Vernhout: Upping your Email Game with BIMI!


Every year for just a couple of days, I listen to some of the best minds in email share their experiences, guidance, and grievances about the email industry at the Email Innovations Summit in Las Vegas. Topics range from selecting your next email service provider (ESP) and RFP best practices to privacy, design, and deliverability. This event is also a great place for people to meet with industry veterans, email alumni, and newbies in the field. Now that I’ve adequately set the stage…

This year I was honoured to be invited again to talk about upcoming and emerging innovations in email deliverability and how to take advantage of emerging tech coming to an inbox near you. What was really nice to see, having had the pleasure of being one of the first sessions, was that several others talked about at least one or two of the items I touched on after my presentation.

Before I get into those two technologies, let’s take a quick trip down memory lane.

In the early 2000s, we were still a trusting group of emailers, so SMTP was happily functioning on the trust of being an open technology used between academics, researchers, and governments. Consumers were likely just getting into the swing of having a personalized email address of their own and businesses were starting to get the hang of sending promotions via email. Then we saw the rise of spam, phishing, fraud, and malware, and the industry needed a way to separate the fake email from the real. 

Our first attempt was SPF and it worked for a bit. A few years later, we tried to solve more email issues and DomainKeys Identified Mail (DKIM) emerged as a way to validate portions of an email’s authenticity. All was good for a time, but it wasn’t good enough. Mailbox providers (MBPs) pushed for opportunistic TLS to enhance the security of data being sent between networks, and then another layer was added to the authentication stack, Domain-based Message Authentication, Reporting and Conformance (DMARC), to help brands and MBPs combat the ongoing rise of spoofing and fake emails. But adoption was slow from the start, and growth hasn’t been as rapid as many would like... 

Thus, Brand Indicators for Message Identification (BIMI) was created to follow in the footsteps of these already existing technologies. Think of this landscape as an authentication lasagna, with layers of pasta, sauce, and cheese, except way less tasty because it’s SPF, DKIM, TLS, DMARC, and BIMI. 

It is important to note that none of these technologies says an email authenticated with any or all of them is legitimate or not spam. Instead, they help the receiving provider better understand who is sending the email and whether the sender is approved to send it from their network. These solutions give domain owners a way to provide proof of ownership or sending approval.

Now that the history lesson is over, let’s dive into two of the emerging technologies I covered at EIS LV, because in all honesty, writing about all of them would be way too much text to read.

I’ve already touched on DMARC and BIMI during my history lesson, and while one is a couple of years old now, I still classify them both as emerging.

With the reliance on DMARC to make BIMI work and the limited number of MBPs where you will actually see it in use, marketing teams’ interest in configuring BIMI is rather low. Currently, there are only three MBPs using BIMI and only one has implemented a mostly automated setup for brand owners. 

To use BIMI to see your logo in the mail client like in the example below, you’ll need to complete a few things before actually seeing any of the benefits. Yes, you need to work for it.  

The TL;DR version: BIMI is for well-authenticated domains (SPF, DKIM), with a good reputation, DMARC enforcement (quarantine or reject), and significant volume. Marketers will be able to self-select a logo to display alongside their Friendly From in the mail client (currently supported by Verizon Media’s Yahoo Mail).

Phase 1: The Hard Part

You’ll need to be sure your SPF and DKIM records are properly configured for all the mail you’re sending on behalf of your brand. Using DMARC in a reporting-only mode (p=none) will make this task much easier, as you’ll be able to see all of the properly authenticated email sources, those that are possibly legitimate but are poorly authenticated, and those that are clearly not legitimate but are utilizing your brand and domains. 

Pushing your vendors to support domain alignment will also be important, meaning the From, Return-Path, and DKIM domain are all the same. This will likely take the most work to complete, but it’s also the most important part to get right. 
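To make the alignment check concrete, here is an added example (not from the original article) that compares the From, Return-Path, and DKIM d= domains of a message using exact matching, as described above. The sample message and all domains are constructed, and the script only compares domain names; it does not verify that SPF or DKIM actually passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the brand signs with its own domain, but the
# vendor's bounce domain is still in Return-Path.
SAMPLE = """\
Return-Path: <bounce@mail.vendor.example>
DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Brand News <news@brand.example>
Subject: Spring sale

Hello
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or None if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def dkim_domains(msg):
    """The d= tag of every DKIM-Signature header on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if match:
            found.append(match.group(1).lower())
    return found

def alignment_report(raw_message):
    """Exact-match comparison of the three domains the article names."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    spf_ok = from_domain is not None and domain_of(msg["Return-Path"]) == from_domain
    dkim_ok = from_domain in dkim_domains(msg)
    return {"from": from_domain, "return_path_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "all_same": spf_ok and dkim_ok}

if __name__ == "__main__":
    print(alignment_report(SAMPLE))
```

Running this over a sample of each vendor's mail shows which streams still carry the vendor's own bounce domain and need a custom Return-Path before you tighten the DMARC policy.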

Phase 2: The Easy Part

Once you feel comfortable your authentication is up to par, you can increase the policy to a stricter enforcement setting (p=quarantine, and later p=reject, if necessary). NOTE: Doing this too quickly or poorly CAN impact your deliverability. At that stage, though, BIMI participation is now possible.

Next, be sure you decide on a logo that will look good in a small circle. The logo should be something easily recognizable to your consumers. Wide or tall logos will become indistinguishable at a small size, so think carefully about your options. 

The BIMI record consists of three parts: the authentication record type and version (BIMI1), the vector graphic logo (SVG) file and its secure hosting location (https), and the trust authority tag (currently optional) that will provide validation of the logo and brand relationship. All together, these will look something like this: in TXT “v=BIMI1; l=; a=;”

But simply publishing a BIMI record isn’t enough. You need to send enough volume to build a strong and positive reputation at an ISP, requiring more than just your usual 1:1 messaging from your corporate mail servers. In fact, BIMI is not designed for personal mail, so don’t be surprised if you don’t see it when you send yourself a test from your work email to your account. Also, BIMI will take a little time to show up in your email; it’s not instant. Wait 48 hours before you sound the alarm that something is not working. If after 48 hours you’re still not seeing the logo, confirm your authentication records are properly set up for the mail you’re sending, that you’ve published your DMARC records at an enforcement level, and that your BIMI logo file is publicly accessible.
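The record checks from the troubleshooting list above can be scripted. This added example (not from the original article) parses a DMARC record and a BIMI record in the tag=value form shown earlier and reports what would keep the logo from showing. The record strings and domains are constructed samples; the script does not look anything up in DNS or fetch the logo, so public accessibility of the file still has to be confirmed separately.

```python
from urllib.parse import urlparse

# Constructed sample records, as a TXT lookup would return them.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@brand.example"
DMARC_ENFORCED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@brand.example"
BIMI_OK = "v=BIMI1; l=https://brand.example/logo.svg; a=;"
BIMI_HTTP = "v=BIMI1; l=http://brand.example/logo.png; a=;"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means the records look ready."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing or wrong version")
    policy = dmarc.get("p", "absent").lower()
    if policy not in ("quarantine", "reject"):
        problems.append("DMARC policy is not at enforcement (p=%s)" % policy)

    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record must declare v=BIMI1")
    logo = urlparse(bimi.get("l", ""))
    if logo.scheme != "https" or not logo.netloc:
        problems.append("l= must be an https URL")
    elif not logo.path.lower().endswith(".svg"):
        problems.append("l= should point to an SVG file")
    # a= (trust authority) is optional per the article, so it is not checked.
    return problems

if __name__ == "__main__":
    for dmarc, bimi in [(DMARC_MONITOR, BIMI_OK), (DMARC_ENFORCED, BIMI_HTTP),
                        (DMARC_ENFORCED, BIMI_OK)]:
        print(bimi_readiness(dmarc, bimi) or "ready")
```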