BIMI is the protocol you can use to publish an icon to display in the inbox of some large consumer webmail providers. To have it displayed at Gmail you need more than just clean DMARC and a published BIMI record, you also need to have a Verified Mark Certificate, a VMC.
A VMC is a certificate, very similar in many ways to the TLS certificates used to secure webpages. It’s issued by a certificate authority, and if that certificate authority is trusted it will be included in the hard-wired list of “trusted” certificate authorities, and all the certificates they issue will be trusted by pretty much everyone.
There are hundreds of trusted certificate authorities for browser, but for BIMI VMCs there are just two, DigiCert and Entrust.
Entrust have had a series of unfortunate incidents that have lead Chrome to remove Entrust from their trusted list.
Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.
Google Security Blog
That’s the nuclear option. The Google Chrome team see Entrust as a certificate authority that they cannot trust with any of their users information.
If Google have lost confidence in Entrust this severely then it seems unlikely that they will continue to trust the BIMI VMCs Entrust have issued.
If you’re using Entrust it may be a good time to have a process in place to migrate away from them.
ETA: Al discusses this more over at LinkedIn.
What CA am I using?
If you need to know which CA issued the VMC for a domain, here’s a quick walkthrough using a linux / macOS / wsl shell:
% dig +short default._bimi.paypal.com
"v=BIMI1; l=https://www.paypalobjects.com/marketing/web/logos/paypal.svg; a=https://www.paypalobjects.com/marketing/web/logos/paypal_com.pem"
(“default” is the default BIMI selector. You need to see a BIMI using email to know for sure which selector is being used, but “default” is a good guess as it’s, well, the default.)
Check the result from dig and copy the URL from the a= field, then use curl, openssl1 and grep to find the issuer. It’s a one-line command, ignore the line breaks.
% curl -s https://www.paypalobjects.com/marketing/web/logos/paypal_com.pem | openssl x509 -text -noout | grep Issuer:
Issuer: C=US, O=DigiCert, Inc., CN=DigiCert Verified Mark RSA4096 SHA256 2021 CA1
You can see that PayPal are using DigiCert for their VMC.
- If you’re on a mac you won’t have the openssl tool by default, but it’s available from HomeBrew, amongst other places. Grab a copy, it’s often useful. ↩︎
RSS - Posts
Here’s the official word from Google at the moment: https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM/m/-tvW5l-lAAAJ
“We’re currently working internally to assess the situation, with the intent of choosing a path that takes into account the relevant use cases in Gmail while upholding the safety and security of our users. We look forward to sharing more information in the coming weeks.”
FYI, MacOS comes with libressl which is close enough to openssl to use to decode certs. It’s in /usr/bin/openssl