BIMI Email Standard Gets Big Boost by Becoming Less of a Standard

New moves by Google and Apple have given the Brand Indicators for Message Identification (BIMI) standard a huge boost. However, those same moves have fractured the email standard by creating multiple paths to various levels of compliance at various inbox providers.

Before getting into those new developments, let’s review the core benefits of BIMI and why it was created by a consortium of inbox providers and email industry vendors.

BIMI: The Carrot to Get Brands to Fully Authenticate

Email authentication helps inbox providers determine if email is actually from the sender it claims to be from. However, despite inbox providers penalizing the deliverability of noncompliant senders, many didn’t fully authenticate their emails using all three authentication standards: SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).

With the all-stick approach having failed to produce the desired results, BIMI was created in 2019 to provide a carrot. If brands fully authenticate, they can implement BIMI, which allows them to have their logo displayed next to their sender name. This provides three key benefits:

1. It provides free ad impressions. Regardless of whether the email is opened or not, BIMI strengthens the brand impression and brand messaging that your email’s envelope content delivers.
2. It builds trust. Good email marketing depends on brand recognition and online trust. With brand spoofing on the rise, consumers place higher trust in email messages that look right and include familiar, official logos. A survey by Red Sift and Entrust found that the use of BIMI increased consumer confidence in the legitimacy of an email by 90%.
3. It boosts open rates. An early Verizon study found that BIMI increased open rates by 10% on average, and that Red Sift survey claimed open rates increases of 21%. However, our clients who have implemented it have seen much more modest increases. Plus, as adoption increases and the novelty effect of BIMI wears off, brands shouldn’t expect much of any open rate boost from implementing it. Instead, brands that don’t implement it should expect to see their open rates decline because they’ll look untrustworthy next to all the BIMI-enabled senders.

The introduction of BIMI has had the desired effect, boosting adoption of authentication, especially DMARC, which is the newest of the three standards. DMARC adoption got another boost from new sender requirements from Gmail and Yahoo that went into effect this year, which include the mandate to publish a DMARC record. However, along the way, the BIMI standard has splintered as major inbox providers like Gmail and Apple Mail created their own twists on the rules.

What brands need to do to comply with Gmail and Yahoo’s new deliverability rules.

BIMI Differences across Inbox Providers

Gmail, Yahoo, AOL, Verizon, and Apple all support BIMI, but there are some key differences. For example, Google now supports Common Mark Certificates (CMCs) in addition to Verified Mark Certificates (VMCs). While VMCs can only be obtained for brands with trademarked logos, CMCs allows brands with non-trademarked logos to get a BIMI certificate, so long as they can establish a year of prior use of the logo.

That opens up BIMI to a lot more brands, especially smaller ones. CMCs are also less expensive and faster to get than VMCs. However, brands that use a CMC won’t have the blue verified checkmark next to their sender name in Gmail like brands with a VMC.

Yahoo and AOL go a step further and have never required a VMC or CMC. However, if a BIMI record includes a VMC, they do use it to inform overall BIMI eligibility.

Apple announced support for BIMI in 2022 as part of iOS 16. However, that support was limited largely to iCloud accounts being accessed in Apple Mail. For BIMI to work with Gmail and Yahoo Mail accounts being accessed in Apple Mail, Apple requested that those mailbox providers change their email headers, inserting a DKIM signature that includes an Authentication-Results header with a BIMI statement. To date, that hasn’t happened.

Perhaps because of that, Apple announced Branded Mail in Apple Business Connect, which requires neither a VMC or CMC. Apple uses its own process to verify your brand’s identity and has their own logo requirements, but they still require brands to fully authenticate using SPF, DKIM, and DMARC, with a policy of p=quarantine or p=reject. Because of that core authentication requirement, we view Branded Mail as solidly part of the BIMI movement, despite its deviations.

Understand the Apple iOS 18 changes that most affect marketers.

A Critical Mass of Adoption

With the various forms of BIMI supported across Google, Yahoo, AOL, Verizon, and Apple inboxes, brands that fully implement the standard can expect their logo to appear with more than 90% of the emails they send on average, according to Litmus’s Email Client Market Share data. That’s up from the roughly 33% of emails that were BIMI-addressable before the changes by Google and Apple.

BIMI support is now undeniably the status quo. This should put additional pressure on inbox providers that don’t support it, including most notably Microsoft.

Explore the biggest shifts in email marketing trends.

How to Implement BIMI

Here are the six steps to follow to take advantage of BIMI and have your company’s logo display properly across all the major inbox providers.

1. Authenticate with DKIM and SPF. 

DKIM is a digital signature that allows the recipient of an email to know whether the email is from you and whether the content of the email has been tampered with. SPF is a public record of which IP addresses your brand sends email from. Together, these two authentication methods help mailbox providers accurately identify email you send—and email sent by spammers and phishers that claim to be from your company.

Today, most email service providers automatically authenticate the domains and IP addresses their customers use to send marketing emails, but confirm to be sure.

2. Publish a DMARC record with a restrictive policy.

DMARC is a security measure that helps defend your brand against spoofing and phishing. It does this by telling mailbox providers what to do with emails that fail DKIM or SPF checks. To enable BIMI, your DMARC record must specify that emails failing authentication checks are either quarantined or rejected, by setting a policy of p=quarantine or p=reject. A policy of p=none is not enough.

Your company will need to publish a DMARC policy for your organizational domain level (e.g., company.com), which is usually done with collaboration between your email marketing and IT teams. Depending on your ESP, you may already be publishing a DMARC record, so start by asking your ESP about your current DMARC policy. For instance, Oracle Responsys publishes a DMARC record with a “reject” policy for your email marketing domain by default.

Yahoo will accept it if a DMARC policy is published for the subdomain that you send marketing emails from (e.g., email.company.com), but they prefer that it’s set up at the organizational domain level. Gmail will accept it only if a DMARC policy is published for the organizational domain.

In addition to getting help from your ESP, other providers including Valimail offer services to help brands navigate the complexities of publishing the proper DMARC records, as well as completing a full BIMI implementation.  

3. Obtain a BIMI certificate.

As previously mentioned, the rules here differ among inbox providers that support BIMI. To reiterate, Google, Yahoo, AOL, Verizon, and Apple all honor Verified Mark Certificates (VMCs), although Yahoo and AOL don’t currently require them and Apple only honors them for iCloud Mail account holders. To honor BIMI in emails imported into Apple Mail from Gmail and Yahoo Mail accounts, brands must set up Branded Mail in Apple Business Connect—at least until Google and Yahoo make the email header changes Apple has requested. And, in addition to VMCs, Google also accepts Common Mark Certificates (CMCs), which don’t require your logo to be trademarked. However, a trademarked logo is required for a VMC.

Both VMCs and CMCs can be obtained from a Certificate Authority, such as DigiCert.

4. Host your logo as a scalable vector graphic.

For VMCs and CMCs, the .svg file format is the only one that’s acceptable for your logo image. The BIMI Group recommends:

• The image should have a square aspect ratio.
• Your logo should be centered, with some white space around it since it may be displayed in a square, a square with rounded corners, or a circle, depending on the inbox provider’s implementation.
• The image’s background should be a solid color, not transparent.
• The .svg file should be no larger than 32kb.

Once you have your logo formatted correctly, host it publicly on a server you have access to and control.

5. Add BIMI TXT instructions to your DNS record.

For VMCs and CMCs, BIMI is designated via a DNS record, similar to DMARC. The BIMI record allows senders to specify where their official logo resides. Reach out to either your ESP or your internal IT resource to add BIMI TXT record code to your DNS record that looks something like the following, where the URL points to the location where you’re hosting your logo and your VMC or CMC:

v=BIMI1; l=https://images.yourdomain.com/somedir/yourlogo.svg; a=https://images.yourdomain.com/somedir/yourverifiedmarkcertificate.pem

6. Maintain a good sender reputation.

BIMI is only honored if your company keeps its sender reputation high, so it’s wise to audit your deliverability health and sender reputation ahead of time to ensure you have a good sender reputation. If you see any red flags or warning signs, reach out to your ESP to request deliverability assistance. Going forward, you’ll want to pay extra attention to monitoring your reputation to not only avoid deliverability problems, but to also avoid BIMI failing to display your logo.

Once you’ve completed all six steps, you can use BIMI inspector tools to verify you’re in compliance with BIMI standards.

While each step may be straightforward, collaboration is needed to complete your BIMI implementation. You will be reaching out to your creative team, IT resources, ESP, and potentially others to complete the process. Because so many people are involved, especially if you have to trademark the logo you’re going to use, the whole process could take a few months to fully implement. So, start now!

—————

Need help setting up BIMI or maintaining a good sender reputation? Oracle Digital Experience Agency has hundreds of marketing and communication experts ready to help Responsys, Eloqua, Unity, and other Oracle customers create stronger connections with their customers and employees—even if they’re not using an Oracle platform as the foundation of that experience. With a 94% satisfaction rate, our clients are thrilled with the award-winning work our creative, strategy, and other specialists do for them, giving us an outstanding NPS of 82.

For help overcoming your challenges or seizing your opportunities, talk to your Oracle account manager, visit us online, or email us at OracleAgency_US@Oracle.com.

To stay up to date on customer experience best practices and news, subscribe to Oracle Digital Experience Agency’s award-winning, twice-monthly newsletter. View archive and subscribe →

Now updated, this blog post was originally published on Feb. 7, 2022 by Daniel Deneweth and subsequently updated on Oct. 27, 2022.