Brand Indicators for Message Identification (BIMI) is an email specification that allows brands to display their verified logos next to authenticated email messages in a recipient's inbox. This visual cue significantly enhances brand recognition and helps build trust with your audience. However, BIMI isn't just about putting a logo in front of recipients, it's about ensuring that logo is legitimate and tied to a verified sender.
The entire system hinges on a crucial element: an 'authority'. This authority plays a pivotal role in confirming the legitimacy of the brand's logo and its association with the sending domain. Without this verification step, BIMI would lose its core value of trust and could potentially be exploited by bad actors.
Understanding the function of this authority is key to successfully implementing BIMI and reaping its benefits for email deliverability and brand reputation. It's the mechanism that assures email clients that the logo they're displaying is indeed the official one for the brand sending the email.
The Mark Verifying Authority (MVA)
The Mark Verifying Authority (MVA)
At the heart of the BIMI framework, the 'authority' is most commonly embodied by a Mark Verifying Authority (MVA). An MVA is a trusted entity responsible for verifying that a brand legitimately owns the logo it wants to display via BIMI. This verification process ensures that only authenticated brands can use their logos, preventing imposters from leveraging brand imagery for phishing or spam campaigns.
The MVA acts as an independent third party, much like a certificate authority for SSL/TLS certificates, to confirm the ownership and authenticity of a brand's visual identity. When an email receiver processes a BIMI record, it looks to the MVA to confirm the validity of the associated Verified Mark Certificate (VMC), which, in turn, links the logo to the brand. You can learn more about what kind of organization issues these certificates.
This rigorous verification process is fundamental to BIMI's integrity. Without MVAs, any domain could claim to represent a brand and display its logo, undermining the trust that BIMI is designed to establish. The MVA's stamp of approval is essentially a guarantee that the sender is who they claim to be, offering an additional layer of visual authentication for email recipients.
Key role of the MVA
Verification process: MVAs perform due diligence to confirm a brand's ownership of a logo and its associated domain.
Trust anchor: They act as a trusted third party, giving email clients confidence in the authenticity of the displayed logo.
Phishing prevention: By verifying logo ownership, MVAs help combat brand impersonation and improve email security.
Verified Mark Certificates (VMCs)
Verified Mark Certificates (VMCs)
The verification provided by an MVA is typically encapsulated in a Verified Mark Certificate (VMC). A VMC is a digital certificate that proves the authenticity of your brand's logo and its legal ownership. This certificate is issued by a recognized MVA after they have thoroughly vetted your brand and its trademarked logo. The VMC is then referenced in your BIMI DNS record.
For your brand logo to display in supporting email clients like Gmail and Yahoo, a VMC is almost always a requirement. The process of obtaining a VMC involves several steps, including proving ownership of your trademarked logo and ensuring your domain has a DMARC policy at enforcement (p=quarantine or p=reject).
While VMCs are the standard, there's also the concept of a Common Mark Certificate (CMC) which was an earlier, less stringent form of verification. However, VMCs offer the highest level of assurance because they explicitly link a trademarked logo to a verified sender. For a deeper understanding of the differences, it's worth exploring the nuances between VMC versus CMC certificates.
BIMI without a VMC
Limited display: Many major inbox providers may not display your logo.
Lower trust: Recipients and email clients lack full assurance of logo authenticity.
Brand risk: Increased potential for logo impersonation if not properly secured.
BIMI with a VMC
Guaranteed display: Ensures your logo appears in participating inboxes.
High trust: Validated by a trusted authority, boosting recipient confidence.
Enhanced security: Strong protection against brand spoofing and phishing attacks.
The BIMI DNS record and authority connection
The BIMI DNS record and authority connection
The connection to the authority is explicitly defined within your BIMI DNS TXT record. This record, published in your domain's DNS, contains various tags that instruct receiving email servers on how to retrieve and display your logo. One critical tag is the 'a=' tag, which points to the URL of your VMC, hosted by the MVA.
When an email provider receives an email from your domain, it performs a DNS lookup for your BIMI record. If a BIMI record is found, it then uses the 'l=' tag to find your SVG logo file and the 'a=' tag to locate your VMC. The email provider then contacts the MVA (the authority) at the URL specified by the 'a=' tag to verify the VMC. This handshake between the email provider and the MVA confirms that your logo is indeed authenticated.
Example BIMI DNS recordDNS
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://assets.markverifyingauthority.com/certs/yourdomain.pem;"
The MVA's role, therefore, isn't just a one-time verification. It remains an active participant in the BIMI validation chain, with its certificate server being queried whenever an email client needs to confirm the authenticity of your brand's VMC. This continuous verification process adds a robust layer of security and trust to your email communications.
DMARC's foundational role for BIMI
DMARC's foundational role for BIMI
While the MVA is the direct 'authority' for logo verification, it's essential to remember that BIMI critically relies on a strong DMARC policy set to quarantine or reject. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ensures that your emails are properly authenticated using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
Before you can even consider obtaining a VMC or deploying a BIMI record, your domain must have a DMARC policy at an enforcement level. This means your domain is actively telling receiving mail servers what to do with unauthenticated emails originating from your domain. This foundational security measure prevents unauthorized use of your domain and, consequently, your brand's identity.
Effectively managing your DMARC implementation is crucial for BIMI. Our platform, Suped, offers the most generous free plan for DMARC monitoring, providing AI-powered recommendations to quickly identify and fix authentication issues. This ensures your DMARC policy is robust enough to support BIMI, helping you unlock higher email engagement and protect your brand.
By unifying DMARC, SPF, and DKIM monitoring with blocklist and deliverability insights, Suped provides a comprehensive view of your email ecosystem. This ensures that the essential email authentication protocols are correctly configured and maintained, which is a prerequisite for a successful BIMI deployment.
Enhancing brand trust and recognition
Enhancing brand trust and recognition
The authority in BIMI, primarily the MVA and its issuance of VMCs, plays a critical role in fostering trust and enhancing brand recognition in the digital communication landscape. This system allows your logo to be displayed prominently in email inboxes, creating an immediate visual connection with your audience and reinforcing brand presence. This helps to make your emails stand out in crowded inboxes.
Beyond aesthetics, the verification by a trusted authority signals to recipients that your emails are authentic and not a phishing attempt. This increased trust can lead to higher open rates and engagement, as recipients are more likely to interact with emails they perceive as legitimate. It also helps to differentiate your brand from potential imposters, protecting your reputation.
Implementing BIMI, with the authority's verification, is a strategic step for any brand serious about email security and marketing effectiveness. It aligns with best practices for email authentication, demonstrating a commitment to protecting both your brand and your recipients from email-based threats.
