Experts and marketers generally agree that BIMI (Brand Indicators for Message Identification) is difficult to spoof due to the stringent checks by Certificate Authorities and the expense associated with obtaining a valid Verified Mark Certificate (VMC). However, BIMI implementation is not without drawbacks. The cost of obtaining a VMC can be prohibitive, especially for smaller businesses. Even with a valid VMC, mailbox providers are not obligated to display the logo, and may choose not to if the sender has a poor reputation. BIMI adoption is not universal across all email clients and ISPs, limiting its reach. While BIMI enhances brand recognition, it doesn't guarantee improved deliverability, which still depends on content quality and sender reputation. Technical complexities exist in setting up BIMI, including DMARC compliance, DNS record configuration, and VMC acquisition. There's also a risk of trademark disputes if the logo is too similar to existing trademarks. Ongoing maintenance of DMARC, SPF, and DKIM records is crucial to ensure continued effectiveness.
12 marketer opinions
While BIMI (Brand Indicators for Message Identification) enhances brand recognition in email inboxes, it's not without its drawbacks and potential complexities. Spoofing is considered difficult due to stringent Certificate Authority checks. However, mailbox providers aren't obligated to display BIMI logos, negating the investment for bad actors or those with poor reputations. Implementation requires a Verified Mark Certificate (VMC), which adds cost and complexity, particularly for smaller businesses. BIMI adoption is not universal, limiting the visual impact across all recipients. It doesn't guarantee higher deliverability, as content quality and sender reputation remain crucial. There's also the risk of trademark disputes and the technical challenges of setting up BIMI, including DMARC compliance. Ongoing maintenance of authentication records is necessary to maintain effectiveness.
Marketer view
Email marketer from Reddit explains the risk of trademark disputes with BIMI: if your logo is too similar to an existing trademark, even unintentionally, you might face legal challenges and have to discontinue using the logo for BIMI.
21 Oct 2022 - Reddit
Marketer view
Marketer from Email Geeks reminds senders that mailbox providers don’t HAVE to show your logo, and that if you are a bad actor, they can just not show your BIMI logo, so now you’ve paid money for no reason.
20 Nov 2024 - Email Geeks
4 expert opinions
Experts generally agree that BIMI spoofing is not easily achieved due to the expense and effort required for forgery, including obtaining valid certificates. While BIMI is seen as a worthwhile investment for enhancing brand presence and protecting against spoofing, implementing it correctly involves technical challenges, especially for smaller organizations lacking expertise in DMARC, VMC acquisition, and DNS setup.
Expert view
Expert from Email Geeks shares that they have not seen any BIMI spoofing in action, and that they talk to the cert providers frequently.
2 Nov 2021 - Email Geeks
Expert view
Expert from Spamresource explains that although BIMI has some drawbacks like cost and technical implementation, it's generally considered worthwhile for companies wanting to enhance their brand presence in the inbox and protect against spoofing.
19 Aug 2022 - Spamresource
5 technical articles
BIMI relies on a multi-layered security approach, demanding a Verified Mark Certificate (VMC) from an authorized certification authority, and strict enforcement of a DMARC policy (p=quarantine or p=reject). Strong email authentication standards (SPF, DKIM, DMARC) are foundational to BIMI, ensuring only legitimate senders can display their logos and reducing spoofing risks. Precise adherence to technical specifications for SVG logos, DNS records, and VMC implementation is crucial for proper display. The cost of obtaining a VMC can be a considerable investment, particularly impacting smaller organizations and complicating budget planning.
Technical article
Documentation from Entrust explains that to display a logo with BIMI, a Verified Mark Certificate (VMC) issued by an authorized certification authority is required, adding a layer of validation and cost.
17 Sep 2021 - Entrust
Technical article
Documentation from dmarcian explains that BIMI requires a DMARC policy to be enforced (p=quarantine or p=reject), which can be a hurdle for organizations still working on DMARC implementation. This is a requirement, not optional, for BIMI.
19 Jul 2021 - dmarcian
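The DNS prerequisites summarized in the technical articles above can be checked offline against the TXT records a domain publishes. The following is an added example, not code from the cited articles or from any vendor: it assumes the standard record locations (`_dmarc.<domain>` for DMARC, `default._bimi.<domain>` for BIMI) and the BIMI `l=` (logo) and `a=` (certificate) tags, and the sample records for `example.com` are constructed.

```python
# Added example: offline BIMI readiness check over TXT record strings.
from urllib.parse import urlparse


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def _https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def bimi_findings(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means the record basics are met."""
    findings = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC policy is not enforced (need p=quarantine or p=reject)")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        findings.append("no valid BIMI record")
        return findings
    logo = bimi.get("l", "")
    if not (_https(logo) and urlparse(logo).path.lower().endswith(".svg")):
        findings.append("l= must be an HTTPS URL to an SVG logo")
    if not _https(bimi.get("a", "")):
        findings.append("a= is missing or not HTTPS, so no VMC is published")
    return findings


# Constructed sample records for the placeholder domain example.com.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
NO_VMC_BIMI = "v=BIMI1; l=https://example.com/logo.svg"
GOOD_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

if __name__ == "__main__":
    for d, b in ((WEAK_DMARC, NO_VMC_BIMI), (GOOD_DMARC, GOOD_BIMI)):
        print(bimi_findings(d, b) or "meets the DMARC and BIMI record basics")
```

This only inspects the published records; it does not validate the certificate behind `a=` or the SVG file itself, and a clean result does not oblige any mailbox provider to show the logo.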