BIMI: Increasing security and brand affinity in the inbox 

If you’ve checked your inbox recently, you might have noticed that some emails display logos—or even a blue checkmark if you’re using Gmail. Seeing a logo builds trust and reinforces the sender’s legitimacy. But how can you get your brand’s logo to appear in your customers’ inboxes?

Enter Brand Indicators for Message Identification (BIMI)—a game-changer for email branding and security.

Brand Indicators for Message Identification (BIMI) is the standard for adding your verified logo to a customer's inbox. By using BIMI, brands can enhance trust, build legitimacy as verified senders, and reduce the risk of phishing campaigns.

A third party verifies and certifies your logo, providing legitimacy that you are who you claim to be. This can be a valuable avenue for brands at risk of being spoofed through phishing campaigns, further strengthening their legitimacy in the inbox. For example, financial institutions or social media platforms may particularly benefit from BIMI.

In many ways, BIMI is a great security tool, but it also is excellent for branding.

So, how do you get a BIMI standard? Before you can showcase your verified logo in the inbox, you must meet a short list of strict requirements. The process could cost thousands of dollars and take months to complete.

To implement BIMI, follow these steps before your verified logo can appear in inboxes:

Your logo must be certified by a third party for BIMI to function on most email clients (cough, cough, Gmail).

Requires your logo to be trademarked by an intellectual property office, which can take 6-12 months. Currently, DigiCert and Entrust both offer VMC certification, but Apple no longer supports certificates issued by Entrust as of November 15th, 2024. We recommend using DigiCert as the third-party service for VMC certification.

This is easier to acquire as it doesn't require a trademarked logo but will not display a verified blue checkmark in Gmail.

• Create an SVG file of your logo
• Add a TXT record in your DNS that references the SVG file
• Upload your PEM file (what your certificate will be issued in) to your domain’s public web server
• Set a DMARC policy to quarantine or reject with the percent option (pct) set to 100.

The annual cost of a VMC or CMC ranges from $1,000 to $3,000 per year, depending on the issuing authority and the level of validation required.

Depending on your route, you should consider the costs of hiring a legal team to achieve a trademark or technical resources to make necessary changes in your DNS.

A DMARC monitoring service ensures that your policy is correctly implemented and active, preventing accidental lapses. Depending on the provider, this annual cost ranges between $500 and $5000.

If you are just starting, it’s essential to understand that this is not an overnight process. If you do not have prerequisites in place, it could take you upwards of a year.

BIMI is supported on a variety of email clients, but not all. Before acquiring BIMI for your business, I highly encourage senders to understand their email client weight and whether BIMI will be seen by the majority of their subscriber base.

• As of 2023, Gmail provides a blue checkmark next to VMC-verified logos

• One of the earliest adopters of BIMI
• Yahoo Mail does not currently require a Verified Mark Certificate (VMC) to display a BIMI logo.
  • You must have a properly configured BIMI DNS TXT record that points to your logo in the required SVG format.
  • Yahoo currently shows BIMI in the message list and mobile mail applications on Yahoo and AOL.

• Starting with iOS 16 and macOS Ventura, Apple Mail supports BIMI.

• Fastmail
• AOL Mail
• La Poste (France)

According to Litmus data, Apple Mail currently holds the largest market share of email clients. However, it’s important to note that each sender’s audience is unique. If your audience is weighted towards one of the email clients that does not support BIMI, such as Outlook, Zoho Mail, or Thunderbird, it might not be worthwhile.

• Strict DMARC records, if your business isn’t ready for them, can cause issues with your emails being quarantined or rejected.
• Competing tools, such as Apple Business Connect, suggest that email clients (in this case, Apple Mail) may be choosing to invest in their verification features instead of universal standards.
• There is a lack of standardization of requirements to meet the BIMI standard across email clients. Yahoo, on the one hand, only requires a strict DMARC policy and a TXT record, whereas if you want to get a blue checkmark in Gmail, you must have a VMC. If you choose to implement BIMI, you might as well complete all the requirements (attaining a VMC) to see full support across all mail clients listed on BIMI group.

If you are solely interested in acquiring a logo for branding purposes, you might explore these alternatives—knowing that they do not replace the security enhancements that BIMI provides.

• If your subscriber base is heavily weighted toward Apple Mail, it might make sense to proceed with your branding via Apple Business Connect.
• If your subscriber base is heavily weighted toward Gmail, you might just want to add your logo to your Gmail workspace.

BIMI is still a relatively new security measure for senders and email clients—although it was introduced in 2015, it wasn’t until 2020 that Gmail announced support for it, and Apple Mail in 2022 with its release of iOS16. BIMI can be a fantastic way for brands to introduce strengthened legitimacy in the inbox, as long as the team implementing it has sufficient resources to invest in it.