BIMI in 2023: Why You Need It and How To Implement It

04 August, 2023
by Kate Shokurova

BIMI emerged in 2020 and started spreading in 2021. Now, in 2023, its benefits are still up for discussion. In this article, we’ll explore what this acronym means for email security, how to implement it, and answer the most pressing question: do you need BIMI in 2023?

What is BIMI?

BIMI stands for Brand Indicators for Message Identification. It’s a tool that provides a unified way for brands to show their logos in recipients’ mailboxes. Without BIMI, all you can see there are just uniform letters in colored circles. Here’s Yahoo showing how it looks on desktop and mobile:

An opened email from Nike displaying their iconic Swoosh logo next to the sender's name. To the right of it, the mobile version of the Yahoo Mail app lists six emails from different senders. Each email is associated with a brand logo placed next to the sender's name, subject line, and snippet.
In desktop clients, you have to open an email to see the logo. On mobile devices, you see logos straight away. Source: Yahoo

Put another way, BIMI is an email authentication method, part of the set that includes SPF, DKIM, and DMARC. Like the rest of them, it’s basically a record, a TXT entry that “lives” on the sender’s Domain Name System (DNS) server.

Their jobs are different, but BIMI is the only “visual” one among them:

  • SPF specifies the mail servers that are allowed to send emails for your domain.
  • DKIM confirms the sender’s identity using a digital signature.
  • DMARC tells email providers what to do with an email depending on SPF and DKIM.
  • BIMI contains the URL to a company’s logo.

Those records interact and depend on each other. Technically you only need DMARC to have BIMI, but since DMARC has to be SPF/DKIM-aligned, you cannot have one without the others.

The adoption of SPF started in the early 2010s and BIMI was officially introduced in 2021, with its first formalized spec coming in February 2019, which makes it the latest installment in the “series.” Behind the BIMI movement is the AuthIndicators Working Group that includes companies like Google, Verizon Media, Validity, and others.

All four methods exist to prevent domain owners from being impersonated. Without them, emails would look suspicious to recipients and email services and end up in spam.

How does a BIMI record work?

When a person receives an email, their email provider starts the verification process looking for all security records. As BIMI works alongside DKIM, when a bulk email platform checks for DKIM, it also looks for the presence of BIMI. If it’s there, a provider now has the URL leading to the location of a logo. If the records match, it pulls in the image to display alongside your message.

Some email services (Gmail among them) also need your BIMI record to contain a Verified Mark Certificate (VMC). It’s a certificate that provides evidence that you indeed own your logo as a trademark. More on VMC later in this article.

Benefits of BIMI for email marketing

BIMI’s advantages are mainly about security, deliverability, and better marketing.

Avoiding phishing attempts

According to the FBI’s 2022 Internet Crime Report, phishing was the most common crime in digital space last year, with almost all those attacks arriving by email.

BIMI has the potential to make phishing attempts more obvious and raise awareness about email security among recipients. The standard makes it easier to identify messages that aren’t legitimate, which is especially beneficial for commonly impersonated brands and financial organizations like banks. For example, if your bank has been sending you emails with a logo and then suddenly starts sending them without it, it’s a good reason to get suspicious.

Can’t a fraudster just copy a BIMI and attach it to their emails? Or else copy a logo?

They can’t. The thing is, since you can’t have BIMI without DMARC, a fraudulent email will come from a domain different from the one specified in the record, and that means spam for an email service.

So, in essence, BIMI means not only good looks but better security by its definition.

Making your emails stand out among others

But what about those good looks? BIMI has them, too.

There’s much informational noise around us with all the messengers, social networks, and emails. 11 seconds — this is how much time your subscribers are willing to give to your message, according to the 2023 edition of Consumer Email Tracker report by the Data and Marketing Association (DMA). In such a competitive environment, you have to do everything in your power to at least draw their attention to your message.

The same report shows that for 61% of consumers, the top criterion for opening emails is recognition of the sending brand. For another 39% of consumers, it is seeing a brand logo they recognize.

Another feature of BIMI is that it allows you to create a unique logo for each domain and subdomain. This way, you can make separate logos for different departments or products or even change the logo, adapting it for holidays or events.

Two logos that belong to an American retailer, Target. One is for winter holidays and looks like a bauble covered in glitter. Another one is the red-and-white target that the brand uses everyday.
A festive and “ordinary” Target logo. Source: Target

Giving you more control and enhancing your brand value

Last but not least, with BIMI, your emails and your brand will look more solid and trustworthy, which means fewer unsubscribes and spam complaints and better deliverability. BIMI visualizes the efforts put into implementing and optimizing DMARC along with the rest of the security measures.

BIMI also means standardized and easier management of logos. While there are other ways to add logos to your emails, the process is more complicated, since it’s different with every email service and sometimes involves third-party tools and platforms.

BIMI gives you more control over your brand and increases brand value in the inbox. From the brand awareness perspective, there’s nothing better than showing off your logo one extra time. You might not be able to track it just this time around, but it still does its job even when people don’t open your emails.

Mailbox providers and email clients supporting the standard

By 2023, support for BIMI has grown, with the major change being Apple joining the list of supporters. Since Apple Mail constitutes almost 59% of the email client market share, BIMI now has the potential to reach significantly more users than back in 2021. Below you can see the current state of BIMI availability, as shown on the official AuthIndicators Working Group’s website:

The logos of companies are divided into three columns depending on whether they support, consider, or do not support BIMI. Among major brands, Apple, Google, and Yahoo support BIMI, Yahoo Japan considers it, and Microsoft does not support it.
Source: AuthIndicators Working Group

How to implement BIMI

OK, but how do you become BIMI compliant?

You need to go through several stages that consist of setting up DMARC compliance, setting up your logo, and updating your DNS.

  1. Be DMARC compliant

First, as we said already, you need additional authentication records set up for BIMI to work, including SPF, DKIM, and DMARC. You can set them up yourself or ask for the help of your system administrator or your email service provider (ESP) of choice. Here’s a manual on how to set up email authentication in Selzy. Even if your ESP is different, the process will be similar enough.

For your logo to display correctly, make sure:

  • The DMARC domain and subdomain policies are either “quarantine” or “reject”.
  • The DMARC percentage tag is set to 100 (pct=100) and nothing else.

Check the Implementation Guide for more detailed instructions.

  2. Create your BIMI logo

With DMARC done, you’re halfway there. Now choose the logo you want to display.

The main recommendations are that your logo image should be:

  • SVG file type
  • Square
  • Free of interactive elements
  • Less than 32KB
  • With solid color background.

Once you’ve got your SVG file, store it in a publicly accessible server hosted via HTTPS and enter the URL in the BIMI DNS record.

  3. Acquire a VMC

Now, what’s a VMC?

A Verified Mark Certificate is a digital certificate that confirms your rights to use a certain logo as an officially registered trademark. In other words, this is how you ensure that an email comes from you and not from someone else pretending to be you.

For now, not all email services require the presence of VMC for BIMI compliance. For example, Yahoo shows BIMI logos in their applications without VMC, but Gmail is among those who insist on having one.

VMC is perhaps BIMI’s only catch: it’s not free. Currently, only 2 certification authorities have the right to issue it:

What’s more, if you want to use several logo variations, you have to provide a separate VMC for each one of them. Many entrepreneurs and marketers agree that the steep price of VMC certificates prevents the majority of small businesses from obtaining BIMI in the first place.

  4. Update DNS

Now comes the moment when you publish a BIMI record for your domain in DNS.

Here’s how you format a BIMI record:

default._bimi.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[PEM URL]"

Better yet, you can use the BIMI Lookup & Generator to generate a BIMI record for your domain.

  5. Check for BIMI

After updating your DNS settings, give it about a day and then go to the same BIMI Lookup & Generator. It also lets you check whether a domain has a BIMI record set up.

For example, CNN is one of the real-life examples of BIMI’s use. So if you check cnn.com in the BIMI Lookup & Generator tool, you’ll see that CNN’s domain is indeed BIMI compliant:

CNN has all three green checkmarks in place (BIMI Record, BIMI SVG Image, and VMC Certificate), which makes the brand 100% compliant
Source: BIMI Lookup & Generator

Groupon, Visa, Ikea are other examples of top brands that use BIMI.

Note that you can still add a logo to your emails without BIMI. Since only about 3% of apex domains globally are BIMI ready and 0.002% have VMC certificates, the majority of brands displaying logos in your inbox do it some other way. For example, messages from Canva come with a colorful logo, but if you check canva.com, the lookup tool will tell you that “BIMI record not found for canva.com”. Yet, BIMI is the only way that can bring any security benefits.
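
An offline check of the DMARC and BIMI requirements from steps 1 to 5, as an added example (not code from the original article or from the BIMI Working Group). The record strings are constructed samples for example.com and the function names are hypothetical; in practice you would pass in the TXT values published at _dmarc.[domain] and default._bimi.[domain].

```python
from urllib.parse import urlparse

# Constructed sample TXT values for example.com (not real records).
GOOD_DMARC = "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com"
GOOD_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_BIMI = "v=BIMI1; l=http://example.com/logo.png"

ENFORCING = ("quarantine", "reject")

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi_ready(dmarc_txt, bimi_txt):
    """Return (errors, warnings) for the DMARC and BIMI checklist in this article."""
    errors, warnings = [], []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)

    if dmarc.get("v") != "DMARC1":
        errors.append("no valid DMARC record (v=DMARC1)")
    if dmarc.get("p", "").lower() not in ENFORCING:
        errors.append("DMARC p= must be quarantine or reject")
    # sp= is optional; when absent, subdomains inherit p=.
    if "sp" in dmarc and dmarc["sp"].lower() not in ENFORCING:
        errors.append("DMARC sp= must be quarantine or reject")
    # pct= is optional and defaults to 100.
    if dmarc.get("pct", "100") != "100":
        errors.append("DMARC pct= must be 100")

    if bimi.get("v") != "BIMI1":
        errors.append("no valid BIMI record (v=BIMI1)")
    logo = urlparse(bimi.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        errors.append("BIMI l= must be an HTTPS URL of an SVG file")
    cert = bimi.get("a", "")
    if not cert:
        warnings.append("no a= VMC URL; providers that require a VMC will not show the logo")
    elif urlparse(cert).scheme != "https":
        errors.append("BIMI a= must be an HTTPS URL of the PEM file")
    return errors, warnings

if __name__ == "__main__":
    for name, d, b in (("good", GOOD_DMARC, GOOD_BIMI), ("weak", WEAK_DMARC, WEAK_BIMI)):
        print(name, check_bimi_ready(d, b))
```

The check covers only the DNS records; it does not download the SVG or validate the certificate itself.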

  6. Troubleshooting

If you’ve done everything and it’s still not working, you might want to get help from your IT specialists, ESP, or reach folks at the BIMI Working group.

Some ideas to help you with possible difficulties:

Building upon BIMI

In 2020-2021, when BIMI was a hot topic, the hopes for its applications were high, and its creators contemplated the idea of outgrowing email boxes:

Fast forward to 2023, BIMI use is still limited to email. However, the developments didn’t stop altogether. In November 2022, Yahoo introduced verified checkmarks as an additional visual cue to help users identify trustworthy brands. Google followed the lead in May 2023, although not without complications.

Yahoo displays a purple checkmark for verified senders and mentions the use of the BIMI standard for verification
Source: Postmaster @ Yahoo & AOL
Google displays a blue checkmark for verified senders and confirms that the sender owns both logo and domain
Source: Google Workspace Updates

While Amazon is not on the list of supporters, their very own email platform called Amazon Simple Email Service (SES) supports BIMI, and in March 2023, they launched the feature that allows companies to spot missing or misconfigured BIMI configuration for all of their email sending domains in SES.

However, the main question remains:

Do I need BIMI in 2023?

While the main argument against BIMI implementation is the high cost of a VMC certificate, it’s important to remember what stands behind BIMI in the first place: security, not looks.

BIMI might make the most sense for big-name brands or industries where a fraudulent email can cause major damage. However, the unpleasant truth is that a business of any size could be spoofed. Since SMBs often lack even basic authentication (SPF and DKIM), they become an easy target, meaning they risk losing a good reputation and facing disastrous financial consequences if their subscribers’ money gets stolen.

If you consider potential losses due to the lack of security protocols, going all the way to become BIMI-ready might save you enough money to soon afford a VMC certificate.

The bottom line

The advantages of BIMI:

  • It protects senders and recipients from phishing attacks and promises better security and deliverability.
  • It makes your messages more visible to your target audience which has the potential to improve your email metrics.
  • It gives you better control of how your brand looks.

Once you’ve implemented BIMI, we advise you to measure success and compare the “before” and “after” metrics.

This article was originally published in December 2021 and has been updated in August 2023 to include the latest industry developments and new data.
