Brand Indicators for Message Identification (BIMI) is an emerging email specification that allows brand images such as logos to appear in the inbox and/or next to the from address in supporting mailbox providers. For the brand's image to be displayed by the mailbox provider, the domain of the email's from header must have a DMARC policy of quarantine or reject, a pct value of 100 (which is the implicit default if pct is not set), and the email must pass DMARC by having an SPF or DKIM check align with the email's from header domain, ensuring that the sending organization's domain has not been spoofed by an attacker. Many mailbox providers support BIMI, including Google, Yahoo, Apple, Fastmail, Comcast, and others, making BIMI a "nice to have" feature for marketers and other newsletter senders once the organization's domain has an enforced DMARC policy. However, it does have a cost, and Microsoft does not currently support displaying BIMI images in its Outlook app or webmail products, so BIMI might not be useful for every organization right now.
BIMI is a draft standard (draft-brand-indicators-for-message-identification) maintained by the BIMI Group, which consists of Fastmail, Google, Mailchimp, Proofpoint, SendGrid, Validity, Valimail, and Yahoo.
Image format
The BIMI image must be in a specialized format called SVG Portable/Secure (SVG P/S).
BIMI certificates
Many mailbox providers (including Google) require the domain using BIMI to have a BIMI certificate issued by a Mark Verifying Authority to prove that a domain has the right to use an image. That way, an attacker cannot abuse BIMI to show a brand image on a lookalike domain. These certificates currently cost around $1,200 per year for a Common Mark Certificate (CMC) without a registered trademark, and around $1,600 per year for a Verified Mark Certificate (VMC) for registered trademarks or government seals. Costs may be lower through resellers and/or with multi-year discounts.
Benefits
- Instant brand recognition in the inbox
- Stronger visual assurance that you are who you say you are
- Supported by many consumer mailbox providers
- Support by Google includes Gmail for consumers and Google Workspace business users
Drawbacks
- Certificates must be purchased
- Current lack of support by Microsoft leaves out a large market, especially B2B
DNS records
The BIMI Assertion Record is a DNS TXT record that tells mailbox providers the HTTPS URL of the image to display and, optionally, the HTTPS URL of the certificate for the image. By default, the BIMI Assertion DNS record is located at the default._bimi subdomain. The default portion is a selector, so that organizations can choose to have a different image for specific emails using the BIMI-Selector email header or Local-Part Selectors.
Note: BIMI Assertion Records can also be used to brand specific subdomains by placing a record at that subdomain. For example, default._bimi.marketing.example.com.
The value of the BIMI Assertion Record is made up of tag=value pairs separated by semicolons.
BIMI Assertion Record tag descriptions
| Tag | Description |
|-----|-------------|
| v | Version (Required). This must have a value of BIMI1. |
| l | Location (Required). The HTTPS URL to the image. |
| a | Authority Evidence Location (Optional). The HTTPS URL to the BIMI certificate. |
| lps | Local-Part-Selectors (Optional). A comma-separated list of allowed Local-Part Selectors. |
| avp | Avatar Preference (Optional). For mail sent to those mailbox providers that participate in BIMI and support the display of personal avatars (e.g., address book or directory images), this flag is a way for the Domain Owner to express its preference as to whether to show the BIMI logo or the personal avatar. Possible values: avatar and brand (Default: brand). |
A domain can explicitly decline to participate in BIMI by publishing a BIMI Assertion Record with empty l and a values (e.g., v=BIMI1; l=; a=;) at the default BIMI selector `default`.
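The following is an added example, not code from the BIMI draft or from any vendor tool, showing how the two DNS-side requirements above fit together: the DMARC prerequisites (p=quarantine or reject, pct=100 with 100 as the implicit default) and the tag=value layout of the BIMI Assertion Record, including the explicit opt-out form with empty l and a values. It works entirely offline on constructed record strings; the record names, URLs and function names are assumptions for illustration, and a real check would feed it the TXT records fetched from DNS.

```python
"""Offline BIMI readiness checks: DMARC prerequisites and BIMI Assertion Record parsing.

Added example, not part of the BIMI specification or any vendor tool. The DNS record
strings in the __main__ block are constructed for illustration, not real lookups.
"""
from urllib.parse import urlparse


def parse_tag_values(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lower-cased, values stripped)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag=value pair: {part!r}")
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def bimi_record_name(domain: str, selector: str = "default") -> str:
    """DNS name of the BIMI Assertion Record: <selector>._bimi.<domain>."""
    return f"{selector}._bimi.{domain}"


def dmarc_allows_bimi(dmarc_record: str) -> list:
    """Return the reasons a DMARC record does NOT meet the BIMI prerequisites.

    An empty list means the policy is enforced: p=quarantine or p=reject and pct=100
    (pct defaults to 100 when absent). SPF/DKIM alignment is a per-message check
    and is not covered here.
    """
    problems = []
    tags = parse_tag_values(dmarc_record)
    if tags.get("v") != "DMARC1":
        problems.append("v tag is not DMARC1")
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy} is not an enforced policy (quarantine or reject required)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        problems.append(f"pct={pct} (BIMI requires the policy to apply to 100% of mail)")
    return problems


def _is_https_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def parse_bimi_record(record: str) -> dict:
    """Validate a BIMI Assertion Record and return its tags plus a 'status' key.

    status is 'declined' for an explicit opt-out (empty l and a), 'ok' when the
    required tags are valid, or 'invalid' with an 'errors' list otherwise.
    """
    tags = parse_tag_values(record)
    errors = []
    if tags.get("v") != "BIMI1":
        errors.append("v tag must be BIMI1")
    location = tags.get("l")
    authority = tags.get("a", "")
    if location is None:
        errors.append("l tag (image location) is required")
    elif location == "":
        if authority == "" and not errors:
            return {**tags, "status": "declined"}  # v=BIMI1; l=; a=;
        if authority != "":
            errors.append("l is empty but a is set; an opt-out record needs both empty")
    elif not _is_https_url(location):
        errors.append("l must be an HTTPS URL")
    if authority and not _is_https_url(authority):
        errors.append("a must be an HTTPS URL when present")
    avp = tags.get("avp", "brand")  # brand is the default preference
    if avp not in ("avatar", "brand"):
        errors.append(f"avp={avp} is not 'avatar' or 'brand'")
    if "lps" in tags:
        tags["lps"] = [s.strip() for s in tags["lps"].split(",") if s.strip()]
    tags["status"] = "ok" if not errors else "invalid"
    if errors:
        tags["errors"] = errors
    return tags


if __name__ == "__main__":
    # Constructed sample records (not real DNS data).
    DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    DMARC_WEAK = "v=DMARC1; p=quarantine; pct=50"
    BIMI_OK = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/brand.pem"
    BIMI_DECLINED = "v=BIMI1; l=; a=;"
    print("lookup name:", bimi_record_name("example.com"))
    for rec in (DMARC_OK, DMARC_WEAK):
        print(rec, "->", dmarc_allows_bimi(rec) or "meets BIMI prerequisites")
    for rec in (BIMI_OK, BIMI_DECLINED):
        print(rec, "->", parse_bimi_record(rec)["status"])
```

The parser treats a record with an empty l and an empty a as a deliberate opt-out rather than an error, so monitoring that flags "invalid" BIMI records does not raise noise for domains that have chosen to decline; an empty l alongside a non-empty a is reported as invalid because it matches neither the normal nor the opt-out form.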