The AuthIndicators Working Group is aware of recent press reports that have raised concerns regarding BIMI and newly released verification check marks that various mailbox providers are adding to their email clients in concert with display of BIMI logos.
We want to stress that BIMI is working exactly as designed. BIMI relies on the email authentication technologies SPF, DKIM, and DMARC, and was developed in large part as an incentive for domains and brand owners to adopt these technologies. After authentication is validated, mailbox providers perform additional anti-abuse checks before a message is ever delivered to a user or a logo is displayed. The issue which was reported illustrates a long-standing, and well-known, issue with SPF, one that predates BIMI and even DMARC.
BIMI is an incentive for brand owners to implement the strongest authentication for their mail. The continued adoption of BIMI is making visible long-standing edge cases with authentication that still need attention and which the ecosystem must take action to address. We hope the benefits of BIMI and the necessary implementation components create further incentives for mailbox providers who participate in BIMI (and those who define and implement the standards) to address these long-standing gaps in authentication protocols.