Our way to BIMIMore security for the inbox
Spam and phishing e-mails are a constant problem for many e-mail recipients and are sometimes difficult to identify. For this reason, various standards have been established which, for example, allow the sender to be identified. The latest procedure is called BIMI and enables the recipient to check the authenticity of the e-mail in the inbox on the basis of the sender’s brand logo. Besides the security aspect, the additional branding is attractive to the sender. But how do you get BIMI? We at AGNITAS have tried it ourselves and described the process to you below. This will give you an overview of the process and help you decide if this sender authentication is right for you.
What is BIMI?
BIMI (Brand Indicators for Message Identification) is an open standard that consistently builds on SPF, DKIM and DMARC. BIMI was developed by several companies such as Google, Microsoft and Verizon, in particular to unmask phishing emails.
Verification is based on the already established authentication method DMARC. In this process, the receiving server checks whether the respective e-mail comes from an authorized sender – in other words, the authenticity of the sender. If this is the case, the brand logo appears directly next to the sender line. The basic prerequisite for displaying the logo is, of course, that the receiving e-mail client supports BIMI.
In addition to protecting recipients, BIMI also improves a company’s reputation as a reputable sender, both among providers of e-mail inboxes and among recipients themselves. It makes sending companies aware that cybercrime measures not only protect recipients, but also have a positive impact on brand perception. Domain owners can also publish multiple logos and use them with BIMI.
Incidentally, the BIMI process is not limited to e-mail alone; other services can also obtain logos this way. Support for the BIMI standard is still new and just establishing itself. With Gmail and Yahoo, worldwide marketshare of 38 %, two very large providers of e-mail inboxes are already on board and it can be assumed that other providers will follow suit here.
Implementation of BIMI
We at AGNITAS have gone through the process of using BIMI in summer/fall 2021. You can therefore benefit from our experience. We will show you the whole process so that your logo is clearly visible in your email inbox.
Technical requirements
Technical requirements include that all other e-mail standards have already been implemented:
- SPF must have been implemented
- DKIM must be enabled in the EMM* as well as for all other systems that send emails under your domain, e.g. your office mails, website, etc.
- DMARC has at least the policy “quarantine”, which means that unauthenticated emails end up in the spam folder or in another designated folder. Better still is the policy “reject”, these e-mails are bounced.
* or a comparable e-mail sending tool
Organizational requirements
BIMI requires a registration of the own logo at the German Patent and Trademark Office (DPMA) or an equivalent organization abroad. The deposit at the DPMA has a validity of 10 years. After that, it must be renewed.
If you have already legally protected your logo and filed it with the DPMA, this step is not necessary. Please note, however, that the logo must be exactly the same as the one you want to use for BIMI. Otherwise, an adjustment must first be made at the DPMA. Keep in mind that the logo will be scaled very small and square shapes are most advantageous.
In our case, the registration – from application to publication – took about two weeks. The cost was about 300 euros. Note that the cost may vary depending on how many classes/industries you want to protect your logo/trademark for.
Get a certificate
In order for BIMI to be accepted by large providers such as Google or Yahoo, certification of the trademark and logo is necessary, this is called VMC – Verified Mark Certificate.
We have done our certification through Digicert. Therefore, our experience refers to this provider. However, it can be assumed that the process is similar for other providers.
The certificate is valid for one year.
Preparation
To obtain the certificate, the following steps must be performed before applying. You can also read about these at Digicert.
1.Create logo in SVG format
As mentioned above, the logo to be used for BIMI must be registered with the Patent and Trademark Office beforehand. For the certificate, the logo is required in SVG format. For the logo to be accepted, certain minimum requirements must be met, as described here. During the conversion, there are also tools that adapt the own logo according to the specifications for BIMI . In addition, the logo must still be available in the global trademark database WIPO, as Digicert relies on this for verification.
When uploading to Digicert, one of our colleague also found that it is best to use an editor for the logo that makes UNIX-compliant wraps. Uploading to Digicert via Windows was not possible because line breaks were inserted under Windows. How it behaves with iOS, we can not say.
2. Data input
Now the organization has to be added and additional data has to be entered at Digicert. Furthermore, at least one personal contact person is required.
Tip: Due to the extra effort involved, we recommend naming only one contact person if possible.
3. Add domain
There are four options here:
3.1 By e-mail with confirmation link
3.2 By DNS as CNAME: By clicking on the domain to be validated in the order overview, a token is generated. This token is then inserted into the DNS with the CNAME
Destination: dcv.digicert.com
3.3 Via DNS as TXT: The procedure is the same as for 3.2, except that a TXT entry is set here that contains the generated token.
3.4 By http: This sets a file on the web server, which is accessible under the A-record of the domain, with the token as content. However, this solution is not always possible.
We have chosen the 3.2 CNAME option.
Application
1. Now the actual application takes place. The first step is to upload the logo via Digicert.
2. The previously verified domain is now selected so that it is included in the certificate. For the verification type, it is best to use the same as before.
3. Now only the organization and the contact are selected.
4. Finally, the credit card data must be entered. The prices are already displayed in the domain and certificate selection and can be read in the Costs and Effort section below.
Verification by Digicert
Digicert will now verify the following items:
- Verify organization details
- Blocklist/Fraud
- Operational existence
- Confirmation of the location of the company
- Confirmation of telephone number
- Approver Confirmation
- Approver Blocklist
- Logo Trademark Registration
- Verify all contacts
For this purpose, it is necessary that all contacts documented in the application send their ID card and a recent photo to Digicert via e-mail. This is done upon request by a Digicert representative. In addition, there is a web conference where the ID card is held up to the camera and it is verified that it is indeed the person previously indicated. Some are probably already familiar with this procedure from telephone companies or similar providers. In addition, the telephone number is still checked by a control call.
In addition, the organization and the contact persons are verified by a notary. For this purpose, a notary is commissioned by Digicert. However, the appointment with the notary must still be made by the organization or the employee in question.
At the notary itself, the prefabricated text from Digicert was still adapted by the notary in the case of our colleague, since the template from Digicert is probably not completely legally secure. The notarized document is then sent to Digicert by the notary or by you.
Now only an e-mail comes, in which the inputs must be checked once again. After that, you finally receive your certificate.
Set up BIMI
As a sender, you now only need to make the DNS entry, Digicert will do the rest for you.
DNS entry without VMC:
default._bimi.agnitas.de IN TXT “v=BIMI1;l=https://www.agnitas.de/bimi/icon.svg;”
DNS entry with VMC:
default._bimi.agnitas.de IN TXT “v=BIMI1; l=https://www.agnitas.de/bimi/icon.svg; a=https://www.agnitas.de/bimi/vmc-agn.pem;”
If you only want to add logos to certain mails or use different logos, it is still possible to use a selector. The use of a selector is also necessary when sending via two servers.
Checking
Just send an email to a Gmail account and see if your logo is included. However, it may take a few days for this to actually show up. Also note that BIMI is currently only displayed in the Gmail and Yahoo app. However, it can be assumed that other providers will follow suit in the near future.
Costs and effort
The cost of the certificate at Digicert is $1,500 base cost and $500 per domain. For the notary, the cost is €25 per certification. If the trademark and logo are not already protected, there are also the costs for the Patent and Trademark Office.
In our experience, the biggest expense is the creation of the certificate. Processes and procedures have not yet been 100 percent tested and adapted, and some of them seem superfluous, e.g., multiple identification. However, we can assume that Digicert will do something about this in the coming months.
Alternative or addition - Trusted Dialog
An alternative or supplement to BIMI on the German market is currently Trusted Dialog. This is an initiative of the German mailbox operators WEB.DE, GMX, 1&1, freenet and T-Online, which reach around 40 million mailboxes. Here, too, authentication takes place and the logo is displayed in the inbox. However, this is a private, fee-based initiative of the mailbox providers mentioned and not an open standard like BIMI. We do not know the exact costs for Trusted Dialog.
Conclusion
Especially because the processes for the certificate are not yet running optimally, the path to BIMI can currently prove to be a laborious and longer process. Nevertheless, it is worth considering BIMI in the long term and relying on this authentication procedure. On the one hand, such standards usually prevail sooner or later, and on the other hand, you give recipients a certain level of security in their own mailboxes. Since Gmail mailboxes are also becoming increasingly popular in Germany, a not inconsiderable number of users are also benefiting. An additional advantage at present is certainly also that BIMI is not yet so often used and you therefore generate all the more attention.
For those who send predominantly in German-speaking countries, however, Trusted Dialog is currently probably still the better option, as it achieves a large coverage of German-speaking mailboxes. In addition, many major brands in this country use the process. Internationally and in the long term, however, we recommend using BIMI.
If you would like to learn more about professional email marketing and internal newsletters, why not make an appointment for an individual online demo?.
Online Demo
About AGNITAS
With the E-Marketing Manager (EMM) AGNITAS offers intuitive marketing automation software for creative multi-channel campaigns via e-mail, web push, SMS, fax and print. The award-winning software meets individual data protection requirements as an in-house or SaaS solution and flexibly adapts to customer needs. From open source to high-end, there is a suitable variant for every budget.
When Martin Aschoff founded the company in 1999, AGNITAS was a pioneer of email marketing in Germany. Today, AGNITAS is one of the most renowned and innovative providers of high-quality marketing automation software, which is used around the world for customer-oriented communication.
Shape the Customer Experience with EMM – at the right time and in the right place!