Sometimes you’re told things that turn out to be incorrect, which is what happened when I originally wrote this post. I was asked why OWA displayed logos and turned to some contacts in Microsoft, one of whom told me that the answer was BIMI. As it turns out, that answer was wrong. I should have checked further, but didn’t. Now that I have found out the real answer, I document it here.
BIMI: Helping to Highlight Good Email
Brand Indicators for Message Identification (BIMI) is a standardized method for companies to publish their brand logos online so that the logos can be used in applications like email. The idea is that users will be more easily able to recognize messages from companies by seeing their logos when the logos are displayed in applications. A draft industry-wide standard for BIMI is available.
BIMI Logos in DNS
The BIMI logo information is published in a DNS resource record. The record includes a link to the graphic file for an SVG-formatted logo. Email and other applications then use the DNS record to retrieve the logo and display it alongside other message data in places such as Inbox lists and message windows.
It’s worth underlining that BIMI builds on and does not replace existing email authentication mechanisms such as SPF and DMARC. Reputable organizations should always publish SPF and DMARC records to allow receiving domains to authenticate inbound email. For more information about BIMI, head to the Brand Indicators site.
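To make the relationship between the BIMI record and DMARC concrete, here is an added example (not code from the original post or from the BIMI project) that checks a domain's BIMI and DMARC TXT records offline. It assumes the draft's record layout (a TXT record at `default._bimi.<domain>` with `v=BIMI1`, `l=` for the logo URL and `a=` for the certificate location) and a DMARC record at `_dmarc.<domain>`; the `example.com` records are constructed, and treating a missing `a=` tag as a problem is this example's choice because some receivers require a certificate.

```python
# Added example (not from the original post). All records below are constructed.

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_findings(bimi_txt, dmarc_txt):
    """Return the problems that would keep a logo from being shown ([] if none)."""
    problems = []
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    if bimi.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record does not declare v=BIMI1")
    logo = bimi.get("l", "")
    if not logo:
        problems.append("no logo location in l= tag")
    else:
        if not logo.lower().startswith("https://"):
            problems.append("logo URL is not https")
        if not logo.lower().split("?")[0].endswith(".svg"):
            problems.append("logo is not an SVG file")
    # Assumption of this example: a receiver that requires a certificate
    # will not show the logo when the a= tag is absent.
    if not bimi.get("a"):
        problems.append("no authority evidence (certificate) in a= tag")
    # BIMI builds on DMARC: the policy must be enforced, not just monitored.
    if dmarc.get("v", "").upper() != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")
    return problems

# Constructed TXT values for default._bimi.example.com and _dmarc.example.com
GOOD_BIMI = "v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/vmc.pem"
BAD_BIMI = "v=BIMI1; l=http://brand.example.com/logo.png"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, b, d in (("good", GOOD_BIMI, GOOD_DMARC),
                        ("monitor-only DMARC", GOOD_BIMI, WEAK_DMARC),
                        ("bad logo", BAD_BIMI, GOOD_DMARC)):
        print(label, "->", bimi_findings(b, d) or "ready")
```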
Microsoft’s Business Profile Program
Interesting as BIMI is, Microsoft does not participate in the BIMI initiative. Instead, they have their own approach called “brand cards,” which serve much the same purpose without using DNS. Businesses sign up with the Microsoft Business Profile program, which is currently in beta.
When a company signs up, it gives Microsoft a verified icon that is used by OWA in Office 365 and Outlook.com. As you can see below, the logos for Microsoft and Fitbit show up in OWA, which means that these organizations have business profiles, while Carrefour and Parking Tag do not. Outlook desktop and Outlook mobile do not yet support the display of brand cards. Because the program uses Bing, some brand cards are generated for well-known organizations.
Brand cards for Microsoft and Fitbit displayed by OWA
The BIMI initiative could become an industry standard. Microsoft’s business profile program is definitely led by Microsoft. Whether the two will come together in the future is open for debate.
Nothing for an Office 365 Admin to do
You don’t have to do anything inside Office 365 before OWA displays brand logos as this is under the control of the email program and depends on whether a brand card exists for an organization. In fact, you can’t stop OWA displaying the logos.
SPF and DMARC are discussed at length in Chapter 17 of the Office 365 for IT Pros eBook along with lots of other great information about anti-malware techniques.
So can a malicious sender use BIMI to give false visual signals that their message is valid?
This is very difficult to do with BIMI, and it is not likely that their malicious domain would remain viable for the time it takes for the ESP to verify the BIMI signal. Brand indicators don’t appear for IPs/domains with a poor reputation. Brand cards take this a step further by querying MS’s records to be sure the sending domains match what appears in the business’s profile.
So if they failed DMARC, the BIMI will not be shown in the user inbox, yes?
Would it not be better to show that the email failed DMARC set by the sender domain?
The expectation is that it will not show the logo in case the email reaches the mailbox.
That’s something general people won’t get: what DMARC is. However, a missing logo can definitely make sense for everyone.
BIMI has been set up to enhance DMARC due to lack of take-up by the industry.
You also need to have your logo as a registered trademark in the countries you trade in, a digital authority to issue an EV SSL certificate tied to the domain for verification and DMARC set to quarantine or reject.
I have added a BIMI record into my domain. I am now waiting to see if it works. Fingers crossed. My domain has DMARC reject and BIMI enabled. (I will say I am waiting on trademark verification).
To be honest I think Microsoft are muddying the water by coming out with a proprietary protocol just for Microsoft users. (mmm trying to corner the market???) Look what happened to IBM in the early 80’s with the IBM PC: IBM-compatible PCs came out and left IBM behind.
To protect your email, some big guns out there should be working together. Stop trying to make a fast buck on everything.
On a footnote: I set my business up 6 months ago to push the take-up of DMARC. I saw the value in a simple DNS record being added and the value of the data you get back from your sent emails, which you won’t see without DMARC.