Hi all,
Recently I stumbled over a new expression called "BIMI".
What is BIMI?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that
enables the use of brand-controlled logos within supporting email clients. BIMI leverages the work an organization
has put into deploying DMARC protection, by bringing brand logos to the customer's inbox. For the brand's logo to
be displayed, the email must pass DMARC authentication checks, ensuring that the organization's domain has not
been impersonated.
The promise of BIMI is that the inbox shows your brand logo.
It is still an IETF draft. It started back in 2019 and had a new version published in October 2021.
How does it work and what are the requirements? Here's the overview; below I will go into more detail.
- The Domain is protected with SPF/DKIM/DMARC
- DMARC must be enforced: quarantine or reject for domain (p=) and subdomain (sp=)
- SVG File should be a square, but also fit nicely in a circle (see screenshot above)
- SVG File must meet Tiny 1.2 Specification
- SVG File must be less than 32kb
- SVG File must be published on the Internet
- BIMI DNS Record (TXT Record) must be published
- If your logo is protected by trademark, you can buy Verified Mark Certificates (VMC)
- VMC is a Certificate that will be published in the BIMI DNS Record
SPF / DKIM / DMARC
Sender Policy Framework (SPF)
Resolve-DnsName -name icewolf.ch -Type TXT -Server 8.8.8.8
icewolf.ch TXT v=spf1 ip4:95.143.60.16/29 include:spf.protection.outlook.com -all
DomainKeys Identified Mail (DKIM)
For Exchange Online / M365 the DNS Records look like this
Resolve-DnsName -name selector1._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
Resolve-DnsName -name selector2._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
selector1._domainkey.icewolf.ch CNAME selector1-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
selector2._domainkey.icewolf.ch CNAME selector2-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
To check the DKIM Config in Exchange Online
Get-DkimSigningConfig
Domain-based Message Authentication, Reporting and Conformance (DMARC)
It is important here that the policies for domain and subdomain (p= / sp=) are enforced, meaning the value must be quarantine or reject.
Resolve-DnsName -name _dmarc.icewolf.ch -Type TXT -Server 8.8.8.8
_dmarc.icewolf.ch TXT v=DMARC1; p=reject; sp=reject rua=mailto:skmtvc6p@ag.eu.dmarcadvisor.com, mailto:dmarc_agg@vali.email; ruf=mailto:skmtvc6p@fr.eu.dmarcadvisor.com;
SVG File
I had to create a Scalable Vector Graphics (SVG) File. I use paint.net and it does not support *.svg files by default.
So I created a *.jpg file with 64x64 pixels.
Then I used an online converter.
The downloaded SVG File now must be converted to the SVG Tiny 1.2 Standard. I used the Tool below
The *.svg file can be viewed in the Browser
BIMI DNS Record
A BIMI record has three attributes:
v=bimi1 – the record declaration indicating that this is a BIMI record
l=URL – the hosting location of the SVG image.
a=URL – the hosting location of the VMC/Assertion record
Each attribute is separated by a semicolon (;) and the final record will look similar to this:
default._bimi.example.com in txt
"v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;"
Resolve-DnsName -name default._bimi.icewolf.ch -Type TXT -Server 8.8.8.8
My DNS Record looks like this. As you can see there is no VMC Certificate.
default._bimi.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg; a=;
MX Toolbox also supports a BIMI query
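The DMARC and BIMI record requirements described above can be checked on the record strings themselves. The following PowerShell is an added example, not part of the original post; the function names and the example.com records are made up for illustration.

```powershell
# Added example, not from the original post. Function names and records are constructed.
function ConvertFrom-TagList {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}   # @{} compares keys case-insensitively
    foreach ($part in ($Record -split ';')) {
        $name, $value = $part -split '=', 2   # split on the first '=' only (URLs may contain '=')
        if ($null -ne $value -and $name.Trim()) { $tags[$name.Trim()] = $value.Trim() }
    }
    $tags
}

function Test-BimiReadiness {
    param(
        [Parameter(Mandatory)][string]$DmarcRecord,
        [Parameter(Mandatory)][string]$BimiRecord
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $enforced = 'quarantine', 'reject'

    $dmarc = ConvertFrom-TagList $DmarcRecord
    if ($dmarc['v'] -ne 'DMARC1') { $findings.Add('DMARC: v=DMARC1 tag missing') }
    if ($dmarc['p'] -notin $enforced) { $findings.Add("DMARC: p=$($dmarc['p']) is not enforced") }
    # An absent sp= inherits p= (RFC 7489); a present sp= must itself be enforced.
    if ($dmarc.ContainsKey('sp') -and $dmarc['sp'] -notin $enforced) {
        $findings.Add("DMARC: sp=$($dmarc['sp']) is not enforced")
    }

    $bimi = ConvertFrom-TagList $BimiRecord
    if ($bimi['v'] -ne 'BIMI1') { $findings.Add('BIMI: v=BIMI1 tag missing') }
    if ($bimi['l'] -notmatch '^https://\S+$') { $findings.Add('BIMI: l= is not an https URL') }

    [pscustomobject]@{
        Ready    = $findings.Count -eq 0
        HasVmc   = [bool]$bimi['a']      # empty a= means no Verified Mark Certificate
        Findings = $findings.ToArray()
    }
}

# Constructed sample records for example.com. With live DNS, pass in
# (Resolve-DnsName -Name _dmarc.example.com -Type TXT).Strings -join '' instead.
$bimiTxt = 'v=BIMI1; l=https://www.example.com/images/logo_tiny.svg; a=;'
Test-BimiReadiness -DmarcRecord 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com' -BimiRecord $bimiTxt
Test-BimiReadiness -DmarcRecord 'v=DMARC1; p=reject; sp=none' -BimiRecord $bimiTxt
```

The second call reports the domain as not ready because sp=none leaves subdomains unenforced even though p=reject is set.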
Testing
My setup looks like this. I send via Relay Connector on my Exchange 2016 to Exchange Online. There the Mail will be signed with DKIM. All Records (SPF, DKIM, DMARC, BIMI) will be valid from here.
I've disabled the Internet Connector and added the * AddressSpace to the "Outbound to Office 365" Send Connector.
In some articles I've found, they talk about a BIMI mail header. In my tests with Fastmail I didn't have to use that.
BIMI-Selector: v=BIMI; s=default;
So, now sending the Mail with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <postmaster@icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
BIMI-Selector: v=BIMI; s=default;
From: Postmaster <postmaster@icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
In the Inbox, the logo is not visible,
but when opening the Mail, the logo appears.

ARC-Authentication-Results: i=2; mx6.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com;
    bimi=pass header.d=icewolf.ch header.selector=default;
    arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.20.99;
    x-arc-spf=pass (sender ip is 95.143.60.18) smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch x-arc-instance=1 x-arc-domain=microsoft.com (Trusted from aar.1.microsoft.com);
    dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256 header.s=selector1 x-bits=2048;
    dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p header.from=icewolf.ch;
    iprev=pass smtp.remote-ip=40.107.20.99 (mail-db8eur05on2099.outbound.protection.outlook.com);
    spf=pass smtp.mailfrom=postmaster@icewolf.ch smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com
X-ME-Authentication-Results: mx6.messagingengine.com;
    x-aligned-from=pass (Address match);
    x-return-mx=pass header.domain=icewolf.ch policy.is_org=yes (MX Records found: icewolf-ch.mail.protection.outlook.com);
    x-return-mx=pass smtp.domain=icewolf.ch policy.is_org=yes (MX Records found: icewolf-ch.mail.protection.outlook.com);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256;
    x-vs=clean score=50 state=0
Authentication-Results: mx6.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com
Authentication-Results: mx6.messagingengine.com;
    bimi=pass header.d=icewolf.ch header.selector=default
Authentication-Results: mx6.messagingengine.com;
    arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.20.99;
    x-arc-spf=pass (sender ip is 95.143.60.18) smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch x-arc-instance=1 x-arc-domain=microsoft.com (Trusted from aar.1.microsoft.com)
Authentication-Results: mx6.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256 header.s=selector1 x-bits=2048;
    dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p header.from=icewolf.ch;
    iprev=pass smtp.remote-ip=40.107.20.99 (mail-db8eur05on2099.outbound.protection.outlook.com);
    spf=pass smtp.mailfrom=postmaster@icewolf.ch smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com
BIMI-Indicator: (base64-encoded SVG logo omitted)
BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg
It didn't work with Google or Yahoo without a VMC-verified BIMI image.
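The bimi= and dmarc= results in the headers above can be pulled out programmatically when testing many mailboxes. The following PowerShell is an added example, not part of the original post; the function names, the mx.example.net receiver and the sample headers are made up, and only Authentication-Results headers whose authserv-id matches your own receiver are accepted.

```powershell
# Added example, not from the original post. Function names and sample headers are constructed.
function Get-AuthResult {
    param([Parameter(Mandatory)][string[]]$Header, [Parameter(Mandatory)][string]$TrustedAuthServId)
    $results = @{}
    foreach ($h in $Header) {
        # Unfold continuation lines, then drop the header name and parenthesised comments.
        $body = $h -replace '\r?\n[ \t]+', ' ' -replace '^Authentication-Results:\s*', '' -replace '\([^)]*\)', ''
        $entries = @($body -split ';')
        # RFC 8601: the first entry is the authserv-id of the server that wrote the header.
        # Results stamped by any other server are not trusted and are skipped.
        if ($entries[0].Trim() -ne $TrustedAuthServId) { continue }
        foreach ($entry in ($entries | Select-Object -Skip 1)) {
            if ($entry -match '^\s*(?<method>[a-z][a-z0-9-]*)=(?<result>[a-z]+)(?<rest>.*)$') {
                $item = [pscustomobject]@{ Result = $Matches['result']; Props = @{} }
                foreach ($m in [regex]::Matches($Matches['rest'], '(?<k>[\w.-]+)=(?<v>\S+)')) {
                    $item.Props[$m.Groups['k'].Value] = $m.Groups['v'].Value
                }
                $results[$Matches['method']] = $item
            }
        }
    }
    $results
}

function Test-BimiDelivery {
    param([hashtable]$Auth)
    $dmarc = $Auth['dmarc']; $bimi = $Auth['bimi']; $policy = $null
    if ($dmarc) {
        # policy.* properties as emitted in the headers shown above; other receivers may omit them.
        $key = 'policy.published-domain-policy'
        if ($dmarc.Props['policy.policy-from'] -eq 'sp') { $key = 'policy.published-subdomain-policy' }
        $policy = $dmarc.Props[$key]
    }
    [pscustomobject]@{
        DmarcPass      = [bool]($dmarc -and $dmarc.Result -eq 'pass')
        PolicyEnforced = $policy -in 'quarantine', 'reject'
        BimiPass       = [bool]($bimi -and $bimi.Result -eq 'pass')
        BimiDomain     = if ($bimi) { $bimi.Props['header.d'] }
    }
}

# Constructed sample headers; the third one carries a different authserv-id and is ignored.
$headers = @(
    'Authentication-Results: mx.example.net; bimi=pass header.d=sub.example.com header.selector=default'
    'Authentication-Results: mx.example.net; dkim=pass (2048-bit rsa key) header.d=sub.example.com; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=quarantine (p=reject,sp=quarantine) policy.policy-from=sp header.from=sub.example.com'
    'Authentication-Results: other.example.org; bimi=pass header.d=other.example.org'
)
Test-BimiDelivery -Auth (Get-AuthResult -Header $headers -TrustedAuthServId 'mx.example.net')
```

When a receiver writes several results for the same method (for example two DKIM signatures), this sketch keeps only the last one.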
Verified Mark Certificates (VMC)
Before we can issue a VMC, your logo must be registered with the appropriate trademark office for your region. It can be a lengthy process, so we recommend getting started as soon as possible. Learn more about trademarking your logo.
You can buy Verified Mark Certificates (VMC) from Entrust or Digicert
Trademark
In Switzerland you can protect a Brand at "Eidgenössisches Institut für Geistiges Eigentum (IGE)"
You can check the Database in Switzerland or EU with the following Links
BIMI Radar
If you are interested in the adoption rate of DMARC and BIMI, check out the BIMI Radar
BIMI Subdomains
I've also tested with a subdomain. Please note that I have used another SVG here (blue color).
Resolve-DnsName -name default._bimi.subdomain.icewolf.ch -Type TXT -Server 8.8.8.8
default._bimi.subdomain.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg; a=;
Sending a Mail again with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <demo@subdomain.icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
From: Demo <demo@subdomain.icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
As you can see, the Mail now uses the blue svg file
ARC-Authentication-Results: i=2; mx2.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com;
    bimi=pass header.d=subdomain.icewolf.ch header.selector=default;
    arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.22.135;
    dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256 header.s=selector1 x-bits=2048;
    dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp header.from=subdomain.icewolf.ch;
    iprev=pass smtp.remote-ip=40.107.22.135 (mail-am6eur05on2135.outbound.protection.outlook.com);
    spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com
X-ME-Authentication-Results: mx2.messagingengine.com;
    x-aligned-from=pass (Address match);
    x-return-mx=pass header.domain=subdomain.icewolf.ch policy.org_domain=icewolf.ch policy.is_org=no (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com);
    x-return-mx=pass smtp.domain=subdomain.icewolf.ch policy.org_domain=icewolf.ch policy.is_org=no (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256;
    x-vs=clean score=0 state=0
Authentication-Results: mx2.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com
Authentication-Results: mx2.messagingengine.com;
    bimi=pass header.d=subdomain.icewolf.ch header.selector=default
Authentication-Results: mx2.messagingengine.com;
    arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.22.135
Authentication-Results: mx2.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256 header.s=selector1 x-bits=2048;
    dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp header.from=subdomain.icewolf.ch;
    iprev=pass smtp.remote-ip=40.107.22.135 (mail-am6eur05on2135.outbound.protection.outlook.com);
    spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com
BIMI-Indicator: (base64-encoded SVG logo omitted)
BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg
Summary
Make sure your domains are DMARC protected (quarantine or reject).
If your logo/brand is not yet registered as a trademark, that's the next thing you will have to do.
Registering a trademark and obtaining a VMC Certificate will take some time and also costs a lot of money.
So make sure you're prepared for that.
Now you know what it takes to implement BIMI, and you have to form your own opinion on whether the time and money are worth the effort.
Regards
Andres Bohren