With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing their distribution channels, thus moving all (or a large part) of their business online. This, in turn, has resulted in phishing becoming one of the most common forms of cybercrime.
Today it goes beyond fake websites alone – although those are what we mainly hear about in the context of recent attempts to impersonate the biggest Polish banks. Phishing is also the practice of sending fraudulent emails under the guise of recognizable and reputable brands. The aim is to persuade recipients to share personal information, such as user passwords or bank details – e.g., credit card numbers.
The simplest example of an attempted scam is the well-known messages asking for an urgent transfer as a necessary payment to receive an inheritance from a foreign prince. Most of us will probably smile politely and say that we would never fall for this type of scam.
However, it is important to be aware that current forms of phishing are more advanced, far better prepared, and more difficult to detect – many imitate the communication of real brands 1:1, which makes it easy to fall victim to them.
Gone are the days when it was enough to look at the content of a message to recognize at first glance a fraud attempt due to a poorly prepared email with “scattered” HTML elements.
One solution for reducing the risk of becoming a victim of phishing scams is implementing authentication protocols and BIMI – an emerging email specification that allows you to verify the authenticity of an email sender.
Below, we explore this and other ways of building an anti-phishing shield in greater detail.
Maximize your email deliverability and security with EmailLabs!
An email address is one of the easiest pieces of information to find out about another person online. Everyone has used it many times to subscribe to a newsletter, create an account on a website, complete an online purchase or send a resume.
Along with the coming into force of the GDPR, we have acquired many rights to know how someone came into possession of our data and how it is processed, giving us more control over its use. However, not everyone is aware that due to various hacking attacks, databases can be stolen and, once leaked, illegally sold.
The Darknet is full of offers concerning the sale of confidential information that comes from hacks into IT systems. It is a good practice to check from time to time whether your email address was involved in the security incident and the disclosure of data. For instance, you can do this via the Have I Been Pwned website.
What should you do if you have already received a suspicious email? There are several things you need to check to see if the message you have received is a fraudulent attempt:
A more advanced method of verifying the credibility of a received email is to check its headers, which allows you to confirm the real sender of the message and assess whether it is properly authenticated via SPF, DKIM, and DMARC.
Mailboxes often automatically move messages that fail validation of the above email authentication protocols to the spam folder, but many still end up in other tabs due to their less restrictive policy settings.
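As an added example that is not part of the original post, the script below does the header check described above: it reads the Authentication-Results header stamped by the receiving mail server, extracts the SPF, DKIM and DMARC verdicts, and checks whether the visible From: domain aligns with the authenticated identifiers. Both messages are constructed samples, and `mx.example.net` is a placeholder for your own inbound server (the authserv-id), whose header is the only one you should trust; the alignment check is a simplified form of DMARC relaxed alignment that does not consult the public suffix list.

```python
"""
Added example (not from the EmailLabs post): parse the Authentication-Results header
that a receiving mail server stamps on a message, report the SPF, DKIM and DMARC
verdicts, and check whether the visible From: domain aligns with the authenticated
identifiers. Both messages below are constructed samples; 'mx.example.net' stands in
for your own inbound server, whose header is the only one you should trust.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.net"  # placeholder authserv-id of your own MX

# Constructed sample 1: a lookalike domain authenticates for itself (SPF/DKIM pass)
# but neither identifier aligns with the brand domain shown in From:, so DMARC fails.
SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.examp1e-bank.com;
 dkim=pass header.d=examp1e-bank.com header.s=sel1;
 dmarc=fail (p=reject) header.from=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.net
Subject: Urgent: confirm your account

Please log in now.
"""

# Constructed sample 2: the brand's own mail, with aligned identifiers.
SAMPLE_LEGITIMATE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example-bank.com;
 dkim=pass header.d=example-bank.com header.s=s2024;
 dmarc=pass (p=reject) header.from=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.net
Subject: Your monthly statement

Statement attached.
"""


def parse_authentication_results(value: str) -> dict:
    """Turn 'authserv-id; method=result prop=value ...; ...' into a dict per method."""
    value = re.sub(r"\s+", " ", value)          # unfold the header
    value = re.sub(r"\([^)]*\)", "", value)     # drop comments such as (p=reject)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {"authserv_id": parts[0].split()[0] if parts else ""}
    for part in parts[1:]:
        tokens = part.split()
        method, _, verdict = tokens[0].partition("=")
        props = {"result": verdict.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def aligned(identifier: str, from_domain: str) -> bool:
    """Simplified relaxed alignment: same domain, or one is a subdomain of the other.
    (Real DMARC relaxed mode compares organizational domains via the public suffix list.)"""
    ident = identifier.rpartition("@")[2].lower()
    if not ident or not from_domain:
        return False
    return ident == from_domain or ident.endswith("." + from_domain) or from_domain.endswith("." + ident)


def assess(raw_message: str) -> dict:
    """Summarize the authentication state of one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_authentication_results(msg.get("Authentication-Results", ""))
    trusted = ar["authserv_id"] == TRUSTED_AUTHSERV_ID
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    return {
        "trusted_header": trusted,
        "from_domain": from_domain,
        "spf": spf.get("result", "none"),
        "dkim": dkim.get("result", "none"),
        "dmarc": dmarc.get("result", "none"),
        "aligned": spf_ok or dkim_ok,
        # Treat as suspicious unless our own MX reported a DMARC pass with alignment.
        "suspicious": not trusted or dmarc.get("result") != "pass" or not (spf_ok or dkim_ok),
    }


if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_LOOKALIKE), ("legitimate", SAMPLE_LEGITIMATE)):
        print(name, assess(sample))
```

The point of re-checking alignment rather than only reading the dmarc= verdict is that a message can legitimately pass SPF and DKIM for a domain the attacker controls while still having nothing to do with the domain the recipient sees in From:; that gap is exactly what DMARC, and in turn BIMI, closes.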
It’s important to note that until now, DMARC was the highest level of domain security – the only one that (thanks to its reporting feature) allowed us to verify who else was sending messages via our domain, thus alerting us to fraud attempts.
However, nowadays, very similar domain names are often used to impersonate the sender – a change of letters or replacement of one of them with another sign makes it more challenging to distinguish them at first glance.
Many brands have set their sights on helping an “average” recipient differentiate real email messages from fake ones. Very interesting articles, podcasts, or webinars are created for this purpose as well. Unfortunately, despite the energy and involvement in educational campaigns, information about phishing reaches only a narrow group of recipients.
The e-commerce industry has been waiting for a long time for a solution that would enable the recognition, at first glance, of a trusted, verified sender who has properly secured their domain. After all, not every recipient reads the detailed information contained in the header.
The answer to this need is BIMI.
BIMI stands for Brand Indicators for Message Identification, which describes a new security standard that allows sender logos, i.e., a brand’s logo, to be displayed in emails within supporting email clients.
The aim of this solution is twofold: on the one hand, it is meant to protect users from phishing attempts, and on the other hand, it allows legitimate brands to confirm their identity.
At the moment, several major mailbox providers support BIMI: Gmail (which requires an additional verified mark certificate, or VMC), Fastmail, and Yahoo! Several other email providers have expressed their willingness to join the program soon and, considering the predictions of marketers and trends described by them for 2022, it has a chance to become an extremely popular standard.
Admittedly, there are other ways to add a logo, such as our native Boost from Interia, the logo in Google Workspace (formerly G Suite), the Avatar in the Postmaster Mail.ru tool, and Bing for Microsoft. However, these are solutions that can be changed or withdrawn at any time, and, above all – they do not provide any confirmation of the implementation of security and possession of relevant rights (like Trademark) to a given brand logo.
It is also worth noting that BIMI ensures control over the use of our registered trademark and the appearance of the brand logos in a place where we did not quite have control before – in the mailbox, directly next to the name of the sender.
The standard allows you to verify the authenticity of the sender in two ways:
And speaking of brand recognition – initial research in foreign markets indicates that recipients are much more likely to open those messages that have the sender’s logo highlighted, as they are more likely to trust them.
The process of implementing BIMI is very simple, provided that we have access to the DNS management console. You need to create a special BIMI TXT record in DNS containing the URL address of the image logo file and, optionally, a VMC URL. This entry should be published in the Organizational Domain.
The logo file must be saved as a version of the Scalable Vector Graphics (SVG) format. The logo should also be properly scaled and should have a solid background (rather than transparent). The recommended file size should not exceed 32 kilobytes, but it can also be significantly smaller.
You can also use an online BIMI record generator to simplify this process.
It is worth noting that to make BIMI work, the domain name must be properly authenticated with SPF, DKIM, and DMARC. Otherwise, BIMI implementation will fail.
When it comes to DMARC, it is necessary to set an enforcement policy (quarantine or reject), which defines what to do when an email fails both SPF and DKIM checks. Many senders still use a none policy (p=none, which does not affect email delivery but still provides DMARC reports) or do not set one at all.
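The following script is an added example, not code from EmailLabs or the BIMI Group, that ties the implementation steps above together: it builds the TXT value to publish at `default._bimi.<domain>` and checks, against constructed DNS records rather than a live resolver, that the DMARC policy is an enforcement policy and that the BIMI record itself is well formed. Domains, logo URLs and certificate URLs are placeholders; SPF and DKIM are assumed to be in place and are not checked. The `pct=100` requirement for a quarantine policy comes from the BIMI specification rather than from the post.

```python
"""
Added example (not from the EmailLabs post): build the TXT value to publish at
default._bimi.<domain> and check, against constructed DNS records instead of a live
resolver, that the DMARC policy is the enforcement policy BIMI requires and that the
BIMI record itself is well formed. Domains, logo URLs and certificate URLs are
placeholders; SPF and DKIM are assumed to be in place and are not checked here.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for DNS TXT lookups, keyed by record name.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.png",
}


def parse_tag_value(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record; DMARC and BIMI share this syntax."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def build_bimi_record(logo_url: str, cert_url: Optional[str] = None) -> str:
    """TXT value for default._bimi.<domain>: logo (l=) plus optional VMC/CMC (a=)."""
    record = f"v=BIMI1; l={logo_url}"
    if cert_url:
        record += f"; a={cert_url}"
    return record


def dmarc_is_enforcing(record: str) -> Tuple[bool, str]:
    """BIMI needs p=reject, or p=quarantine applied to all mail (pct=100)."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return True, "p=reject"
    if policy == "quarantine":
        pct = tags.get("pct", "100")  # pct defaults to 100 when absent
        if pct != "100":
            return False, f"p=quarantine but pct={pct}; only a sample of failing mail is quarantined"
        return True, "p=quarantine; pct=100"
    return False, f"p={policy or '(missing)'} is not an enforcement policy"


def check_bimi_record(record: str) -> List[str]:
    """Return a list of problems; an empty list means the record looks publishable."""
    problems: List[str] = []
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "BIMI1":
        problems.append("missing or wrong version tag (expected v=BIMI1)")
    logo = tags.get("l", "")
    if not logo:
        problems.append("missing l= logo URL")
    else:
        parsed = urlparse(logo)
        if parsed.scheme != "https":
            problems.append("logo URL must use https")
        if not parsed.path.lower().endswith(".svg"):
            problems.append("logo must be an SVG file")
    cert = tags.get("a", "")  # an empty a= is allowed and means "no certificate"
    if cert and urlparse(cert).scheme != "https":
        problems.append("certificate URL must use https")
    return problems


def bimi_readiness(domain: str, dns: Dict[str, str] = SAMPLE_DNS) -> Dict[str, object]:
    """Combine the DMARC and BIMI checks for one organizational domain."""
    dmarc = dns.get(f"_dmarc.{domain}", "")
    bimi = dns.get(f"default._bimi.{domain}", "")
    enforcing, why = dmarc_is_enforcing(dmarc) if dmarc else (False, "no DMARC record")
    problems = check_bimi_record(bimi) if bimi else ["no BIMI record"]
    return {"domain": domain, "dmarc_enforcing": enforcing, "dmarc_note": why,
            "bimi_problems": problems, "ready": enforcing and not problems}


if __name__ == "__main__":
    print(build_bimi_record("https://example.com/brand/logo.svg", "https://example.com/brand/vmc.pem"))
    for d in ("example.com", "weak.example"):
        print(bimi_readiness(d))
```

Running it against a real domain only requires swapping `SAMPLE_DNS` for TXT lookups of `_dmarc.<domain>` and `default._bimi.<domain>`; the record syntax and the checks stay the same.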
[Updated on September 26, 2024]
This post has been updated to reflect Google’s support for Common Mark Certificates (CMC), allowing brands to use BIMI in Gmail without needing a trademark. Learn how these updates expand BIMI’s accessibility and what they mean for your email marketing strategy.
The AuthIndicators Working Group (aka. the BIMI Group) has announced the introduction of Common Mark Certificates (CMC), a new addition to Brand Indicators for Message Identification (BIMI), now supported by Google in Gmail. Previously, brands needed a Verified Mark Certificate (VMC), requiring a trademarked logo, to use BIMI. This trademark requirement was often too costly and time-consuming for smaller businesses. However, with the introduction of CMCs, brands can now display their logos in Gmail without needing a trademark, making BIMI more accessible to a wider range of companies.
Alongside this update, Google has introduced several other BIMI changes. The CMC allows brands to display their logos without the verified blue checkmark that comes with VMCs. Additionally, Gmail will now display BIMI’s verified checkmarks on Android and iOS apps, not just on the web version, for brands using VMCs. This rollout will occur over the next few weeks.
Key updates include:
For businesses considering whether to choose a VMC or a CMC, the main distinction lies in the verified checkmark. VMC requires a trademarked logo and provides Google’s blue checkmark, while CMC offers a more affordable and flexible option without trademark requirements but without the checkmark.
These changes, spearheaded by Google, make BIMI more accessible to businesses of all sizes, enhancing brand visibility and trust in email marketing campaigns.
More information about the changes can be found on the BIMI Group and Google Workspace Updates websites.
Considering how easy it is for fraudsters to find and exploit email addresses, appropriate precautions should be taken so that your customers feel safe opening your messages. After all, it’s the only effective way to maintain an ongoing relationship with them.
By choosing to implement BIMI, you are signaling that you care about the safety of your recipients and being proactive by providing the highest standard of security to make it effortless to identify the safe sender. There is no need to further educate customers on this issue – instead of podcasts, webinars, or articles that don’t always reach the “average” recipient, you simply point out the authenticated messages with verified, brand-controlled logos.
Notably, such practices can effectively discourage potential fraudsters from trying to impersonate your brand while boosting the sender’s reputation. Now, it will be easy to distinguish emails that are fully protected with a displayed logo from fraudulent ones – i.e., without BIMI implemented. There’s also the added benefit of a higher Open Rate, so you can count on increased conversions.
EmailLabs specialists will be happy to assist you in its implementation, so the whole process is quick and efficient. Do you have any questions? Please contact our Support Team.