BIMI: Show Your Logo
BIMI puts your brand logo right in the inbox, next to your emails. It is a visual trust signal, like a recognized flag that increases recognition and engagement. But implementing BIMI requires proper authentication, a verified mark certificate, and correctly formatted assets. This guide walks you through every step of the voyage: from meeting the prerequisites to publishing your BIMI record and seeing your logo appear alongside your messages in the inbox.
What is BIMI?
BIMI, also known as Brand Indicators for Message Identification, is an email specification defined in RFC 9091 that allows mailbox providers to display a brand’s official logo next to authenticated messages. BIMI does not authenticate mail by itself. Instead, it relies entirely on strong DMARC enforcement.
Think of BIMI as the ship’s flag that becomes visible only when the harbor has confirmed that the vessel is legitimate and follows all navigation rules.
What is the purpose of BIMI?
BIMI’s purpose is to strengthen brand identity, increase user trust, and reward authenticated senders by giving them visual recognition inside inboxes. It helps users quickly distinguish legitimate mail from impersonation attempts.
It was also designed to combat the rising problem of logo phishing or favicon attacks, where attackers place lookalike logos in user profile photo areas to build false trust.
How does BIMI work?
BIMI works by layering on top of DMARC. A mailbox provider checks:
Whether DMARC is at p=quarantine or p=reject.
Whether the domain publishes a valid BIMI record.
Whether the SVG logo meets BIMI specifications.
Whether a Verified Mark Certificate is required and valid.
If everything aligns, the provider may display the logo.
What are the benefits of BIMI?
Higher brand visibility in inboxes.
Stronger user trust in identified messages.
Clearer distinction from phishing attempts.
Better user experience across supported providers.
It turns your brand into a recognizable vessel arriving with its official ensign clearly visible.
Some market studies have shown that BIMI-enabled messages can increase open rates by more than ten percent.
Do I need a VMC for BIMI?
It depends on the provider. Gmail requires a VMC for the logo to appear. Yahoo allows self-asserted BIMI for some senders.
If you want universal coverage, a VMC is required.
What are the requirements to implement BIMI?
Strict DMARC policy at quarantine or reject.
Aligned SPF and/or DKIM.
Valid BIMI DNS record.
A logo in the SVG Tiny Portable/Secure format.
VMC certificate if required.
Does BIMI improve deliverability?
BIMI does not directly improve inbox placement. However, providers view BIMI as an indicator of strong domain hygiene, which can help strengthen reputation indirectly.
What are Authenticated Replies (ARF enhancements)?
ARF, also known as the Abuse Reporting Format, is defined in RFC 5965 for the format itself and RFC 6591 for failure reporting. ARF is the standard used for Feedback Loops, which are the complaint reports mailbox providers send to domain owners.
Authenticated Replies, or Authenticated ARF, refers to emerging proposals that enhance this system by adding cryptographic verification. The goal is to prevent forged or spoofed complaint reports, which can damage sender reputation.
Future enhancements focus on:
Signed ARF reports using cryptographic seals that verify the mailbox provider truly generated the complaint.
Metadata that records authentication results at the moment the end user hit “Report Spam.”
Verified identifiers that prevent attackers from submitting fake complaint reports.
These changes strengthen trust in complaint data and create a more reliable foundation for sender reputation systems.
How will BIMI v2 or Brand-Trust standards evolve?
The AuthIndicators Working Group, also known as the BIMI Group, is steering the evolution of BIMI. Its BIMI v2 and broader Brand Trust initiatives aim to move beyond simple logo display toward:
richer brand metadata
verified organizational identity
stronger certificate requirements
anti-phishing visual signals
user-side indicators of brand legitimacy
Future work may introduce multi-frame branding, animated or context-aware verification, and link-level trust indicators tied to DMARC enforcement.
The direction is clear. Inbox providers want a more reliable visual ecosystem that distinguishes trusted brands from impersonators at a glance.