Everything marketers need to know about BIMI: The latest email standard
The latest update to email authentication is being called “DMARC 2.0”. Here’s what you need to know to get your email program in shape for BIMI.
For email marketers, fraud remains a persistent and serious threat to their businesses, brands and their customers.
That’s what the new Brand Indicators for Message Identification (BIMI) standard aims to help fix by giving brands a way to stand out in the inbox while ensuring fraudsters aren’t masquerading as their brand.
But as with anything new, marketers have a lot of questions about just how this new standard works. That’s why we’ve compiled the following guide.
The inundation of malicious spam reaching the inbox is not just a business problem — it’s a serious risk for anybody using email. According to reports from the Federal Bureau of Investigation (FBI), sophisticated email scams successfully target millions of victims, bringing in close to $3.5 billion in losses to businesses and individuals in 2019 alone.
“Criminals are getting so sophisticated,” states chief of the FBI’s Internet Crime Complaint Center (IC3) Donna Gregory in IC3’s annual report. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”
Enter the BIMI Group. Seth Blank, who currently serves as chairman of the AuthIndicators Working Group — also known as the BIMI group — explained that the BIMI initiative came to fruition in response to two distinctly different questions:
- How can the email industry protect email systems (and people using them) from malicious email tactics, including phishing, malware attempts and business email compromise (BEC)?
- How can inbox providers (i.e. Yahoo!) display richer content in the inbox — and how can brands up-level that as a B2C channel?
BIMI serves as a highly visible tactic for authenticating emails by indicating to the recipient that a message is from who it says it is and safe to open. It allows companies to leverage their existing DMARC enforcement policies to increase brand value by displaying logos to their customers. “DMARC is the switch,” said Blank.
So, what is BIMI?
The BIMI standard validates email senders through a multi-step process, verifying that the sender’s data is aligned with the sender’s owned brand domain. If the email passes each step, the brand’s logo will appear in the recipients’ inbox — next to the sender’s name. The recipient can be assured upon seeing the logo that the message is safe to open and isn’t from someone impersonating your brand.
BIMI is a way for brands to publish their logos in their customers’ inboxes and allows logos to be easily incorporated into messaging. BIMI does this with built-in protections that safeguard the brand, application providers and consumers from impersonation attempts.
“By increasing consumer confidence in the authenticity of our messages, we believe brand indicators will increase response rates, magnifying the power and reach of our marketing efforts,” said Torsten Reinert, senior manager messaging delivery at Groupon.
Inbox provider Yahoo! is currently piloting BIMI with a number of brands, including Groupon, Aetna and The Home Depot, among others.
How does BIMI work?
For a BIMI logo to be displayed, the sender needs to have DMARC, SPF and DKIM in place so that the source can be marked as trusted. The brand also needs to publish its logo in a DNS (Domain Name System) record.
BIMI is a text file that resides on your sending server and follows a specific format similar to other email authentication formats like SPF, DKIM, and DMARC. Once the recipient receives the email, the email service (inbox provider) locates the BIMI file to verify the message. Once authenticated, the BIMI file points the recipient’s email service to the brand logo and displays it in the inbox.
Prerequisites for BIMI: While this list of required standards isn’t overwhelmingly long, it is critical to recognize that verifying your email authentication to publish an enforcement-level DMARC record will take time, effort and investment to get right.
The following email authentication standards are required:
- Emails are authenticated with SPF, DKIM, and DMARC
- DMARC policy is at enforcement; set to either “p=quarantine” or “p=reject”
- Publish a BIMI record for the domain in DNS
Logo verification. The next step is to select a logo and work with a Mark Verifying Authority (MVA), an organization that can provide evidence of verification of certain indicator standards, including size, trademark and content, to receive a Verified Mark Certificate (VMC). It is important to note that while obtaining a VMC is not explicitly required for BIMI at this time, the AuthIndicators Working Group anticipates that VMC will become a requirement in the relatively near future.
“The problem this certificate solves is, you have to prove you own the rights to the logo,” Blank said. Last October, CNN became one of the first brands to receive a VMC after working with identity and encryption provider DigiCert to validate the authenticity of the brand’s logo.
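The prerequisites listed above can be checked mechanically. The Python below is an added example, not code from the article or the BIMI group: it parses a domain's DMARC and BIMI TXT records and reports whether the DMARC policy is at enforcement and a BIMI record with a logo location is published (SPF and DKIM results are not checked here). The function names are hypothetical, the records for example.com are constructed samples, and the record locations and the `l=` and `a=` tag names come from the BIMI specification rather than from this page.

```python
# Added example: offline BIMI prerequisite check over TXT record strings.
# example.com and every record below are constructed sample data.

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by tag."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (ready, issues, notes) for one domain's DMARC and BIMI records."""
    issues, notes = [], []
    dmarc = parse_tags(dmarc_txt)   # TXT record at _dmarc.<domain>
    bimi = parse_tags(bimi_txt)     # TXT record at default._bimi.<domain>
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        issues.append("no DMARC record")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC not at enforcement: p=" + (policy or "missing"))
    if bimi.get("v") != "BIMI1":
        issues.append("no BIMI record")
    elif not bimi.get("l", "").lower().startswith("https://"):
        issues.append("BIMI l= (logo location) is not an HTTPS URL")
    elif not bimi.get("a"):
        # The article says a VMC is not required yet, so this is only a note.
        notes.append("no a= (VMC location) published")
    return (not issues, issues, notes)

SAMPLES = {  # constructed records, not real DNS answers
    "enforced": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                 "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"),
    "monitoring": ("v=DMARC1; p=none",
                   "v=BIMI1; l=https://example.com/logo.svg"),
    "no_bimi": ("v=DMARC1; p=quarantine", ""),
}

if __name__ == "__main__":
    for name, (dmarc_txt, bimi_txt) in SAMPLES.items():
        print(name, bimi_readiness(dmarc_txt, bimi_txt))
```

A domain still at `p=none` fails the check even with a BIMI record published, which matches the enforcement requirement in the list above.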
Companies (email senders) receive free added value to their email programs by increasing brand visibility in the inbox by implementing BIMI. It is critical to note, however, that BIMI does not guarantee inbox placement — you still need to follow email best practices and maintain a stellar sender reputation.
BIMI in action
Financial institutions — banks, for example — can use BIMI to display their logo next to their email messages, assuring recipients that the message really was sent by that institution.
Pilot program: initial results
Initial results from the pilot program are encouraging — but the BIMI group reminds us that these results are still early. The group is hopeful that increased pilot programs with brands and inbox providers will continue to yield positive results.
“Early data from the pilot with Yahoo! show increased engagement with emails that display a BIMI logo, on average yielding a 10% increase in open rates,” said Blank.
With widespread use of VMC, BIMI, and DMARC — in addition to existing SPF and DKIM policies — companies will be able to amplify and protect their online presence through authenticated messages to consumers that are instantly recognizable by their known, protected brand marks.