BIMI: The Carrot to Get Email Marketers to Fully Authenticate

Inbox providers’ long-standing approach has been to punish email marketing managers for not authenticating their emails with SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance). This all-stick-and-no-carrot approach to email authentication led to slow adoption of SPF and DKIM since their introductions in the early 2000s, as well as slow adoption of DMARC since its creation in 2012. For instance, only 20.3% of domains publish some level of DMARC policy and a mere 6.1% have the preferred “p=reject” policy in place, according to 250ok’s 2019 Global DMARC Adoption report.

In an acknowledgment that the all-stick approach hadn’t fostered the adoption rates they wanted, a group of mailbox providers and email vendors got together and created Brand Indicators for Message Identification, or BIMI (/bē mē/), as it’s commonly known. This standard rewards email senders who authenticate with SPF and DKIM and publish a DMARC record.

Implementing BIMI allows email marketing managers to display their chosen logo next to their sender name, which provides three benefits:

1. It boosts opens. A Verizon study found that BIMI increased open rates by 10% on average. However, our clients who have implemented BIMI have seen more modest increases.
2. It provides free ad impressions. Regardless of whether the email is opened or not, BIMI strengthens the brand impression and brand messaging that your email’s envelope content delivers.
3. It provides flexible branding. BIMI also provides a way to switch out specialized versions of your company logo, whether it’s seasonally themed or to recognize a cause. For instance, your holiday themed logo or Pride month logo could be easily swapped in.
4. It builds trust. Good email marketing depends on brand recognition and online trust. With brand spoofing on the rise, consumers place higher trust in an email message that looks right and includes familiar, official logos. A survey by Red Sift and Entrust found that the use of BIMI increased consumer confidence in the legitimacy of an email by 90%.

Those benefits have had the desired effect on adoption of authentication, especially the newest standard, as adoption of DMARC increased nearly 8 fold from the end of 2018 to the end of 2021, according to DMARC.org.

Which inbox providers support BIMI?

Yahoo, AOL, and Verizon were early adopters, leading the way on BIMI adoption. In 2021, Gmail announced support for BIMI after running a pilot program. And this year, Apple announced support for BIMI as part of iOS 16.

However, Apple’s support of BIMI comes with additional requirements for mail providers like Gmail and Yahoo. In order for BIMI to work with their emails in Apple Mail, they must insert a DKIM signature that includes an Authentication-Results header with a bimi statement. As of the publication of this blog post, neither Gmail nor Yahoo had done that, limiting BIMI support in Apple Mail largely to iCloud accounts, which have very little market share.

However, both Gmail and Yahoo have indicated they will be making those changes in the coming months. When they do, marketers who adopt BIMI can expect their logo to appear with more than 90% of the emails they send on average, according to Litmus’s Email Client Market Share data. That’s up from the roughly 33% of emails that appear with BIMI support as of this month. This greatly expanded support will turn BIMI from a nice-to-have to a must-have.

The mainstreaming of BIMI would likely convince other mailbox providers to also come on board. For instance, Comcast has indicated they may consider supporting BIMI at some point. Microsoft hasn’t indicated whether they’ll support it.

How do email marketers implement BIMI?

Here are the six steps to follow to take advantage of BIMI and have your company’s logo display properly:

1. Authenticate your marketing emails with DKIM and SPF. 

DKIM is a digital signature that allows the recipient of an email to know whether the email is from you and whether the content of the email has been tampered with. SPF is a public record of which IP addresses your brand sends email from. Together, these two authentication methods help mailboxes accurately identify email you send—and email sent by spammers and phishers that claim to be from your company.

Today, most email service providers automatically authenticate the domains and IP addresses that their customers use to send marketing emails, but confirm to be sure.

2. Publish a DMARC record with a policy of “quarantine” or “reject.”

DMARC is a security measure that helps defend your brand against spoofing and phishing. It does this by telling mailbox providers what to do with emails that fail DKIM or SPF checks. To enable BIMI, your DMARC record must specify that emails that fail authentication checks are either quarantined or rejected.

Your company will need to publish a DMARC policy for your organizational domain level (e.g., company.com), which is usually done with collaboration between your email marketing and IT teams. Depending on your ESP, you may already be publishing a DMARC record, so start by asking your ESP about your current DMARC policy. For instance, Oracle Responsys publishes a DMARC policy with a “reject” policy for your email marketing domain by default.

Yahoo! will accept it if a DMARC policy is published for the subdomain that you send marketing emails from (e.g., email.company.com), but they do prefer that it’s set up at the organizational domain level. Gmail will accept it only if a DMARC policy is published for the organizational domain, and a policy of either ‘reject’ or ‘quarantine’ is required.

Companies including Valimail and other providers offer services to help brands navigate the complexities of publishing the proper DMARC records as well as full BIMI implementation.  

3. Obtain a Verified Mark Certificate.

Gmail requires that brands get a Verified Mark Certificate (VMC), which is proof that your company owns the registered trademark for your logo in your country. And Yahoo plans to accept VMCs in the near future. If you don’t have your logo trademarked, you’ll need to do that before you can get a VMC, which you can secure from Entrust, DigiCert, and other providers.

4. Host your company’s logo as a scalable vector graphic.

The .svg file format is the only one that’s acceptable for your logo image. The BIMI Group recommends that:

• The image should be a square aspect ratio.
• Your logo should be centered, with some white space around it since it may be displayed in a square, a square with rounded corners, or a circle, depending on the inbox provider’s implementation.
• The image’s background should be a solid color, not transparent.
• The .svg file should not be larger than 32kb.

Once you have your logo formatted correctly, host it publicly on a server you have access to and control.

5. Add BIMI TXT instructions to your DNS record.

BIMI is designated via a DNS record, similar to DMARC. The BIMI record allows senders to specify where their official logo resides. Reach out to either your ESP or your internal IT resource to add BIMI TXT record code to your DNS record that looks something like the following, where the URL points to the location where you’re hosting your logo and your VMC:

6. Maintain a good sender reputation at the mailbox provider.

BIMI only works if your company keeps its sender reputation high, so it’s wise to audit your deliverability health and sender reputation ahead of time to ensure you have a good sender reputation. If you see any red flags or warning signs, reach out to your ESP to request deliverability assistance. Going forward, you’ll want to pay extra attention to monitoring your reputation to not only avoid deliverability problems, but to also avoid BIMI failing to display your logo. 

Once you’ve completed all six steps, you can use BIMI inspector tools to verify that you’re in compliance with BIMI standards.

While each step may be straightforward, collaboration is needed to complete your BIMI implementation. You will be reaching out to your creative team, IT resources, ESP, and potentially others to complete the process. Because so many people are involved, especially if you have to trademark the logo you’re going to use, the whole process could take a few months to fully implement. So, start now!

Originally published on Feb. 7, 2022, this post has been updated with new details about BIMI support and more.

Learn more about how email deliverability and authentication with these resources: 

• Understanding Email Deliverability: Key Factors & Key Performance Indicators
• 6 Unique Email Deliverability Challenges that B2B Brands Face
• The Definitive Guide to Adapting to Mail Privacy Protection

—————

Need help setting up BIMI or maintaining a good sender reputation? Oracle Marketing Consulting has more than 500 of the leading marketing minds ready to help you to achieve more with the leading marketing cloud, including an Email Deliverability Services team that can help you protect your brand and take advantage of BIMI. Talk to your Oracle account manager, visit us online, or reach out to us at CXMconsulting_ww@Oracle.com.