Get ready for BIMI at Gmail

Let’s start with the basics - Brand logos and BIMI records. The logos are a very important part of the user experience. It helps recipients identify the sender of the message. Whether it’s a photo of the contact or a logo of the brand, the image next to the sender’s name just makes the user experience better and easier to identify the sender.

Up until now the brands had little to no control over the logo that was being displayed. The logo that got displayed for the brand was different depending on a multitude of factors such as mailbox provider, email client, device used, etc. Some email clients would pull the logo from the website’s favicon, others would use logos from social networks (especially on mobile) and others would have their own list of curated brand logos. This resulted in an inconsistent user experience and more importantly affects the brand experience as well.

Brand Indicators for Message Identification is an emerging standard design to overcome this problem. It puts the brands in control of their brand indicator by setting up a simple domain record. Brands are now able to designate a specific logo to be used across all mailbox providers, email clients and devices providing unified brand experience.

The BIMI resides in a so-called “BIMI record” in the DNS of your domain. This record provides a location of the Brand logo as well as the optional authentication of the logo.

Example BIMI record could like something like:

This record tells the receiving servers that the sending domain has published a logo at a location specified by the l= attribute and has been certified and the certificate is in the location set by a= attribute.

To make sure users are protected from brand-impersonation the BIMI display is conditional on multiple factors. The main protection lies with the requirement of having deployed DMARC at the organizational level domain (DKIM-signed Message Authentication, Reporting and Conformance) with an enforcement policy. DMARC is a standard that allows domain owners to enforce email authentication and protects domains from abuse. By deploying DMARC the receiving servers can easily identify whether the email is authentic or not. If your domain is not protected by DMARC, you should check out our post about the most common DMARC deployment problems.

Companies that have done their work in protecting their domain from abuse and phishing are eligible to have their BIMI logo to be displayed. Whilst DMARC is a requirement it does not guarantee the BIMI logo will be displayed - domain reputation, email volume and other factors are at play as well. The decision whether to display or not to display the logo lies with individual mailbox providers.

Yahoo.com as the only major mailbox provider supporting BIMI has been a BIMI testbed for many brands. Some were really excited to see the right logo showing up, others had questions because theirs did not. In 99% of cases this came down to getting the BIMI setup correctly and understanding the other factors at play.

Early adopters often forgot that BIMI is intended for brand messages and not one-to-one messages. BIMI should not display for jane.doe@domain.com as Jane is not the brand but a human. BIMI should display for info@domain.com, orders@domain.com, news@domain.com, etc. - messages that represent brand communication. The volume of messages is also important as receiving servers need to have sufficient amounts of data to establish reputation. If your email volume is in thousands per week you are not likely to meet the threshold.

All of these security measures focus on identifying the sender of the message but none of them can guarantee that the logo in the BIMI DNS record is legitimate. Since the domain owner is in control of the BIMI DNS record he can change it at any time which is one of the key advantages. At the same time nothing prevents a bad sender to build up a good reputation for a domain and then swapping out the logo in the BIMI DNS record for a bank’s logo and start a phishing campaign. Yes, it would not last for long but the damage to both recipients and the brand would have been already done. To fight such abuse BIMI has its own logo authentication mechanism called Verified Mark Certificate which Gmail will require.

Verified Mark Certificate

A Verified Mark Certificate or VMC in short is similar to SSL certificates used for websites. It is issued by a Certification Authority that verifies the brand logo ownership. The process of obtaining a VMC is very similar to the one of obtaining an Extended Validation (EV) SSL certificate for a website.

As a first step the company information provided needs to be validated. This is usually done against corporate registries and making calls to the phone numbers confirmed against third party databases. During the validation the contact person must prove his or her identity and authority, and a higher-authority in the company must confirm the information. Once company validation is performed, a Subscriber can obtain as many EV certificates as it wants, but most of the validation must be repeated by the CA every year.

In the second step the domain ownership is being validated. This is done by adding a domain record, posting a file on a website or by clicking a link in an email sent to one of the role emails for the domain (postmaster, abuse, webmaster). Domain validation has to be done individually for every single domain and subdomain and must be reconfirmed annually.

Whilst these two steps are similar to the EV process and validates the company and domain ownership, the VMC validation goes a step further. As the logo in the BIMI record needs to be validated, the certification authorities will rely on existing trademark validations. That means that every brand that will be looking at getting a VMC will need to have a figurative (visual) or word trademark matching the requested logo (or a combined logo of figure and word).

To give you a better example, let’s look at our logo. We do own a wordmark for the word “Mailkit” and could use that for a VMC in any font or color we choose (but not in form of a logo).

We also have a figurative trademark for our logo which we could use in a VMC and use in our BIMI record in it’s visual form.

If we wanted to get a VMC for the envelope symbol part of the logo that we currently use in our BIMI record, we would have to apply for a separate trademark though. This is a reasonable requirement as it would be nearly impossible for certification authorities to validate whether a part of the logo is unique enough or not.

The process of obtaining a new trademark is not too difficult and it is not even too expensive (as low as $300 in the US, and €850 in the EU), but it takes about 6 months to process as the application can go through internal screening and public comments. At the moment there is a special subsidy programme in the EU for SMEs to get trademarks in an amount of up to €1500 per company. If you are interested in obtaining a trademark and taking advantage of these subsidies, get in touch with us and we’d be happy to refer you to our trademark office.

As the VMC verification takes a while to process we have prepared a Pre-registration for where you can get your brand pre-validated and ready to apply for VMC and Gmail general availability.

BIMI at Gmail

Gmail is already in the second stage of the pilot. The purpose of the pilot is to test out all the aspects of BIMI and VMC. The validation during the pilot is done using different methods of validating contact information (notary, videocall), logos are being checked against various trademark offices around the world, etc. The BIMI display itself is subject to testing in Gmail to make sure the user experience doesn’t fall short. That applies to both the desktop gmail.com as well as the Gmail mobile apps.

Whilst working with our clients who participate in the pilot program we realized that the VMC process is something very foreign to marketers. Even though the process is similar to obtaining an EV SSL, those are usually done by IT departments. VMCs were the first validation experience for most marketers and require guidance and support. In addition the VMC process often requires the cooperation of multiple departments - Marketing, IT & ITsec, Brand, Legal and possibly others depending on company structure. We’ve had large multinational companies getting through the process in days, while other companies would take weeks. The best you could do is to relay as much information to the other departments about BIMI and VMC as possible as it might help them understand better what is needed.

So when can we expect BIMI to go live? There is no official date for general availability yet but rumors point to a summer 2021 release. Whether you are an early adopter of BIMI or your brand intends to join BIMI once Gmail support goes live we strongly suggest you start working on your trademarks. The Verified Mark Certificate will be a hard requirement by Gmail and we hear that Yahoo! will require VMCs in the future as well.