Google targets phishing with full BIMI email logo authentication support
Gmail will tie logos to DMARC authentication
Brand Indicators for Message Identification (BIMI), a standard for visually proving an email’s legitimacy, got a boost today with the launch of a new automation tool from email security company Valimail and official support from Google.
Launched as a formal specification in 2019, BIMI is a standard that lets companies define what marketing image is displayed next to emails sent from their servers. This image, which the BIMI working group calls a “brand assertation,” serves as visual proof that the message is authentic.
BIMI uses DNS records to define the image, and it also relies on the Domain-based Message Authentication, Reporting, and Performance (DMARC) standard, which helps protect against phishing. This, in turn, relies on two other technologies: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
DMARC and its underlying technologies help to prevent email spoofing, in which phishing attackers fake a sender’s domain in an email’s “From:” field. DMARC enables administrators to publish their policy for authenticating and rejecting emails.
When a DMARC-supporting email server receives an email, it uses DNS to look up the DMARC record for the alleged sender's domain. It then checks the mail's DKIM digital certificate to ensure it matches the alleged sender's DKIM certificate. It also verifies the message came from IP addresses listed in the SPF record.
While not a security solution, BIMI uses these technologies to verify the image attached to an email is really from the sender.
An incoming email server uses DMARC to authenticate the message. If the email passes the DMARC authentication, the email server uses DNS to retrieve the sender's BIMI image. The BIMI image then shows up next to the company's name in emails.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Boosting its legitimacy, BIMI also got official support from Google following a year-long pilot project. The company will now officially support BIMI in Gmail, according to the AuthIndicators Working Group, which manages the BIMI effort.
This official acceptance by Google means for an organization's logo to be eligible for display in Gmail, a brand must obtain a BIMI certificate confirming its right to use the image. These certificates are tied to registered trademarks from select jurisdictions.
Aberdeen Report: How a platform approach to security monitoring initiatives adds value
Integration, orchestration, analytics, automation, and the need for speed
Several other companies also support BIMI in pilot mode, including Yahoo!, AOL, Netscape, and Fastmail. Comcast was also planning BIMI support as of last October. Microsoft, however, still has not signed on to the program.
To help streamline this process, email security company Valimail, which claims to have “founded, named, and resourced the BIMI standard,” announced Amplify, a tool that automates BIMI support. With Amplify’s release, Valimain looks to make BIMI the baseline for all email security.
Along with the new product, Valimail debuted partnerships with certificate providers DigiCert and Entrust to develop BIMI further and create a straightforward process for companies to enforce DMARC and Verified Mark Certificate (VMC).
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.