CSA Digital Email Summit 2020
Implementing BIMI
Florian Vierke – Sr. Manager, Deliverability Services, Mapp Digital
Peter Scholzuk – Head of Department Email Marketing, Josef Witt GmbH
Trust is a big topic in communication. How do we know who we are communicating with? How do we know that our communication partner is who they really say they are? We need a trust seal for email; like the blue verified check in Twitter. This is what BIMI (Brand Indicators for Message Identification) does; it creates trust, while adding marketing value. It allows brand logos to be displayed as a sender icon in email inboxes and defines what that logo should look like.
Creating trust with DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) provides the technical requirements for creating this “trust”. There are many advantages to setting up DMARC (ideally on your organizational domain):
- Protect your domain from being abused by others
- Get a better overview of what is being sent in your name (and whether it is authenticated)
- Identify broken processes quickly (e.g. broken DKIM processes)
- Set a policy for how ISPs should deal with mails from your domain that fail authentication
By authenticating messages on the domain level, we can ensure that the recipient knows that the email is only coming from us. Reporting allows us to track how many correctly authenticated emails are received and how many are not authenticated correctly (because our servers are wrongly configured or because someone is trying to abuse our domain). Conformity means that authentication measures and policies are the same everywhere and are enforced in the same way on the receiver’s side.
The BIMI standard requires that the brand domain enforces the DMARC policy of “quarantine” or “reject”. The domain must have sufficient reputation to display the logo. Gmail also requires an additional certificate.
How to implement DMARC
Ideally both SPF and DKIM must authenticate correctly for DMARC to work. Do this for all of the domains your company owns (even if they are not currently being actively used). The settings will be inherited by the subdomains.
The sending domain must be aligned, so the from: domain must be the same as the technical sending domain. Set DMARC Policy to NONE. Check and analyse reports (using a tool), then set DMARC Policy to REJECT once you are sure that you have resolved any issues with the reports. Keep monitoring reports and update when, e.g. new domains are introduced. Now you can start implementing BIMI.
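The rollout above can be checked mechanically before any BIMI work starts. The following is an added example, not code from the talk: it parses DMARC records, resolves the policy a subdomain inherits from its parent, and tests for the enforced policy BIMI needs. The zone dictionaries stand in for DNS lookups, `example.com` and the report address are placeholders, and the organizational domain is passed in explicitly rather than derived.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def effective_policy(from_domain, org_domain, zone):
    """Policy applied to mail whose From: domain is from_domain, or None."""
    own = zone.get("_dmarc." + from_domain)
    if own is not None:  # a record on the From: domain itself wins
        return parse_dmarc(own).get("p", "none").lower()
    inherited = zone.get("_dmarc." + org_domain)
    if inherited is None:
        return None  # no DMARC record published at all
    tags = parse_dmarc(inherited)
    # Subdomains inherit the parent's record; 'sp' overrides 'p' for them.
    if from_domain != org_domain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


def bimi_ready(from_domain, org_domain, zone):
    """True when both the From: domain and the parent domain are enforced."""
    enforced = ("quarantine", "reject")
    return (effective_policy(from_domain, org_domain, zone) in enforced
            and effective_policy(org_domain, org_domain, zone) in enforced)


# Constructed sample zones; example.com and the rua address are placeholders.
RUA = "; rua=mailto:dmarc-reports@example.com"
MONITORING = {"_dmarc.example.com": "v=DMARC1; p=none" + RUA}
ENFORCED = {"_dmarc.example.com": "v=DMARC1; p=reject" + RUA}
SPLIT = {"_dmarc.example.com": "v=DMARC1; p=reject; sp=none" + RUA}
SUB_ONLY = {"_dmarc.news.example.com": "v=DMARC1; p=reject" + RUA}

if __name__ == "__main__":
    zones = {"monitoring": MONITORING, "enforced": ENFORCED,
             "split": SPLIT, "sub_only": SUB_ONLY}
    for name, zone in zones.items():
        print(name, effective_policy("news.example.com", "example.com", zone),
              bimi_ready("news.example.com", "example.com", zone))
```

The `SPLIT` and `SUB_ONLY` zones are the two cases that look enforced at a glance but are not: a parent record that exempts subdomains with `sp=none`, and a subdomain-only record with nothing on the parent.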
Note that BIMI is for brands – using a personal domain without high volumes will not work. Personal communication is not brand communication. If “Marie” isn’t sending the email, then don’t use “marie@<domain>”. Better options are “news@, update@, offers@, info@ …”, etc.
Implementing BIMI: The logo
It’s technically tricky to create a BIMI logo as there aren’t easy tools yet to do so. Create a BIMI logo and place the logo at a secure (https) location. The logo must be square and be in .svg vector format. SVG images are XML files (Version 1.2, “tiny-ps”). A file can be generated with a converter, but it will most likely fail the required specification check. The file needs to be manually checked against the specification (RNC Check). A tool like Mailkit’s BIMI Inspector can help spot any issues.
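A preflight for the properties listed above (https location, .svg file, XML, version 1.2, “tiny-ps” profile, square), as an added example that is not from the talk or the BIMI Group. It catches typical converter output before the RNC check and does not replace that check; the function name, URLs and sample SVGs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"


def preflight_bimi_logo(url, svg_bytes):
    """Return a list of problems; an empty list means the preflight passed."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        problems.append("logo URL is not https")
    if not parsed.path.lower().endswith(".svg"):
        problems.append("logo URL does not point to an .svg file")
    # Choice made for this example: refuse any DOCTYPE so an untrusted
    # file cannot trigger entity expansion in the XML parser.
    if b"<!DOCTYPE" in svg_bytes.upper():
        return problems + ["DOCTYPE present, file not parsed"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}svg" % SVG_NS:
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("version") != "1.2":
        problems.append("version is %r, expected '1.2'" % root.get("version"))
    if root.get("baseProfile") != "tiny-ps":
        problems.append("baseProfile is %r, expected 'tiny-ps'"
                        % root.get("baseProfile"))
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        _, _, width, height = (float(v) for v in box)
    except ValueError:
        problems.append("viewBox missing or malformed")
    else:
        if width <= 0 or width != height:
            problems.append("logo is not square: %gx%g" % (width, height))
    return problems


# Constructed samples: a conforming file and typical converter output.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
        b'baseProfile="tiny-ps" viewBox="0 0 64 64"><title>Example</title>'
        b'<rect width="64" height="64" fill="#036"/></svg>')
CONVERTED = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.1" '
             b'viewBox="0 0 120 60"><rect width="120" height="60"/></svg>')

if __name__ == "__main__":
    print(preflight_bimi_logo("https://example.com/logo.svg", GOOD))
    print(preflight_bimi_logo("http://example.com/logo.svg", CONVERTED))
```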
Google requires an additional certificate
While, e.g., Yahoo relies on high volumes and reputation to verify a brand, note that you will require a certificate to have your logo displayed at Google. Since Google announced that they will use BIMI, there has been a massive increase in DMARC and BIMI requests. As more major providers adopt BIMI and standards, senders wanting to ensure superior open rates on mail can benefit from the trust assurance that BIMI can create.
So far using BIMI is free. Should, however, a fee for certificates be introduced, then this could quickly become expensive for e.g. European brands who often have multiple domains for multiple European countries. List hygiene and a good reputation are still very important; having BIMI doesn’t allow brands to neglect this.
Open questions from the webinar
Which is a legit tool to depend on for correcting the BIMI logo?
There’s no perfect and easy tool so far. I’d recommend starting here: https://www.mailkit.com/resources/bimi-inspector. The BIMI Inspector will already give you good feedback on whether there are issues with your logo or not. To correct the logos, I’m using the pyjing command tool to verify the BIMI logos against the latest RNC as described here: https://bimigroup.org/using-the-rnc-schema-to-validate-bimi-svg-images/. The errors being shown can be edited in a text editor (I’m using Gedit, but on Win machines Notepad++, UltraEdit or any other editor will do the job as well).
Will there be any modification in the BIMI configuration especially on logo validation?
I don’t know if there will be changes being made by the BIMI Group. I don’t expect so in the near future. I’d rather expect a better tool to create and validate logos in the future and probably a change with the VMCs (certificates might be a requirement in the future).
Why BIMI and not Trusted Dialog?
It’s not an “either – or” question. trustedDialog is a marketing product from 1&1 media covering more than 50% of the inboxes in the German market (gmx.de, web.de, t-online.de, freenet.de mainly). BIMI is an open standard being implemented by Yahoo, AOL and Google in a closed test now. For BIMI I don’t see a reason not to participate because there’s no additional cost and it forces you to set up a strong DMARC record. For trustedDialog, it depends on your ISP share and type of mailings whether it makes sense to implement it or not.
So if we’re emailing from a subdomain, we need to DMARC on the parent domain AND subdomain? And then the BIMI record can get added to the subdomain?
A DMARC record on the parent domain is inherited by all subdomains automatically, so it would be sufficient to implement it there. Some companies having delegated subdomains to different ESPs prefer to have DMARC only on subdomain level, which is good enough for DMARC itself. Preferable is DMARC on the parent domain, and this is also the requirement.
For BIMI it depends on the domain being used in FROM where the logo needs to be placed.
If you use Google Annotations to display the sender logos in Gmail, why adopt BIMI?
Good question. For the moment, Google Annotations is only visible in the Promotional Tab – and BIMI is not limited to promotions. Brands are not automatically Advertisers, this might be the core difference.
Is there any service where I can check reputation from the Yahoo side, like Google does via https://postmaster.google.com?
Verizon (owning Yahoo and AOL) are planning something like that, but you can’t request a “score” for the time being. The Postmaster center can be found here and once there’s news on this topic you’ll find it here as well: https://postmaster.verizonmedia.com/