BIMI: ISP Support as of August 2021

It's been a while since I've posted a BIMI status update, and things are changing! Things are standardizing! Things are getting good. So, let's get right to it...

BIMI, if you do not remember, is a new standard being adopted by multiple internet service providers (ISPs) to allow the display of a sender's logo alongside email messages, when displayed on a mobile device or in a webmail client. Some ISPs and mail clients have had a sender logo display function for a while now (one example is Gravatar), but BIMI is an attempt to standardize and regulate this mechanism across the email ecosystem.

Here's the current status of BIMI Support at large ISPs, email hosting and webmail providers:

  1. Gmail: Yes, supports BIMI! Requires VMC. (Find more info here.)
  2. Yahoo (ex-Verizon): Yes, supports BIMI. Does not require VMC. (More info here.)
  3. Fastmail: Yes, supports BIMI! (More info here.)
  4. Considering BIMI Support: Comcast and Seznam.cz. (More info here.)
  5. Microsoft: Has no support for BIMI.

Gmail. In July 2020, Google announced their intent to support BIMI. In July 2021, Google announced that they were rolling out BIMI support over the coming weeks. Per the BIMI spec, Google requires that senders implement a Verified Mark Certificate (VMC), available from DigiCert or Entrust (and possibly others). It sounds like obtaining this VMC will require that a sender have trademarked their logo, which could be a significant barrier for smaller or hobbyist senders.

Yahoo (AOL/Yahoo/Verizon). Has support for BIMI. For a logo to display, the following conditions must be met: a BIMI record exists which points to a valid logo in SVG format, a DMARC policy of quarantine or reject is in place, the mailing is sent to a large number of recipients (bulk mail), and they see sufficient reputation and engagement for the email address. They have a dedicated support page for BIMI and also have a contact address for questions/issues (click here and search for "BIMI" on the page).

Microsoft Outlook.com (Hotmail). Microsoft has not announced any support for BIMI. A competing system called "brand cards" has possibly been abandoned; multiple folks have told me that they have been unable to get enough information on how to implement a "brand card." There's no opportunity here at the present time, unfortunately.

So what should you do now? Here's what I would recommend large marketing senders do:

  1. Make sure all email you send is authenticated with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication. (All mail -- not just bulk or newsletter mail. Your ESP or corporate email platform (or both) should be able to help you do that.)
  2. Implement DMARC, perhaps working with a vendor like dmarcian, Agari, Valimail, Proofpoint or Red Sift. A DMARC-savvy email security vendor can help you properly configure email authentication, configure DMARC failure monitoring, show you how to read DMARC failure reporting, and give you confidence that you're not going to break anything if you implement a restrictive DMARC policy.
  3. Move to a restrictive "p=reject" DMARC policy after your DMARC reporting shows that you properly authenticate all of your mail streams. Don't do this just for the future logo opportunity -- do it because it makes it harder for bad guys to send fake mail pretending to be from your email domain name.
  4. Trademark your logo and obtain a Verified Mark Certificate. You could go directly to DigiCert or Entrust, or look for help from Mailkit via their NOTAMIQ service or Red Sift.
  5. Understand that things are still developing. More ISPs could announce support in the future, and how they, or existing ISPs, will enforce the spec could evolve. Stay knowledgeable and be flexible and able to evolve.
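
The DNS-visible conditions described above (a DMARC policy of quarantine or reject, a BIMI record pointing to an SVG logo, and a VMC for Gmail) can be checked mechanically. The Python below is an added example, not part of the original post; the example.com records are constructed, and the HTTPS check on the logo URL is an assumption taken from the BIMI draft rather than from this page.

```python
# Added example: evaluates constructed DMARC and BIMI TXT records against the
# conditions listed in this post. In DNS these records live at
# _dmarc.<domain> and default._bimi.<domain>; here they are inline strings.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict (tags lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (gmail_ready, yahoo_dns_ready, problems) for the two records."""
    problems = []
    dmarc = parse_tags(dmarc_txt or "")
    bimi = parse_tags(bimi_txt or "")

    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")

    logo = bimi.get("l", "").lower()
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    elif not (logo.startswith("https://") and logo.endswith(".svg")):
        problems.append("BIMI l= tag does not point to an SVG over HTTPS")

    base_ok = not problems          # conditions shared by both providers
    has_vmc = bool(bimi.get("a"))   # a= carries the VMC location
    if base_ok and not has_vmc:
        problems.append("no VMC in a= tag (Gmail requires one)")
    # Yahoo also weighs bulk volume, reputation and engagement; DNS cannot show those.
    return base_ok and has_vmc, base_ok, problems

# Constructed sample records for the placeholder domain example.com
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI_WITH_VMC = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/logo.svg"

if __name__ == "__main__":
    for d, b in [(DMARC_REJECT, BIMI_WITH_VMC), (DMARC_REJECT, BIMI_NO_VMC),
                 (DMARC_NONE, BIMI_WITH_VMC)]:
        print(bimi_readiness(d, b))
```
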
And now you know as much (or maybe more) about BIMI than I do. Good luck and get to it!
