Brand Indicators for Message Identification (BIMI) is a new standard in pilot that allows companies to display a logo on authenticated emails. The Gmail pilot is the first actual implementation of BIMI with the use of Verified Mark Certificates (VMCs). This enables Gmail to present logos after checking that Domain-based Message Authentication, Reporting & Conformance (DMARC) security is enabled and verifying the email's authenticity.
It's no secret that email is often used by bad actors as an attack vector and that they are getting more sophisticated in spoofing domains and making valid-looking emails. That's why the main goal of this email standard is to incentivize the adoption of stronger authentication, thereby decreasing email fraud.
Beyond authentication and DMARC, however, it's also important to ensure that the logo being sent alongside the email belongs to the sender. At DigiCert, strong validation is one of the things we do best, and we are excited about participating in the Gmail BIMI pilot. DMARC can provide companies great value, but not enough brands take advantage of its protection. The BIMI working group and DigiCert are collaborating to increase usage of this important security standard while delivering additional value to those increasing security for their users.
BIMI-compliant = DMARC enforcement + VMC
To become fully BIMI-ready with the highest level of validation, organizations will need to adopt DMARC and be vetted to acquire VMCs. DMARC is a key technology in email authentication that gives companies visibility into who is sending emails from their domains and gives them the ability to control which of those services or servers are allowed to do so. A VMC is a digital certificate that cryptographically attests that a trademarked logo and the individual and company requesting a VMC have been validated by DigiCert before an organization's logo will appear next to the "sender" field in Gmail customers' inboxes.
Major brands are participating in this project because they are interested in the importance of email authentication and logo visibility in emails. DigiCert is happy to work alongside these great brands, Gmail and the BIMI Authenticators Working Group to validate trademarked logos and issue VMCs.
Importance of VMCs
VMCs play a major role in providing cryptographic assurance that the trademarked logos have been vetted per BIMI standards and that the individual requesting is who they say they are and from the company they say they represent. This is a high hurdle to pass! VMCs provide the following benefits for organizations:
DigiCert is at the forefront of this work due to our proven ability to verify organizational identities at a large scale for the web. We were the first certificate authority (CA) to demonstrate how logos can be vetted properly and VMCs can be issued according to standards. In 2019, we issued the first VMC to a domain that sends out emails at large scale: cnn.com.
Additionally, we are helping customers become BIMI-ready through a partnership with Valimail. DigiCert is one of only two CAs authorized to participate in BIMI right now, and the only one with the global scale and local support for every region of the world required to enable VMCs for every company that will eventually want to use them.
On the horizon
We are committed to developing a scalable BIMI-VMC solution in the second half of 2020 that will work in DigiCert CertCentral®, for large-scale VMC issuance and management to support the expected huge demand.
We look forward to the rollout and completion of the Google BIMI Pilot, as well as the results and our continued work with industry partners to improve email authentication.
If you're interested in being one of the first to receive a VMC when they are widely available, sign up here. We'll provide periodic updates on the progress of VMC pilots and you'll be among the first to receive these certificates when they become available for general use.
Getting ready! What can you do now?
Getting DMARC enforced: First check if you're enforced. You can use our partner and BIMI group member Valimail's DMARC checker to quickly see your status at valimail.com/digicert. If you're at enforcement, great! You can purchase a VMC when available. If not, getting ready can be simple for some, complex for others. If you're a business that has only one or a few email-sending domains, then getting ready might be as simple as asking your web hosting company or email service provider if you are DMARC enabled or not. For larger organizations that have more complex email infrastructures, a more thorough review and process may be required.
Get your logo ready: Currently, to acquire a VMC you'll need to have your logo registered with your country's intellectual property office (US Patent and Trademark Office, European Union Intellectual Property Office, Japan Trademark Office, etc.). The logo has to be in SVG format, in a square format where the logo is centered and legible, and the file should be publicly accessible.
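For the DMARC step above, the check comes down to reading the TXT record published at _dmarc.<your domain>. The following is an added example, not DigiCert or Valimail code: it parses a record and lists what keeps it from enforcement, assuming "enforcement" means p=quarantine or p=reject applied to all mail with no sp=none override; the sample records are constructed.

```python
# Added example: offline evaluation of DMARC TXT records (RFC 7489 tag=value syntax).
# "Enforcement" here is an assumption: p=quarantine or p=reject, on 100% of mail,
# with no sp=none override for subdomains.

ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of tag -> value (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def enforcement_gaps(txt):
    """Return the reasons a record is not at enforcement; an empty list means enforced."""
    name, _, value = txt.split(";")[0].partition("=")
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tags = parse_dmarc(txt)
    gaps = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        gaps.append(f"p={policy or '(missing)'} does not quarantine or reject failing mail")
    if tags.get("sp", policy).lower() == "none" and policy in ENFORCING:
        gaps.append("sp=none leaves subdomains unenforced")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        gaps.append("pct is not a number between 0 and 100")
    elif pct < 100:
        gaps.append(f"pct={pct} applies the policy to only part of the mail")
    return gaps


# Constructed sample records, as they would appear in TXT at _dmarc.<domain>.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "not-dmarc": "v=spf1 include:_spf.example.com ~all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        gaps = enforcement_gaps(record)
        print(f"{label:14} {'ENFORCED' if not gaps else '; '.join(gaps)}")
```

To check a live domain, feed the function the TXT value returned by a lookup such as `dig +short TXT _dmarc.example.com`.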
Both of these items may seem complex, but we'll be sharing more information on how to prepare and on the status of the pilot. Sign up on our VMC webpage and we'll let you know when we publish more blogs with detailed information on DMARC prep, logo prep and more.