
BIMI: Emerging Standard Aims to Address DMARC Shortcomings

BIMI is an emerging email specification that enables the use of brand logos within supported email clients

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a proven method of preventing the sender identity fraud (domain spoofing) that is widely used in phishing attacks. But it suffers from major drawbacks that have delayed, if not prevented, its widespread adoption. Brand Indicators for Message Identification (BIMI) is a new, additional standard that could help solve this.

DMARC, when published at an enforcing policy (p=quarantine or p=reject) and honored by the receiving mail server, causes mail that fails SPF or DKIM alignment for the enforcing domain to be quarantined or rejected rather than delivered. It protects the brand of the domain owner, and protects the service user from phishing that spoofs that domain.

But it is expensive and difficult to implement well. A DMARC policy only covers domains the provider itself controls, so to be fully effective the provider needs to register, and publish an enforcing DMARC policy for, every domain that could be confused with its primary domain or domains and abused by criminals. Any domain missed remains a route for the phishers to carry on phishing.

For the service user, there is no immediately apparent way of knowing whether the provider is using DMARC. If the user merely believes the provider is using DMARC, that belief can produce a false and relaxed sense of security: a look-alike domain could be assumed to be protected when it isn't, and the content of what is really a phishing email could be assumed to be safe when it isn't.

BIMI addresses this by letting a sender whose domain passes DMARC at an enforcing policy have a verified logo displayed next to its genuine emails in the inbox. Since look-alike domains should not, in theory, be able to obtain a certified logo, the user can see at a glance that the email is genuine.

Everyone gains. The service provider does not suffer brand dilution from being associated with spam and phishing, while the user can be more confident that the email is genuine. The service provider also gets a marketing benefit from thousands, eventually millions, of additional logo impressions, and DMARC benefits because providers have an additional incentive to deploy it at an enforcing policy across their domains.

BIMI was conceived and founded by Valimail. “The team at Valimail founded, named, and resourced the BIMI standard. We’ve been an avid supporter of BIMI since Valimail’s founding in 2015,” said Seth Blank, chair of the AuthIndicators Working Group (BIMI’s creators) and chief product officer at Valimail. “With a goal to improve the ecosystem for everyone, BIMI enables brands to deliver their logos alongside email messages to billions of inboxes worldwide, increasing customer engagement with those messages and boosting brand trust.”

Email recipients can see BIMI as an immediate and visual confirmation that the email has come from the official source protected by DMARC. Since 89% of all phishing attacks start with sender identity fraud, DMARC is an essential safeguard against one of the most pernicious and successful cyberattacks experienced today.

At its inception, BIMI was only available on mobile devices. But on Monday July 12, 2021, Valimail announced a new product called Amplify that brings BIMI to the wider world of email, enabling users of Gmail, AOL, Yahoo Mail, Fastmail and other mailbox providers to display logos next to an email message, indicating it has been authenticated.

Two steps are required for a service provider to implement BIMI. Firstly, it must implement DMARC at an enforcing policy (quarantine or reject). Secondly, it must obtain a Verified Mark Certificate (VMC), associated with the DMARC implementation, for the logo that will be used, and point to both the logo and the certificate from a BIMI record in DNS. For the VMC, Valimail has partnered with leading certificate providers DigiCert and Entrust to establish a process for providers to acquire one. VMCs are currently tied to registered trademarks from select jurisdictions, but there are plans to expand access to additional jurisdictions and to add options for unregistered trademark logos.
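To make the DMARC prerequisite and the BIMI publication step concrete, here is an added example that is not code from the article, Valimail or the BIMI working group. It checks a domain's DNS for BIMI readiness: it parses the DMARC record at _dmarc.<domain> and the BIMI record at <selector>._bimi.<domain> and lists anything that would stop a logo from being displayed. The domain names and TXT answers in FAKE_DNS are constructed sample data so the script runs offline, and the helper names (lookup_txt, check_bimi and the rest) are my own. The DMARC conditions it checks (p=quarantine or p=reject, pct=100, sp not none) are what the BIMI specification requires; the a= tag that references the VMC is optional in the specification but is needed at mailbox providers that insist on a certificate before showing a logo.

```python
"""Check a domain's DNS for BIMI readiness (added example, not the article's code).

DNS answers are constructed inline so this runs offline. To check live domains,
replace lookup_txt() with a real resolver query (e.g. dnspython) for TXT records.
"""

# Constructed sample TXT answers keyed by DNS name (assumed, not real records).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; "
                                 "a=https://example.com/brand/vmc.pem",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "default._bimi.example.net": "v=BIMI1; l=https://example.net/logo.svg;",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=50",
}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup; returns the record string or None."""
    return FAKE_DNS.get(name)


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list used by both DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_problems(tags):
    """Return reasons a DMARC record does not meet BIMI's enforcement requirement."""
    problems = []
    if tags.get("v", "").upper() != "DMARC1":
        problems.append("DMARC record is not v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC policy p={policy or 'missing'} is not enforcing "
                        "(need quarantine or reject)")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if pct != "100":
        problems.append(f"DMARC pct={pct} applies the policy to only part of the "
                        "mail stream (need 100)")
    if tags.get("sp", "").lower() == "none":
        problems.append("DMARC subdomain policy sp=none leaves subdomains unprotected")
    return problems


def check_bimi(domain, selector="default"):
    """Return a list of problems; an empty list means the domain is BIMI-ready."""
    problems = []
    dmarc_raw = lookup_txt(f"_dmarc.{domain}")
    if dmarc_raw is None:
        problems.append(f"no DMARC record at _dmarc.{domain}")
    else:
        problems.extend(dmarc_problems(parse_tags(dmarc_raw)))

    bimi_name = f"{selector}._bimi.{domain}"
    bimi_raw = lookup_txt(bimi_name)
    if bimi_raw is None:
        problems.append(f"no BIMI record at {bimi_name}")
        return problems

    tags = parse_tags(bimi_raw)
    if tags.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record is not v=BIMI1")
    logo = tags.get("l", "")
    if not logo:
        # An empty l= tag is how a domain declines to publish a logo.
        problems.append("BIMI l= tag is empty or missing: no logo is published")
    elif not logo.lower().startswith("https://"):
        problems.append("BIMI logo URL must be served over HTTPS")
    if not tags.get("a"):
        problems.append("BIMI a= tag is missing: no VMC referenced, so providers "
                        "that require a certificate will not show the logo")
    return problems


if __name__ == "__main__":
    for domain in ("example.com", "example.net", "example.org"):
        print(domain, "->", check_bimi(domain) or ["ready for BIMI"])
```

The check mirrors the order in which a mailbox provider evaluates a message: if the DMARC record is missing or not enforcing, the BIMI record is irrelevant, because the logo is only ever shown for mail that passed DMARC under that policy.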

“DigiCert’s partnership with Valimail simplifies BIMI compliance with VMCs and DMARC enforcement — a strategy designed to deliver more consistent, secure email for businesses and consumers,” comments DigiCert senior director of business development, Dean Coclin. “We anticipate growing demand for digital certificates displaying verified logos in email and are developing scalable solutions to help companies be ready on day one.”

“We are now seeing growing momentum for BIMI standards as brands recognize the opportunity to strengthen authentication and verified brand recognition in critical email communications,” adds Chris Bailey, VP of trust services at Entrust.

BIMI can be viewed as a visual email certificate. Certificates, however, have a history of being abused by criminals. The long-term success of BIMI will depend on whether Valimail and its partners can protect VMC issuance and use better than the industry has historically protected certificates.

Related: Under New Ownership, DigiCert Expands into Verified Mark Certificates

Related: Nearly 1 Million Domains Use DMARC, but Only 13% Prevent Email Spoofing

Related: Threat from Spoofed Emails Grows, While DMARC Implementation Lags

Related: Verizon DBIR 2021: Ransomware, Web App and Phishing Attacks Dominate

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.