BIMI: IT Director at EmailLabs answers 6 key questions

BIMI, a new standard offered by Apple Mail, Google, Verizon Media Group (Yahoo, AOL), Netscape and Fastmail, that allows mailboxes to display logos, providing secure email authentication as well as helping to achieve better brand identity. Currently, there are worldwide pilot implementations of BIMI underway, so we decided to ask Marcin Kujawski, IT Director at EmailLabs, to clear some doubts by explaining 6 basic questions about BIMI.

1. What is BIMI?

MK: BIMI is a new standard developed by the BIMI Group association that aims to make email communications more secure, essentially extending the standards which are already in place by adding visual identification. One of the best ways to verify how your message will look in providers eyes is offered by mailchecker.net, which also lets you test your readiness for the implementation of BIMI.

2. Why should companies implement the BIMI standard as soon as possible?

MK: First of all, it is worth noting that providers such as Gmail and Yahoo have already decided to implement this standard. Since it is only in the testing phase, we are not yet sure what impact BIMI will have on deliverability. However, given the technical specifications, it will certainly be a key element in the spam filters used by the major providers. Yet another argument for implementing BIMI is the fact that it makes it easier for recipients to recognize emails from trusted senders, which increases the CTR (click-through rate) and OR (open rate) of our messages.

3. What conditions must be met to implement BIMI?

MK: The first and probably the most important requirement will be DMARC (a protocol used to determine the authenticity of an email message), but the policy we need to set is “reject” or “quarantine” at the level of 100% of rejected emails in case of DMARC error. Additionally, there must be a special record in the DNS system that indicates from which location the sender logo (and certificate) is to be retrieved. Additionally, different logos can be used e.g. for separate departments of our organization.

4. Is VMC certification required?

MK: The specification published by the BIMI Group says that a VMC (a protocol used to determine the authenticity of an email message) is not required, however, it can be expected that most major postal services will require this certificate to prove identity, especially since obtaining it involves a multistage verification of the applicant – during the process, it will be checked, among other things, whether the logo which the future sender wants to use is his intellectual property (e.g. a registered).

5. What is the stage of implementation for Polish/global companies?

MK: The first BIMI users can already access BIMI as part of a closed partnership program offered by Gmail and Yahoo. It is also worth mentioning that CNN was one of the first brands to have its logo displayed next to an email. The pace of introducing new security measures by Czechs is also noteworthy – Seznam.cz is very interested in implementing an additional security layer for its users’ mailboxes. In Poland, however, everything indicates that we will have to wait a bit longer, which does not mean our local providers are not prepared for such an eventuality. In fact, recently we had an interesting discussion with one of the largest Polish providers and it turned out that the operator is interested in implementing BIMI.

6. How can BIMI improve security?

MK: The implementation of BIMI by ISPs will certainly have a very positive impact on improving the security of emails. It is worth noting here that the DMARC, which was created due to the ease of bypassing email-authentication protocols such as SPF and DKIM, theoretically cannot be broken when an attack is carried out via our domain. However, if an attacker decides to use a different domain, phishing (a type of social engineering where an attacker sends a fraudulent message designed to trick a human victim) will be much harder to detect and DMARC itself will not work. This is where the BIMI protocol comes into play – because it displays a logo, it can turn out to be a “phishing killer”. So if a user sees a logo of e.g. his bank in a message, which will be signed with a certificate that guarantees that it is a symbol of a given organization, he or she can be certain that the message does not come from a person assuming a false identity but a trusted sender.

Are you interested in implementing BIMI or need any further recommendations for improving your email security? Contact EmailLabs, and our specialists will provide you with all the necessary information. Please also check our first publication “BIMI – why does your company need it?” where we thoroughly describe the new standard and the benefits of its implementation.