Brand indicators in email

A number of companies in the email industry have been working on a way to better identify authenticated emails to users. One proposal is Brand Indicators for Message Identification (BIMI). A couple weeks ago, Agari announced a pilot program with some brands and a number of major consumer mail providers. These logos should be available in the Yahoo interface now and will be rolling out at other providers.

What is it?

BIMI leverages modern email authentication techniques, and DNS to present users with visual indicators in the mailbox that a message is really from the brand it says. During the pilot program, only the brands enrolled in the program will have their logos presented. If the pilot works out, other brands will be able to take advantage of the technology.
In order for a brand logo to be displayed, the brands must authenticate email using DMARC. This is a much higher bar than simply using SPF or DKIM. There’s also a provision in the standard for a 3rd party to verify the logo ownership.

Why do we need it?

I am not sure we need it, but there are a couple reasons to do something like this. The biggest is to use marketers to help drive adoption of DMARC. Implementing DMARC is not trivial. It takes a lot of work inside a company to identify all the mail streams, make sure they’re all properly authenticated and authorized. Even more, there needs to be process to create new streams. It’s a good thing to do, don’t get me wrong, but it’s a non-trivial amount of work.
One of the ideas behind BIMI is if we can get companies to see an actual marketing benefit to authentication we can get them on board with authentication faster. It’s a reasonable idea. BIMI gives free brand impressions in the inbox in return for securing email the way people think it should be secured.

What are the benefits?

I don’t think I can do better than just quoting Agari’s press release on the pilot program
BIMI offers strong benefits to CMOs and marketing organizations, including:

  • It will provide brands with billions of free brand impressions
  • It will let brands publish (and thus control) their logos themselves, ending cumbersome manual coordination with internet application providers to update logos
  • Updates to the brand logo will be picked up automatically by email and mobile app platforms
  • Different brand logos may be used in email associated with different product lines, specified for different groups of customers or changed seasonally
  • It has safeguards to prevent impersonation attempts, meaning the brand is shown only when associated with communication that is actually authenticated as being from your business

Where can I learn more about BIMI?

BIMI launches to add trusted logos to emails (from Martech Today)
BrandIndicators has a video on how it works. You can also sign up for the beta here.
Agari’s press release on the BIMI pilot program.
It doesn’t stop with email. 

Related Posts

Should you publish DMARC?

secure_email_blogI’ve been hearing a lot lately about DMARC. Being at M3AAWG has increased that. Last night we were at dinner and heard from the next table “And they’re not even publishing DMARC!!!!”
I know DMARC is the future. I know folks are going to have to start publishing DMARC records. I also know that the protocol is the future. I am also not sure that most companies are ready for DMARC.
So lets take a step back and talk about DMARC, what it is and why I’m still a little hesitant to jump on the PUBLISH DMARC NOW!! bandwagon.

Read More

Fun with opinions

Over the last few weeks I’ve seen a couple people get on mailing lists and make pronouncements about email. It’s great to have opinions and it’s great to share them. But they’re always a little bit right… and a little bit wrong.

Read More

ARC: Authenticated Received Chain

On Friday I talked a little about DMARC being a negative assertion rather than an authentication method, and also about how and when it could be deployed without causing problems. Today, how DMARC went wrong and a partial fix for it that is coming down the standards pipeline.
What breaks?

DMARC (with p=reject) risks causing problems any time mail with the protected domain in the From: field is either sent from a mailserver that is not under the control of the protected domain, or forwarded by a mailserver not under the control of the protected domain (and modified, however trivially, as it’s forwarded). “Problems” meaning the email is silently discarded.
This table summarizes some of the mail forwarding situations and what they break – but only from the original sender’s perspective. (If forwarding mail from a users mailbox on provider A to their mailbox on provider-Y breaks because of a DMARC policy on provider-A that’s the user’s problem, or maybe provider-A or provider-Y, but not the original sender’s.)

Read More