BIMI is the Next Chapter in Email Authentication

Posted on March 26, 2018

Today’s announcement that deployment of Brand Indicators for Message Identification (BIMI) has begun marks the next chapter in the fight to make the world safe from identity deception.

Many of BIMI’s developers, including Agari, worked together from 2010 to 2013 to develop the DMARC email authentication standard, aimed at stopping the plague of phishing and other email attacks. Billions of phish have been prevented but we’re just getting started and are excited to be working with the same group of companies on this next chapter.

Brand indicators extend DMARC’s foundation of authentication and provides an economic incentive to adopt DMARC. Email platforms (a.k.a. email receivers) like Yahoo will display logos only for senders whose internet domains have implemented DMARC reject or quarantine policies. Companies that adopt BIMI will gain the opportunity for an unlimited number of free brand impressions.

With BIMI, email applications display the sending company’s brand logo alongside authenticated emails in the inbox list and within emails themselves. The logos appear on screen real estate controlled by the email application, not in the body of the email, preventing criminals from faking the logos.

BIMI-Image
This is the second major boost for strong email authentication in the last six months. In October 2017, the U.S. Department of Homeland Security ordered federal agencies with .gov email domains to fully implement strict DMARC policies by October 2018.

Unlike most other email protection methods focused on identifying malicious email, BIMI shows users at a glance which emails and messages are authentic. As such, it reflects an Agari strategy of identifying the good. There will always be a new variant of malware or malicious email that has never been seen before. But while we don’t know what every type of bad email looks like, we know very well what good email looks like. Modeling the good helps identify anything that departs from the model.

BIMI adds another layer of authentication on top of DMARC. When the standard is complete and fully implemented, domain owners will need to use a trusted third-party authority – a Mark Verifying Authority (MVA) – to verify ownership of their brand and logo and issue a BIMI certificate.

BIMI certificates are a type of public key certificate similar to the Extended Validation (EV) Certificates that confirm the authenticity of a website. The vetting by the MVA will include all the requirements for obtaining an EV Certificate, the strictest of three levels for proving domain ownership, and will also audit all relationships between the domain name and the associated logo.

For everyone who wakes up in the morning with an inbox full of urgent messages, worried about what to open, they should be able to wipe some of the sweat off their brows.