Inside BIMI: How Email Logos Are Becoming Security Features
AI created, human edited.
In a recent episode of Security Now, host Steve Gibson shared his fascinating journey into implementing BIMI (Brand Indicators for Message Identification) for his company GRC. The story reveals both the promise and complexity of this emerging email authentication standard that's been a decade in the making.
BIMI allows organizations to display their official logos in supported email clients' sender fields, but only after passing strict authentication requirements. It's not just about pretty pictures – it's about creating a visible indicator of email authenticity that average users can understand.
Gibson's experience getting BIMI-certified through DigiCert was nothing short of extraordinary. The process included:
- Creating a specially formatted SVG logo meeting the strict SVG Tiny PS standard
- Undergoing organization validation at the EV (Extended Validation) certificate level
- Participating in a video interview where he had to:
  - Show government-issued photo ID
  - Hold the ID next to his face
  - Wave his hand in front of and behind the ID to prove it wasn't digitally inserted
- Proving historical usage of his logo through the Internet Archive's Wayback Machine
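The authentication half of BIMI is machine-checkable, even though the identity-vetting steps above are not. A receiving provider only renders the logo when the sending domain publishes a DMARC policy at enforcement (p=reject, or p=quarantine at 100 percent) and a BIMI TXT record (v=BIMI1 with an HTTPS logo URL and, for providers that require it, a certificate URL), and when the logo file itself conforms to the SVG Tiny PS profile. The script below is an added example written for this summary, not code from GRC or the podcast: it runs offline over constructed TXT records and constructed SVG documents (the domains example.com and weak.example are placeholders) and reports why a deployment would fail before any real DNS query is made.

```python
"""Offline pre-flight checks for a BIMI deployment: DNS records and the SVG logo.

Added example; the records, domains and SVG documents below are constructed
for illustration and are not GRC's real records.
"""
import xml.etree.ElementTree as ET

# Constructed TXT answers, keyed the way a resolver would be asked:
# _dmarc.<domain> for DMARC and default._bimi.<domain> for the BIMI selector.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/logo.svg;",
}

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed logos: one that satisfies the structural Tiny PS rules, one that does not.
GOOD_SVG = (
    f'<svg xmlns="{SVG_NS}" version="1.2" baseProfile="tiny-ps" viewBox="0 0 64 64">'
    "<title>Example Brand</title><rect width=\"64\" height=\"64\" fill=\"#0a0\"/></svg>"
)
BAD_SVG = (
    f'<svg xmlns="{SVG_NS}" version="1.1" viewBox="0 0 64 64">'
    "<script>/* scripting is not allowed in Tiny PS */</script>"
    "<rect width=\"64\" height=\"64\" fill=\"#a00\"/></svg>"
)


def parse_tag_value(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(record: str) -> bool:
    """BIMI needs DMARC at enforcement: p=reject, or p=quarantine covering 100% of mail."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return policy == "reject" or (policy == "quarantine" and pct == 100)


def bimi_record_problems(domain: str, txt: dict) -> list:
    """Return the reasons a receiver would refuse to show the domain's logo (empty = OK)."""
    problems = []
    dmarc = txt.get(f"_dmarc.{domain}")
    if dmarc is None:
        problems.append("no DMARC record")
    elif not dmarc_is_enforcing(dmarc):
        problems.append("DMARC policy is not at enforcement")
    bimi = txt.get(f"default._bimi.{domain}")
    if bimi is None:
        return problems + ["no BIMI record"]
    tags = parse_tag_value(bimi)
    if tags.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    if not tags.get("l", "").startswith("https://"):
        problems.append("logo URL (l=) must be HTTPS")
    if not tags.get("a"):
        problems.append("no certificate URL (a=)")
    return problems


def svg_tiny_ps_problems(svg_text: str) -> list:
    """Check the SVG Tiny PS rules that are visible in the document structure."""
    root = ET.fromstring(svg_text)
    if root.tag.split("}")[-1] != "svg":
        return ["root element is not <svg>"]
    problems = []
    if root.get("version") != "1.2":
        problems.append("version must be 1.2")
    if root.get("baseProfile") != "tiny-ps":
        problems.append("baseProfile must be tiny-ps")
    if not any(child.tag.split("}")[-1] == "title" for child in root):
        problems.append("missing <title>")
    for element in root.iter():
        if element.tag.split("}")[-1] == "script":
            problems.append("contains <script>")
        for attr, value in element.attrib.items():
            # External references (href/xlink:href to a URL) are not permitted.
            if attr.split("}")[-1] == "href" and value.startswith(("http://", "https://")):
                problems.append(f"external reference: {value}")
    return problems


if __name__ == "__main__":
    for domain in ("example.com", "weak.example"):
        print(domain, bimi_record_problems(domain, SAMPLE_TXT) or "records OK")
    print("good logo:", svg_tiny_ps_problems(GOOD_SVG) or "OK")
    print("bad logo:", svg_tiny_ps_problems(BAD_SVG))
```

The SVG check covers only the structural rules of the profile (version, baseProfile, a title, no scripting, no external references); the certifying CA applies the full profile plus the identity validation described above, so a clean result here means the logo is worth submitting, not that it will be accepted.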
Major email providers, including Gmail, Yahoo, and Apple Mail, now support BIMI. During the discussion, Gibson noted seeing BIMI logos from major companies like PayPal and Disney+ in his Gmail inbox, though adoption remains limited.
As co-host Leo Laporte pointed out, implementing BIMI isn't cheap. While exact costs weren't disclosed, the certification process requires significant investment in both time and money. This creates an interesting dynamic: while email remains free to send, organizations must pay for this enhanced level of authentication and brand display.
Both hosts expressed measured optimism about BIMI's potential. Gibson suggested it might "chip away at some of the catastrophe that completely free email creation and delivery has created." However, Laporte raised valid concerns about whether users will notice or understand what these logos signify.
The implementation of BIMI represents a fascinating shift in email security – one that tries to make authentication visible to end users through trusted logos. While the standard sets an unusually high bar for participation, this stringency might be exactly what email security has been missing.
As Gibson put it, "in an industry that has repeatedly been in such a hurry that the bar is usually set too low, I consider this to be a change in the right direction."
BIMI represents an interesting evolution in email authentication, combining visual branding with robust security measures. While its adoption and impact remain to be seen, it offers a new tool in the ongoing battle against email spoofing and phishing attacks. Organizations considering BIMI implementation should be prepared for a rigorous certification process but may find the enhanced email authenticity worth the effort.