BIMI: Emerging Standard Aims to Address DMARC Shortcomings

BIMI is an emerging email specification that enables the use of brand logos within supported email clients

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a proven method of preventing the sender identity fraud that is widely used in phishing attacks. But it suffers from major drawbacks that have slowed, if not prevented, its widespread adoption. Brand Indicators for Message Identification (BIMI) is a new, complementary standard that could address some of them.

DMARC, when published at its strictest policy (p=reject) and honored by the receiving mail server, stops the delivery of mail whose From: domain is not authenticated by SPF or DKIM as aligned with the enforcing domain. It protects the brand of the service provider, and protects the service user from phishing attacks.
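As an added illustration (not code from the article or from Valimail), the following Python sketch shows what "authenticated" means in the DMARC sense: a message passes only when SPF or DKIM produced a pass and the domain that passed is aligned with the From: domain the user actually sees; otherwise the record's p= policy applies. The DNS record, the domain names and the three sets of authentication results are constructed for the example.

```python
"""DMARC verdict for one message: identifier alignment plus policy lookup.

Added example, not code from the article or from Valimail. The DNS record
and the authentication results below are constructed for illustration;
a real receiver obtains them from DNS and from its own SPF/DKIM checks.
"""
from dataclasses import dataclass


def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' tag syntax used by DMARC TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    A real implementation consults the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed,
    the default) needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # 'pass', 'fail', 'none', ...
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated on
    dkim_result: str
    dkim_domain: str   # d= of the DKIM signature that verified, '' if none


def dmarc_verdict(record: str, r: AuthResults) -> tuple:
    """Return (passes, disposition).

    DMARC passes when SPF or DKIM both produced 'pass' *and* its domain is
    aligned with the From: domain. On failure the disposition is the
    record's p= policy; without a valid record there is nothing to apply.
    """
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return (False, "none")
    spf_ok = r.spf_result == "pass" and aligned(
        r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(
        r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "none")
    return (False, tags.get("p", "none"))


# Constructed record for the protected domain: reject on failure, strict DKIM alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Genuine mail sent directly: SPF and DKIM both pass and align.
GENUINE = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
# Genuine mail that went through a forwarder: SPF now fails, DKIM survives.
FORWARDED = AuthResults("example.com", "fail", "lists.forwarder.net", "pass", "example.com")
# Spoof: From: claims example.com, SPF passes only for the attacker's own domain, no DKIM.
SPOOFED = AuthResults("example.com", "pass", "mailer.attacker.example", "none", "")

if __name__ == "__main__":
    for name, res in (("genuine", GENUINE), ("forwarded", FORWARDED), ("spoofed", SPOOFED)):
        print(name, dmarc_verdict(RECORD, res))
```

Passing `dmarc_verdict` an empty record (as a look-alike domain that publishes no DMARC policy would) returns `(False, "none")`: there is no policy to enforce, which is exactly why DMARC only protects the domains that actually publish it.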

But it is expensive and difficult to implement. To be fully effective, the service provider needs to register, and publish an enforcing DMARC policy for, every domain that could be confused with its primary domain or domains and so be used by criminals. DMARC only protects the domains that publish it, so any look-alike domain that is missed remains a route for the phishers to carry on phishing.

For the service user, there is no immediately apparent way of knowing whether the provider is using DMARC. If the user believes the provider is using DMARC, it can lead to a false and relaxed sense of security: a look-alike domain can be assumed to be protected when it isn't, and the content of what is really a phishing email can be assumed to be safe when it isn't.

BIMI addresses this by letting a provider whose domain is at DMARC enforcement publish a brand logo that participating mailbox providers display next to messages that pass DMARC. Since look-alike domains should not, in theory, be able to obtain a certified logo, the user can see at a glance that the email is genuine. The reverse inference is weaker: a message without a logo is not necessarily fraudulent, because the sender may simply not have deployed BIMI or the recipient's mail client may not support it.

It is a win for all sides. The service provider does not suffer from brand dilution by being associated with spam and phishing, while the user can be assured that the email is genuine. The service provider gains a marketing benefit from thousands, eventually millions, of additional logo impressions, while DMARC benefits from the providers' additional incentive to implement the enforced standard across potentially fewer domains.

BIMI was conceived and founded by Valimail. “The team at Valimail founded, named, and resourced the BIMI standard. We’ve been an avid supporter of BIMI since Valimail’s founding in 2015,” said Seth Blank, chair of the AuthIndicators Working Group (BIMI’s creators) and chief product officer at Valimail. “With a goal to improve the ecosystem for everyone, BIMI enables brands to deliver their logos alongside email messages to billions of inboxes worldwide, increasing customer engagement with those messages and boosting brand trust.”

Email recipients can treat a BIMI logo as an immediate, visual confirmation that the email has come from the official source protected by DMARC. Since 89% of all phishing attacks start with sender identity fraud, DMARC is an essential safeguard against one of the most pernicious and successful cyberattacks experienced today.

At its inception, BIMI was only available on mobile devices. But on Monday July 12, 2021, Valimail announced a new product called Amplify that brings BIMI to the wider world of email, enabling users of Gmail, AOL, Yahoo Mail, Fastmail and other mailbox providers to display logos next to an email message, indicating it has been authenticated.

Two steps are required for a service provider to implement BIMI. Firstly, it must bring its domain to DMARC enforcement (a policy of quarantine or reject). Secondly, it must obtain a Verified Mark Certificate (VMC), associated with the DMARC implementation, for the logo that will be used; the logo and certificate are then referenced from a BIMI record published in the domain's DNS. For the latter, Valimail has partnered with leading certificate providers DigiCert and Entrust to establish a process for providers to acquire a VMC. VMCs are currently tied to registered trademarks from select jurisdictions, but plans seek to expand access to include both additional jurisdictions and options for unregistered trademark logos.
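The DNS side of those two steps, as an added example (not code from the article, Valimail or the AuthIndicators Working Group): a Python check that parses a domain's DMARC record and BIMI record and reports what would stop a logo from being displayed. It assumes the BIMI record lives at default._bimi.<domain>, that enforcement means p=quarantine or p=reject at pct=100 with no weaker sp= subdomain policy, and that a VMC is required whenever Gmail is a target mailbox provider; the records for example.com are constructed.

```python
"""BIMI readiness check over a domain's DNS TXT records.

Added example, not code from the article, Valimail or the AuthIndicators
Working Group. The records below are constructed; a real check would fetch
the TXT records at _dmarc.<domain> and default._bimi.<domain>.
"""


def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' tag syntax shared by DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement_problems(record: str) -> list:
    """Problems that disqualify the DMARC record for BIMI (empty list = OK).

    BIMI requires DMARC at enforcement: p=quarantine or p=reject, pct=100
    (or omitted), and a subdomain policy (sp=) that is also at enforcement.
    """
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (v=DMARC1 missing)"]
    problems = []
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy} is monitoring only, not enforcement")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "sp" in tags and tags["sp"] not in ("quarantine", "reject"):
        problems.append(f"sp={tags['sp']} leaves subdomains unenforced")
    return problems


def bimi_record_problems(record: str, vmc_required: bool = True) -> list:
    """Problems with the BIMI record itself (empty list = OK).

    l= is the HTTPS URL of the SVG logo; a= is the HTTPS URL of the Verified
    Mark Certificate. Gmail only shows logos backed by a VMC, so by default
    a missing a= is reported as a problem.
    """
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return ["no valid BIMI record (v=BIMI1 missing)"]
    problems = []
    if not tags.get("l", "").startswith("https://"):
        problems.append("l= logo URL missing or not served over https")
    if vmc_required and not tags.get("a", "").startswith("https://"):
        problems.append("a= VMC URL missing; providers that require a VMC will not display the logo")
    return problems


def bimi_ready(dmarc_record: str, bimi_record: str, vmc_required: bool = True) -> bool:
    """True only when both records pass every check above."""
    return not (dmarc_enforcement_problems(dmarc_record)
                + bimi_record_problems(bimi_record, vmc_required))


# Constructed records for a hypothetical example.com rollout.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
BIMI_LOGO_ONLY = "v=BIMI1; l=https://example.com/brand/logo.svg;"
BIMI_WITH_VMC = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"

if __name__ == "__main__":
    for dmarc in (DMARC_MONITOR, DMARC_PARTIAL, DMARC_ENFORCED):
        print(dmarc, "->", dmarc_enforcement_problems(dmarc) or "OK")
    print("logo only:", bimi_record_problems(BIMI_LOGO_ONLY) or "OK")
    print("ready:", bimi_ready(DMARC_ENFORCED, BIMI_WITH_VMC))
```

The check works on record strings so it runs offline; in practice the two records are resolved with a DNS library, and a complete readiness test also fetches the l= URL to confirm the logo is a valid SVG and the a= URL to confirm the certificate covers that logo and domain.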

“DigiCert’s partnership with Valimail simplifies BIMI compliance with VMCs and DMARC enforcement — a strategy designed to deliver more consistent, secure email for businesses and consumers,” comments DigiCert senior director of business development, Dean Coclin. “We anticipate growing demand for digital certificates displaying verified logos in email and are developing scalable solutions to help companies be ready on day one.”

“We are now seeing growing momentum for BIMI standards as brands recognize the opportunity to strengthen authentication and verified brand recognition in critical email communications,” adds Chris Bailey, VP of trust services at Entrust.

BIMI can be viewed as a visual email certificate. Certificates, however, have a history of being abused by criminals. The long-term success of BIMI will depend upon Valimail and its partners protecting its use better than the industry has protected certificates in the past.

Related: Under New Ownership, DigiCert Expands into Verified Mark Certificates

Related: Nearly 1 Million Domains Use DMARC, but Only 13% Prevent Email Spoofing

Related: Threat from Spoofed Emails Grows, While DMARC Implementation Lags

Related: Verizon DBIR 2021: Ransomware, Web App and Phishing Attacks Dominate

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
