BIMI stands for Brand Indicators for Message Identification. It’s a tool that provides a unified way for brands to show their logos in recipients’ mailboxes. Without BIMI, all you can see there are just uniform letters in colored circles. Here’s Yahoo showing how it looks on desktop and mobile:
Put another way, BIMI is an email authentication method, part of the set that includes SPF, DKIM, and DMARC. Like the rest of them, it’s basically a record, a TXT file that “lives” on the sender’s Domain Name System (DNS) server.
Their jobs are different, but BIMI is the only one “visual” of them:
Those records interact and depend on each other, so although technically you only need DMARC to have a BIMI, with DMARC being SPF/DKIM-aligned, you cannot have one without the other.
The adoption of SPF started in the early 2010s and BIMI was officially introduced in 2021, with its first formalized spec coming in February 2019, which makes it the latest installment in the “series.” Behind the BIMI movement is the AuthIndicators Working Group that includes companies like Google, Verizon Media, Validity, and others.
All four methods exist to prevent domain owners from being impersonated. Without them, emails would look suspicious to recipients and email services and end up in spam.
When a person receives an email, their email provider starts the verification process looking for all security records. As BIMI works alongside DKIM, when a bulk email platform checks for DKIM, it also looks for the presence of BIMI. If it’s there, a provider now has the URL leading to the location of a logo. If the records match, it pulls in the image to display alongside your message.
Some email services (Gmail among them) also need your BIMI record to contain a Verified Mark Certificate (VMC). It’s a certificate that provides evidence that you indeed own your logo as a trademark. More on VMC later in this article.
Why don’t I create my own system to handle logos?#BIMI provides a standard for mailbox providers to display the same logos across platforms. Additionally, it provides verification that logos are approved by a 3rd party.https://t.co/kVwRCQzgQ7
— BIMIgroup (@bimigroup) May 11, 2020
BIMI’s advantages are mainly about security, deliverability, and better marketing.
According to the FBI’s 2022 Internet Crime Report, phishing was the most common crime in digital space last year, with almost all those attacks arriving by email.
BIMI has the potential to make phishing attempts more obvious and raise the awareness about email security among recipients. The standard makes it easier to identify messages that aren’t legitimate which is especially beneficial for commonly impersonated brands and financial organizations like banks. For example, if your bank has been sending you emails with a logo and then suddenly started doing it without it, it’s a good reason to get suspicious.
Can’t a fraudster just copy a BIMI and attach it to their emails? Or else copy a logo?
They can’t. The thing is, since you can’t have BIMI without DMARC, a fraudulent email will come from a domain different from the one specified in the record, and that means spam for an email service.
So, in essence, BIMI means not only good looks but better security by its definition.
But what about those good looks? BIMI has them, too.
There’s much informational noise around us with all the messengers, social networks, and emails. 11 seconds — this is how much time your subscribers are willing to give to your message, according to the 2023 edition of Consumer Email Tracker report by the Data and Marketing Association (DMA). In such a competitive environment, you have to do everything in your power to at least draw their attention to your message.
The same report shows that for 61% of consumers, the top criterion for opening emails is recognition of the sending brand. For another 39% of consumers, it is seeing a brand logo they recognize.
Another feature of BIMI is that it allows you to create a unique logo for each domain and subdomain. This way, you can make separate logos for different departments or products or even change the logo, adapting it for holidays or events.
Does BIMI allow me to support multiple domains and logos?
— BIMIgroup (@bimigroup) April 29, 2020
Currently, #BIMI supports one logo for multiple domains and subdomains.
Read more FAQs here: https://t.co/SsAzaM8Q51
Last but not the least, with BIMI, your emails and your brand will look more solid and trustworthy which means fewer unsubscribes and spam complaints and better deliverability. BIMI visualizes the efforts put into implementing and optimizing DMARC along with the rest of the security measures.
BIMI also means standardized and easier management of logos. While there are other ways to add logos to your emails, the process is more complicated, since it’s different with every email service and sometimes involves of third-party tools and platforms.
BIMI gives you more control over your brand and increases brand value in the inbox. From the brand awareness perspective, there’s nothing better than showing off your logo one extra time. You might not be able to track it just this time around, but it still does its job even when people don’t open your emails.
Q: Tracking brand impressions via the BIMI logo?
— BIMIgroup (@bimigroup) October 9, 2020
A: No - the standard is designed to be privacy friendly and the logos will be cached on the MBPs side. Some aggregate reporting maybe available in the future, like DMARC RUA reporting information. @AntiFreeze @GlobalCyberAlln
By 2023 the support of BIMI has grown, with the major change being in Apple joining the party of supporters. Since Apple Mail constitutes almost 59% of the email client market share, BIMI now has the potential to reach significantly more users than back in 2021. Below you can see the current state of BIMI availability, as shown on the official AuthIndicators Working Group’s website:
OK, but how to become BIMI compliant?
You need to go through several stages that consist of setting up DMARC compliance, setting up your logo, and updating your DNS.
First, as we said already, you need additional authentication records set up for BIMI to work, including SPF, DKIM, and DMARC. You can set them up yourself or ask for the help of your system administrator or your email service provider (ESP) of choice. Here’s a manual on how to set up email authentication in Selzy. Even if your ESP is different, the process will be similar enough.
For your logo to display correctly, make sure:
Check the Implementation Guide for more detailed instructions.
With DMARC done, you’re halfway there. Now choose the logo you want to display.
The main recommendations are that your logo image should be:
We get this question a lot, so we thought we'd make a full article about it!
— BIMIgroup (@bimigroup) June 1, 2021
Q: What dimensions do I use for my #BIMI images?
A: BIMI: Images and resolutions: https://t.co/61jVbduNBT
Once you’ve got your SVG file, store it in a publicly accessible server hosted via HTTPS and enter the URL in the BIMI DNS record.
Now, what’s a VMC?
A Verified Mark Certificate is a digital certificate that confirms your rights to use a certain logo as an officially registered trademark. In other words, this is how you ensure that an email comes from you and not from someone else pretending to be you.
For now, not all email services require the presence of VMC for BIMI compliance. For example, Yahoo shows BIMI logos in their applications without VMC, but Gmail is among those who insist on having one.
VMC is perhaps the only BIMI’s catch: it’s not free. Currently, only 2 certification authorities have the right to issue it:
What’s more, if you want to use several logo variations, you have to provide separate VMCs for each one of them. Many entrepreneurs and marketers agree that the steep price on VMC certificates prevents the majority of small businesses from obtaining BIMI in the first place..
Now comes the moment when you publish a BIMI record for your domain in DNS.
Here’s how you format a BIMI record:
default._bimi.[domain] IN TXT “v=BIMI1; l=[SVG URL]; a=[PEM URL]
Format of a BIMI record: v= validation record format like other tech, l= SVG file location, a= Location of your VCM file.@AntiFreeze @GlobalCyberAlln
— BIMIgroup (@bimigroup) October 9, 2020
Better yet, you can use the BIMI Lookup & Generator to generate a BIMI record for your domain.
After updating your DNS settings, give it about a day and then go to the same BIMI Lookup & Generator. It also lets you check whether a domain has a BIMI record set up.
For example, CNN is one of the real-life examples of BIMI’s use. So if you check cnn.com in the BIMI Lookup & Generator tool, you’ll see that CNN’s domain is indeed BIMI compliant:
Groupon, Visa, Ikea are other examples of top brands that use BIMI.
Note that, you can still can add a logo to your emails without BIMI, and since only about 3% of apex domains globally are BIMI ready and 0,002% have VMC certificates, it means that the majority of brands displaying logos in your inbox do it some other way. For example, messages from Canva come with a colorful logo, but if you check canva.com, the lookup tool will tell you that “BIMI record not found for canva.com”. Yet, BIMI is the only way that can bring any security benefits.
If you’ve done everything and it’s still not working, you might want to get help from your IT specialists, ESP, or reach folks at the BIMI Working group.
Some ideas to help you with possible difficulties:
In 2020-2021, when BIMI was a hot topic, the hopes for its applications were high, and its creators contemplated the idea of outgrowing email boxes:
Q: Are there other use cases for BIMI beyond just email?
— BIMIgroup (@bimigroup) October 9, 2020
A: YES! Email is just the place we are starting, but you could see it appear in other places in the future like search, webstores, social.@AntiFreeze @GlobalCyberAlln
Fast forward to 2023, BIMI use is still reserved to email. However, the developments didn’t stop altogether. In November 2022, Yahoo introduced verified checkmarks as an additional visual cue to help users identify trustworthy brands. Google followed the lead in May 2023, although not without complications.
While Amazon is not on the list of supporters, their very own email platform called Amazon Simple Email Service (SES) supports BIMI, and in March 2023, they launched the feature that allows companies to spot missing or misconfigured BIMI configuration for all of their email sending domains in SES.
However, the main question remains:
While the main argument against BIMI implementation is the high cost of a VMC certificate, it’s important to remember what stands behind BIMI in the first place: security, not looks.
BIMI might make the most sense for big-name brands or industries where a fraudulent email can cause major damage. However, the unpleasant truth is that business of any size could be spoofed. Since SMBs often lack even basic authentication (SPF and DKIM), they become an easy target, meaning they risk losing a good reputation and facing disastrous financial consequences if their subscriber’s money gets stolen.
If you consider potential losses due to the lack of security protocols, going all the way to become BIMI-ready might save you enough money to soon afford a VMC certificate.
The advantages of BIMI:
Once you’ve implemented BIMI, we advise you to measure success and compare the “before” and “after” metrics.
This article was originally published in December 2021 and has been updated in August 2023 to include the latest industry developments and new data.
