Email Security and Authentication

Email Experts Series: BIMI 101


We’re always working to stay innovative and at the very forefront of email technology. That’s why we’re proud to be a part of the Brand Indicators for Message Identification (BIMI) working group! However, since it’s a newer feature available only at a select number of mailbox providers right now, the requirements and benefits still aren’t widely known by marketers.

That’s why the next video in our Email Experts Series tackles the ins and outs of BIMI, featuring Anthony Chiulli, director of product marketing, Matthew Vernhout, director of privacy and industry relations, and LB Blair, solutions architect.

(We’ve found key timestamps and transcribed this video below.)

 

Total Run Time: 15 minutes
00:34 – Overview of BIMI (Brand Indicators for Message Identification)
01:25 – BIMI standard; how it builds upon email authentication
02:52 – History of BIMI and working group behind developing standard
04:05 – Dependencies and requirements for brands to implement BIMI
05:43 – Unique benefits of BIMI as both an authentication incentive and marketing benefit
07:35 – Overview and guided walk-through of creating BIMI record in DNS
10:25 – Examples of brands who have successfully implemented BIMI
12:20 – Available resources for more information on BIMI




Transcript

Anthony Chiulli
Hi everyone, and thanks for joining us today. We have a great topic to discuss with you today, a very new and relevant topic called “BIMI.” I’m joined today with my lovely colleagues, Matthew Vernhout and LB, and we are going to break down this conversation talking about what is BIMI, the history of BIMI, a little bit of the technical specs and requirements for BIMI, and where you can go to learn more. So with that, Matt, tell us what is BIMI, for those that may not be familiar?

Matthew Vernhout
Yeah. So BIMI’s this new, kind of cool add-on, if you will, to go along with the—it’s almost as a reward for good authentication. So if you have good practices around SPF, around DKIM, and around your DMARC policies where you actually add an enforcement, you can activate a BIMI record in your DNS, and then the Brand Indicator for Message Identification logo, which we’ll show a little bit later, will appear in the email UI. Right now, it’s only at Verizon Media, but it’s coming soon to a Gmail app near you sometime in 2020. So that’s really the basis, is it’s almost a reward for having strong authentication practices for your brand.

AC
And is it an authentication standard? Where does it live? And how do you actually create this thing called BIMI?

MV
Well, it’s not an authentication standard on its own, if you will. It sort of layers on top of our standard authentication solutions around SPF and around DKIM, and it works in partnership with those three sort-of technologies. Even DMARC’s not necessarily an authentication solution. It’s a policy to say, “Please take an enforcement action if my authentication fails.” And then BIMI basically is, “If my authentication’s really good, put my logo in the UI.” So it’s sort of an add-on, an addition to that kind of solution.

LB Blair
I would probably say it’s kind of like a capstone that provides a tangible benefit to marketers. It gives them increased branding so that they can make sure their emails look the way they want. It solves what’s become kind of a problem in the marketplace. If there are 1,001 different ways to get your logo to display somewhere, you have to go set it up here, there, and everywhere. Instead, it says, “How about we have just one place to do that? That’d be great.”

MV
That’s great. Yeah. As a standard, do it once and see the benefit everywhere it’s supported.

AC
And this is a fairly new topic, right, or a new standard? Can you tell me a little bit about how this idea came to fruition?

MV
Yeah. So it’s been around a year or two at this point. And it’s a collaboration effort between Verizon Media, Google, Valimail, Agari’s involved, LinkedIn was involved. So they’ve sort of come together and said, “How do we entice people to do better authentication?” And then the solution sort of came out from that and it’s, “We’ll give you the reward of your logo if you do things right.” And like I said earlier, Yahoo or Verizon Media, it’s in the Yahoo mobile app. It’s in the Yahoo web app. So that’s where you can see it now. And they’re really the first, and they’ve really been pushing the effort to get the standard. And yeah, just recently, Google announced that they’re going to launch in beta. So that’s pretty exciting.

AC
Right.

MV
When the biggest email platform on the planet says, we’re going to try something–

AC
People pay attention.

MV
People really pay attention. So that’s why we’ve spent so much time building tools to help clients and walking clients through getting configured and setting it up.

AC
So I want to break this down a little bit more and help our audience understand the dependencies, the requirements for BIMI. So LB, can you talk about what are the requirements in order for a marketer or brand to take advantage of this new feature?

LB
Yeah, absolutely. There are a few. You have to have authentication set up, you have to have SPF set up, you need to have your DKIM, and then you have to have a DMARC policy set to either quarantine or reject, which means you also have to have everything aligning properly for DMARC so that you can then implement BIMI. As Matt said, it’s definitely an incentive in terms of tangible branding and customer-facing branding to have marketers secure the email channel in a way that benefits everyone. There are a few other requirements. You have to send a commercial mail. You have to send a significant volume of mail. You have to send enough to have developed a positive—and you have to develop a positive sender reputation. Essentially, just the same now as when you send an email to Gmail, if they decide they don’t like your sender reputation for whatever reason, they’re not going to put it in the inbox. They can kind of make that same determination of, “Oh, well, I’m not going to show the logo, because I don’t think you qualify for whatever magical reason.” It lives inside their algorithm.

AC
Yeah. So it almost sounds like, Matt, going back to what you were talking about, you talked about kind of the benefits of what makes this unique and attractive. And LB, you mentioned that a lot of mailbox providers have offered something similar to this concept, but it hasn’t been universal. It hasn’t been across the industry. And BIMI, it sounds like, is one of these standards that is, it literally is standardizing it across mailbox providers. It’s allowing brands to do it once and have benefits at participating mailbox providers. And also, kind of that dual edge of additional security, right, because it requires DMARC at enforcement, but also, clearly the marketing and the impression benefit from a brand’s perspective.

MV
Yeah. And the idea is you should be able to, in the end, determine if a logo shows up, and then a logo doesn’t show up. Ideally, the consumer will recognize the message without the logo is potentially not as trustworthy.

AC
Right.

MV
Our clients that have implemented BIMI, we have seen, I wouldn’t say significant, giant lift in open rates and click rates, but it’s not zero either. Right? So there is certainly–

AC
So it can only help, in my opinion.

MV
Yeah. There is certainly benefit for doing this. And in the scale of domain size, footprint size, Yahoo and AOL and Verizon, they’re significantly sized, but they are not the biggest fish right now. So they are going to move the needle, but they’re not going to move the needle as much as someone like a Gmail.

LB
And I would say in the way that a lot of these providers have kind of treated—SPF and DKIM are kind of de facto requirements now. That’s something you’re just expected to have. BIMI is really not designed to be another authentication parameter that you just have to have sitting on top. It’s definitely designed to be something beneficial for everyone.

MV
Right.

AC
Matt, I want to ask you if you could show us and show our audience how to create a BIMI record? And if you can walk through kind of the different aspects of what’s involved or entailed in that record, and what those various aspects mean?

MV
Sure. Yeah. So there’s a couple of flags, I call them flags, but they’re parameters within the BIMI record and it’s very similar. So anyone who set up a DKIM record will sort of understand the structure. So right now, the selector is much like a DKIM selector. It’s default. It’s the one that we’ve used at least during all the trial periods and such, default. And then there’s underscore BIMI, and then you get into the domain names. You’re basically setting up what looks very much like a Domain Key record, except it’s going to be a series of URLs.

So on the screen here, we have the BIMI wizard created by 250ok, and we allow a preview to show of what it will look like when it would show in a UI. So we allow you to change the Friendly From, put your domain name in, and then put your logo and where you’ve hosted that logo. And the BIMI selector, like I said, is default. So we’ve locked that in for now. At some point in the future, that is expected to change, so you could have different logos for different types of traffic. You could have a transactional logo versus a commercial logo. And if it gets to the point where they’re going to support consumer one-to-one style messaging, then you may be able to go down to that level as well. But as of right now, default is that.

Put everything in the UI, like we’ve shown here, click on the Save Settings button. And then down below, we have the actual record. So this is what you would have created. It has what the host name needs to be. So you take that to your DNS provider, put that record in, then it has the DNS text copy, which has the versions of BIMI. It has the logo location for where the URL’s going to be pointing to the image, and then it has an A record. An A record’s not currently being used, but it’s going to be for a verification or some type of certificate that will come as part of the BIMI standard, as it moved beyond sort of the beta launch, if you will. To allow for a brand to say, “Yes, I went and I got certified that this is my logo. This is my brand. This is my domain.” And then there’s even an additional security check so that you don’t have somebody who is phishing or trying to spoof a brand and use BIMI as something to say, “You should really trust me,” because they won’t be able to get this right certificate. They won’t be able to get the right validation for that.

AC
So let’s take a look, if you don’t mind, at some actual examples of customers and brands that have successfully implemented BIMI, and show what this actually looks like in the real world.

MV
Sure. So we’ve written about this on our site as well, so we have a couple of articles as well. But when looking through, we’ve gone through the process with a couple of clients and we’ve chosen two here. So this is eHarmony on the left and Furniture Row on the right. And in both cases, you can see this is what the UI for the Yahoo mobile app looks like. So you see that from address or the Friendly From, the subject line, preheader, and then you see the logo next to the message. They look really nice. As a consumer, if I were to look at this, “I know those logos, I’m going to trust them.” Then when you actually open the message, we see the repeating logo, repeating from domain or from address, Friendly From. And then along with the rest of the message, you see the repeating of the logo. So it’s really obvious to consumers who those brands are.

AC
Yeah. A picture is worth 1,000 words, right?

MV
Right.

AC
And it’s such a strong signal and engagement for an average consumer to see a logo.

MV
So yeah, it’s significantly stronger than potentially even the default logo or default avatar that you would see in something like the Yahoo mobile client, where it might just show you the initials of the sender with some sort of random initial text that has been chosen by the platform. Last up, so this is what the inbox view looks like. So when you’re on the website, you’ll see on the left-hand side of the screen, it’s the Friendly From. It doesn’t have the logo, but once you open the message, the logo is there, and then the logo also shows in the address card. So you do get it in two places as well. And I would expect over time, the inbox will evolve and include the logo as well.

AC
This is great. So I think for most marketers and brands that may not be familiar or maybe have heard of BIMI, this is available now. There’s no cost to this. It’s out of beta. This is something that marketers can take advantage of today. So with that, LB, where would someone go to learn more information about BIMI, or perhaps understand and keep up on news about which mailbox providers are supporting BIMI and how to get started?

LB
There’s definitely the BIMI website, bimigroup.org. That’s their new official website. You can check it out there, get more information. They have a list of the logos there. You can also check a variety of blogs. I know some very good ones that everyone can check out that are going to be reporting on kind of what’s new with BIMI. I mean, I think that the best thing about BIMI is—modern marketing platforms are all about giving you feedback and control, so that marketers can control as much as possible about the user experience. And pretty much any time you can give these inbox providers like Gmail, Yahoo, Hotmail, etc., an explicit instruction of what you want them to do, it’s always better to go ahead and provide that versus letting them kind of decide on their own what they want to pick and choose.

MV
Yeah. Because we’ve seen that where currently, one of the providers will choose a logo thinking it’s the right logo for business and it’s not, which I think is worse for a brand. Having the wrong logo show up next to your email than no logo at all. So putting the control back in the domain owner’s point of view to say, “Here’s my logo. If you’re going to display one, please display this one.” Right? It’s a request, just like DMARC is a request to say, “Please reject mail if it fails authentication.” If the service provider feels they know better, maybe they won’t. But again, it’s a collaborative effort between the sending side and the receiving side. And the sending side is giving that indicator of, “Here’s what I would like you to do. Here’s my logo. Here’s what I can provide you. Here’s my authentication. Please do with it the right things.”

AC
Yeah. Well said. This has been extremely informative. I hope for our audience as well that this is something that is helpful for you in understanding or learning a little bit more about this new standard in BIMI, and thank you for watching. We look forward to seeing you on another Expert Series video.