Email authentication comes with many strange terms. We already know SPF, DKIM, and DMARC – well-established and time-proven safety protocols that underlie the modern strategy against malicious activities like spoofing and phishing.
However, one more standard has been introduced quite recently. Brand Indicator Messaging Identification is the new kid in the squad. Although it is not a traditional safety protocol but rather an addition to DMARC, it still contributes a lot to safeguarding digital correspondence, making the email ecosystem safe, and proving to ISPs and mailbox providers the sender’s validity, credibility, and trustworthiness.

Many popular ESPs, like Google and Apple, have already recognized its ability to strengthen authentication and security measures and have even rolled out mechanisms to support it. At the same time, regular users agree that it helps them detect cyberattacks better, according to some recent surveys.
So, what is a BIMI record, why is it important, and how do you create one and check to ensure it works as intended? Follow our guide.
What Is a BIMI Record?
Brand Indicator Messaging Identification, known as BIMI, is one of the fundamental authentication standards established by the AuthIndicators Working Group and largely approved by email service providers, ISPs, and key participants in the email ecosystem.
In a nutshell, it is a DNS TXT record in your domain server that displays the sender’s logo inside a recipient’s email inbox folder right before the name and subject line of the digital newsletter. It includes four main parts: subdomain, Verified Mark Certificate, branded logo, and version.
As it is not included as a part of the digital newsletter but instead kept safe and sound in your mail server, it stays protected from malicious actors who do not have direct access to it during the transmission. Therefore, it is difficult to compromise this information, making it a serious trust label that protects digital correspondence from phishing.
A BIMI record is not a traditional authentication approach with a safety protocol at the core. It is an additional solution that strengthens popular safety measures like SPF, DMARC, and DKIM. Only if the message passes the authentication check and the mailbox provider believes the company’s reputation qualifies may the ESP query the DNS to get the corresponding BIMI record and display it in the mail client’s message view.
Although many inbox providers have already agreed on BIMI’s importance and even rolled out mechanisms to support it, each still chooses whether to display and where to display the record. For instance, Apple and Gmail display it in webmail and mobile applications next to the sender’s name. On the other hand, La Poste and Zone display it by the subject line, whereas Yahoo! shows a company’s actual brand logo only on their mobile applications.
Requirements for BIMI Record
Unlike other email authentication protocols, using a BIMI record comes with certain requirements. Working as an extension of DMARC and a tool to reinforce safety measures, it requires companies to meet certain criteria before the record is displayed in the recipient’s inbox.
First and foremost, companies must ensure DMARC authentication is correctly configured on the sender’s domain with the policy set to either ‘reject’ or ‘quarantine.’ If their DMARC check fails, mailbox providers will not display a BIMI record.
Second, the company should have a good reputation for sending and a good sending history for domains and IP addresses.
Third, the company must obtain the Verified Mark Certificate. VMC serves as an additional security level that proves the company’s ownership of the domain. For that, they must have a registered trademark in a competent jurisdiction and a BIMI logo matching the trademark.
Finally, the company must meet logo specifications. For starters, brands should create logotypes for BIMI records that are aligned with the trademark, easily recognizable, and include characteristics that support verification. They must look consistent and seamless across various resolutions without sacrificing quality.
As for the technical side, the BIMI logo must be square and presented in Scalable Vector Graphics (SVG) format without any <script> tags or external links. It also must follow the restrictions defined by the BIMI Working Group and requirements set by mailbox providers.
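A local check of the logo rules above (SVG, square, no <script> tags, no external links) plus the 32 KB size limit given later in this guide, as an added example that is not part of the original guide or of any BIMI tool. It assumes "square" can be judged from the viewBox attribute, and the function name and sample logos are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_BYTES = 32 * 1024  # size limit given in this guide

# Constructed sample logos (not real brand files).
GOOD_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">'
             b'<title>Example</title><circle cx="32" cy="32" r="30"/></svg>')
BAD_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 64 32">'
            b'<script>/* constructed */</script>'
            b'<image xlink:href="https://example.com/x.png"/></svg>')


def check_bimi_logo(svg_bytes):
    """Return a list of problems found in a logo file (empty list = none found)."""
    problems = []
    if len(svg_bytes) > MAX_BYTES:
        problems.append("file larger than 32 KB")
    # Meant for your own logo; use a hardened XML parser for untrusted files.
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg>"]
    # Square check (assumption): viewBox is "min-x min-y width height".
    box = root.get("viewBox", "").replace(",", " ").split()
    try:
        if float(box[2]) != float(box[3]):
            problems.append("viewBox is not square")
    except (IndexError, ValueError):
        problems.append("missing or malformed viewBox")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1].lower()
        if name == "script":
            problems.append("<script> element present")
        for attr in ("href", XLINK_HREF):
            target = el.get(attr, "")
            if target and not target.startswith("#"):  # "#id" is an internal reference
                problems.append(f"external link on <{name}>: {target}")
    return problems


if __name__ == "__main__":
    print(check_bimi_logo(GOOD_LOGO))
    print(check_bimi_logo(BAD_LOGO))
```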
Email Providers Supporting BIMI
As with every new email standard, not all mailbox providers support it. However, its adoption is growing, especially after Google committed to it in 2021 and encouraged other ESPs to introduce this extra safety measure.
For the time being, BIMI records are supported by Gmail with a Verified Mark Certificate and Certificate Management Certificate, Yahoo without requiring a VMC, Apple Mail starting from iOS 16 and Ventura 13, Fastmail, La Poste, AOL/Netscape, and Cloudmark. Comcast, Seznam, and BT are planning to support this feature. In summary, BIMI adoption is huge, with several major mailbox providers already on board, and only Microsoft is ignoring it completely.
Look at the picture below for the visual breakdown of the current BIMI support.

Importance of BIMI Record
Although originally not a traditional security protocol like SPF or DMARC, the BIMI record is still one of the fundamental approaches to protecting the email ecosystem and proving the sender’s trustworthiness and validity. Working as an extension to DMARC and reinforcement for email authentication, it is important for many reasons.
First, it is another security layer crucial for keeping recipients away from malicious activity and providing a safe connection by minimizing the risks of phishing and spoofing attacks. The best thing is, even if the technical side is compromised and mailbox providers fail to see that, users still have a chance to detect malicious activity, as missing BIMI (the brand’s logotype next to the sender’s name and subject line) raises suspicion for those used to seeing the branding displayed for each email.
Second, it encourages companies to take authentication seriously. Wide popularization and support from the leading mailbox providers compel businesses to introduce SPF and DKIM and, most importantly, DMARC, strengthening their authentication. This brings numerous benefits to the company and the email ecosystem, helping participants fight malicious actors efficiently and providing users with a safe connection.
Third, it helps standardize logo display for businesses. Companies are in charge of BIMI, so they control how their messages are displayed in the inbox. As with the subject line and sender name, this lets them avoid the confusion and frustration caused by automatically generated icons.
Fourth, it positively impacts the brand’s marketing endeavors. Recent studies showed that BIMI records are a label of trust and an integral part of brand identity. Regularly displayed along with the digital message, it strengthens the company’s credibility, increasing open rates and brand recall and partially influencing conversions.
Finally, it improves the sender’s score and reputation. As part of the authentication squad and a widely accepted trust label, the BIMI record positively changes the sender’s score and reputation. It makes the company look trustworthy in the eyes of mailbox providers and ISPs and helps its messages pass rigorous inspections and spam filters.
How Does a BIMI Record Work?
A BIMI record builds on existing authentication standards, more precisely on DMARC. Therefore, it is created and added to the DNS once the company has successfully implemented the SPF, DKIM, and DMARC protocols.
The checking process is relatively straightforward. First, the mailbox provider authenticates a digital newsletter by checking it against the main security protocols.
Then, if the message passes rigorous inspection, it queries the DNS for a corresponding BIMI record. It gets all the crucial information and checks whether it meets its criteria. For instance, Google requires a Verified Mark Certificate, a cryptographic file proving the company’s brand logo ownership.
Finally, it retrieves an SVG image file containing the company’s branded logo from the specified location and displays it according to its preferences.
This procedure requires certain criteria to be met and involves several services to coordinate activities, making it difficult to compromise authentication.
Security Considerations
When introducing the BIMI record, it is crucial to weigh several security considerations, as the standard is still open to exploitation by malicious actors. The following safeguards must be in place:
- Any metadata must be eliminated.
- Large file sizes must be prevented or minimized.
- Key indicators must be of a defined size and pass security checks.
- A proper reputation with the MTA (Message Transfer Agent) must be ensured.
- A reliable caching system must be implemented.
How Do You Create a BIMI Record?
BIMI might be just one record covering some short spec and a link to your trademark logotype, but like all authentication standards, it requires proper setup. Here is a step-by-step guide to creating a BIMI record for your organization.
Step 1 – DMARC authentication.
As BIMI builds on existing authentication protocols, reinforcing their security measures, it must be adopted right after a company has successfully set up and validated main standards, such as SPF, DMARC, and DKIM.
While creating a digital signature and key for encryption, make sure your DMARC record meets these criteria to qualify for BIMI:
- DMARC policy is in alignment with the email domain.
- DMARC policy (p=) is set to “quarantine” (at 100%) or “reject” (at any %).
Note that a check of DMARC validity will be performed every time a message reaches the mailbox provider; therefore, it is crucial to ensure everything is valid and works correctly.
Step 2 – Certification.
This stage is perhaps one of the most time-consuming, but it is critical to ensure a solid foundation that meets all the vital requirements established by the protocol and mailbox providers.
Start by creating the logo. It must be high-quality, square, weigh no more than 32 KB, present in SVG format, and, most importantly, aligned with the trademark recognized by an intellectual property office. For more technical specifications, check the mailbox vendors’ requirements. Also note that if the logo is not trademarked, the company might use a logo that has a CMC.
Then, obtain a Verified Mark Certificate. Bodies governing BIMI will ask for proof of domain ownership, which can be obtained from DigiCert and Entrust Datacard. To get it, companies must submit the logo and all their information (including the registration number and organization information) to Mark Certificate Issuers that:
- Prove the ownership of the registered trademark.
- Prove that the owner of a trademark is also a registrant of a given domain.
- Ensure the logo matches the trademark.
Step 3 – Add data to your domain.
After successfully proving your ownership and receiving the certificate chain file, the latter must be placed on a publicly accessible server with HTTPS protocol. Upload it to your domain’s public web server and copy the link as you need it in your BIMI assertion TXT record.
Step 4 – BIMI record creation.
Once your DMARC authentication is set up and the PEM file is uploaded to your domain’s public server, the time has come to create and add a BIMI record to your DNS. Copy the PEM file URL and set the correct parameters of a BIMI assertion TXT record.
There are three parameters: version, logo, and assertion.
The version indicates the current protocol. For now, it is “one,” so the declaration looks like “BIMI1.”
Logo and assertion specify a URL to the logotype. It depends on whether you have obtained the certification or not. If you have a PEM file, “l” remains empty, and the assertion parameter features the link to the PEM file. If you use an SVG logo without a certificate file, the assertion parameter is omitted, and the logo parameter contains the link to the logo. Here are some examples:
v=BIMI1; l=https://unspam.email/BIMIlogo.svg;
or
v=BIMI1; l=; a=https://unspam.email/certificate.pem
Afterward, add a TXT record for default._bimi.DomainAddress.
Step 5 – Test and troubleshoot.
Testing and validating are crucial to ensure everything works correctly. Use the services listed below to perform a free online BIMI check to see whether it is fully in line with the latest specifications and works as intended. These professional instruments will verify published records, surface issues, and areas for improvement. Also, check out possible troubleshooting scenarios Google provides to their clients.
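A local pre-check to run before the online tools, as an added example that is not part of the original guide or of any service named here: it applies the Step 1 DMARC rule and the Step 4 record rules to the TXT strings you plan to publish. The function names and DMARC samples are constructed, the BIMI samples are the two records from Step 4, and the .svg/.pem suffix test is a heuristic assumption.

```python
from urllib.parse import urlparse

# Constructed DMARC samples; the BIMI samples are the two records from Step 4.
DMARC_OK = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
DMARC_WEAK = "v=DMARC1; p=quarantine; pct=50"
BIMI_LOGO = "v=BIMI1; l= https://unspam.email/BIMIlogo.svg;"
BIMI_CERT = "v=BIMI1;l=;a= https://unspam.email/certificate.pem"


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def dmarc_qualifies(dmarc_txt):
    """Step 1 rule: p=reject at any pct, or p=quarantine at pct=100."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return False
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # DMARC treats a missing pct as 100
    return policy == "reject" or (policy == "quarantine" and pct == "100")


def check_bimi_record(bimi_txt):
    """Return a list of problems in a BIMI assertion record (empty = none found)."""
    tags = parse_tags(bimi_txt)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("version must be v=BIMI1")
    logo, cert = tags.get("l", ""), tags.get("a", "")
    if not logo and not cert:
        problems.append("neither l= nor a= points to a file")
    for name, url, suffix in (("l", logo, ".svg"), ("a", cert, ".pem")):
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{name}= must be an https URL")
        if not parsed.path.lower().endswith(suffix):  # heuristic, see lead-in
            problems.append(f"{name}= should point to a {suffix} file")
    return problems


if __name__ == "__main__":
    print(dmarc_qualifies(DMARC_OK), dmarc_qualifies(DMARC_WEAK))
    print(check_bimi_record(BIMI_LOGO), check_bimi_record(BIMI_CERT))
```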
How To Check BIMI Validity?
The last but not least step in adopting BIMI is to check whether it is valid and meets the specifications and requirements. For that, you need a professional diagnostic tool that will retrieve your record from the DNS, read its settings, and validate your logo and VMC to spot if anything is missing. Some might even show how the logo looks in different operating systems and platforms and provide recommendations for improvement.
Start with Unspam. It provides a comprehensive technical check of the email side, including SPF, DKIM, DMARC, domain suffix and age, and the List-Unsubscribe header. This check underlies the correct authentication work, which is critical for mailbox vendors to consider your BIMI in the first place. Therefore, get a full report from Unspam that uncovers all possible issues so you can eliminate them right away.

Unspam – email spam checker and deliverability test tool
Afterward, check your BIMI record through these popular online services:
- MxToolbox is a free and trusted worldwide instrument that checks BIMI records for errors.
- DNSChecker is another great tool for checking and generating the correct BIMI record.
- EasyDmarc is originally a test tool for DMARC validity, but it also provides free access to check BIMI records.
Please enter your domain name and test whether it is qualified to show a BIMI record.
Conclusion
Although Brand Indicator Messaging Identification is at an early stage of adoption and wide recognition, it has already emerged as quite a promising addition to well-established security protocols. Building on DMARC work, it reinforces authentication, provides an extra layer of protection, and helps companies fight malicious actors proactively and efficiently.
Recent studies showed that BIMI might work as a trust label for a certain market segment, increasing a company’s credibility, authority, and reputation in the email channel, elevating its sender’s score, and positively influencing conversions and ROI.
Gradually, BIMI is becoming critical for companies that want to capitalize on email marketing and build a strong brand identity in email channels; therefore, it is important to adopt it in your email routine.