How does Brand Indicators for Message Identification (BIMI) work?
Hi all,
Recently i was stumbled over a new expression called "BIMI"
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that
enables the use of brand-controlled logos within supporting email clients. BIM' leverages the work an organization
has put into deploying DMARC protection, by bringing brand logos to the customers inbox. For the brands logo to
be displayed. the email must pass DMARC authentication checks. ensuring that the organization's domain has not
been impersonated.
source: https://bimigroup.org/
The promise of BIMI is, that the Inbox shows your brand logo.
It's still an IETF Draft and started back in 2019 and had a new Version published in Oktober 2021
How does it work and what are the requirements. Here's the Overview and below i will go more into details
- The Domain is protected with SPF/DKIM/DMARC
- DMARC must be enforced: quarantine or reject for domain (p=) and subdomain (sp0)
- SVG File should be a square, but also fit nicely in a circle (see screenshot above)
- SVG File must meet Tiny 1.2 Specification
- SVG File must be less than 32kb
- SVG File must be published in the Internet
- BIMI DNS Record (TXT Record) must be published
- If your logo is protected by trademark, you can buy Verified Mark Certificates (VMC)
- VMC is a Certificate that will be published in the BIMI DNS Record
SPF / DKIM / DMARC
Sender Policy Framework (SPF)
Resolve-DnsName -name icewolf.ch -Type TXT -Server 8.8.8.8
icewolf.ch TXT v=spf1 ip4:95.143.60.16/29 include:spf.protection.outlook.com -all
DomainKeys Identified Mail (DKIM)
For Exchange Online / M365 the DNS Records looks like this
Resolve-DnsName -name selector1._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
Resolve-DnsName -name selector1._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
selector1._domainkey.icewolf.ch CNAME selector1-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
selector2._domainkey.icewolf.ch CNAME selector2-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
To check the DKIM Config in Exchange Online
Get-DkimSigningConfig
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Important is here that domain and subdomain (p= / sp=) must be enforced. Means the value must be quarantine or reject.
Resolve-DnsName -name _dmarc.icewolf.ch -Type TXT -Server 8.8.8.8
_dmarc.icewolf.ch TXT v=DMARC1; p=reject; sp=reject rua=mailto:skmtvc6p@ag.eu.dmarcadvisor.com, mailto:dmarc_agg@vali.email; ruf=mailto:skmtvc6p@fr.eu.dmarcadvisor.com;
SVG File
I had to create a Scalable Vector Graphics (SVG) File. I use paint.net and it does not support *.svg files per default.
So i've created a *.jpg file with 64x64 Pixel
Then i used an Online Converter
JPG-zu-SVG-Konverter
The downloaded SVG File now must be converted to the SVG Tiny 1.2 Standard. I used the Tool below
SVG P/S Converter - Windows 10 GUI
https://github.com/authindicators/svg-ps-converters/tree/master/gui-win10
The *.svg file can be viewed in the Browser
BIMI DNS Record
A BIMI record has three attributes:
v=bimi1 – the record declaration indicating that this is a BIMI record
l=URL – the hosting location of the SVG image.
a=URL – the hosting location of the VMC/Assertion record
Each attribute is separated by a semicolon (;) and the final record will look similar to this:
default._bimi.example.com in txt
"v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;"
Resolve-DnsName -name default._bimi.icewolf.ch -Type TXT -Server 8.8.8.8
My DNS Record looks like this. As you can see there is no VMC Certificate.
default._bimi.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg; a=;
MX Toolbox supports also a BIMI Query
Testing
My setup looks like this. I send via Relay Connector on my Exchange 2016 to Exchange Online. There the Mail will be signed with DKIM. All Records SPF, DKIM, DMARC,BIMI will be valid from here.
I've disabled the Internet Connector and addet the * AddressSpace to the "Outbound to Office 365" Send Connector.
In some Articles i've found they talk about a BIMI Mailheader. In my Tests with Fastmail i didn't have to use that
BIMI-Selector: v=BIMI; s=default;
So, now sending the Mail with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <postmaster@icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
BIMI-Selector: v=BIMI; s=default;
From: Postmaster <postmaster@icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
ehlo mail.icewolf.ch
mail from: <postmaster@icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
BIMI-Selector: v=BIMI; s=default;
From: Postmaster <postmaster@icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
In the Inbox, the Logo is not visible
but when open the Mail, the logo appears
ARC-Authentication-Results: i=2; mx6.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com; bimi=pass header.d=icewolf.ch header.selector=default; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.20.99; x-arc-spf=pass (sender ip is 95.143.60.18) smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch x-arc-instance=1 x-arc-domain=microsoft.com (Trusted from aar.1.microsoft.com); dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p header.from=icewolf.ch; iprev=pass smtp.remote-ip=40.107.20.99 (mail-db8eur05on2099.outbound.protection.outlook.com); spf=pass smtp.mailfrom=postmaster@icewolf.ch smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com X-ME-Authentication-Results: mx6.messagingengine.com; x-aligned-from=pass (Address match); x-return-mx=pass header.domain=icewolf.ch policy.is_org=yes (MX Records found: icewolf-ch.mail.protection.outlook.com); x-return-mx=pass smtp.domain=icewolf.ch policy.is_org=yes (MX Records found: icewolf-ch.mail.protection.outlook.com); x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256; x-vs=clean score=50 state=0 Authentication-Results: mx6.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com Authentication-Results: mx6.messagingengine.com; bimi=pass header.d=icewolf.ch header.selector=default Authentication-Results: mx6.messagingengine.com; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.20.99; x-arc-spf=pass (sender ip is 95.143.60.18) smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch x-arc-instance=1 x-arc-domain=microsoft.com (Trusted from aar.1.microsoft.com) Authentication-Results: mx6.messagingengine.com; dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p header.from=icewolf.ch; iprev=pass smtp.remote-ip=40.107.20.99 (mail-db8eur05on2099.outbound.protection.outlook.com); spf=pass smtp.mailfrom=postmaster@icewolf.ch smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com BIMI-Indicator: 77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Im 5vIj8+DQo8c3ZnIHZlcnNpb249IjEuMiIgd2lkdGg9IjY0LjAwMDAwMHB0IiBoZWlnaHQ9 IjY0LjAwMDAwMHB0IiB2aWV3Qm94PSIwIDAgNjQuMDAwMDAwIDY0LjAwMDAwMCIgcHJlc2 VydmVBc3BlY3RSYXRpbz0ieE1pZFlNaWQgbWVldCIgYmFzZVByb2ZpbGU9InRpbnktcHMi IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+DQogIDx0aXRsZT5JY2V3b2 xmPC90aXRsZT4NCiAgPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsNjQuMDAw MDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSIjMDAwMDAwIiBzdHJva2 U9Im5vbmUiPg0KICAgIDxwYXRoIGQ9Ik0zNDMgNjI4IGMtMTAgLTQgLTM5IC03IC02NSAt NyAtMjcgLTEgLTQ4IC0zIC00OCAtNiAwIC00IDcgLTIwIDE2IC0zNiAxMSAtMjEgMTkgLT I4IDI3IC0yMSA3IDUgMjEgNiAzMiAyIDE5IC03IDE5IC04IDIgLTE1IC0xMCAtNCAtMzEg LTUgLTQ4IC0xIC0yMiA0IC0yOSAyIC0yNyAtNyAzIC02IDE1IC0xNCAyOSAtMTYgMTMgLT EgMjcgLTcgMzAgLTEyIDMgLTYgMTYgLTYgMzIgMCAyNyAxMSA1NyA2IDU3IC05IDAgLTgg LTczIC03MCAtODMgLTcwIC0yIDAgLTEwIDE0IC0xNyAzMCAtMTYgMzkgLTEyMCAxMzUgLT E1NiAxNDQgLTM2IDkgLTUzIC0xNSAtMjEgLTI5IDcyIC0zMiAxMDEgLTcxIDEyMyAtMTYz IDEyIC01MiAxMiAtNTMgLTkgLTQ2IC0xMiA0IC00NyA3IC03NyA3IC04NiAwIC0xODMgLT YwIC0xMjIgLTc1IDEwIC0zIDI5IDMgNDEgMTMgMTUgMTIgMzkgMTkgNjYgMTkgNDQgMCAx MTkgLTI1IDExMSAtMzggLTIgLTQgNCAtNDggMTMgLTk5IDE1IC03NiAxNSAtOTMgNCAtOT cgLTcgLTMgLTEzIC0yIC0xMyAyIDAgNCAtOSA4IC0yMCA5IC0xMSAxIC0yMCAtMyAtMjAg LTggMCAtNiAtOSAtNyAtMjAgLTQgLTI0IDggLTI4IC0yMCAtNCAtMjkgOCAtMyAxMiAtMT AgOSAtMTYgLTQgLTYgMSAtNyAxMSAtMyAxMyA1IDE1IDMgOSAtOCAtNyAtMTIgLTYgLTEy IDcgLTEgMTMgMTAgMTcgMTAgMjEgMCA0IC0xMCAxMCAtOCAyMSA2IDEyIDE1IDE2IDE2ID E2IDUgMSAtOCA4IC0yIDE2IDE0IDEyIDIzIDIxIDI3IDU3IDI3IDU0IDAgODYgLTIxIDgz IC01NSAtMiAtMTMgMSAtMjIgNSAtMTkgNSAzIDkgMSA5IC00IDAgLTUgMTAgLTggMjMgLT cgMjggMyAyNiAzNyAtNCA3OSAtMjEgMjggLTIxIDI5IC0zIDY5IDI3IDU5IDcwIDEwNCAx MjUgMTMzIDMxIDE1IDQ4IDMwIDQ3IDQxIDAgMTAgMyA0NCA2IDc2IGw3IDU3IC0zOCAtMj UgYy03NCAtNDggLTg1IC01OCAtMTAwIC04OSAtOCAtMTcgLTIzIC00NyAtMzQgLTY2IC0x MCAtMTkgLTE5IC00NiAtMTkgLTU5IDAgLTIyIC0zNSAtOTEgLTQ3IC05MSAtMTAgMCA3ID g2IDI4IDE0MCAxMSAyOSAxOSA2NSAxOCA3OSAtMiAxNCA3IDQ1IDE5IDY3IDMwIDU4IDQ2 IDEyOCAzNCAxNDkgLTcgMTMgLTQgMjMgOSAzNiAxMSAxMSAxOSAyMyAxOSAyNyAwIDEwIC 0xNjIgMTAgLTE4NyAweiBtMjYgLTkyIGMtMiAtMiAtMjAgLTYgLTM5IC0xMCAtMjUgLTQg LTMxIC0zIC0yMCA0IDE0IDkgNjkgMTUgNTkgNnoiIC8+DQogIDwvZz4NCjwvc3ZnPg== BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg
Didn't work with google or yahoo without VMC verified BIMI Image
Verified Mark Certificates (VMC)
Before we can issue a VMC, your logo must be registered with the appropriate trademark office for your region. It can be a lengthy process, so we recommend getting started as soon as possible. Learn more about trademarking your logo.
You can buy Verified Mark Certificates (VMC) from Entrust or Digicert
Trademark
In Switzerland you can protect a Brand at "Eidgenössisches Institut für Geistiges Eigentum (IGE)"
You can check the Database in Switzerland or EU with the following Links
Markendatenbank IGE (CH)
https://database.ipi.ch/database-client/search/query/trademarks
Madrid Monitor (EU)
BIMI Radar
If you are interested in the adoption rate of DMARC and BIMI, check out the BIMI Radar
BIMI Radar
BIMI Subdomains
I've also tested with a subdomain. Please note i have used here another svg (blue color)
Resolve-DnsName -name default._bimi.subdomain.icewolf.ch -Type TXT -Server 8.8.8.8
default._bimi.subdomain.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg; a=;
Send again a Mail with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <demo@subdomain.icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
From: Demo <demo@subdomain.icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
ehlo mail.icewolf.ch
mail from: <demo@subdomain.icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
From: Demo <demo@subdomain.icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
As you can see, the Mail now uses the blue svg file
ARC-Authentication-Results: i=2; mx2.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com; bimi=pass header.d=subdomain.icewolf.ch header.selector=default; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.22.135; dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp header.from=subdomain.icewolf.ch; iprev=pass smtp.remote-ip=40.107.22.135 (mail-am6eur05on2135.outbound.protection.outlook.com); spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com X-ME-Authentication-Results: mx2.messagingengine.com; x-aligned-from=pass (Address match); x-return-mx=pass header.domain=subdomain.icewolf.ch policy.org_domain=icewolf.ch policy.is_org=no (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com); x-return-mx=pass smtp.domain=subdomain.icewolf.ch policy.org_domain=icewolf.ch policy.is_org=no (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com); x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256; x-vs=clean score=0 state=0 Authentication-Results: mx2.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com Authentication-Results: mx2.messagingengine.com; bimi=pass header.d=subdomain.icewolf.ch header.selector=default Authentication-Results: mx2.messagingengine.com; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.22.135 Authentication-Results: mx2.messagingengine.com; dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp header.from=subdomain.icewolf.ch; iprev=pass smtp.remote-ip=40.107.22.135 (mail-am6eur05on2135.outbound.protection.outlook.com); spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com BIMI-Indicator: 77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Im 5vIj8+DQo8c3ZnIHZlcnNpb249IjEuMiIgd2lkdGg9Ijg1LjAwMDAwMHB0IiBoZWlnaHQ9 Ijg1LjAwMDAwMHB0IiB2aWV3Qm94PSIwIDAgODUuMDAwMDAwIDg1LjAwMDAwMCIgcHJlc2 VydmVBc3BlY3RSYXRpbz0ieE1pZFlNaWQgbWVldCIgYmFzZVByb2ZpbGU9InRpbnktcHMi IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+DQogIDx0aXRsZT5pY2V3b2 xmPC90aXRsZT4NCiAgPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsODUuMDAw MDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSIjMDAwMGZmIiBzdHJva2 U9Im5vbmUiPg0KICAgIDxwYXRoIGQ9Ik00NTUgODMwIGMtMTYgLTQgLTUzIC04IC04MiAt OSAtMjggMCAtNTUgLTYgLTU4IC0xMSAtNCAtNiAyIC0yNSAxMiAtNDMgMTUgLTI1IDI2IC 0zMiA1MSAtMzIgMTcgLTEgMzQgLTQgMzggLTggNCAtNCAtMTggLTcgLTQ5IC03IC02MSAw IC03NSAtMTQgLTI5IC0zMCAxNSAtNiAzNSAtMTQgNDQgLTIwIDkgLTUgMzkgLTcgNjcgLT MgNjQgNyA2OCAtMTAgMTQgLTUzIC01OSAtNDcgLTU5IC00NyAtODcgLTEgLTI4IDQ5IC0x MzEgMTQ5IC0xNzcgMTczIC0zNiAxOCAtNzMgMTUgLTc3IC03IC0yIC0xMCA5IC0yMSAzMC AtMzAgNjAgLTI1IDExNCAtOTAgMTM3IC0xNjQgMzMgLTEwNSAzNCAtMTAyIC01NiAtOTcg LTg3IDUgLTE0NCAtNyAtMTk0IC00MSAtNzIgLTQ4IC0xNyAtNjkgODQgLTMyIDQyIDE1ID U2IDE2IDEwMSA2IDY4IC0xNSA5NiAtMzUgOTYgLTY5IDAgLTE1IDcgLTY2IDE2IC0xMTUg MTkgLTEwNCAxNiAtMTIyIC0yMSAtMTA1IC0xOSA5IC0yOCA5IC0zNyAwIC03IC03IC0yMi AtMTIgLTM1IC0xMiAtMzAgMCAtMjkgLTE5IDMgLTUzIDE3IC0xOSAzMyAtMjcgNDUgLTI0 IDExIDMgMjIgMSAyNSAtNSA0IC01IDEzIC0zIDIzIDYgMTAgOSAyMCAxNCAyMyAxMSAyIC 0zIDE3IDggMzEgMjUgMjIgMjQgMzUgMzAgNjggMzAgNjggMCAxMDkgLTMwIDEwOSAtODEg MCAtMjAgMzkgLTM1IDY1IC0yNSAyMiA4IDE5IDM2IC0xMCA5MCAtMTQgMjYgLTI1IDU1IC 0yNSA2NSAwIDkgMTkgNDYgNDMgODIgMzIgNDggNjIgNzcgMTE3IDExNSA4MyA1NiA4NyA2 MyA4OSAxNzcgbDEgNjggLTMxIC0xOCBjLTg3IC01MiAtMTI1IC04OSAtMTY2IC0xNjggLT IzIC00NCAtNDUgLTk2IC00OSAtMTE1IC00IC0xOSAtMTggLTU3IC0zMiAtODUgLTM4IC03 NCAtMzkgLTM0IC0zIDkzIDE3IDU5IDMzIDEyNyAzNyAxNTIgNCAyNSAyMSA3NyAzNyAxMT UgMjIgNTEgMzEgODggMzMgMTM4IDEgNDggNyA3NCAxOSA4NyA5IDEwIDE0IDI0IDEwIDI5 IC03IDEzIC0yMDMgMTMgLTI1MCAxeiIgLz4NCiAgPC9nPg0KPC9zdmc+ BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg
Summary
Make sure, your domain are DMARC Protected (quarantine or reject)
If your logo/br is not yet registered as a trademark, that's the next thin you will have to do.
Registering a trademark and optaining a VMC Certificate will take some time and also costs a lot of money.
So make sure, your prepared for that.
Now you know, what it takes to implement BIMI and now you have to make your own opinion if the time and money is worth the effort.
Regards
Andres bohren
