BIMI adds an exciting layer to email authentication
One of the most frustrating things for an email marketer is the shadow of doubt and mistrust that phishing casts on an otherwise highly effective marketing tool.
Phishing emails that claim to be from recognizable brands trick unsuspecting victims into sharing their personal or banking information. This is bad for email marketers because it makes people suspicious of legitimate emails, affecting click rates and impacting conversions.
It makes sense, then, that technology companies are constantly looking for ways to better establish trust and, in doing so, make life harder for phishers.
A working group called the BIMI Group has developed what promises to be another layer in the fight to protect legitimate commercial emails.
Brand Indicator Message Identification, known as BIMI, enables legitimate senders to display their branding in the email inbox. As an addition to SPF, DKIM and DMARC, BIMI makes it harder for cyber scammers to make their phishing emails look legitimate.
The 5 standards of email authentication
How does BIMI work?
It’s important to note that it’s another layer, not a silver bullet. BIMI only works alongside the other four authentication standards – SPF, DKIM, DMARC and ARC.
BIMI is specifically an extension of DMARC that the BIMI Group defines as enhancing a “brand’s value within participating mailboxes, connecting the display of verified logos to the increased protection provided by DMARC enforcement”.
To implement BIMI, a specifically formatted text file is hosted on your email servers. When an email arrives in the recipient’s inbox, the receiving server looks for the BIMI text file and uses it to verify the sender.
As an added bonus to email marketers (because who doesn’t love a bit of branding) the receiving server uses information in the text file to find the sender’s logo, which is then displayed in the inbox.
In an article entitled “What is BIMI and why should marketers care?”, Litmus provides this image from Yahoo! Mail to show how it looks:
Can’t phishers just create the same text file?
They could create a text file, but what they can’t do is successfully validate the BIMI record relative to the sending domain.
Some mail providers will require a certificate to validate the logo against the sender. For BIMI to work, the sender would need a Verified Mark Certificate (VMC), which connects the company, the domain and the trademarked logo, and authenticates them as a package.
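As an added illustration (not code from the original article or from the BIMI Group): a receiver-side eligibility check, assuming the BIMI draft's convention that the formatted text is a DNS TXT record at `default._bimi.<domain>` with `v=`, `l=` and `a=` tags. The records, the `example.com` domain and the function names are constructed for the example; it checks record syntax and DMARC policy only and does not validate the certificate itself.

```python
from urllib.parse import urlparse

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def bimi_problems(bimi_txt, dmarc_txt, require_vmc=False):
    """Return reasons a receiver would withhold the logo; an empty list means eligible."""
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    problems = []
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    logo = bimi.get("l", "")
    if not (is_https(logo) and urlparse(logo).path.lower().endswith(".svg")):
        problems.append("l= must be an https URL to an SVG logo")
    vmc = bimi.get("a", "")
    if vmc and not is_https(vmc):
        problems.append("a= must be an https URL")
    if require_vmc and not vmc:
        problems.append("provider requires a VMC but a= is absent")
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not at enforcement")
    else:
        # Assumption of this example: a partial rollout (pct below 100) is not enforcement.
        pct = dmarc.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            problems.append("DMARC pct is below 100")
    return problems

# Constructed sample records for the placeholder domain example.com.
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
NO_VMC_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITOR_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(bimi_problems(GOOD_BIMI, ENFORCED_DMARC, require_vmc=True))
    print(bimi_problems(GOOD_BIMI, MONITOR_DMARC))
    print(bimi_problems(NO_VMC_BIMI, ENFORCED_DMARC, require_vmc=True))
```

A well-formed BIMI record on a domain whose DMARC policy is still `p=none` is reported as ineligible, which is why publishing the record alone does not get a logo displayed.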
What happens now?
BIMI has been trialed by one webmail provider – Yahoo! Mail – so far. In mid-2019, Google announced that it had joined the working group, and is planning a trial in 2020.
We can expect that as BIMI becomes more mainstream, it will help to build the trust relationship that email marketers so desperately need. It will also positively impact deliverability, as getting an email successfully delivered is very much based on sender reputation.