More than 306 billion emails were sent every day in 2020. With so much clutter, it can be difficult to stand out. Even legitimate emails from trusted brands can get lost in a sea of spam.

Adding the security protocols and certificates to your domain that allow you to use BIMI also helps protect it from being misused. Since a domain is central to marketing your business online, you can protect your business’s reputation by implementing email authentication protocols. Securing your domain when sending email will help you avoid becoming a statistic in the FBI’s next email fraud report.

How does BIMI work?

• Sender Policy Framework (SPF): authenticates emails by identifying mail servers that are allowed to send from specific domains
• DomainKeys Identified Mail (DKIM): adds a digital signature to each email to verify it was sent from an authorized domain
• Domain-Based Message Authentication, Reporting, and Conformance (DMARC): confirms both SPF and DKIM records and specifies how unaligned emails should be handled

When emails are sent using BIMI, the receiving mail server will first perform the standard DMARC/DKIM authentication and SPF validation. If the email passes these tests, the server will check to see if it has a valid BIMI record, validate it, and display your brand’s logo.

The file for your logo is required to be in a certain format called SVG Tiny Portable/Secure. SVG stands for Scalable Vector Graphics. Vector graphics, unlike pixel-based graphics like JPGs or GIFs, define the visual shapes and elements in an image with lines and points. This makes the graphic scalable, or easy to use at different sizes. Requiring a vector graphic with this secure format helps ensure that your logo looks good anywhere it’s displayed through BIMI.

Some ESPs may require a Verified Mark Certificate (VMC) to provide evidence that you own the trademark and content of the logo. Although this is not a requirement for implementing BIMI on your domain at this time, VMC is expected to become part of the standard in the future.

How does BIMI interact with DMARC, DKIM, and SPF?

The first step toward using BIMI to display your logo is to implement DMARC. This is stored as a TXT record for your domain. For DMARC to work with BIMI, the reject policy in that record must either be p=quarantine or p=reject for all emails being sent from your domain.

While BIMI requires DMARC, DMARC requires your domain to have DKIM records to work. DMARC only requires either SPF or DKIM to align, but it’s best to include SPF records for additional security when using BIMI. These 2 security tools are also stored as TXT records for your domain.

How do I get my logo in the right format?

You’ll need to convert your logo into the right type of file to use with BIMI. While vector graphic formats are a standard for logos—so they can be scaled to use as a tiny icon or printed on large banners or billboards—BIMI requires you to supply the logo in an appropriate secure vector format.

The AuthIndicators Group provides a helpful tool you can download to convert an SVG Tiny 1.2 file into the correct SVG Tiny P/S secure format. However, if you have a different file type, such as an unsupported SVG file, an EPS file, a PNG, GIF, or JPG, you’ll need to use image editing software or a file type converter to recreate your file in the correct format.

You’ll also need to make sure the file is the correct size and shape. The file must be no larger than 32KB and be square in shape. The background cannot be transparent, and a solid color is recommended. For best results, there should be space around the logo in case it’s cropped or clipped. You can see more detailed instructions and examples on the BIMI website.

What is a Verified Mark Certificate (VMC)?

A Verified Mark Certificate (VMC) is a digital registration that authenticates the ownership of a logo for use with BIMI. It adds another layer of protection by verifying the correct logo for use. While it’s not mandatory for use of BIMI at this time, some ESPs will require it to display your logo.

When you send an email to a contact, the receiving mail server that manages their inbox will take the URL from the tag that indicates where the logo is to be displayed. It will then check the VMC to ensure the right logo is used. Once your logo is verified by the VMC, BIMI will display it next to your email.

To get a VMC, your domain must have DMARC implemented. Your logo will need to be registered (and in good standing) with the US Patent and Trademark Office and owned by your company. While different countries will have their own guidelines, in the US authorized trademarks can be:

• Design marks: made up of only a design
• Word marks: contain words, letters, and/or numbers, without any particular font, size, color, or style
• Combined marks: include a combination of words along with a design, stylized letters, or numbers

Entrust Datacard and DigiCert are the first 2 companies issuing Verified Mark Certificates for the BIMI standard. You can contact them to help you obtain one.

How to set up BIMI

Setting up BIMI will require you to publish a DNS record along with an image of your brand logo in the SVG P/S format. You can use AuthIndicators Group’s BIMI Generator to help you make a properly formatted record.

The exact values you’ll need to put into your records will depend on the name of your domain, how you send email, and what version of your logo you want to use if you have more than one. For instance, here’s what domain records for example.com could look like using BIMI and what it would take to set it up.

1. Ensure DKIM/DMARC and SPF are already set and validated for your domain.
2. Confirm the DMARC TXT record for your domain has a policy of either p=reject or p=quarantine.
   If set to p=quarantine, pct must be set to 100, either implicitly (by omitting the pct tag) or explicitly (by setting pct=100).

3. Confirm that your logo is:

   • in SVG P/S format
   • the file is less than 32KB
   • the image shape is square
   • the background is a solid color.

4. Upload the image to a service of your choice, and save the https:// URL where it’s available for future reference.

5. Access your DNS records through your domain service provider. If you’re not sure how to access your domain records, reach out to the person or team that manages your website or email address for assistance.
6. Create a new TXT record at the default._bimi subdomain.
   For example:
   default._bimi.example.com
   The exact steps to create the subdomain and TXT record will depend on your domain provider’s service.
7. Add a value for the TXT record that includes the BIMI version (v=) and location (l=) of the logo file.
   For example:
   v=BIMI1; l=https://example.com/images/logo.svg;
8. If you have a VMC, include the authority (a=) with the URL for the certificate .pem file.
   For example:
   v=BIMI1; l=https://example.com/images/logo.svg; a=https://example.com/certificate/aa0-0aa/aa/aa-example_com_vmc_2021-01-01.pem
9. Save your new record and wait for it to propagate across the internet.
10. Use AuthIndicators Group’s BIMI Inspector to make sure everything is set up properly.