
BIMI (Brand Indicators for Message Identification) is an email protocol gaining traction that provides visual verification that your organization’s email is legitimate and safe by displaying your company’s logo and mark of certification alongside your email in supported email clients.
Background
The basic protocols for sending and receiving email, solidified in the 1980s, were designed for ease of use and interoperability — not security. Which is why, over four decades later, we are still dealing with so much spammy, phishy, spoofy, and fraudulent email in our inbox.
The largest email providers — Google, Yahoo, Microsoft, and others — have used machine learning for years to analyze incoming email and divert as much spam as possible. (Google, for example, claims that 99% of all incoming spam is removed from its systems even before reaching your spam folder, so you never, ever see it.) But those incoming filters are constantly being challenged, or can be overzealous and tag legitimate email as spam.
Setting outgoing email security policies
The good news is that organizations can create email security policies that give recipient email servers specific instructions about what to do with mail that comes from — or looks like it comes from — their domain.
- SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) domain records validate legitimate mail from a specific domain.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies give specific instructions to recipient mail servers for how to handle mail that doesn’t validate with SPF or DKIM.
Email providers like Google and Yahoo are pushing hard for organizations to adopt these email security policies and make it easier to smoke out the fraudsters. (Macktez has supported many of our clients’ efforts to maintain up-to-date email security policies and review DMARC deliverability reports to confirm ongoing compliance with our Domain Management subscription.)
Adding message branding
Now organizations can leverage the success of SPF, DKIM, and DMARC to give recipients a clear, visual indication that they are following email security best practices and that their email can’t be spoofed. BIMI allows an email with SPF and DKIM validation and a strong DMARC policy to display visual verification of legitimacy: a brand logo and a certificate checkmark.
With visible marks of authenticity, recipients will know that security policies are being followed behind the scenes, have higher confidence in the messages that reach their inboxes, and be more likely to read and respond.
For organizations that rely on outgoing email for marketing and customer service, that additional visible mark of trust offers a boost to brand identity and online reputation. But even for companies that aren’t running active email marketing campaigns, BIMI sends an important signal to clients, colleagues, and vendors that they take email security seriously.

BIMI verification as it appears in Gmail today.
More and more email clients, including Apple Mail in iOS 18, are displaying these BIMI-verified brand logos in the email list view, not only after an email is opened, which will make the benefits of BIMI more visible to more people in 2025.

Example of what an email client can look like with BIMI (credit: Mailhardener).
Implementation of BIMI
Organizations need a few things in place to implement BIMI for their domain:
- SPF and DKIM records that authenticate valid domain emails.
- A strong DMARC policy set to quarantine or reject 100% of email that does not pass SPF or DKIM verification.
- A registered trademark or distinguishable brand logo.
A particular type of domain certificate can then be purchased, depending on whether the organization’s logo is registered or not, and additional domain security records are set up to tie all these pieces together and deliver the logo to recipients’ inboxes.
BIMI’s key benefits
- Visual indication of security: The logo and checkmark displayed next to emails highlight the legitimacy of the email, backed by email security standards.
- Increased brand recognition: BIMI allows businesses to display their verified brand logo alongside their emails instead of generic icons.
- Protection against phishing and spoofing: Hackers can’t impersonate the brand logo that accompanies emails, making their attempts to spoof a domain much less likely to succeed.
Any drawbacks?
Security and branding benefits come with some challenges:
- Complexity: Implementing BIMI requires coordination between multiple teams, including IT, marketing, and security.
- Technical expertise: Getting to the required level of DMARC policy takes time to monitor deliverability reports, adjust domain records, and gradually strengthen email security policies.
- Ongoing maintenance: BIMI requires ongoing maintenance of email security policies to ensure that your brand logo is displayed correctly and that your DNS records are up to date.
- Cost: The required domain certificates cost $1,200 – $1,600 per year. Ongoing DMARC monitoring requires a third-party service.
- Email client support: BIMI is not yet supported by all email clients, including, notably, Microsoft Outlook. This means that some recipients may not yet see verified brand logos.
Macktez has extensive experience with domain security records, DMARC policies, and certificate acquisition. Reach out if you are interested in getting this process in motion.