Brand Indicators for Message Identification (BIMI): Difference between revisions
Created page with "Category:InboxSys Category:Deliverability Category:Authentication Category:Reputation '''Brand Indicators for Message Identification''', or '''BIMI''', is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC [https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/ draft]. =Prerequisites= BIMI requires a valid and passing DMARC record, with the policy set to either "reject" or "qu..." |
No edit summary |
||
| (8 intermediate revisions by the same user not shown) | |||
| Line 10: | Line 10: | ||
BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". | BIMI requires a valid and passing [[DMARC]] record, with the policy set to either "reject" or "quarantine". | ||
=DNS | =DNS record= | ||
By default, a BIMI DNS record is set on a subdomain named '''default._bimi'''. In this case, "default" is the '''selector'''. It contains the following elements: | |||
* A BIMI version (Currently only '''BIMI1''' is available). | * A BIMI version (Currently only '''BIMI1''' is available). | ||
* A link to a BIMI '''logo'''. | * A link to a BIMI '''logo'''. | ||
* Optional: A link to a BIMI certificate ('''VMC''' or '''CMC'''). | * Optional: A link to a BIMI certificate ('''VMC''' or '''CMC'''). | ||
* Optional: Avatar Preference - in case a user-avatar is also present, which to prefer. Options "bimi" or "personal". In case this is not set, it defaults to "bimi". | |||
BIMI DNS records looks like this: | BIMI DNS records looks like this: | ||
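Review bot: the element list added on the right describes each element but never names the tag that carries it, so a reader cannot match the bullets to the record that follows. Suggest putting the tag name in each bullet (the example record uses v=, l=, a= and s=), and fixing the agreement in "BIMI DNS records looks like this" to "A BIMI DNS record looks like this".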
| Line 22: | Line 23: | ||
<pre> | <pre> | ||
$ host -t txt default._bimi.example.com | $ host -t txt default._bimi.example.com | ||
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;" | default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi" | ||
</pre> | </pre> | ||
Alternatively, it's also possible to use a different selector for the BIMI record. For example, if the following header is found in the E-Mail that is supposed to show the BIMI logo in the inbox: | |||
The logo that's included in the "v"-switch of the BIMI DNS record | <pre> | ||
BIMI-Selector: v=BIMI1; s=myselector | |||
</pre> | |||
The actual BIMI record can be found with this query: | |||
<pre> | |||
$ host -t txt myselector._bimi.example.com | |||
myselector._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;" | |||
</pre> | |||
==On which domains to set a BIMI record== | |||
BIMI records can, just like DMARC records, be placed on the [[Organisational Domain|organisational domain]] as well as on subdomains. A subdomain that has no BIMI record inherits its BIMI record from the organisational domain. If a given selector is not found on a subdomain, the organisational domain is queried with that same selector. | |||
==BIMI logo== | |||
The logo that's included in the "v"-switch of the BIMI DNS record should comply to the folowing: | |||
* It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format. | * It must be in [[wikipedia:SVG_Tiny_P/S|SVG (Tiny P/S)]] format. | ||
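Review bot: the new "BIMI logo" sentence on the right says the logo is in the "v"-switch, but in both record examples in this hunk v= carries the version (BIMI1) and l= carries the logo URL, so it should read "l"; "folowing" is also misspelled. Separately, s= appears with two meanings here (s=myselector in the BIMI-Selector header, and s=bimi in the record, which matches the Avatar Preference options), and one sentence distinguishing the two would keep readers from confusing the selector with the avatar preference.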
| Line 40: | Line 58: | ||
* The image should not have a transparent background. | * The image should not have a transparent background. | ||
==BIMI | ==BIMI certificate== | ||
The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an | The optional BIMI certificate is used to digitally sign the logo and the [[RFC5322.From|senderdomain]]. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: '''VMC''' and '''CMC'''. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the [https://bimigroup.org/ BIMI Working Group]. | ||
It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt]. | It is [https://community.letsencrypt.org/t/verified-mark-certificates/176835 not possible to create valid VMC or CMC certificates] with a free service such as [https://letsencrypt.org Letsencrypt]. | ||
===Difference between VMC and CMC certificates=== | ===Difference between VMC and CMC certificates=== | ||
* '''VMC''' means "'''Verified Mark Certificate'''" | |||
* '''CMC''' means "'''Common Mark Certificate'''" | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 61: | Line 82: | ||
|} | |} | ||
=BIMI | =BIMI adoption by ISPs= | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 76: | Line 97: | ||
| Yes | | Yes | ||
| No | | No | ||
| | | No | ||
|- | |- | ||
! scope="row"| Fastmail | ! scope="row"| Fastmail | ||
| Line 90: | Line 111: | ||
|- | |- | ||
! scope="row"| La Poste | ! scope="row"| La Poste | ||
| | | Yes | ||
| No | | No | ||
| Yes | | Yes | ||
| Domains without VMCs must be submitted and manually verified by La Poste. | | Domains without VMCs must be submitted and manually verified by La Poste. | ||
|} | |} | ||
=BIMI in InboxSys app= | |||
To check your BIMI record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]]. Optionally, you can use the [https://app.inboxsys.com/bimi.php BIMI checker] to check your BIMI record. | |||
=Useful links= | =Useful links= | ||
| Line 101: | Line 126: | ||
* [[wikipedia:Brand_Indicators_for_Message_Identification]] | * [[wikipedia:Brand_Indicators_for_Message_Identification]] | ||
* [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files] | * [https://bimigroup.org/creating-bimi-svg-logo-files/ Creating BIMI svg logo files] | ||
* [https://app.inboxsys.com/bimi.php InboxSys BIMI checker] | |||
* [https://inboxsys.com/introducing-the-inboxsys-bimi-checker/ Blog post about BIMI] | |||
Latest revision as of 21:26, 11 November 2025
Brand Indicators for Message Identification, or BIMI, is a specification allowing for the display of brand logos in the inbox. BIMI is currently an RFC draft.
Prerequisites
BIMI requires a valid and passing DMARC record, with the policy set to either "reject" or "quarantine".
DNS record
By default, a BIMI DNS record is set on a subdomain named default._bimi. In this case, "default" is the selector. It contains the following elements:
- A BIMI version (Currently only BIMI1 is available).
- A link to a BIMI logo.
- Optional: A link to a BIMI certificate (VMC or CMC).
- Optional: Avatar Preference - in case a user-avatar is also present, which to prefer. Options "bimi" or "personal". In case this is not set, it defaults to "bimi".
A BIMI DNS record looks like this:
```
$ host -t txt default._bimi.example.com
default._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi"
```
Alternatively, it's also possible to use a different selector for the BIMI record. For example, if the following header is found in the E-Mail that is supposed to show the BIMI logo in the inbox:
```
BIMI-Selector: v=BIMI1; s=myselector
```
The actual BIMI record can be found with this query:
```
$ host -t txt myselector._bimi.example.com
myselector._bimi.example.com descriptive text "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;"
```
On which domains to set a BIMI record
BIMI records can, just like DMARC records, be placed on the organisational domain as well as on subdomains. A subdomain that has no BIMI record inherits its BIMI record from the organisational domain. If a given selector is not found on a subdomain, the organisational domain is queried with that same selector.
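The selector and inheritance rules above, as an added example that is not part of the original page: it derives the names to query from a BIMI-Selector header, falls back to the organisational domain, and parses the record's tags. The function names and the in-memory `ZONE` standing in for DNS are assumptions, the organisational domain is passed in by the caller rather than derived from the Public Suffix List, and the https-only check on `l=` and `a=` follows the BIMI draft rather than this page.

```python
def parse_tags(text):
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def selector_from_header(header_value=None):
    """Selector named by a BIMI-Selector header value, else 'default'."""
    tags = parse_tags(header_value or "")
    if tags.get("v") == "BIMI1" and tags.get("s"):
        return tags["s"]
    return "default"

def lookup_names(selector, from_domain, org_domain):
    """Names to query in order: sending domain, then organisational domain."""
    names = [f"{selector}._bimi.{from_domain}"]
    fallback = f"{selector}._bimi.{org_domain}"
    if fallback not in names:
        names.append(fallback)
    return names

def parse_record(txt):
    """Validate a BIMI TXT record and return its elements."""
    tags = parse_tags(txt)
    if tags.get("v") != "BIMI1":
        raise ValueError("unsupported or missing BIMI version")
    for key in ("l", "a"):
        if tags.get(key) and not tags[key].startswith("https://"):
            raise ValueError(f"{key}= must be an https URL")
    preference = tags.get("s", "bimi")  # avatar preference defaults to "bimi"
    if preference not in ("bimi", "personal"):
        raise ValueError("avatar preference must be 'bimi' or 'personal'")
    return {"logo": tags.get("l", ""), "cert": tags.get("a", ""), "avatar": preference}

def resolve(header_value, from_domain, org_domain, zone):
    """Return (name, parsed record) for the first queried name found in zone."""
    selector = selector_from_header(header_value)
    for name in lookup_names(selector, from_domain, org_domain):
        if name in zone:
            return name, parse_record(zone[name])
    return None, None

ZONE = {  # constructed sample data, not real DNS answers
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem; s=bimi",
    "myselector._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/image/certificate.pem;",
}
```

A message from `news.example.com` carrying `BIMI-Selector: v=BIMI1; s=myselector` resolves to `myselector._bimi.example.com` here, because the subdomain has no record of its own.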
BIMI logo
The logo that's included in the "l"-switch of the BIMI DNS record should comply with the following:
- It must be in SVG (Tiny P/S) format.
- The "version" attribute must be set to "1.2"
- A <title> element must be included that reflects the company name.
- A <desc> (i.e. the "description") element is not required, but this should be included to support accessibility.
- The image must be square. Length and width should have the same value.
- The image size shouldn't exceed 32 Kb.
- No external links or references (other than to the specified XML namespaces) should be included.
- No scripts, animation, or other interactive elements should be included.
- No "x=" or "y=" attributes should be included within the <svg> root element.
- The image should not have a transparent background.
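A pre-publication check of a logo file against the list above, as an added example that is not part of the original page. The function name, the reading of "32 Kb" as 32 kilobytes, the `baseProfile="tiny-ps"` check and the set of forbidden element names are assumptions; the transparent-background rule is not checked because it cannot be decided from markup alone.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024  # assumption: the page's "32 Kb" means 32 kilobytes
FORBIDDEN = {"script", "animate", "animateMotion", "animateTransform",
             "animateColor", "set", "foreignObject", "image"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]

def check_bimi_svg(data):
    """Return a list of problems; an empty list means no check failed."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("file larger than 32 KB")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return problems + ["DTD or entity declaration present"]  # refuse to parse
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("version") != "1.2":
        problems.append('version attribute is not "1.2"')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    if "x" in root.attrib or "y" in root.attrib:
        problems.append("x= or y= attribute on <svg> root")
    title = root.find(f"{{{SVG_NS}}}title")
    if title is None or not (title.text or "").strip():
        problems.append("missing or empty <title>")
    box = (root.get("viewBox") or "").replace(",", " ").split()
    if root.get("width") != root.get("height") or (len(box) == 4 and box[2] != box[3]):
        problems.append("image is not square")
    for element in root.iter():
        if local(element.tag) in FORBIDDEN:
            problems.append(f"forbidden element <{local(element.tag)}>")
        for attr, value in element.attrib.items():
            if local(attr) == "href" and not value.startswith("#"):
                problems.append(f"external reference: {value}")
            if local(attr).startswith("on"):
                problems.append(f"event handler attribute: {local(attr)}")
    return problems

# Constructed sample logos, one compliant and one that breaks several rules.
GOOD = b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 64 64"><title>Example Corp</title><desc>Example Corp logo</desc><rect width="64" height="64" fill="#003366"/></svg>'
BAD = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" x="0" y="0" width="64" height="32"><script>1</script><use xlink:href="https://example.net/a.svg#x"/></svg>'
```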
BIMI certificate
The optional BIMI certificate is used to digitally sign the logo and the sender domain. It contains other elements, such as an organisation name, a list of domains signed by this certificate and an expiration date. There are 2 types of certificate: VMC and CMC. CMC certificates are slightly less expensive than VMC certificates. They are issued by certification authorities (Entrust or DigiCert) recognized by the BIMI Working Group.
It is not possible to create valid VMC or CMC certificates with a free service such as Let's Encrypt.
Difference between VMC and CMC certificates
- VMC means "Verified Mark Certificate"
- CMC means "Common Mark Certificate"
| Requirement | VMC | CMC |
|---|---|---|
| Trademark Registration | Yes | No |
| Logo in use | Can be used immediately | Must have been in use for at least 1 year |
BIMI adoption by ISPs
| Client | VMC | CMC | Self-Asserted | Comment |
|---|---|---|---|---|
| AOL / Yahoo! | No | No | Yes | Only for bulk messages from high-reputation domains |
| Apple Mail | Yes | No | No | |
| Fastmail | No | No | Yes | |
| Gmail | Yes | Yes | No | Only VMC certificates get a blue checkmark. |
| La Poste | Yes | No | Yes | Domains without VMCs must be submitted and manually verified by La Poste. |
BIMI in InboxSys app
To check your BIMI record, send a message to your seedlist and look in the authentication section of the E-Mail analysis. Optionally, you can use the BIMI checker to check your BIMI record.