BIMI: ISP Support as of March 2021


It's been a while since I've posted a BIMI status update, so let's get right to it...

BIMI, if you do not remember, is a new standard being adopted by multiple internet service providers (ISPs) that lets senders have their logo displayed alongside their email messages when those messages are viewed on a mobile device or in webmail. Some ISPs and mail clients have had a sender logo display function for a while now (one example is Gravatar), but BIMI attempts to standardize and regulate this process across the email ecosystem.

Here's the current status of BIMI Support at large ISPs, email hosting and webmail providers:

  1. Verizon: Yes, supports BIMI.
  2. Microsoft: No support announced.
  3. Gmail: Support announced, and is believed to be in beta.
  4. Fastmail: Noted as having support (here) but I have no more details at this time.
  5. "Considering" BIMI Support: Comcast and Seznam.cz. (More info here.)

Verizon Media (AOL/Yahoo/Verizon). Has support for BIMI. For a logo to display, the following conditions must be met: a BIMI record exists which points to a valid logo in SVG format, a DMARC policy of quarantine or reject is in place, the mailing is sent to a large number of recipients (bulk mail), and they see sufficient reputation and engagement for the email address. They also have a contact address for questions/issues (click here and search for "BIMI" on the page).

Microsoft Outlook.com (Hotmail). Microsoft has not announced any support for BIMI. A competing system called "brand cards" has possibly been abandoned; multiple folks have told me that they have been unable to get enough information on how to implement a "brand card." There's no opportunity here until something changes.

Gmail. In July 2020, Google announced their intent to support BIMI. My understanding is that they are in a (closed) pilot phase. Google appears to be requiring that senders implement a Verified Mark Certificate (VMC), available from DigiCert or Entrust (and possibly others). It sounds like obtaining this VMC will require that a sender have trademarked their logo, which could be a significant barrier for smaller or hobbyist senders.
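
The record-level conditions described above for Verizon Media and Gmail can be checked from the published TXT records alone. The following is an added example, not code from this post or from any ISP: the function names, the domain and the record values are constructed, the tag syntax follows the DMARC and BIMI specifications (including BIMI's HTTPS requirement for the logo URL), and the `require_vmc` switch models the VMC requirement Google appears to have. Bulk volume, reputation and engagement are judged by the receiver and cannot be checked this way.

```python
# Added example: offline check of the record-level BIMI prerequisites.
# All record values below are constructed sample data for example.com.

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lowercased)."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def check_bimi_readiness(dmarc_txt, bimi_txt, require_vmc=False):
    """Return a list of problems; an empty list means the records look ready."""
    problems = []
    dmarc = parse_tags(dmarc_txt)   # TXT at _dmarc.<domain>
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")

    bimi = parse_tags(bimi_txt)     # TXT at default._bimi.<domain>
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
        return problems
    logo = bimi.get("l", "").lower()
    if not logo.startswith("https://"):
        problems.append("logo URL (l=) missing or not HTTPS")
    elif not logo.split("?")[0].endswith(".svg"):
        problems.append("logo URL does not point to an SVG file")
    if require_vmc and not bimi.get("a"):
        problems.append("no VMC (a=) in BIMI record")
    return problems

# Constructed sample records.
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI_LOGO_ONLY = "v=BIMI1; l=https://example.com/brand/logo.svg"
BIMI_WITH_VMC = BIMI_LOGO_ONLY + "; a=https://example.com/brand/vmc.pem"

if __name__ == "__main__":
    for label, dmarc, bimi, vmc in [
        ("monitor-only DMARC", DMARC_MONITOR, BIMI_LOGO_ONLY, False),
        ("reject, logo only", DMARC_REJECT, BIMI_LOGO_ONLY, False),
        ("reject, VMC required", DMARC_REJECT, BIMI_LOGO_ONLY, True),
        ("reject, VMC published", DMARC_REJECT, BIMI_WITH_VMC, True),
    ]:
        print(label, "->", check_bimi_readiness(dmarc, bimi, vmc) or "ready")
```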

So what should you do now? Here's what I would recommend large marketing senders do:

  1. Make sure all email you send is authenticated with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication. (All mail -- not just bulk or newsletter mail. Your ESP, corporate email platform (or both) should be able to help you do that.)
  2. Implement DMARC, perhaps working with a vendor like Agari, Valimail, ProofPoint or Red Sift. A DMARC-savvy email security vendor can help you properly configure email authentication, configure DMARC failure monitoring, show you how to read DMARC failure reporting, and give you confidence that you're not going to break anything if you implement a restrictive DMARC policy.
  3. Move to a restrictive "p=reject" DMARC policy after your DMARC reporting shows that you properly authenticate all of your mail streams. Don't do this just for the future logo opportunity -- do it because it makes it harder for bad guys to send fake mail pretending to be from your email domain name.
  4. Trademark your logo. (Will this be required in the future? I have no data, but if I were a betting man ... and I am ... I suspect that yes, this will be required in the future.)
  5. Wait and see what develops next in the ongoing saga that is BIMI.

And now you know as much about BIMI as I do (or maybe more). I hope that helps!
