Brand Indicators for Message Identification, or BIMI, is an email standard that allows you to display your company's logo directly in your customers' inboxes. At its core, it’s about visual verification. When a recipient sees your logo next to your email, it provides an immediate sense of trust and authenticity. However, this system would be meaningless without a strict process of verification. This is where the concept of 'authority' becomes critical.
For BIMI to work, mailbox providers like Gmail and Apple Mail need to be certain that the logo being displayed genuinely belongs to the sender. They can't just take your word for it. Instead, BIMI relies on a chain of trust built upon verification from several trusted authorities. These authorities are responsible for ensuring that your organization is legitimate and that you have the legal right to use the logo you’re presenting. Without them, anyone could impersonate a brand, defeating the entire purpose of BIMI.
The BIMI ecosystem involves a few key players who act as the authorities in the verification process. The primary authorities you will interact with are Certificate Authorities (CAs) and, by extension, Mark Verifying Authorities (MVAs). Each has a distinct but related role in validating your brand and logo.
If you're familiar with SSL/TLS certificates for websites, you already know what a Certificate Authority does. In the context of BIMI, CAs issue a special type of digital certificate called a Verified Mark Certificate (VMC). This certificate is the linchpin of the BIMI standard.
Before a CA issues a VMC, it performs a rigorous validation process. It verifies your organization's identity to ensure it's a legitimate entity. Crucially, it also verifies that you have the legal right to use the logo you’re associating with your emails. This is typically done by confirming that your logo is a registered trademark. The VMC essentially binds your verified, trademarked logo to your domain.
To issue a VMC, the Certificate Authority needs proof that your logo is a registered trademark. This verification is handled by what are known as Mark Verifying Authorities. In many cases, the CA and MVA are the same organization or work in close partnership. The MVA's role is to check with the relevant intellectual property offices (like the USPTO in the United States) to confirm that your logo has been officially registered and is legally protected.
This step is what gives BIMI its strength against spoofing and impersonation. It ensures that only the legitimate owner of a trademarked logo can use it in their emails, preventing bad actors from co-opting brand identities.
While CAs and MVAs are external validators, your own DMARC record acts as a foundational layer of authority. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving servers what to do with messages that fail SPF and DKIM checks.
To be eligible for BIMI, you must have a DMARC policy set to an enforcement level. This means your policy must be either p=quarantine or p=reject. In doing so, you are making an authoritative statement: you are telling the world that you are actively protecting your domain from impersonation, and that unauthenticated mail should not be trusted. This self-declared authority is a non-negotiable prerequisite for mailbox providers to even consider displaying your BIMI logo.
The entire BIMI process relies on this chain of authority to create a secure and trustworthy experience. The process looks like this:
When you send an email, the recipient's mail server performs a series of checks. It validates your DMARC record, finds your BIMI record, fetches the VMC, and verifies the certificate's authenticity with the issuing CA. If everything checks out, your logo is displayed. This system of checks and balances, governed by these authorities, ensures that BIMI plays a role in anti-abuse efforts and makes the inbox a safer place for everyone.
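The first two checks in that sequence (an enforced DMARC policy, then a BIMI record that points at a logo and a VMC) can be tested offline before anything is published. The following is an added example, not code from this article or from any BIMI implementation. The record strings and the example.com domain are constructed, the `v=`, `p=`, `l=` and `a=` tags come from the DMARC and BIMI record formats rather than from this page, and the check stops before fetching or validating the certificate itself.

```python
# Added example: offline pre-flight of the two DNS TXT records a receiver reads
# before it fetches the VMC. All sample records below are constructed.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict keyed by tag."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforced(dmarc_txt):
    """True only for a DMARC record with p=quarantine or p=reject."""
    tags = parse_tags(dmarc_txt)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ("quarantine", "reject")

def bimi_preflight(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    if not dmarc_enforced(dmarc_txt):
        problems.append("DMARC policy is not p=quarantine or p=reject")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("no BIMI record (v=BIMI1) found")
        return problems
    # Assumption: a= is treated as mandatory because the chain described above
    # depends on the VMC; l= is the logo location.
    for tag, what in (("l", "logo"), ("a", "VMC")):
        if not bimi.get(tag, "").lower().startswith("https://"):
            problems.append(f"{what} URL in {tag}= is missing or not HTTPS")
    return problems

# Constructed records for the placeholder domain example.com.
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none"
BIMI_FULL = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/logo.svg"

if __name__ == "__main__":
    for dmarc, bimi in ((DMARC_REJECT, BIMI_FULL), (DMARC_NONE, BIMI_FULL),
                        (DMARC_REJECT, BIMI_NO_VMC), (DMARC_REJECT, None)):
        print(bimi_preflight(dmarc, bimi) or "eligible for the VMC fetch step")
```

An empty result only means the records are shaped correctly; the receiver still has to validate the VMC against its issuing CA before showing the logo.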