Logos in Email – Another Way to Stop Spoofing

Sometimes you’re told things that turn out to be incorrect, which is what happened when I originally wrote this post. I was asked why OWA displayed logos and turned to some contacts in Microsoft, one of whom told me that the answer was BIMI. As it turns out, that answer was wrong. I should have checked further, but didn’t. Now that I have found out the real answer, I document it here.

BIMI: Helping to Highlight Good Email

Brand Indicators for Message Identification (BIMI) is a standardized method for companies to publish their brand logos online so that the logos can be used in applications like email. The idea is that users will more easily recognize messages from companies when the companies' logos are displayed alongside those messages. A draft industry-wide standard for BIMI is available.

BIMI Logos in DNS

The BIMI logo information is published in a DNS resource record. The record does not hold the image itself; it includes a link to the graphic file for an SVG-formatted logo. Email clients and other applications look up the record, fetch the logo from that link, and display it alongside other message data such as Inbox lists and message windows.

It’s worth underlining that BIMI builds on and does not replace existing email authentication mechanisms such as SPF and DMARC. Reputable organizations should always publish SPF and DMARC records to allow receiving domains to authenticate inbound email. For more information about BIMI, head to the Brand Indicators site.
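To make the DNS side concrete, here is an added example (not code from the original post) that builds the DNS name a receiver queries and sanity-checks a BIMI assertion record before any logo is fetched. The record layout (a TXT record at `<selector>._bimi.<domain>` with `v=`, `l=` and `a=` tags) follows the BIMI draft rather than this post, and the sample records are constructed.

```python
"""Parse and sanity-check a BIMI assertion record.
Added example, not from the original post. Record layout (TXT at
<selector>._bimi.<domain>, tags v=, l=, a=) follows the BIMI draft;
sample records are constructed for illustration."""
from urllib.parse import urlparse


def bimi_record_name(domain: str, selector: str = "default") -> str:
    """DNS owner name a receiver queries for the brand's BIMI TXT record."""
    return f"{selector}._bimi.{domain}"


def parse_bimi_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (tag names case-insensitive)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi_record(txt: str) -> list:
    """Problems a receiver should flag before it fetches or shows the logo.

    An empty list means the record itself looks usable. Whether a given
    message may show the logo still depends on it passing DMARC, which is
    checked separately; the record only says where the logo lives."""
    problems = []
    tags = parse_bimi_record(txt)
    if not txt.strip().lower().startswith("v="):
        problems.append("version tag must be first")
    if tags.get("v") != "BIMI1":
        problems.append("unsupported version")
    if "l" not in tags:
        problems.append("missing logo location (l=)")
    elif tags["l"] == "":
        problems.append("empty l=: domain declines to publish a logo")
    elif urlparse(tags["l"]).scheme != "https":
        problems.append("logo location must use https")
    # Optional a= tag points at the evidence (certificate) for the logo.
    if tags.get("a") and urlparse(tags["a"]).scheme != "https":
        problems.append("evidence location must use https")
    return problems
```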

Microsoft’s Business Profile Program

Interesting as BIMI is, Microsoft does not participate in the BIMI initiative. Instead, it has its own approach called “brand cards,” which serves much the same purpose without using DNS. Businesses sign up with the Microsoft Business Profile program, which is currently in beta.

When a company signs up, it gives Microsoft a verified icon that is used by OWA in Office 365 and Outlook.com. As you can see below, the logos for Microsoft and Fitbit show up in OWA, which means that these organizations have business profiles, while Carrefour and Parking Tag do not. Outlook desktop and Outlook mobile do not yet support the display of brand cards. Because the program uses Bing, some brand cards are generated automatically for well-known organizations.

Figure: Brand cards for Microsoft and Fitbit displayed by OWA

The BIMI initiative could become an industry standard. Microsoft’s business profile program, by contrast, is controlled by Microsoft alone. Whether the two will come together in the future is open for debate.

Nothing for an Office 365 Admin to do

You don’t have to do anything inside Office 365 before OWA displays brand logos as this is under the control of the email program and depends on whether a brand card exists for an organization. In fact, you can’t stop OWA displaying the logos.


SPF and DMARC are discussed at length in Chapter 17 of the Office 365 for IT Pros eBook along with lots of other great information about anti-malware techniques.

2 Replies to “Logos in Email – Another Way to Stop Spoofing”

    1. This is very difficult to do with BIMI, and it is not likely that their malicious domain would remain viable for the time it takes for the ESP to verify the BIMI signal. Brand indicators don’t appear for IPs/domains with a poor reputation. Brand cards take this a step further by querying MS’s records to be sure the sending domains match what appears in the business’s profile.
