How BIMI will facilitate trust in electronic messages

The vast majority of online scams are conducted via email because the medium is easily accessible and easy to abuse. A new form of message authentication known as BIMI should help you tell which messages are genuine and which are trying to trick you.

What is BIMI?

BIMI stands for Brand Indicator for Message Identification, a vendor-neutral messaging specification developed by an organization called the Authentication Indicators Working Group. BIMI is designed to make email more reliable.

When implemented correctly, BIMI allows brands to display a logo next to email messages in supported services and email clients. This logo verifies that an email is genuine, providing an easy visual indicator that the message is not spam or fraud.

BIMI is still classified as an emerging specification, which means that some brands, email providers and software platforms do not yet support it.

Why is BIMI necessary?

A Deloitte report published in 2020 claims that 91% of all cyberattacks start with a phishing email. The email inbox makes it easy for scammers to expand their network, sending as many messages as needed to trick a single victim. These scams often target payment processors like PayPal or modern peer-to-peer services like Zelle using email as their preferred means of communication.

While much of the working world is slowly moving away from email with services like Slack and Microsoft Teams, most people still rely heavily on it. Password reset notifications are emailed, more retailers than ever are going paperless with emailed receipts and invoices, and even your bank emails you to tell you when your statement is ready.

Spam message in Gmail

Email hasn’t changed much since it was introduced. While there are smarter ways to sift through your inbox, a renewed focus on healthier email habits, and even improved privacy and anti-spam controls, the mechanics behind email remain largely the same.

BIMI is a step forward in making email a more reliable platform. If you can verify that an email is authentic at a glance, you can also identify those that are not. The standard is still a few years away from that point, but brands, email providers and other tech companies are now laying the groundwork.

How does BIMI work?

The good news is that BIMI doesn’t require any effort on the part of the email recipient. The technology relies heavily on Domain-based Message Authentication, Reporting, and Conformance, or DMARC. This email authentication protocol was designed to prevent unauthorized use of domain names.

For BIMI to work, a brand must authenticate email using Sender Policy Framework (SPF), which effectively whitelists email servers that can send email from specific domains. Additionally, the technology known as DomainKeys Identified Mail (DKIM) adds digital signatures to each message to authenticate outgoing emails.

Brand logo using BIMI in Gmail (image: Google)

The last step is for DMARC to confirm these records and point to the .SVG file which will appear next to the email. In addition to this, a Verified Mark Certificate (VMC) acts as a form of digital record to further protect the logo used, although BIMI does not require this upon deployment.

Again, only brands need to concern themselves with this infrastructure and integrate these steps.
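The record chain described above can be checked mechanically. The following is an added example, not code from the BIMI working group or any mail provider: it parses constructed TXT records for the placeholder domain example.com and reports what would block logo display. The `default._bimi` and `_dmarc` record names and the `l=`/`a=` tags follow the published BIMI and DMARC formats; the enforcement rule (policy of quarantine or reject, pct of 100) is taken from the BIMI draft and is an assumption relative to this page.

```python
# Added example: constructed TXT records for the placeholder domain example.com.
# DKIM is omitted because its record lives under a per-sender selector name.
SAMPLE_DNS = {
    "example.com": "v=spf1 include:_spf.example.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi(domain, dns):
    """Return errors (logo will not show) and warnings (optional items missing)."""
    errors, warnings = [], []
    if not dns.get(domain, "").lower().startswith("v=spf1"):
        errors.append("no SPF record")
    dmarc = parse_tags(dns.get("_dmarc." + domain, ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        errors.append("no DMARC record")
    else:
        if dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
            errors.append("DMARC policy is not quarantine or reject")
        if dmarc.get("pct", "100") != "100":  # pct defaults to 100 when absent
            errors.append("DMARC pct is below 100")
    bimi = parse_tags(dns.get("default._bimi." + domain, ""))
    if bimi.get("v", "").upper() != "BIMI1":
        errors.append("no BIMI record")
    else:
        logo = bimi.get("l", "").lower()
        if not (logo.startswith("https://") and logo.endswith(".svg")):
            errors.append("l= must be an HTTPS URL to an SVG file")
        if not bimi.get("a"):
            warnings.append("no a= certificate (VMC) URL published")
    return {"errors": errors, "warnings": warnings}
```

To run it against a live domain, replace `SAMPLE_DNS` with the TXT answers returned by your resolver for the same three names.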

Which services support BIMI?

As BIMI is still being rolled out, support is far from universal at this stage. Fortunately, some of the larger services have already implemented BIMI support, including Gmail, Yahoo! Mail, AOL, Fastmail and Apple Mail on iOS 16 and macOS Ventura.

Whether you see evidence of BIMI in your inbox is another matter altogether. Many brands have yet to get on board, although the influence of companies like Google and Apple in accelerating adoption and introducing the technology to consumers should not be underestimated.

Much of the buzz surrounding BIMI has (so far) been aimed at brands, marketers, and IT pros involved in implementing the standard. Google produced an explainer on how BIMI deployment works in Gmail within Google Workspace.

Even though early support is limited to Google Workspace, the release gives a good indication of what BIMI looks like in Gmail in terms of desktop and mobile implementation.

BIMI logo mobile inbox view in Gmail (image: Google)

Google used Bank of America as an example, with a view that shows how brand logos are automatically displayed in inbox and message views. Note that Google allows senders to display images alongside their emails as part of their profile, but this is not the same as BIMI.

Gmail desktop inbox view with BIMI implemented (image: Google)

Even though Apple apparently also launched BIMI with the release of iOS 16, iPadOS 16, and macOS 13 Ventura, we couldn’t see BIMI-verified brand logos in Apple Mail (even from Apple when using an iCloud Mail account).

Yahoo! Mail is also on the BIMI train, having supported the standard since 2018. In November 2022, the company announced that it was making its implementation more robust with “verification checkmarks” next to the sending address and logo to indicate that Yahoo has verified that the email was sent by the brand owner of the displayed logo.

Yahoo! Mail implementation of BIMI in mobile applications (image: Yahoo! Mail)

More ways to stay safe online

There are too many email scams for anyone to track. Whether it's Amazon seeking to “confirm” an order or Netflix threatening to suspend your account, stay on the lookout for anything fishy (especially when it comes to money).

More sophisticated scams may involve phishing or whaling, a form of social engineering.

As email scams become more prevalent, scammers are turning to phone, texting and instant messaging platforms. Be on the lookout for calls from numbers that look strangely like yours, SMS or “smishing” scammers, and so-called close relatives asking you to pay a bill or borrow money.
