
Should BIMI assets be protected by CDN or bot protection?

Matthew Whittaker
Co-founder & CTO, Suped
Published 15 Nov 2025
Updated 15 Nov 2025
7 min read
Brand Indicators for Message Identification (BIMI) is an email standard that allows organizations to display their verified brand logo next to their sender information in the inbox. It's a powerful tool for increasing brand recognition and trust, giving customers immediate visual confirmation of an email's legitimacy. However, the successful implementation of BIMI hinges on careful configuration, particularly concerning where and how your BIMI logo assets are hosted.
A common pitfall that I've observed is when companies inadvertently place their BIMI SVG logo files behind Content Delivery Networks (CDNs) or aggressive bot protection systems. While CDNs and bot protection are essential for website security and performance, they can unintentionally interfere with how email clients retrieve and display your BIMI logo. This creates a scenario where the very systems meant to protect your brand online end up preventing your logo from appearing in recipient inboxes.
When BIMI assets are hosted behind such protective layers, the automated systems of Mail Transfer Agents (MTAs) and email clients, which are responsible for fetching the SVG logo, can be mistaken for malicious bots and subsequently blocked. This results in the BIMI logo failing to display, undermining the entire purpose of implementing the standard. Understanding the delicate balance between asset security and accessibility is crucial for a successful BIMI rollout.

Why BIMI assets need to be accessible

BIMI's primary function is to boost brand trust and recognition by displaying a verified logo in the inbox. This visual confirmation helps recipients quickly identify legitimate emails and differentiate them from phishing attempts. For this to work, your email domain must have robust authentication in place, specifically DMARC configured with a policy of at least quarantine or reject. This ensures that only authorized emails are delivered, strengthening your sender reputation.
Once DMARC is properly set up, the BIMI record specifies the URL where the SVG logo is hosted. Email clients then attempt to retrieve this logo from the specified HTTPS endpoint. If the logo isn't accessible, it won't be displayed, negating the benefits of BIMI. The goal is to make the logo universally available for fetching, without compromising security.
Many ask, does BIMI offer protection against brand impersonation? The answer is yes, indirectly. By requiring strong email authentication, BIMI makes it harder for malicious actors to spoof your domain successfully, as their emails won't pass DMARC and therefore won't display your logo. This visible sign of authenticity reinforces consumer trust and helps combat phishing attacks, as outlined by the BIMI Group's insights.

The pitfall of CDN and bot protection

Content Delivery Networks (CDNs) and bot protection services are crucial for modern web infrastructure. CDNs improve website speed and reliability by distributing content geographically, while bot protection shields against automated threats like scraping, credential stuffing, and DDoS attacks. These systems are designed to scrutinize incoming traffic and block anything that appears suspicious or non-human.
The issue arises because the automated processes that email clients use to fetch BIMI SVG files can sometimes be flagged as bot-like behavior. These are not human users browsing a website but rather server-side systems making programmatic requests. In such cases, the CDN or bot protection might block the request, preventing the BIMI logo from being successfully retrieved. I've encountered instances where major companies like UPS and REI, both using Akamai, faced this exact problem, leading to curl or wget timeouts for BIMI validators.
Unintended consequences of over-protection: While protecting your website assets is critical, applying the same aggressive bot protection to your BIMI SVG file can ironically harm your brand's visibility. Email clients need unrestricted access to this specific asset to display your logo.
The core of the issue is that BIMI requires the SVG to be publicly accessible via HTTPS. If your CDN or bot protection system blocks the fetching attempts, your logo simply won't appear. This can be particularly frustrating when you've invested in validating your BIMI SVG and certificate, only to find the display is still inconsistent due to an external blocking mechanism.
Purpose of CDN & Bot Protection
CDNs primarily enhance website performance and availability by distributing content across multiple servers. Bot protection shields against automated threats.
  1. Traffic management: Optimizing content delivery for speed and reliability.
  2. DDoS mitigation: Protecting against denial-of-service attacks.
  3. Bot filtering: Blocking malicious or unwanted automated traffic.
  4. Security: Shielding web servers from various cyber threats.
BIMI asset requirements
For BIMI to function correctly, the SVG logo file must be readily accessible to all Mail Transfer Agents and email clients.
  1. Public accessibility: SVG files must be retrievable from any internet location.
  2. No authentication: MTAs typically do not perform authentication for logo retrieval.
  3. Uninterrupted fetching: Automated systems must be able to fetch the image without being flagged.
  4. HTTPS requirement: All BIMI assets must be hosted securely via HTTPS.

Best practices for hosting BIMI SVG files

The most crucial best practice for hosting your BIMI SVG file is to ensure it is hosted on a publicly accessible HTTPS endpoint, free from any aggressive bot protection or authentication layers. Think of it as a public signpost for your brand that needs to be visible to everyone, everywhere, without obstacles. The Email on Acid guide on creating a BIMI logo also highlights this essential requirement.
While a CDN can be used, ensure that the specific URL for your BIMI SVG is whitelisted or excluded from any bot detection or rate-limiting rules. The SVG should be served as a static asset, accessible directly via its HTTPS URL. You can verify its accessibility by requesting the URL from several network locations with simple command-line tools like curl or wget; because BIMI requires the SVG to be publicly accessible, every such request should return the file without a challenge or block.
Example BIMI DNS TXT record
default._bimi.yourdomain.com IN TXT "v=BIMI1;l=https://cdn.yourdomain.com/yourlogo.svg;a=https://yourdomain.com/vmc.pem;"
The example above shows how the l= tag points to your logo's URL. If this URL is protected, BIMI will fail. When setting up DMARC for BIMI, keep the following hosting requirements in mind.

Requirement | Description | Impact of non-compliance
Public accessibility | SVG file must be fetchable by any email system globally. | Logo will not display, hurting brand presence.
HTTPS hosting | The SVG must be served over a secure HTTPS connection. | BIMI will fail to validate and the logo won't show.
No bot protection | Aggressive bot filtering can block legitimate email clients. | Logo retrieval attempts will time out or be denied.
Static URL | The SVG file's URL should be stable and unchanging. | Inconsistent logo display if the URL changes.
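As an added example (not code from this article or from Suped), the following Python script automates the check described above: it parses a BIMI TXT record of the same shape as the example, confirms the l= location is an HTTPS URL, and classifies what a fetch returned so that a 403 or an HTML challenge page from a CDN or bot-protection layer is reported as a block rather than a logo. The record and hostnames are constructed placeholders, and the DNS lookup of the default._bimi record is left to your resolver.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed record with the same shape as the TXT example in this article.
SAMPLE_RECORD = "v=BIMI1;l=https://cdn.example.com/logo.svg;a=https://example.com/vmc.pem;"

def parse_bimi_record(txt):
    """Split a BIMI TXT record into its tag=value pairs (v, l, a)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("not a BIMI1 record")
    return tags

def is_valid_logo_url(url):
    """BIMI requires the l= location to be an HTTPS URL with a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def classify_response(status, content_type, body):
    """Return 'ok', 'not_svg' or 'blocked_or_error' for a fetch result.

    A CDN or bot-protection layer that intercepts the request usually
    answers 403/429/503 or serves a text/html challenge page instead of
    the image; either way the logo will not display in the inbox.
    """
    if status != 200:
        return "blocked_or_error"
    if "svg" not in content_type.lower() or b"<svg" not in body[:4096]:
        return "not_svg"
    return "ok"

def fetch_logo(url, timeout=10):
    """Fetch like an MTA would: no cookies, no JavaScript, a plain User-Agent.

    Makes a real network request; pass the result to classify_response().
    """
    req = urllib.request.Request(url, headers={"User-Agent": "bimi-logo-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as exc:
        # A 403 from bot protection lands here instead of as a 200.
        return exc.code, exc.headers.get("Content-Type", ""), b""
```

Run `classify_response(*fetch_logo(parse_bimi_record(record)["l"]))` from a few different networks; anything other than "ok" means the logo will not be shown by clients fetching from that vantage point.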

Views from the trenches

Best practices
Always host BIMI SVG files on a simple, dedicated HTTPS endpoint with minimal security layers.
Regularly test the accessibility of your BIMI SVG URL from various network locations using tools like curl.
Ensure that any CDN or bot protection rules have explicit exclusions for your BIMI SVG asset's URL.
Verify that your DMARC policy is set to p=quarantine or p=reject for consistent BIMI display.
Common pitfalls
Placing BIMI assets behind aggressive bot protection systems that block automated fetching attempts.
Assuming a CDN will automatically make BIMI assets accessible without specific configuration for email client access.
Not regularly monitoring BIMI logo display, leading to unnoticed issues with asset accessibility.
Using a non-HTTPS URL for the BIMI SVG, which will cause BIMI to fail validation.
Expert tips
Use a subdomain specifically for static assets like BIMI logos to isolate them from main website traffic and security policies.
Consult with your CDN provider to understand how to whitelist specific paths or file types for unhindered access.
Implement robust DMARC monitoring to catch any issues related to BIMI alignment or asset fetching.
Keep your BIMI SVG file size optimized to ensure quick loading for email clients.
Expert view
Expert from Email Geeks says hosting BIMI assets behind CDN or bot protection makes retrieval problematic, leading to timeouts.
2024-09-27 - Email Geeks
Marketer view
Marketer from Email Geeks says they have seen BIMI logos fail to load on their mini-website because a CDN aggressively blocked perceived bot traffic.
2024-09-27 - Email Geeks

Ensuring your brand's visibility

Achieving consistent BIMI logo display is a critical step in leveraging this standard for brand visibility and trust. The key takeaway is that while CDNs and bot protection are vital for overall web security and performance, they require specific configuration to ensure your BIMI SVG assets remain publicly accessible to email clients. Over-protection can inadvertently hinder your brand's presence where it matters most: the inbox.
For a successful BIMI implementation, a robust DMARC foundation is non-negotiable. This is where a comprehensive DMARC monitoring solution becomes invaluable. With Suped's DMARC monitoring, you get AI-powered recommendations to fix issues, real-time alerts, and a unified platform that brings together DMARC, SPF, and DKIM monitoring with deliverability insights. Suped also offers SPF flattening to keep your SPF records within limits, essential for many senders.
By actively monitoring your DMARC reports and ensuring your BIMI assets are correctly configured for public access, you can unlock the full potential of brand visibility in the inbox. Suped makes managing DMARC accessible for everyone, from SMBs to large enterprises and MSPs, with a feature-rich free plan designed to simplify your email security journey. Take control of your email authentication and brand presence today.
