Verifying that a logo is authorized for use by a specific domain has been at the center of the debate since the idea for BIMI was first discussed. In fact, that very issue is why it has taken the past 7 years to develop the specification. Since this was such a difficult problem to solve, we developed two different types of BIMI records to get where we are today:
- Self-Asserted Records – In the first case, there is no verification of the logo at all. It is left up to the mailbox providers to decide whether or not to display the logo.
- Records with Evidence Documents – As many pointed out, there needed to be some form of evaluation such that a logo could be verified as being authorized for use by a domain.
Up until recently, the most broadly deployed BIMI records were “self-asserted”. Only a couple of mailbox providers accepted them, and those that did (e.g. Yahoo) carefully considered which domains they allowed to display logos. Then on July 12th, Gmail announced support for BIMI, requiring an evidence document in the form of a Verified Mark Certificate (VMC).
In order to obtain a VMC, a company must provide evidence that their logo is a registered trademark (i.e. that a government agency recognizes its legitimate use). The VMC also attests to the use of that logo in relation to identified domains. Mailbox providers can now retrieve and verify the VMC to ensure that the logo is authorized for use.
Regardless of which BIMI record is used, the situation collapses into a single requirement: reputational trust. A self-asserted record requires that the mailbox provider trusts the domain (e.g. relying on its own reputation data about the domain), whereas a VMC moves that trust from the domain to the CA that issued the VMC. At this time, there are two Certificate Authorities (CAs) that are accepted as Mark Verifying Authorities (MVAs) which can issue VMCs for use with BIMI:
So, it’s essentially the job of the MVA to verify that the logos are authorized for use with BIMI. Then it’s up to the mailbox providers to decide which MVAs they trust to issue VMCs.
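To make the two trust paths concrete, here is the mailbox-provider side of that decision as an added example (not code from the BIMI Group, any MVA, or any mailbox provider). It parses the BIMI assertion record that a provider fetches from DNS at `<selector>._bimi.<domain>`, classifies it as declined, self-asserted, or evidence-backed, and then applies the policy described above: a self-asserted record is honoured only on the provider's own domain reputation, while an evidence-backed record is honoured only if the VMC validates, was issued by an MVA the provider trusts, and actually covers the sending domain. The record strings, domain names, MVA names and the in-memory VMC table are all constructed for illustration; `validate_vmc` is a hypothetical hook standing in for fetching the PEM at the `a=` URL and chain-validating it against the MVA roots, which is outside the scope of this snippet.

```python
"""Mailbox-provider side of the BIMI trust decision (added example).

Constructed data only: the records, domains and MVA names below are not
real. A real deployment reads the TXT record at <selector>._bimi.<domain>
and chain-validates the PEM at the a= URL against the MVA roots it trusts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class BimiRecord:
    logo: str      # l= value; "" means the domain declines to participate
    evidence: str  # a= value; "" when absent, i.e. a self-asserted record


def parse_bimi_record(txt: str) -> BimiRecord:
    """Parse 'v=BIMI1; l=<https url>; a=<https url>' or raise ValueError."""
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]  # tolerate a trailing ';'
    if not parts:
        raise ValueError("empty record")
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = value
    # The version tag must come first and must be BIMI1.
    if next(iter(tags)) != "v" or tags["v"] != "BIMI1":
        raise ValueError("record must start with v=BIMI1")
    if "l" not in tags:
        raise ValueError("l= tag is required")
    for name in ("l", "a"):  # non-empty locations must be https URLs
        if tags.get(name, "") and urlsplit(tags[name]).scheme != "https":
            raise ValueError(f"{name}= must be an https URL")
    return BimiRecord(logo=tags["l"], evidence=tags.get("a", ""))


def record_kind(rec: BimiRecord) -> str:
    if not rec.logo:
        return "declined"
    return "evidence" if rec.evidence else "self-asserted"


@dataclass(frozen=True)
class VmcSummary:
    """What a provider keeps from a chain-validated VMC (hypothetical shape)."""
    issuer: str              # MVA that issued the certificate
    domains: FrozenSet[str]  # dNSName SANs the mark is certified for


@dataclass(frozen=True)
class ProviderPolicy:
    trusted_mvas: FrozenSet[str]       # MVAs whose VMCs this provider honours
    reputable_domains: FrozenSet[str]  # domains allowed to self-assert
    # Hypothetical hook: fetch + validate the PEM at the a= URL, None on failure.
    validate_vmc: Callable[[str], Optional[VmcSummary]]


def should_display_logo(domain: str, txt: str, policy: ProviderPolicy) -> Tuple[bool, str]:
    """Return (display?, reason); the reason names the trust path that decided."""
    try:
        rec = parse_bimi_record(txt)
    except ValueError as err:
        return False, f"rejected: {err}"
    kind = record_kind(rec)
    if kind == "declined":
        return False, "domain declines to participate"
    if kind == "self-asserted":
        # Trust rests entirely on the provider's own view of the domain.
        if domain in policy.reputable_domains:
            return True, "self-asserted record, domain reputation"
        return False, "self-asserted record, no reputation"
    # Evidence path: trust moves from the domain to the MVA that issued the VMC.
    vmc = policy.validate_vmc(rec.evidence)
    if vmc is None:
        return False, "VMC failed to validate"
    if vmc.issuer not in policy.trusted_mvas:
        return False, f"VMC issued by untrusted MVA {vmc.issuer}"
    if domain not in vmc.domains:
        return False, f"VMC does not cover {domain}"
    return True, f"VMC from {vmc.issuer}"


# Constructed sample data so the example runs stand-alone.
SAMPLE_VMCS: Dict[str, VmcSummary] = {
    "https://bimi.example.com/mark.pem": VmcSummary("Example MVA", frozenset({"example.com", "mail.example.com"})),
    "https://bimi.example.org/mark.pem": VmcSummary("Unknown CA", frozenset({"example.org"})),
}
SAMPLE_POLICY = ProviderPolicy(
    trusted_mvas=frozenset({"Example MVA"}),
    reputable_domains=frozenset({"trusted.example.net"}),
    validate_vmc=SAMPLE_VMCS.get,  # dict lookup stands in for fetch + chain validation
)
SAMPLE_RECORDS = {
    "example.com": "v=BIMI1; l=https://bimi.example.com/logo.svg; a=https://bimi.example.com/mark.pem",
    "example.org": "v=BIMI1; l=https://bimi.example.org/logo.svg; a=https://bimi.example.org/mark.pem",
    "trusted.example.net": "v=BIMI1; l=https://bimi.example.net/logo.svg;",
    "random.example.net": "v=BIMI1; l=https://bimi.example.net/logo.svg",
    "quiet.example.net": "v=BIMI1; l=;",
}

if __name__ == "__main__":
    for dom, rec_txt in SAMPLE_RECORDS.items():
        show, why = should_display_logo(dom, rec_txt, SAMPLE_POLICY)
        print(f"{dom:20} {'SHOW' if show else 'hide'}  ({why})")
```

The point to notice is in the last three checks: a VMC that validates cryptographically is still rejected if its issuer is not on the provider's MVA list, or if the sending domain is not among the domains the certificate was issued for. That is exactly where "who do we trust" moves from the domain's reputation to the MVA's.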
And if you’re curious about the steps the MVAs perform when evaluating a request for a VMC, here’s the current process the CAs are following: https://bimigroup.org/resources/VMC_Guidelines_latest.pdf
If you’ve gone through the entire 94 pages (congratulations… it’s pretty dense), you’ll see that the evaluation process is reasonably thorough. The CAs are trying very hard to ensure that their VMCs can be trusted. As a backstop, if the email security community finds that a CA has improperly issued a VMC, mailbox providers will no longer accept VMCs from that CA (which would essentially neutralize the CA’s VMC business).