Sometimes you’re told things that turn out to be incorrect, which is what happened when I originally wrote this post. I was asked why OWA displayed logos and turned to some contacts in Microsoft, one of whom told me that the answer was BIMI. As it turns out, that answer was wrong. I should have checked further, but didn’t. Now that I have found out the real answer, I document it here.
BIMI: Helping to Highlight Good Email
Brand Indicators for Message Identification (BIMI) is a standardized method for companies to publish their brand logos online so that the logos can be used in applications like email. The idea is that users will be more easily able to recognize messages from companies by seeing their logos when the logos are displayed in applications. A draft industry-wide standard for BIMI is available.
BIMI Logos in DNS
The BIMI logo information is published in a DNS resource record. The record includes a link to the graphic file for an SVG-formatted logo. Email and other applications then retrieve the logo from DNS and load it alongside other message data such as Inbox lists and message windows.
It’s worth underlining that BIMI builds on and does not replace existing email authentication mechanisms such as SPF and DMARC. Reputable organizations should always publish SPF and DMARC records to allow receiving domains to authenticate inbound email. For more information about BIMI, head to the Brand Indicators site.
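To make the relationship concrete, here is an added example (not code from the post) of the checks a receiving application would run before showing a BIMI logo: it parses a BIMI TXT record (tag names `v`, `l` and `a` as in the BIMI draft), requires an HTTPS link to an SVG logo, and requires a DMARC policy of quarantine or reject. The DNS answers are constructed samples for imaginary domains, embedded so the code runs offline.

```python
from urllib.parse import urlparse

# Constructed sample DNS answers. In practice these are TXT lookups at
# <selector>._bimi.<domain> and _dmarc.<domain>.
SAMPLE_DNS = {
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # Weak publisher: plain-HTTP PNG logo and a DMARC policy of none.
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.png",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi(domain, dns=SAMPLE_DNS, selector="default"):
    """Return (ok, reasons): ok is True only when every prerequisite for showing the logo holds."""
    reasons = []
    bimi = parse_tags(dns.get(f"{selector}._bimi.{domain}", ""))
    dmarc = parse_tags(dns.get(f"_dmarc.{domain}", ""))

    if bimi.get("v") != "BIMI1":
        reasons.append("no BIMI1 record published")

    # The logo link must be HTTPS and point at an SVG file.
    logo = urlparse(bimi.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        reasons.append("logo must be an https URL to an SVG file")

    # BIMI builds on DMARC: an enforcing policy is required, not just a record.
    if dmarc.get("v") != "DMARC1":
        reasons.append("no DMARC record published")
    elif dmarc.get("p") not in ("quarantine", "reject"):
        reasons.append("DMARC policy must be quarantine or reject")

    return (not reasons, reasons)
```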
Microsoft’s Business Profile Program
Interesting as BIMI is, Microsoft does not participate in the BIMI initiative. Instead, it has its own approach, called “brand cards,” which serves much the same purpose without using DNS. Businesses sign up with the Microsoft Business Profile program, which is currently in beta.
When a company signs up, it gives Microsoft a verified icon that OWA uses in Office 365 and Outlook.com. As you can see below, the logos for Microsoft and Fitbit show up in OWA, which means that these organizations have business profiles, while Carrefour and Parking Tag do not. Outlook desktop and Outlook mobile do not yet support the display of brand cards. Because the program uses Bing, some brand cards are generated for well-known organizations.

The BIMI initiative could become an industry standard. Microsoft’s business profile program is definitely led by Microsoft. Whether the two will come together in the future is open for debate.
Nothing for an Office 365 Admin to do
You don’t have to do anything inside Office 365 before OWA displays brand logos: the display is under the control of the email client and depends on whether a brand card exists for the sending organization. In fact, you can’t stop OWA from displaying the logos.
SPF and DMARC are discussed at length in Chapter 17 of the Office 365 for IT Pros eBook along with lots of other great information about anti-malware techniques.
So can a malicious sender use BIMI to give false visual signals that their message is valid?
This is very difficult to do with BIMI, and it is not likely that their malicious domain would remain viable for the time it takes for the ESP to verify the BIMI signal. Brand indicators don’t appear for IPs/domains with a poor reputation. Brand cards take this a step further by querying MS’s records to be sure the sending domains match what appears in the business’s profile.
So if they fail DMARC, the BIMI logo will not be shown in the user’s inbox, yes?
Would it not be better to show that the email failed the DMARC policy set by the sender domain?
Expectation is it will not show the logo in case email reaches the mailbox.
That’s something general people won’t get, as they don’t know what DMARC is. However, a missing logo can definitely make sense for everyone.
BIMI has been setup to enhance DMARC due to lack of take-up by the industry.
You also need to have your logo as a registered trademark in the countries you trade in, a digital authority to issue an EV SSL certificate tied to the domain for verification, and DMARC set to quarantine or reject.
I have added a BIMI record into my domain. I am now waiting to see if it works. Fingers crossed. My domain has DMARC reject and BIMI enabled. (I will say I am waiting on trademark verification.)
To be honest, I think Microsoft are muddying the water by coming out with a proprietary protocol just for Microsoft users. (mmm, trying to corner the market???) Look what happened to IBM in the early ’80s with the IBM PC: IBM-compatible PCs came out and left IBM behind.
To protect your email, some of the big guns out there should be working together. Stop trying to make a fast buck on everything.
On a footnote: I set my business up 6 months ago to push the take-up of DMARC. I saw the value in a simple DNS record being added and the value of the data you get back from your sent emails, which you won’t see without DMARC.