BIMI record has three attributes:
- v=bimi1 – the record declaration indicating that this is a BIMI record
- l=URL – the hosting location of the SVG image.
- a=URL – the hosting location of the VMC/Assertion record
Each attribute is separated by a semicolon (;) and the final record will look similar to this:
default._bimi.example.com in txt
"v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;"
You can read about which types of Mark are acceptable in Appendix B of the VMC Guidelines document. Currently VMCs are available from Digicert, and Entrust DataCard. More providers are expected to be added in the future.
VMCs are available through authorized Certificate Authorities and their partners. At this time there are two authorized CAs who may issue VMCs on your behalf:
Verizon Media (Yahoo) will display your BIMI logo if :
- A BIMI record exists which points to a valid logo in SVG format
- A DMARC policy of quarantine or reject is in place
- The mailing is sent to large number of recipients (bulk mail)
- And Verizon Media sees sufficient reputation and engagement for the email address
If you think all of those requirements are met but still no logo is displayed, please read the Yahoo developer documentation for BIMI help.
I represent a government agency which has a logo that is not a registered trademark, how do we get a Verified Mark Certificate (VMC)?
If you have a logo authorized by government fiat (e.g. by legislation) then you should qualify for a BIMI VMC. Review the guidance in the VMC requirement document to be sure you qualify and talk with one of the MVAs that supply VMCs.