Email Account Threats

How to Use BIMI in Email for Brand Logos

Share with your network!

Do you want your company’s logo displayed alongside the emails you send to your customers?

Brand Indicators for Message Identification (BIMI) is an emerging set of technical specifications that provides that ability.

Until BIMI, there wasn’t a standardised way for a company to designate what logo they’d like a mailbox provider to use in conjunction with their authorised email. Now using BIMI, participating email clients can display brand logos authorised for use with specified domains.

If a domain fully authenticates its email using Domain-based Message Authentication Reporting and Conformance (DMARC), a mailbox provider can associate the BIMI logo with the email.

UPS BIMI logo example in email

Figure 1: In order to associate the BIMI logo with the email, a domain has to be fully authenticated (DMARC-level authentication on the domain’s DNS).

Why do you need BIMI for email?

The primary driver of BIMI adoption is the desire for brands to engage with their customers within the email inbox. Once the domain sending the email on behalf of the brand is fully authenticated by DMARC, the company’s logo displayed next to the email reinforces the marketing value of the brand. Some companies have stated they've seen an increase in engagement with email that include logos, though BIMI logos are too new to know for certain, yet.

Nonetheless, BIMI is clearly not a security solution. Instead, it gives you some measure of control over your logos displayed within your email marketing campaigns. In order to achieve that control, though, you will have to fully authenticate your legitimate senders. So, that aspect can be considered a security measure as it protects against some forms of identity deception.

How does BIMI in email work?

To take advantage of BIMI, the domain must start by fully authenticating all the email it sends (or that is sent on its behalf). Domains do this by publishing Sender Policy Framework (SPF) records that identify authorised senders and signing the email they send using DomainKeys Identified Mail (DKIM).

Once the domain publishes a DMARC record that protects against spoofing attacks, the domain can publish a BIMI record that identifies the logo an email client can display for fully authenticated email from that domain.

Some mailbox providers (e.g. Yahoo) will accept a self-asserted logo published directly by a domain, while other mailbox providers (e.g. Gmail) require that a logo be verified as being authorised for use by the specified domain. For a company to get the broadest use of their BIMI logo, they can apply for a Verified Mark Certificate (VMC) from an accepted Mark Verifying Authority (MVA). As of this writing, accepted MVAs include DigiCert or Entrust.

How to get started with BIMI in email

BIMI email deployment steps

Figure 2: Take these steps to deploy BIMI in email

Companies interested in deploying BIMI will need to:

  1. Fully authenticate all email sent by or on behalf of their domains using SPF and/or DKIM.
  2. Publish a DMARC “reject” (or 100% “quarantine”) policy.
  3. Create a BIMI logo in the required Scaled Vector Graphics (SVG) Portable/Secure format.
  4. Obtain a VMC for their logo, which must be a trademark registered with an accepted agency, such as the U.S. Patent and Trademark Office (USPTO).
  5. Publish a BIMI record pointing to the logo and VMC files they host on a secure web server.

After a participating mailbox provider authenticates the email, that provider can then display the associated logo.

How long does it take to deploy BIMI?

Deploying BIMI is the short pole in the tent. Usually, it takes about 15 minutes to publish a valid BIMI record. The only potential speed bump in obtaining a VMC for use with BIMI is that it requires the logo be a trademark registered with an acknowledged agency in specific jurisdictions. Registration with the USPTO, as an example, can take upwards of 8 months. There is little you can do to accelerate that.<

While it doesn’t take long to deploy a BIMI logo, going from no DMARC record to a “reject” policy takes significantly longer than publishing a BIMI record. Proofpoint Email Fraud Defense can help accelerate that DMARC implementation process and get organisations to DMARC reject more efficiently.

As you can expect, there’s a bit more to it than that, but these are the basic steps to begin using BIMI in your email. Join our on-demand webinar, to learn how to insert brand logos into email using BIMI. Hear from our experts as they walk you through what BIMI is, how it works, and what steps brands deploying BIMI need to take.

You can also find more information about BIMI, including detailed deployment instructions, on the BIMI Working Group website. Proofpoint customers may also contact their Email Fraud Defense professional services support agent for assistance in deploying BIMI.<