Why did BIMI disappear from Gmail and when will it be restored?

Key findings

• Temporary pause: Gmail temporarily disabled BIMI visibility due to a bug exploit by scammers, impacting logos and checkmarks for some senders.
• Impact on senders: While initially appearing to affect emails with multiple DKIM signatures, the pause also impacted a fair number of single-signed emails.
• Security measure: The action was a necessary step by Google to fix an issue that allowed scammers to impersonate brands convincingly using BIMI.
• Gradual restoration: BIMI display and blue checkmarks began to return for affected senders, indicating a slow, phased restoration of the feature.
• Underscores authentication: The incident highlights the critical importance of robust email authentication protocols such as DMARC, SPF, and DKIM, as they are foundational for BIMI and overall email deliverability.

Key considerations

• Monitor your BIMI status: While Google works on a permanent fix, continue to monitor your BIMI display status, especially if you were affected by the pause.
• Ensure proper configuration: Double-check your BIMI records and DMARC policy to ensure they are correctly set up and enforced to prevent future display issues.
• Understand Google's actions: Recognize that temporary service adjustments by major email providers like Google are sometimes necessary to maintain ecosystem security.
• Stay updated: Follow official announcements and community discussions, like those on Twitter, regarding BIMI status and any further changes.

Key opinions

• Sudden disappearance: Many marketers reported that their BIMI logos and checkmarks simply vanished from Gmail inboxes without warning.
• Double DKIM focus: Some initially believed the problem was confined to emails with multiple DKIM signatures, a configuration often associated with using ESPs.
• Broader impact: Later observations revealed that single-signed emails were also affected, indicating the issue wasn't solely tied to double DKIM.
• Gradual return: Marketers noted a slow return of BIMI logos, with some seeing them reappear after a day or two.
• Brand visibility concern: The disappearance caused concern about maintaining brand trust and recognition within the inbox.

Key considerations

• Anticipate temporary issues: Marketers should be prepared for occasional, temporary disruptions to visual inbox features as email providers adjust security protocols.
• Verify BIMI requirements: Ensure your BIMI setup (including VMC and DMARC policy) is always compliant, minimizing risks of non-display from your end.
• Maintain strong fundamentals: Focus on overall email deliverability health, as BIMI is an enhancement, not a replacement, for core authentication.
• Communicate internally: If BIMI disappears, inform your marketing and brand teams that it's likely a temporary provider issue and not a problem with your configuration.

Key opinions

• Scammer exploitation: The primary reason for BIMI's pause was a bug in Gmail that allowed scammers to effectively impersonate brands.
• Google's response: Gmail's temporary disabling of BIMI was a proactive and sensible step to mitigate the vulnerability.
• Focus on double DKIM: Initially, the issue was highlighted as impacting emails with multiple DKIM signatures, which are common for ESPs, as shared by Keith Kouzmanoff on Twitter.
• Bug resolution: Google quickly reopened and addressed the bug request after public attention, leading to BIMI's return.
• System integrity: Such temporary service adjustments are critical for maintaining the security and reliability of the email ecosystem.

Key considerations

• Understand security dynamics: Recognize that email security is an ongoing battle against evolving threats, requiring providers to make real-time adjustments.
• Beyond visual cues: While BIMI offers visual trust, true email security and deliverability rely on the underlying authentication protocols.
• Review implementation: Even if your BIMI appeared to be working, this incident is a good prompt to review your setup and ensure best practices.
• Monitor reports: Pay close attention to DMARC reports for insights into authentication failures or issues affecting your email streams.

Key findings

• Purpose of BIMI: BIMI is designed to display verified brand logos in the recipient's inbox, enhancing trust and brand recognition.
• Authentication prerequisites: Consistent BIMI display requires a robust DMARC policy (at 'quarantine' or 'reject') and properly configured SPF and DKIM records.
• VMC requirement: For some providers, a Verified Mark Certificate (VMC) from an accredited certificate authority is essential for BIMI validation.
• Client-side dependency: The actual display of BIMI logos can vary between email clients based on their implementation of the standard.
• Trademark necessity: The logo used for BIMI must be a registered trademark to be eligible for a VMC.

Key considerations

• Adhere to standards: Strict adherence to BIMI, DMARC, SPF, and DKIM standards is crucial for consistent logo display.
• Validate assets: Ensure your SVG logo and VMC are correctly formatted and validated according to specifications.
• Monitor DMARC reports: Regularly analyze DMARC reports to identify any authentication failures that could impede BIMI display.
• Understand client support: Be aware that not all email clients support BIMI equally, and display can vary.