What is the BIMI Email Specification and Does Your Brand Need It?


Have you noticed more and more brands that have logos showing up in email inboxes and wondered what it’s all about? The short answer is BIMI.

The long answer is Brand Indicators for Message Identification, which is what BIMI stands for. (Sorry about being Captain Obvious.) If you’ve never heard of this email specification before, or you just need some clarification on what BIMI is all about, we’ll explain. Plus, you’ll find out what it takes to get your brand’s logo showing up in your subscribers’ inboxes.

What is BIMI?

BIMI (pronounced Bih-mee by the way) is a relatively new email specification that is directly connected to authentication, but it’s not exactly an email authentication protocol. Hang in there, this will all make sense in a minute.

When BIMI is correctly implemented, email senders may see their logo showing up at the inbox and message levels. At least that’s the case with certain email clients that support the specification.

Check out the mockup below to see how messages may appear before and after BIMI implementation:

BIMI inbox logos for major brands with and without

Pretty cool right? We agree. Here are some of the benefits of BIMI logos:

  • Bonus branding on your email campaigns (increase brand recognition and loyalty)
  • Helps subscribers identify authenticated messages from your company, differentiating them from fraudulent emails, AKA email brand spoofing
  • Could help boost email open rates because your brand stands out in the inbox
  • Gives brands more control over inbox logos

On that last point, BIMI isn’t the first attempt to add inbox logos to messages from brands.

Remember Google+? At one point, Gmail tried using the long-gone social media platform to connect senders with their official logos. It didn’t always work out. Sometimes a logo was displayed that was completely wrong. The BIMI email specification lets senders define what logo to use.

But hold up a minute, getting BIMI to work isn’t quite as simple as uploading your logo somewhere (although that’d be nice). Setting up BIMI can actually get very technical. That’s partly because there are strict requirements involving email authentication, especially your DMARC policy.

You also need a specific type of file to create a BIMI logo and you need to add a BIMI record to your domain’s DNS server.

What is a BIMI record?

Unless you’ve got some serious technical skills and access to DNS servers, this part of the process may require you to get in touch with the IT department. But here goes...

Just like the SPF, DKIM, and DMARC protocols, a BIMI record is published on the DNS of your sending domain (or domains). That may be different from your brand’s main website domain. Often, larger organizations have a specific subdomain that’s used as a mail server (marketing.domain.com, mail.domain.com, etc.).

Here’s how a BIMI DNS TXT record is formatted:

default._bimi TXT "v=BIMI1; l=https://mydomain.com/image.svg;"

All that a BIMI record does is tell receiving email servers where to find the right SVG file for an official logo to represent your brand. However, adding the BIMI record is actually the last step in the BIMI implementation process. So, we sort of got ahead of ourselves. Let’s back up a bit...
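A small validator for the record format shown above, added here as an example and not taken from the original article. The function names and the second and third sample records are constructed for illustration, and the HTTPS check comes from the BIMI specification rather than from this page.

```python
from urllib.parse import urlparse

def bimi_name(domain: str, selector: str = "default") -> str:
    """DNS name a receiver queries for the record, e.g. default._bimi.mydomain.com."""
    return f"{selector}._bimi.{domain}"

def parse_tags(txt: str) -> list[tuple[str, str]]:
    """Split a 'tag=value; tag=value;' TXT payload into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_bimi_record(txt: str) -> list[str]:
    """Return a list of problems; an empty list means the record looks usable."""
    pairs = parse_tags(txt)
    problems = []
    # The version tag has to come first so receivers can recognise the record.
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("record must start with v=BIMI1")
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    logo = tags.get("l", "")
    if not logo:
        problems.append("no l= logo location (receivers show no logo)")
    else:
        url = urlparse(logo)
        # Logos fetched over plain HTTP could be swapped in transit.
        if url.scheme != "https" or not url.hostname:
            problems.append("l= must be an absolute https:// URL")
        if not url.path.lower().endswith(".svg"):
            problems.append("l= should point at an .svg file")
    return problems

# Sample records: the first is the article's own, the other two are constructed.
GOOD = "v=BIMI1; l=https://mydomain.com/image.svg;"
INSECURE = "v=BIMI1; l=http://mydomain.com/image.png"
MISORDERED = "l=https://mydomain.com/image.svg; v=BIMI1"

if __name__ == "__main__":
    for record in (GOOD, INSECURE, MISORDERED):
        print(record, "->", check_bimi_record(record) or "ok")
```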

Why was the BIMI email specification introduced?

The truth is, the BIMI email specification is basically a “carrot on the end of a stick” for email senders and marketers. But we don’t mean that in a negative way at all. BIMI is meant to motivate you to use stronger email authentication. And that’s a good thing.

You see, while email spoofing can hurt your brand reputation, it’s an even bigger problem for mailbox providers like Gmail, Outlook, and Apple Mail. When people using their email services start getting duped by scammers, they can lose trust in that mailbox provider for letting those shady emails through instead of blocking them or sending them to spam.

Email authentication is the only way to stop spoofing, and DMARC (Domain-based Message Authentication and Conformance) is the best way to do it. The problem is, too many senders have DMARC policies that are too relaxed.

You have three options for a DMARC policy:

  1. p=none: There is no policy and mailbox providers must decide how to filter the message if it fails DMARC.
  2. p=quarantine: This policy tells mailbox providers to send any message that fails DMARC to spam.
  3. p=reject: This is the strictest policy. It tells mailbox providers to block messages that fail DMARC from being delivered.

By now, you might see where this is going. To get a BIMI logo, you must have a DMARC policy of either p=quarantine or p=reject. However, too many senders chose to stick with a p=none policy after setting up DMARC, and that does absolutely nothing to prevent spoofing. BIMI is supposed to nudge brands in the right direction... because marketers and brand owners love seeing their logo in as many places as possible. I mean, it’s sort of vain, but it’s true.
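The policy requirement above can be checked mechanically against a domain's DMARC TXT record. The following is an added example, not code from the original article; the function names and sample records are constructed, and the sp= and pct= checks are assumptions drawn from the BIMI draft specification rather than from this page.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    parts = (p.partition("=") for p in txt.split(";"))
    return {k.strip().lower(): v.strip().lower() for k, _, v in parts if k.strip()}

def bimi_dmarc_problems(txt: str) -> list[str]:
    """List the reasons a DMARC record would block BIMI; empty means eligible."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "dmarc1":
        return ["not a DMARC record (no v=DMARC1)"]
    problems = []
    policy = tags.get("p", "none")
    if policy not in ENFORCING:
        problems.append(f"p={policy} is not enforcement; BIMI needs quarantine or reject")
    # Assumption (BIMI draft): an explicit subdomain policy must also enforce.
    if "sp" in tags and tags["sp"] not in ENFORCING:
        problems.append(f"sp={tags['sp']} leaves subdomains unenforced")
    # Assumption (BIMI draft): quarantine must apply to all mail, not a sample.
    pct = tags.get("pct", "100")
    if policy == "quarantine" and (not pct.isdigit() or int(pct) < 100):
        problems.append(f"pct={pct} applies quarantine to only part of the mail")
    return problems

# Constructed sample records, one per failure mode plus a passing one.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:14} {bimi_dmarc_problems(record) or 'eligible'}")
```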

So, mailbox providers are looking for a little advice on how to filter emails that appear to be from your brand (but might not be). The folks behind the BIMI email specification just want us all to do more to protect our subscribers from all the bad actors out there. And why not? Well, it seems there’s reluctance because DMARC is tricky to set up, and some senders worry that legitimate messages could inadvertently be blocked or quarantined.

In addition to enforcing DMARC, you’ll also need what’s known as a Verified Mark Certificate (VMC) if you want to get the most out of the BIMI email specification. Certain mailbox providers (namely Gmail) require a VMC before your logo is displayed in the inbox. A VMC will cost brands around $1,500 per year.

DMARC records and BIMI adoption

The good news is, it looks like BIMI and DMARC are catching on. Recent findings on DMARC adoption show that it’s up 84% over last year. Still, that doesn’t necessarily mean DMARC is being enforced. The site also shows nearly two-thirds (65%) of domains were still using a p=none policy in 2021.

Bar chart showing DMARC adoption between 2016 and 2021.

The website BIMIRadar.org (a service of Red Sift) tracks “BIMI readiness” across more than 65-million domains. It shows that only about 2.15% of those domains have an appropriate DMARC enforcement policy and a mere fraction have a VMC, which is needed for BIMI in Gmail.

Which mailbox providers support BIMI?

Many of the most popular email clients support BIMI and others are planning on it:

  • Gmail
  • Yahoo Mail
  • AOL
  • FastMail
  • Apple Mail (coming soon)

You’ll notice that Microsoft Outlook and Hotmail are not listed above. No word on when or if BIMI support is coming to those mailbox providers. But logos in inboxes could certainly be beneficial for all the B2B emails going to Outlook.

Verizon Media Group was an early adopter of the BIMI email specification, which means it is supported in AOL and Yahoo Mail inboxes. The paid Australian mailbox provider FastMail has also supported BIMI for a while now.

Then, in 2021, BIMI got a boost when Google announced that Gmail was moving out of a pilot program to fully support this method of displaying inbox logos. Since Gmail addresses make up a large portion of most contact lists, that made BIMI an attractive idea for a lot more brands. Of course, Gmail also threw the VMC requirement into the mix. That means brands need to make sure their logo is copyrighted (not as common as you might assume) and verified by an approved third party.

The latest news is that Apple Mail will introduce BIMI support when its newest operating systems are released in the fall. Apple has already informed users that both iOS 16 and macOS Ventura will include BIMI as a new feature of its Mail application.

Like Gmail, Apple will also require a VMC before a brand’s BIMI logo is displayed. Verizon does not require a VMC, but it does take the certificate into account. The Yahoo Sender Hub states:

“We currently do not require VMCs to be set up for BIMI logos to appear in Yahoo applications. However, if a BIMI record includes a VMC, we might use it to inform the overall BIMI eligibility.”

So, now that support is growing, what do you need to do to make BIMI work?

How to set up BIMI

Gif of BIMI in the inbox with Email on Acid logo

We’ll go over the basic steps below, but you can also get expert advice in a more in-depth article from Email on Acid on how to set up BIMI. It even comes with a nifty roadmap infographic.

Here’s how BIMI setup works in seven steps:

  1. Identify your sending domain where you’ll upload the BIMI TXT record to the DNS server
    1. Get help from the IT department or cybersecurity team if necessary
  2. Verify your email authentication protocols are set up and functioning
    1. You’ll need to be using DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), or both (both is best)
  3. Set your DMARC policy to quarantine or reject and not p=none
    1. Note: There are also some other required settings in the DMARC TXT record
  4. Create a BIMI logo as an SVG file that will be uploaded to the DNS server
    1. You must use the SVG Tiny 1.2 format, which is considered secure
  5. Get a VMC for your logo from an accredited organization
    1. DigiCert and Entrust are the two approved certification authorities
  6. Publish your BIMI TXT record to the DNS server
    1. Don’t forget to double-check that the location of your logo file is correct
  7. Verify BIMI is working and that your logo is displaying as intended
    1. Use this free tool from BIMIGroup.org to enter your domain and inspect your record
    2. Expect it to take a few weeks to show up in all inboxes

In the end, it’s up to mailbox providers to decide whether to display your BIMI logo. But the real reward here isn’t the logo. It’s that you did the right thing by pursuing better email authentication for your brand. Right?

Would your brand benefit from a BIMI logo?

The industries that may benefit the most from BIMI are those that are the most susceptible to email brand spoofing. That includes financial institutions, social media sites, large ecommerce brands, and more.

While BIMI might make the most sense for big-name brands, the scary truth is that any business could be spoofed. Cybercriminals are targeting small businesses more often, and this type of phishing could have a disastrous effect on a company’s reputation as well as the livelihoods of customers and subscribers. According to Mimecast, SMBs are potential targets for brand spoofing because they often lack the email security and authentication that stop these attacks.

If you care about email security, pursuing DMARC authentication and getting a BIMI logo are two very smart moves. That being said, if you don’t have basic authentication in place (SPF and DKIM) you need to start there.

Does BIMI impact deliverability?

The BIMI email specification is not designed to impact email deliverability, but it could definitely have an indirect effect. Here’s how:

  1. Email engagement: BIMI could persuade more subscribers to open and engage with your messages. That’s a sign to mailbox providers that people want what you’re sending. So, they’ll be more likely to let you land in the inbox.

  2. Sender reputation: Every mailbox provider uses its own guidelines to score the trustworthiness of domains and IP addresses that send email. DMARC enforcement is almost certainly part of that scoring process, and so it makes sense that BIMI could be another positive signal.

Speaking of deliverability, if this is one of your top concerns as an email marketer, you’ve got to check out the tools available through Mailgun Optimize. They include solutions like Email validations as well as Deliverability Monitoring to help you keep an eye on inbox placement and more.

inbox placement insights report

Once you’ve got BIMI up and running, you can also look for it in your email previews in Email on Acid to find out which mailbox providers are displaying your logo.

Get more BIMI email specification guidance

Check out our video Q&A on BIMI with a couple of guys who are very close to this effort. Hear from Matt Vernhout of Email Karma and Marcel Becker from Verizon Media Group in a 2021 live video chat about the ins and outs of Brand Indicators for Message Identification.

We’ve also put together a special report that delves even further into BIMI. It features insights from email marketing veterans as well as members of the BIMI Working Group.

You’ll find out how Email on Acid worked to get BIMI set up for our brand and discover some tips for getting the job done right. Download “The path to BIMI implementation” today.
