BIMI stands for "Brand Indicators for Message Identification" and is a fairly new standard intended to help users distinguish legitimate mails from spam and phishing mails. BIMI is meant to give companies the option of displaying their company logo in the recipient's inbox. Outlook users will know a fairly similar mechanism, where the sender's photo is shown in Outlook. Here is an example of a mail from CNN where "Brand Indicators for Message Identification" is in use:
After opening the mail, the CNN logo is displayed, so in this case a user can recognize that this mail very likely actually comes from CNN. For BIMI to work, SPF, DKIM and DMARC must be configured for the sender domain. The DMARC policy must be set to "reject" or to "100% quarantine". For many domains this should already be the case, so BIMI could actually be used as well. Unfortunately, it is not quite that simple, as the following article shows.
Configure BIMI
To configure BIMI, you first need an appropriate logo. The logo itself is the first challenge, because the logo must be available as a vector graphic (SVG). In principle, this would be easy if it were not for the SVG Portable / Secure (SVG P/S) format. It seems that this format can only be created by Adobe Illustrator or via detours. At first I simply created an SVG file using Inkscape, but unfortunately this is not compatible. Finally, I found a YouTube video here, where an SVG P/S is created from a PNG using Inkscape:
Here is my logo which I used for testing:
As you can see from the link above, I have uploaded the logo to my web server so that it is also publicly available. The rest is actually trivial, because according to the BIMI Group, only 3 steps are actually required:
Step 1 is already fulfilled for my domain and should generally already be widespread: SPF, DKIM and DMARC. These are also quick to set up. Step 2 is the logo; logically, you can't do without it, even if you might have preferred to use standard SVG here. Step 3 is marked as recommended but optional. Unfortunately this is not the case, more on that in a moment. Step 4 is a simple DNS TXT record, in my case this one:
default._bimi.frankysweb.de IN TXT "v=BIMI1; l=https://www.frankysweb.de/frankysweb_tiny_ps.svg"
Finally, the BIMI Inspector can be used to check the status. The tool checks the MX, SPF, DKIM and DMARC settings, as well as the BIMI SVG logo, the BIMI DNS record and the Verified Mark Certificate (the optional Step 3):
For my domain, only the missing Verified Mark Certificate is displayed here, which may be required by some mail providers:
BIMI would actually already be set up, if it weren't for this optional Step 3.
Who supports BIMI?
The BIMI Group website has an overview of the providers that support BIMI. Microsoft is not participating; providers widespread in Germany such as GMX and web.de are apparently considering support. The status "Considering" has been there for quite a while though (I seem to remember it from 2022):
I tried it with my configuration, which is displayed as valid, with Gmail, Yahoo and AOL. I read in this article that at least Yahoo and AOL offer BIMI without VMC, hence the test:
I was hoping that my logo would now be displayed on Yahoo and AOL, but unfortunately this was not the case. It seems that all providers now require the Verified Mark Certificate (VMC):
And in my opinion, this is precisely where the problem lies.
What is a Verified Mark Certificate (VMC) and why is BIMI not widely used?
A Verified Mark Certificate (VMC) is a digital signature for the BIMI logo. Similar to an S/MIME or SSL server certificate, the VMC confirms the authenticity of the BIMI logo. Technically, the VMC also works in a similar way to a normal SSL certificate: you submit your logo to a public certificate authority (self-signed does not work) and receive a certificate. The certificate is then stored as a PEM file on a web server and referenced from the BIMI DNS record via the a= tag. Here is an example from CNN:
v=BIMI1; l=https://amplify.valimail.com/bimi/time-warner/LFMoxJPK5xh-cable_news_network_inc2.svg; a=https://amplify.valimail.com/bimi/time-warner/LFMoxJPK5xh-cable_news_network_inc2.pem
In the case of CNN, the certificate comes from DigiCert and you can also view it under Windows:
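The following script is an added example, not code from the post or from the BIMI Group: it performs offline the two record checks the BIMI Inspector does first, namely whether the DMARC policy is reject or 100% quarantine, and whether the BIMI assertion record (the frankysweb.de record without a VMC, and the CNN record with its a= tag, both as quoted above) points at HTTPS resources. The DMARC records used as input are constructed samples, not the real records of either domain.

```python
from urllib.parse import urlparse

# BIMI records as quoted in the post; the DMARC records are constructed samples.
FRANKYSWEB_BIMI = "v=BIMI1; l=https://www.frankysweb.de/frankysweb_tiny_ps.svg"
CNN_BIMI = ("v=BIMI1; l=https://amplify.valimail.com/bimi/time-warner/"
            "LFMoxJPK5xh-cable_news_network_inc2.svg; a=https://amplify.valimail.com/"
            "bimi/time-warner/LFMoxJPK5xh-cable_news_network_inc2.pem")
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"   # constructed
DMARC_WEAK = "v=DMARC1; p=quarantine; pct=50"                             # constructed

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def dmarc_ok_for_bimi(dmarc_record):
    """BIMI requires p=reject, or p=quarantine applied to 100% of mail (pct defaults to 100)."""
    t = parse_tags(dmarc_record)
    if t.get("v") != "DMARC1":
        return False
    policy = t.get("p", "").lower()
    pct_raw = t.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0   # unparsable pct counts as not enforced
    return policy == "reject" or (policy == "quarantine" and pct == 100)

def check_bimi_record(bimi_record):
    """Check the BIMI assertion record's l= (logo) and a= (VMC) tags."""
    t = parse_tags(bimi_record)
    logo, vmc = urlparse(t.get("l", "")), urlparse(t.get("a", ""))
    return {
        "version_ok": t.get("v") == "BIMI1",
        "logo_https": logo.scheme == "https" and bool(logo.netloc),  # logo must be served over HTTPS
        "vmc_present": bool(t.get("a")),                            # a= tag references the PEM VMC
        "vmc_https": vmc.scheme == "https" and bool(vmc.netloc),
    }

def bimi_readiness(dmarc_record, bimi_record):
    """Combine both checks; returns (ready_without_vmc, findings) like a BIMI inspector would."""
    f = check_bimi_record(bimi_record)
    f["dmarc_ok"] = dmarc_ok_for_bimi(dmarc_record)
    return f["dmarc_ok"] and f["version_ok"] and f["logo_https"], f

if __name__ == "__main__":
    for label, dmarc, bimi in [("frankysweb record", DMARC_REJECT, FRANKYSWEB_BIMI),
                               ("CNN record", DMARC_REJECT, CNN_BIMI),
                               ("weak DMARC sample", DMARC_WEAK, FRANKYSWEB_BIMI)]:
        ready, findings = bimi_readiness(dmarc, bimi)
        print(f"{label}: ready={ready} vmc_present={findings['vmc_present']} {findings}")
```

Whether a provider actually shows the logo without the a= tag is the provider's decision, which is exactly what the tests with Yahoo and AOL above show.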
Incidentally, it is not entirely clear to me why this VMC is required for all providers. The logo is on my web server, the BIMI DNS entry is in my domain and the logo is transmitted via HTTPS. The mails where the logo is to be displayed must have successfully passed SPF, DKIM and DMARC. It is not clear to me why a signature or certificate is required for the logo.
Incidentally, there are exactly two public certificate authorities listed on the BIMI Group website that issue VMCs:
DigiCert wants 1416.00 EUR per certificate, Entrust 1299.00 USD. Per year. So this small logo costs 1416 EUR per year:
Conclusion
In my opinion, this also explains why I had to register with CNN in order to see a BIMI mail at all. I don't think this will really change the spread of BIMI. Over 100 EUR per month for a small logo, which is displayed when viewing the mail with some mail providers? It probably won't spread very far this way.