Humanity vs. Email Spoofing: The Endless Battle - BIMI Edition

Hello,
I'm Kawai from the System Solutions Department. The LAN cable in my home is Cat.3.
Recently, I've been receiving so many flyers in my mailbox that the shared trash can is getting really crowded (I'm sure there are many apartment complexes like this).
Regardless of the effectiveness of this marketing technique, it can be said that email is in the same state.
Speaking of email, last year Google updated its email guidelines, announcing that from February 2024 onwards, anyone sending more than 5,000 emails per day would need to properly configure authentication such as SPF, DKIM, and DMARC, which became a hot topic.
In February of this year, the Anti-Phishing Working Group released a report titled "Implementation Status of DMARC, a Sender Domain Authentication Technology," which reported that 83% of Japanese companies have implemented DMARC (Proofpoint survey).
However, because authentication such as DMARC can also be abused depending on policy settings, spam and spoofed emails continue to be a problem, even for personal use.
In this article, I would like to share a technology called BIMI.
What is BIMI?

BIMI (Brand Indicators for Message Identification) is a technology that displays the sender's brand logo in the recipient's email client, enhancing the trustworthiness and brand recognition of emails.
It is a mechanism that displays a logo specified by the sender on emails that have successfully passed DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication.
However, as of March 2025, it has not yet become an RFC and is still in the draft stage at the IETF.
*After a quick search, I found that PayPay Bank had issued a news release.
Click here for Google's 2021 announcement.
Benefits of BIMI Implementation
It is said that there are three main benefits to implementing BIMI:
1. Prevention of spoofed emails:
The official logo is displayed on emails, so recipients can be sure that the email is from a legitimate sender.
This is expected to reduce the damage caused by phishing and spoofed emails.
2. Increased brand recognition and credibility:
Having your logo in your emails makes it more noticeable to recipients, increasing brand recognition and credibility.
3. Increased email open rates:
Similar to benefit 2, but because recipients can visually recognize your brand, they are more likely to open your email.
However, there is a disadvantage, or rather a loophole: if the DMARC policy is not set to "p=quarantine" or "p=reject", there is a possibility that a fake logo may be used, so caution is required.
Overview of BIMI implementation steps
To implement BIMI, you need to follow the steps below. To be honest, it may be a little technically challenging.
Reference: Gmail procedure
1. Setting up sending domain authentication
First, set up the basics: SPF, DKIM, and DMARC, to ensure the legitimacy of the sending domain.
*DMARC authentication is required for BIMI.
2. Prepare the logo.
Create the brand logo to be displayed in the email in SVG format.
This must meet security requirements.
*Security requirements are described separately in "5.2 SVG" of RFC 6170.
3. Obtaining a VMC (Verified Mark Certificate)
Obtain a VMC, a certificate that proves the legitimacy of the logo.
4. Add DNS records
Add a TXT record for BIMI to your company's DNS and specify the logo location and VMC information.
Reference: Adding a BIMI TXT record with your domain provider
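The following is an added example, not code from the article or from any of the providers it mentions. It runs the offline pre-flight checks a practitioner would want before publishing the records from steps 1 to 4: that the DMARC record carries the "p=quarantine" or "p=reject" policy the article says BIMI depends on (the pct=100 and subdomain-policy checks reflect Gmail's published BIMI requirements), that the BIMI TXT record points at HTTPS locations for the logo and the VMC, and that the SVG logo has the basic shape of the SVG Tiny Portable/Secure profile (baseProfile="tiny-ps", a <title>, no scripting, animation, raster images or external references). The sample records, the example.com domain, and the file paths are constructed placeholders; the SVG profile rules are my reading of the profile, not something the article spells out.

```python
import xml.etree.ElementTree as ET

# Constructed sample records for the hypothetical domain example.com.
# These are placeholders, not real DNS data from the article.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com"
SAMPLE_BIMI = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
               "a=https://example.com/brand/vmc.pem")
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
     baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <circle cx="50" cy="50" r="40" fill="#1e90ff"/>
</svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"
# Elements the SVG Tiny P/S profile rules out: scripting, animation,
# raster images and foreign content. A logo containing any of them is refused.
FORBIDDEN_SVG_ELEMENTS = {"script", "animate", "animateMotion", "animateTransform",
                          "set", "image", "foreignObject"}


def parse_tag_value(record):
    """Split a 'k=v; k=v' style DNS TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return the problems that would stop a mailbox provider from showing a BIMI logo."""
    tags = parse_tag_value(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy!r} must be quarantine or reject (p=none is not enough)")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} must be 100 so the policy covers all mail")
    if tags.get("sp") not in (None, "quarantine", "reject"):
        problems.append(f"sp={tags['sp']!r} must be quarantine or reject")
    return problems


def check_bimi(record):
    """Check the shape of the TXT record published at default._bimi.<domain>."""
    tags = parse_tag_value(record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("record must start with v=BIMI1")
    if not tags.get("l", "").startswith("https://"):
        problems.append("l= (logo location) must be an https URL")
    if tags.get("a") and not tags["a"].startswith("https://"):
        problems.append("a= (VMC location) must be an https URL when present")
    return problems


def check_svg(svg_text):
    """Structural checks drawn from the SVG Tiny Portable/Secure profile BIMI logos use."""
    problems = []
    root = ET.fromstring(svg_text)
    if root.tag != SVG_NS + "svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> must declare baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('root <svg> must declare version="1.2"')
    if root.get("x") is not None or root.get("y") is not None:
        problems.append("root <svg> must not carry x or y attributes")
    if root.find(SVG_NS + "title") is None:
        problems.append("a <title> element is required")
    for element in root.iter():
        local_name = element.tag.split("}")[-1]
        if local_name in FORBIDDEN_SVG_ELEMENTS:
            problems.append(f"forbidden element <{local_name}>")
        for attr, value in element.attrib.items():
            attr_name = attr.split("}")[-1]  # strip the xlink namespace if present
            if attr_name.startswith("on"):
                problems.append(f"event handler attribute {attr_name} on <{local_name}>")
            if attr_name == "href" and not value.startswith("#"):
                problems.append(f"external reference {value!r} on <{local_name}>")
    return problems


def preflight(dmarc_record, bimi_record, svg_text):
    """Run all checks; an empty dict means nothing obvious blocks BIMI."""
    report = {"dmarc": check_dmarc(dmarc_record),
              "bimi": check_bimi(bimi_record),
              "svg": check_svg(svg_text)}
    return {name: probs for name, probs in report.items() if probs}


if __name__ == "__main__":
    print(preflight(SAMPLE_DMARC, SAMPLE_BIMI, SAMPLE_SVG) or "no problems found")
    # The loophole case from the article: a monitoring-only DMARC policy.
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"))
```

These checks only look at the text of the records and the logo file; they do not replace the VMC issuance process or the DNS lookups a mailbox provider performs, and a logo that passes check_svg still has to be the one referenced by the certificate.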
BIMI Summary

As mentioned above, there are certain technical hurdles to implementing BIMI, such as setting up DMARC and preparing an SVG logo.
However, overcoming these challenges is expected to improve both email security and brand value, especially for businesses.
(Once it becomes an RFC, it may become more widely used.)
I hope more email clients will support this standard.