The vast majority of online scams are conducted via email as the medium is readily accessible and easy to abuse. A new form of message authentication known as BIMI should help you understand which messages are genuine and which are trying to deceive you.

What Is BIMI?

BIMI stands for Brand Indicator for Message Identification, a provider-neutral email specification developed by a body called the AuthIndicators Working Group. BIMI is designed to make email more trustworthy.

Once implemented correctly, BIMI allows brands to show a logo alongside email messages in supported services and email clients. This logo verifies that an email is genuine, providing an easy visual indicator that the message isn't spam or fraud.

BIMI is still classed as an emerging specification, which means that some brands, email providers, and software platforms don't support it just yet.

Why Is BIMI Necessary?

A Deloitte report released in 2020 claimed that 91% of all cyber attacks start with a phishing email. The email inbox makes it easy for scammers to cast a wide net, sending out as many messages as necessary to snare a single victim. These scams often target payment processors like PayPal or modern peer-to-peer services like Zelle using email as their preferred method of communication.

While much of the working world has been slowly moving away from email with services like Slack and Microsoft Teams, most people still rely heavily on the service. Your password reset notifications are delivered via email, more retailers than ever are going paperless with email receipts and invoices, and even your bank emails you to tell you when your statement is ready.

Email hasn't changed a lot since it was first introduced. While there are smarter ways of sifting through your inbox, a renewed focus on healthier email habits, and even improved privacy and spam controls, the mechanisms behind email remain the same overall.

BIMI is a step forward in making email a more trustworthy platform. If you can verify that an email is genuine at a glance, you can also identify those that aren't. The standard is still a few years away from that stage, but brands, email providers, and other technology companies are laying the groundwork now.

How Does BIMI Work?

The good news is that BIMI requires no work on the part of the recipient of an email to work. The technology leans heavily on Domain-based Message Authentication, Reporting, and Conformance, or DMARC. This email authentication protocol was designed to help prevent the unauthorized use of domain names.

For BIMI to work, a brand must authenticate emails using Sender Policy Framework (SPF), which effectively whitelists mail servers that can send emails from specific domains. In addition, technology known as DomainKeys Identified Mail adds digital signatures to each message to authenticate outgoing emails.

The final step is for DMARC to confirm these records and point to the .SVG file that will appear alongside the email. On top of this, a Verified Mark Certificate (VMC) acts as a form of digital registration to further safeguard the logo used, though BIMI doesn't require it at rollout.

Once again, only brands need to worry about this infrastructure and incorporating these steps.

Which Services Support BIMI?

Since BIMI is still in the process of being rolled out, support is far from universal at this stage. Fortunately, some of the biggest services have already implemented support for BIMI, including Gmail, Yahoo! Mail, AOL, Fastmail, and Apple Mail in iOS 16 and macOS Ventura.

Whether you'll see evidence of BIMI in your inbox is another issue entirely. Many brands are not yet on board, though the influence of companies like Google and Apple in accelerating adoption and introducing consumers to the technology can't be understated.

Much of the buzz surrounding BIMI has (so far) been aimed at brands, marketing professionals, and the IT professionals involved in implementing the standard. Google has produced an explainer for how BIMI's rollout works in Gmail within Google Workspace.

Even though support at the beginning is limited to Google Workspace, the release gives a good indication of what BIMI looks like in Gmail in terms of desktop and mobile implementation.

Google has used Bank of America as an example, with a view that shows how brand logos are automatically displayed in both inbox and message views. Note that Google allows senders to display images alongside their emails as part of their profile, but this isn't the same as BIMI.

Even though Apple has also apparently launched BIMI with the release of iOS 16, iPadOS 16, and macOS 13 Ventura, we were unable to see BIMI-verified brand logos in Apple Mail (even from Apple when using an iCloud Mail account).

Yahoo! Mail is also on the BIMI bandwagon, having had support for the standard since 2018. In November 2022, the company announced that it's making its implementation more robust with verification checkmarks "next to the sending address and logo to indicate that Yahoo has verified that the email was sent by the brand owning the logo being shown."

More Ways to Stay Safe Online

There are too many email scams out there for anyone to keep up with. Whether it's Amazon seeking to "confirm" an order or Netflix threatening to suspend your account, stay on the lookout for anything shady (especially where money is involved).

More sophisticated scams may involve spear phishing or whaling, a form of social engineering.

As email scams have become more prevalent, scammers are turning to phone, text messages, and instant messaging platforms. Be on the lookout for calls from numbers that look suspiciously close to your own, text message or "smishing" scammers, and so-called close relatives asking you to pay a bill or borrow money.