Brand Indicators for Message Identification (BIMI) enables email senders to have a logo or image of their choosing displayed next to email messages they send to participating mailbox providers. BIMI builds on DMARC and related email authentication standards to ensure that only messages authorized by those senders display such images, so it frequently comes up as a topic when DMARC is discussed.

During 2020, Gmail and Yahoo were running pilot programs, and BIMI moved to general availability in 2021. It is currently supported by Google, AOL-Yahoo, and Fastmail, and is under consideration or evaluation at other services like IONOS by 1&1, British Telecom, and Comcast. Google requires a special X.509 certificate called a Verified Mark Certificate (VMC). A VMC is obtained by presenting proof of ownership of the trademark that will be used in the BIMI-enabled logo to a certificate authority known as a Mark Verifying Authority (MVA). DigiCert and Entrust are currently able to issue VMCs.

In mid-2021, Farsight Security began supplying DMARC.org with data on DNS lookups of BIMI records. A total of 9,860 unique BIMI records were observed through the end of the third quarter.* Of that total, only 179 records included a link to a VMC. The following graph shows the number of new BIMI records observed each month from March through September.

[Graph: New BIMI Records By Month]
This seems to represent a healthy amount of activity for a feature just exiting two pilot projects, with the number of new records ranging from 383 in April to 922 in July.
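The distinction drawn above between BIMI records with and without a VMC link can be checked mechanically. The following is an added example, not code from DMARC.org or Farsight Security: it classifies BIMI TXT record strings using the `v=`, `l=` (logo URL) and `a=` (certificate URL) tags from the BIMI specification, which this article does not spell out. The sample records and category names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample TXT record values (not data from the article).
SAMPLE_RECORDS = [
    "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "v=BIMI1; l=https://example.net/logo.svg;",
    "v=BIMI1; l=; a=",                         # domain declines to participate
    "v=BIMI1; l=http://bad.example/logo.svg",  # logo not served over HTTPS
    "v=spf1 -all",                             # not a BIMI record at all
]

def parse_tags(txt):
    """Split 'tag=value; ...' into a dict; None unless the first tag is v=BIMI1."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")  # first '=' only, URLs may hold more
        if not sep:
            return None
        pairs.append((name.strip(), value.strip()))
    if not pairs or pairs[0] != ("v", "BIMI1"):
        return None
    return dict(pairs)

def is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def classify(txt):
    """Return 'invalid', 'declined', 'logo_only' or 'logo_with_vmc' (labels are ours)."""
    tags = parse_tags(txt)
    if tags is None or "l" not in tags:
        return "invalid"
    logo, evidence = tags["l"], tags.get("a", "")
    if not logo and not evidence:
        return "declined"
    if not is_https(logo):
        return "invalid"
    if not evidence:
        return "logo_only"
    return "logo_with_vmc" if is_https(evidence) else "invalid"

def tally(records):
    """Count records per category, mirroring the with/without VMC split above."""
    return Counter(classify(r) for r in records)

if __name__ == "__main__":
    print(tally(SAMPLE_RECORDS))
```

A record classified as `logo_only` would not satisfy a mailbox provider that requires a VMC, which is the case the article describes for Google.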

With continuing support from Farsight Security, more observations about BIMI will be presented in the future.

* The February 2021 figure included over 5,000 records. Odds are that all records for the preceding year or two were inadvertently attributed to February. DMARC.org will try to resolve this matter in the near future.