BIMI for Gmail: Google Makes Email Identity Indicators Part of Its New Security Updates

Google is partnering with DigiCert and Entrust Datacard to launch a BIMI pilot for Gmail — using brand indicators for message identification will boost email security and allow companies to show their logo in customers’ inboxes

For everyone who has BIMI — brand indicators for message identification — on their cybersecurity wish lists for G Suite, it looks like Christmas has come early.

Google recently announced their plans for Gmail to support BIMI as part of a larger series of G Suite security updates. And it’s partnering with two of the world’s leading commercial certificate authorities (CAs) — including DigiCert, one of our partner CAs — to make it happen. Rock on, Google.

For the newcomers to the discussion, what this means is that Gmail will display the company’s logo right in the user’s inbox, after the email passes a few security checks. That’s great for brands and great for users (it makes it easy to spot emails that are verified.)

But what does this move to BIMI standardization by Google mean for you in terms of your brand authentication and security? We’ll answer these questions about BIMI and more in this article, which also features a Q&A at the end.

Let’s hash it out.

What Is BIMI and Why Should I Care?

A DigiCert screenshot of how BIMI displays company logos
Image source: DigiCert

BIMI, the acronym for brand indicators for message identification, is an email standard that allows you to display your designated, verified brand logo next to the “from” name on authenticated emails. While this open system relies on existing authentication protocols like DMARC, DKIM, or SPF, it isn’t a new authentication protocol in and of itself.

The BIMI standard uses two different mechanisms to verify emails before displaying the company’s logo: DMARC and verified mark certificates (VMCs).

  • DMARC, which stands for domain-based message authentication, reporting, and conformance, is key to email authentication. It gives organizations greater visibility and control of who sends emails from their domains.
  • A verified mark certificate, on the other hand, is a type of X.509 digital certificate that authenticates you to others and displays a logo. It’s issued by a trusted third-party CA — in this case, DigiCert or Entrust Datacard — which vets your organization to ensure you’re legit.

VMCs vs Other PKI Digital Certificates

But wait, isn’t authentication what email signing certificates already do?

Yes and no. An email signing certificate is issued to an individual user (for example, bob@example.com) and doesn’t include a logo. Beyond authenticating the sender, it can also encrypt email (if the recipient also uses an S/MIME certificate).

A verified mark certificate, on the other hand, is issued at the organization level. You can effectively fight misrepresentation of your brand by ensuring that any emails you send will display your company logo and brand.

So, in some ways, VMCs are kind of like SSL/TLS certificates in that they’re issued once a CA verifies your organization. But unlike SSL/TLS certificates, which display a padlock in the web address bar, these put your organization’s logo front and center, leaving recipients in no doubt about which organization an email came from. (EV SSL certificates do display your organization’s name in the certificate information, but they still won’t show your logo.)

Why Google’s BIMI Move Matters for Your Organization

To put it simply, BIMI takes your email and brand authentication capabilities to a whole new level. As Google put it in their announcement:

“Our BIMI pilot will enable organizations, who authenticate their emails using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass all of our other anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI.”

Dean Coclin, Senior Director of Business Development at DigiCert, says that while using DMARC is great, brands often underutilize it.

“At DigiCert, strong validation is one of the things we do best, and we are excited about participating in the Gmail BIMI pilot. DMARC can provide companies great value, but not enough brands take advantage of its protection. The BIMI working group and DigiCert are collaborating to increase usage of this important security standard while delivering additional value to those increasing security for their users.”

This Move by Google Marks a Major Step Toward Greater Email Security for Everyone

While Google isn’t the first to implement BIMI — the BIMI Group says that Verizon Media Group actually paved the way for it when they adopted it for their Yahoo and AOL email services — they certainly won’t be the last.

In 2019, DigiCert issued a VMC to CNN, which made their emails display like this:

This BIMI graphic is a screenshot of CNN's verified logo displaying in a Gmail inbox
Image source: Google

According to Coclin:

“VMCs play a major role in providing cryptographic assurance that the trademarked logos have been vetted per BIMI standards and that the individual requesting is who they say they are and from the company they say they represent. This is a high hurdle to pass! VMCs provide the following benefits for organizations:

  • Ensure in the long term that customers see your logo in their inbox in email platforms using VMCs.
  • Provide an additional layer of protection against spoofing attacks through DMARC compliance.
  • Deliver a more authentic, recognizable and unified brand experience from email to conversion.
  • Distinguish your messaging from the clutter.”

All of this is to say that if you care about organizational identity, then you should care about BIMI. I say that because using brand indicators for message identification is a great step forward in the battle against email-based cybercrimes and fraud schemes. With BIMI, you can:

  • Increase your brand visibility,
  • Build customer confidence and trust in your brand, and
  • Reduce the likelihood of success for phishing and business email compromise schemes.

Basically, it’s a win-win for your company and customers and throws a massive monkey wrench in cybercriminals’ plans.

What You Should Know About the BIMI Pilot (And How It Will Affect Your Organization)

To help you better understand the impact of Google’s announcement and how to prepare for the changes it’ll bring to inboxes and your approach to DMARC, here are answers to a few questions you may have:

What Is BIMI?

Brand indicators for message identification, or BIMI, is an email standard for authenticating users and displaying brand logos. Its purpose is to authenticate organizations, prevent email fraud and enhance email delivery.

Who Supports BIMI Right Now?

As we mentioned earlier, Yahoo and AOL are currently the only email clients supporting BIMI. However, Google’s BIMI pilot will launch soon, and other email providers indicate their interest in doing so in the future as well.

When Will Google’s BIMI Pilot Take Effect?

There isn’t a specific date listed in Google’s announcement. According to the official release, they’ll launch the BIMI pilot “in the coming weeks” for a limited number of senders.

How Should I Prepare for This Change?

In general, enabling domain-based message authentication, reporting and conformance (DMARC) is always a good idea. It’s a great way to help secure your organization’s email ecosystem. However, implementing DMARC is also a requirement for Google’s post-pilot launch.

So, if you haven’t already put DMARC to use in securing your email, then it’s time to get the ball rolling. This way, when VMC/BIMI is ready for widespread usage, you don’t get caught unprepared.

How Do I Implement BIMI for My Organization?

To get BIMI to work, you’ll need to:

  1. Create and configure your BIMI record (this is a text record that’s stored on a DNS server, much like SPF or DKIM),
  2. Validate your organization’s domain (using the DMARC standard with a policy of “p=quarantine” or “p=reject”), and
  3. Validate your logo using a VMC.

That’s it!
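The three steps above, as an added example that is not part of the original post: a small Python checker that validates the DMARC and BIMI DNS TXT records a domain needs before a BIMI-aware mailbox provider would consider showing its logo. The two sample records and the domain example.com are constructed; in practice the strings would come from a DNS TXT lookup of _dmarc.<domain> and default._bimi.<domain>.

```python
import re

def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Reasons this DMARC record would disqualify the domain for BIMI."""
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing or invalid v=DMARC1")
    if tags.get("p") not in ("quarantine", "reject"):
        issues.append("policy must be p=quarantine or p=reject")
    # The policy has to apply to all mail; pct defaults to 100 when absent.
    if tags.get("pct", "100") != "100":
        issues.append("pct must be 100 (or omitted)")
    # A subdomain policy of none would leave spoofable subdomains unenforced.
    if tags.get("sp") == "none":
        issues.append("sp=none is not an enforcing subdomain policy")
    return issues

def check_bimi(record):
    """Reasons this BIMI record (at default._bimi.<domain>) is unusable."""
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "BIMI1":
        issues.append("missing or invalid v=BIMI1")
    if not re.match(r"^https://\S+\.svg$", tags.get("l", ""), re.IGNORECASE):
        issues.append("l= must be an https URL to an SVG logo")
    vmc = tags.get("a", "")
    if vmc and not vmc.startswith("https://"):
        issues.append("a= (VMC) must be an https URL if present")
    return issues

def bimi_ready(dmarc_record, bimi_record):
    """Combined list of blockers; an empty list means the domain is ready."""
    return check_dmarc(dmarc_record) + check_bimi(bimi_record)

# Constructed sample records, as a DNS resolver might return them for
# _dmarc.example.com and default._bimi.example.com.
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_BIMI = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
               "a=https://example.com/brand/vmc.pem")
```

A p=none record, the most common DMARC starting point, is reported as a blocker because the spec only honours enforcing policies.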

What Are the BIMI Logo Specifications?

To validate your logo for the BIMI standard, you need to format it in a specific way. According to the BIMI Working Group website:

“The logo must be square, must be saved as a version of the Scaled Vector Graphic (SVG) format. Specifically, the SVG logo must follow the restrictions defined by the SVG Tiny 1.2 profile published by the W3C in 2008. The logo cannot include any <script> tags and should not include any external links.”
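As an added example (not from the original post or the BIMI group), a Python checker for the three rules quoted above: square geometry, no <script> element, and no external references. The two sample logos are constructed. Full SVG Tiny 1.2 profile conformance needs a dedicated validator, which this does not attempt.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

def check_svg_logo(svg_text):
    """Return a list of rule violations; an empty list means the logo passes."""
    issues = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    # Square: compare viewBox width and height, falling back to width/height.
    box = root.get("viewBox", "").split()
    if len(box) == 4:
        width, height = box[2], box[3]
    else:
        width, height = root.get("width"), root.get("height")
    if not width or not height or width != height:
        issues.append("logo is not square (viewBox/width/height differ)")
    for elem in root.iter():
        # <script> is forbidden outright, whatever namespace it is in.
        if elem.tag.rsplit("}", 1)[-1].lower() == "script":
            issues.append("contains a <script> element")
        # External links: any href (xlink or plain) that leaves the document.
        for attr in ("href", f"{{{XLINK_NS}}}href"):
            target = elem.get(attr)
            if target and not target.startswith("#"):
                issues.append(f"external reference: {target}")
    return issues

# Constructed sample logos: one compliant, one breaking all three rules.
GOOD_LOGO = (
    '<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny" '
    'viewBox="0 0 100 100"><title>Example Co</title>'
    '<circle cx="50" cy="50" r="40" fill="#0066cc"/></svg>'
)
BAD_LOGO = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 100">'
    '<script>var x = 1;</script>'
    '<image xlink:href="https://example.com/logo.png" width="10" height="10"/></svg>'
)
```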

How Do I Get a VMC?

That’s a great question, and I wish we had a better answer for you. While VMCs for organizations are on the horizon, they’re not available yet for purchase. Just keep an eye out for them to be generally available in the near future.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/bimi-for-gmail-google-makes-email-identity-indicators-part-of-its-new-security-updates/