Brand Indicators for Message Identification (BIMI)
Brand Indicators for Message Identification, or BIMI, is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC draft.
Prerequisites
BIMI requires a valid and passing DMARC record, with the policy set to either "reject" or "quarantine".
DNS record
By default, a BIMI DNS record is set on a subdomain named default._bimi. In this case, "default" is the selector. It contains the following elements:
- A BIMI version (Currently only BIMI1 is available).
- A link to a BIMI logo.
- Optional: A link to a BIMI certificate (VMC or CMC).
- Optional: Avatar Preference - in case a user-avatar is also present, which to prefer. Options "bimi" or "personal". In case this is not set, it defaults to "bimi".
BIMI DNS records looks like this:
$ host -t txt default._bimi.example.com default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi"
Alternatively, it's also possible to use a different selector for the BIMI record. For example, if the following header is found in the E-Mail that is supposed to show the BIMI logo in the inbox:
BIMI-Selector: v=BIMI1; s=myselector
The actual BIMI record can be found with this query:
$ host -t txt myselector._bimi.example.com myselector._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"
On which domains to set a BIMI record
BIMI records can, just like DMARC records, be placed on the organisational domain as well as on subdomains. A subdomain that has no BIMI record inherits its BIMI record from the organisational domain. If a given selector is not found on a subdomain, the organisational domain is queried with that same selector.
BIMI logo
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing:
- It must be in SVG (Tiny P/S) format.
- The "version" attribute must be set to "1.2"
- A <title> element must be included that reflects the company name.
- A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.
- The image must be sqare. Length and width should have the same value.
- The image size shouldn't exceed 32 Kb.
- No external links or references (other than to the specified XML namespaces) should be included.
- No scripts, animation, or other interactive elements should be included.
- No "x=" or "y=" attributes should be included within the <svg> root element.
- The image should not have a transparent background.
BIMI certificate
The optional BIMI certificate is used to digitally sign the logo and the senderdomain. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: VMC and CMC. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the BIMI Working Group.
It is not possible to create valid VMC or CMC certificates with a free service such as Letsencrypt.
Difference between VMC and CMC certificates
- VMC means "Verified Mark Certificate"
- CMC means "Common Mark Certificate"
| Requirement | VMC | CMC |
|---|---|---|
| Trademark Registration | Yes | No |
| Logo in use | Can be used immediately | Must have been in use since 1 year |
BIMI adoption by ISPs
| Client | VMC | CMC | Self-Asserted | Comment |
|---|---|---|---|---|
| AOL / Yahoo! | No | No | Yes | Only for bulk messages from high-reputation domains |
| Apple Mail | Yes | No | No | |
| Fastmail | No | No | Yes | |
| Gmail | Yes | Yes | No | Only VMC certificates get a blue checkmark. |
| La Poste | Yes | No | Yes | Domains without VMCs must be submitted and manually verified by La Poste. |