Humanity vs. Email Spoofing: The Endless Battle - BIMI Edition

Hello, my home LAN cable is Cat.3. This is Kawai from the System Solutions Department.

Recently, my mailbox has been flooded with flyers, and the shared trash can is overflowing (I imagine many apartment buildings are experiencing this).
Regardless of the effectiveness or merits of this marketing method, the situation with email is quite similar.

Speaking of email, a recent and memorable development was Google's email guidelines, which garnered attention when Google announced that, starting in February 2024, any company sending more than 5,000 emails per day would need to properly configure authentication settings such as SPF, DKIM, and DMARC.

According to "Status of DMARC Implementation," published in February of this year by the Anti-Phishing Council, the DMARC implementation rate in Japan is 83%, meaning that most companies have already implemented it (according to a Proofpoint survey).
However, since authentication methods such as DMARC can be misused depending on policy settings, spam and phishing emails continue to be rampant, even among personal users.

In this article, I would like to share a technology called BIMI.

What is BIMI?

BIMI (Brand Indicators for Message Identification) displays the sender's brand logo in the recipient's email client, enhancing email credibility and brand recognition.
It works by displaying a sender-specified logo for emails that successfully undergo DMARC authentication.
However, as of March 2025, it has not been formalized as an RFC and is still in the draft stage at the IETF.
*A quick search revealed that PayPay Bank has issued a news release regarding this.
*Google's 2021 announcement can be found here.

Benefits of BIMI Implementation

It is said that there are three main benefits to implementing BIMI:

1. Prevention of spoofed emails:
The official logo will be displayed on the email, allowing recipients to determine that it is from a legitimate sender.
This is expected to reduce the damage caused by phishing and spoofed emails.

2. Improved Brand Awareness and Trust:
Displaying your logo in emails makes them more visible to recipients, improving brand awareness and trust.

3. Improving email open rates:
This is similar to the trust mentioned in point 2: because the brand is visually recognizable, recipients are more likely to open the email.

However, as a drawback or loophole, it's important to note that if the DMARC policy is not set to "p=quarantine" or "p=reject," there is a non-zero possibility that a fake logo could be used.

Overview of BIMI implementation steps

Implementing BIMI mainly involves the following steps. To be honest, it might be a bit challenging from a technical standpoint.
Reference: Gmail procedure

1. Setting up sender domain authentication:
First, configure the basic SPF, DKIM, and DMARC settings to ensure the legitimacy of the sender domain.
*DMARC authentication is required for BIMI.

2. Logo Preparation:
Create the brand logo to be displayed in the email in SVG format.
It must meet security requirements.
*Security requirements are described separately in RFC6170, section 5.2 SVG.

3. Obtain a VMC (Verified Mark Certificate):
Obtain a VMC, which is a certificate that proves the legitimacy of the logo.

4. Adding DNS Records:
Add a TXT record for BIMI to your company's DNS, specifying the logo location and VMC information.
Reference: Adding a BIMI TXT Record with Your Domain Provider

BIMI Summary

As mentioned earlier, implementing BIMI involves certain technical hurdles, such as configuring DMARC and preparing SVG logos.
However, overcoming these challenges can be expected to improve both email security and brand value, especially for businesses.
(It may become more widespread once it is formalized as an RFC.)
I hope more email clients will support this standard.


About the author

Kawa Ken

from the Systems Solutions Department
A curious Pokémon