Is BIMI easily spoofed and are there drawbacks to BIMI implementation?

Summary

Experts and marketers generally agree that BIMI (Brand Indicators for Message Identification) is difficult to spoof due to the stringent checks by Certificate Authorities and the expense associated with obtaining a valid Verified Mark Certificate (VMC). However, BIMI implementation is not without drawbacks. The cost of obtaining a VMC can be prohibitive, especially for smaller businesses. Even with a valid VMC, mailbox providers are not obligated to display the logo, and may choose not to if the sender has a poor reputation. BIMI adoption is not universal across all email clients and ISPs, limiting its reach. While BIMI enhances brand recognition, it doesn't guarantee improved deliverability, which still depends on content quality and sender reputation. Technical complexities exist in setting up BIMI, including DMARC compliance, DNS record configuration, and VMC acquisition. There's also a risk of trademark disputes if the logo is too similar to existing trademarks. Ongoing maintenance of DMARC, SPF, and DKIM records is crucial to ensure continued effectiveness.

Key findings

  • Spoofing Difficulty: BIMI is difficult to spoof due to stringent CA checks and VMC requirements.
  • VMC Cost & Complexity: Obtaining and maintaining a VMC can be costly and complex, especially for small businesses.
  • No Display Guarantee: Mailbox providers are not obligated to display the BIMI logo.
  • Limited Adoption: BIMI is not universally supported across all email clients and ISPs.
  • No Deliverability Guarantee: BIMI doesn't guarantee improved deliverability; content and reputation remain key.
  • Technical Challenges: Setting up BIMI involves technical complexities like DMARC and DNS configuration.

Key considerations

  • Cost Budgeting: Factor in the cost of the VMC and ongoing maintenance when budgeting for BIMI.
  • Technical Expertise: Ensure adequate technical expertise for DMARC, DNS, and VMC implementation.
  • Trademark Clearance: Verify trademark status to avoid potential disputes related to logo usage.
  • DMARC Compliance: Ensure DMARC policies are strictly enforced (p=quarantine or p=reject).
  • Ongoing Maintenance: Commit to ongoing maintenance of DMARC, SPF, and DKIM records.
  • Limited Reach Awareness: Be aware that not all recipients will see the BIMI logo due to limited adoption.

What email marketers say
12Marketer opinions

While BIMI (Brand Indicators for Message Identification) enhances brand recognition in email inboxes, it's not without its drawbacks and potential complexities. Spoofing is considered difficult due to stringent Certificate Authority checks. However, mailbox providers aren't obligated to display BIMI logos, negating the investment for bad actors or those with poor reputations. Implementation requires a Verified Mark Certificate (VMC), which adds cost and complexity, particularly for smaller businesses. BIMI adoption is not universal, limiting the visual impact across all recipients. It doesn't guarantee higher deliverability, as content quality and sender reputation remain crucial. There's also the risk of trademark disputes and the technical challenges of setting up BIMI, including DMARC compliance. Ongoing maintenance of authentication records is necessary to maintain effectiveness.

Key opinions

  • Spoofing Difficulty: BIMI spoofing is difficult due to strict checks by Certificate Authorities.
  • No Guaranteed Display: Mailbox providers may not display BIMI logos, rendering the investment useless for senders with poor reputations.
  • VMC Requirement: BIMI requires a costly and complex Verified Mark Certificate (VMC).
  • Limited Adoption: BIMI is not universally adopted across all email providers and clients.
  • No Deliverability Guarantee: BIMI does not guarantee improved email deliverability; content and sender reputation are still critical.

Key considerations

  • Cost: The cost of obtaining and maintaining a VMC can be a barrier, especially for smaller businesses.
  • Technical Complexity: Setting up BIMI involves technical complexities, including DMARC, DNS records, and VMC acquisition.
  • Trademark Risk: There is a risk of trademark disputes if your logo is similar to existing trademarks.
  • Ongoing Maintenance: BIMI requires ongoing maintenance of DMARC, SPF, and DKIM records to remain effective.
  • Limited Reach: Due to limited adoption, not all recipients will see the BIMI logo.
Marketer view

Email marketer from Reddit explains the risk of trademark disputes with BIMI, if your logo is too similar to an existing trademark, even if unintentional, you might face legal challenges and have to discontinue using the logo for BIMI.

December 2023 - Reddit
Marketer view

Marketer from Email Geeks reminds that mailbox providers don’t HAVE to show your logo and that if you are a bad actor, they can just not show your BIMI logo so now you’ve paid money for no reason.

May 2024 - Email Geeks
Marketer view

Email marketer from Mailhardener shares that BIMI adoption is not universal among email providers, so the visual benefits may not be seen by all recipients. This limited support diminishes the value for some senders.

October 2022 - Mailhardener
Marketer view

Email marketer from SparkPost explains that while BIMI offers visual branding, it doesn't solve all email deliverability problems. Content quality and sender reputation are still critical.

June 2023 - SparkPost
Marketer view

Email marketer from Validity explains that BIMI acts as a visual trust signal, but notes that it requires ongoing maintenance of DMARC, SPF, and DKIM records to remain effective and prevent display issues if authentication fails.

January 2024 - Validity
Marketer view

Email marketer from EmailVendorSelection mentions the complexity involved in setting up BIMI, including DNS records, VMC acquisition, and DMARC configuration. This can be technically challenging for some organizations.

March 2024 - EmailVendorSelection
Marketer view

Email marketer from Val Geisler's website explains that BIMI requires a VMC (Verified Mark Certificate), which can be complex and costly to obtain, especially for smaller businesses. This cost and complexity can be a significant drawback.

August 2024 - Val Geisler (website)
Marketer view

Email marketer from Litmus shares that BIMI is not universally supported across all email clients and ISPs, which means that not all recipients will see the logo, reducing the overall impact of the implementation.

November 2022 - Litmus
Marketer view

Email marketer from ZeroBounce shares that while BIMI can improve brand recognition, it doesn't directly guarantee higher deliverability. Deliverability depends on various factors, including sender reputation and email content.

September 2023 - ZeroBounce
Marketer view

Email marketer from Reddit mentions that smaller businesses may find the cost and complexity of BIMI, especially the VMC, prohibitive compared to the potential benefits, making it less attractive.

December 2024 - Reddit
Marketer view

Marketer from Email Geeks explains that, VMC or no VMC, they also look at who you are and what you do in their network and just because you send an email and have a valid BIMI logo doesn’t mean they will show your logo, let alone your emails.

December 2021 - Email Geeks
Marketer view

Marketer from Email Geeks responds that spoofing BIMI is nearly impossible because the checks Certificate Authorities do are very thorough.

October 2021 - Email Geeks

What the experts say
4Expert opinions

Experts generally agree that BIMI spoofing is not easily achieved due to the expense and effort required for forgery, including obtaining valid certificates. While BIMI is seen as a worthwhile investment for enhancing brand presence and protecting against spoofing, implementing it correctly involves technical challenges, especially for smaller organizations lacking expertise in DMARC, VMC acquisition, and DNS setup.

Key opinions

  • Spoofing Not Easy: BIMI spoofing is not easy due to the cost and complexity of forging certificates.
  • Worthwhile Investment: BIMI is considered a worthwhile investment for brand enhancement and anti-spoofing.
  • Technical Challenges: Implementing BIMI correctly involves significant technical challenges.

Key considerations

  • Expertise Required: Smaller organizations may lack the expertise needed for proper BIMI implementation.
  • DMARC Compliance: Careful attention to DMARC compliance is crucial for BIMI implementation.
  • VMC Acquisition: The process of acquiring a VMC requires specific steps and can be complex.
  • DNS Setup: Proper DNS record setup is essential for BIMI to function correctly.
Expert view

Expert from Email Geeks shares they have not seen any BIMI spoofing in action, and they talk to the Cert providers frequently.

December 2022 - Email Geeks
Expert view

Expert from Spamresource explains that although BIMI has some drawbacks like cost and technical implementation, it's generally considered worthwhile for companies wanting to enhance their brand presence in the inbox and protect against spoofing.

October 2023 - Spamresource
Expert view

Expert from Email Geeks explains that BIMI forgery is kind of expensive and that bad actors that cycle domains are probably not going to cycle the certs like that and it does not mean a domain will have a good reputation.

June 2023 - Email Geeks
Expert view

Expert from Word to the Wise (Laura Atkins) shares that implementing BIMI correctly requires careful attention to detail regarding DMARC compliance, VMC acquisition, and DNS record setup, and that these technical hurdles can be a drawback for smaller organizations lacking specialized expertise.

December 2024 - Word to the Wise

What the documentation says
5Technical articles

BIMI relies on a multi-layered security approach, demanding a Verified Mark Certificate (VMC) from an authorized certification authority, and strict enforcement of a DMARC policy (p=quarantine or p=reject). Strong email authentication standards (SPF, DKIM, DMARC) are foundational to BIMI, ensuring only legitimate senders can display their logos and reducing spoofing risks. Precise adherence to technical specifications for SVG logos, DNS records, and VMC implementation is crucial for proper display. The cost of obtaining a VMC can be a considerable investment, particularly impacting smaller organizations and complicating budget planning.

Key findings

  • VMC Requirement: BIMI mandates a Verified Mark Certificate (VMC) from an authorized CA.
  • DMARC Enforcement: A strict DMARC policy (p=quarantine or p=reject) is required for BIMI.
  • Strong Authentication: BIMI relies on robust email authentication protocols: SPF, DKIM, and DMARC.
  • Technical Specifications: Precise technical specifications for logos and DNS records are essential for BIMI.
  • Costly VMC: The cost of a VMC can be a significant investment.

Key considerations

  • VMC Acquisition: Budget for the cost of obtaining a Verified Mark Certificate from an authorized provider.
  • DMARC Compliance: Ensure DMARC policy is set to quarantine or reject before implementing BIMI.
  • Technical Expertise: Address the technical requirements for SVG logos and DNS records setup.
  • Budgeting: Factor in the VMC cost, which can vary and affect budget planning.
  • Adherence to Standards: Adhere strictly to BIMI technical specifications for optimal display.
Technical article

Documentation from Entrust explains that to display a logo with BIMI, a Verified Mark Certificate (VMC) issued by an authorized certification authority is required, adding a layer of validation and cost.

July 2024 - Entrust
Technical article

Documentation from dmarcian explains that BIMI requires a DMARC policy to be enforced (p=quarantine or p=reject), which can be a hurdle for organizations still working on DMARC implementation. This is a requirement, not optional, for BIMI.

February 2022 - dmarcian
Technical article

Documentation from GlobalSign indicates that the cost of a VMC can be a significant investment, particularly for smaller organizations. This cost can vary, making budgeting difficult.

May 2024 - GlobalSign
Technical article

Documentation from BIMI Group explains the technical specifications of BIMI, including the requirements for SVG logos, DNS records, and the VMC, outlining the need for adherence to standards to ensure proper display.

December 2023 - BIMI Group
Technical article

Documentation from DigiCert explains that BIMI relies on strong email authentication (SPF, DKIM, DMARC) and a VMC, which ensures that only legitimate senders can display their logos, reducing the risk of spoofing.

June 2023 - DigiCert