Will BIMI become a standard trust indicator for email like SSL/TLS for websites?

Summary

The consensus on BIMI's potential to become a standard trust indicator like SSL/TLS is mixed. While BIMI enhances brand value and provides a visual cue for recipients, experts argue it's not inherently a trust indicator like SPF, DKIM, or DMARC. Adoption hinges on several factors: widespread support from ESPs and mailbox providers, consistent logo display, user awareness, and overcoming the significant cost barrier associated with trademark registration and Verified Mark Certificates (VMCs). The complexity and labor-intensive identity verification process present further challenges. Some believe that mailbox providers could implement similar systems more cost-effectively. Concerns have been raised about the parallels with Extended Validation certificates, which offered limited value. Therefore, its future depends on bridging the gap between security and marketing, and whether the benefits outweigh the costs for businesses of all sizes.

Key findings

  • Brand & Security Enhancement: BIMI enhances brand recognition and provides additional security against phishing.
  • Not Inherent Trust Signal: BIMI is not inherently a trust indicator in the same way as SPF, DKIM, or DMARC.
  • Adoption Barriers: Adoption faces significant barriers including cost, complexity, and limited mailbox provider support.
  • Marketing vs Security: BIMI's perceived value is impacted by whether it's considered primarily a marketing tool or a security feature.
  • Implementation Requirements: Requires DMARC enforcement, registered trademark, and a VMC, which requires renewal every 2 years.
  • User Awareness: User awareness and understanding are crucial for BIMI to function effectively as a trust indicator.

Key considerations

  • Cost-Benefit Analysis: Conduct a thorough cost-benefit analysis to determine if the investment in BIMI is justified.
  • Mailbox Provider Support: Evaluate the level of BIMI support provided by major mailbox providers.
  • Trademark Requirements: Ensure you have a registered trademark and understand the renewal requirements.
  • VMC Management: Plan for VMC acquisition, renewal, and management processes.
  • Alternative Solutions: Consider alternative or supplementary solutions for email authentication and brand protection.
  • Small Business Considerations: A small business must consider the overall costs and whether or not they are attainable.

What email marketers say
7Marketer opinions

The future of BIMI as a standard trust indicator for email, akin to SSL/TLS for websites, is multifaceted. While BIMI offers enhanced brand recognition, security against phishing, and improved subscriber trust, its widespread adoption faces hurdles. Key challenges include the limited support from email service providers (ESPs) and mailbox providers, the costs associated with trademark registration and Verified Mark Certificates (VMCs) which can be prohibitive for smaller businesses, and the necessity for consistent display of logos by mailbox providers coupled with user awareness for BIMI to function effectively as a trust signal. Experts believe that if these challenges can be overcome, BIMI has the potential to become a recognizable and trusted visual cue in the inbox.

Key opinions

  • Brand Recognition: BIMI enhances brand recognition in the inbox through visual logos.
  • Security: BIMI provides additional security against phishing by requiring trademarks and VMCs.
  • Cost Barrier: The cost of trademark registration and VMCs can be a significant barrier, especially for small businesses.
  • Adoption Dependence: Widespread adoption depends on support from ESPs and mailbox providers.
  • User Awareness: BIMI's success relies on users recognizing the logos as indicators of trust.

Key considerations

  • Cost Implications: Evaluate the costs associated with trademark registration and VMC acquisition for BIMI implementation.
  • Mailbox Provider Support: Assess the level of BIMI support offered by the mailbox providers your target audience uses.
  • User Education: Consider how to educate users to recognize and trust BIMI logos as a security indicator.
  • Long-Term Viability: Monitor BIMI adoption rates and technological advancements to determine its long-term viability as a standard trust indicator.
  • Alternative Solutions: If the cost is prohibitive, what alternative solutions can you consider.
Marketer view

Email marketer from SparkPost believes that as more companies implement BIMI, users will become more accustomed to seeing the logo, and it will increase trust and brand awareness, helping it become a standard indicator of trust.

December 2022 - SparkPost
Marketer view

Email marketer from ZeroBounce shares that BIMI provides a visual cue that enhances brand recognition in the inbox, improves trust with subscribers, and strengthens email security through DMARC enforcement.

March 2022 - ZeroBounce

What the experts say
10Expert opinions

Experts are skeptical about BIMI becoming a standard trust indicator like SSL/TLS. They highlight that BIMI isn't inherently a trust signal like SPF, DKIM, or DMARC, and compare it to Extended Validation (EV) certificates, which proved to be of limited value to users. The cost and complexity of obtaining Verified Mark Certificates (VMCs), along with the labor-intensive identity verification process, are significant barriers. While mailbox providers *could* implement similar systems more cheaply, the current implementation relies on Certificate Authorities for validation. To enter the BIMI CA space requires convincing major mailbox providers, making it difficult for new entrants. The effectiveness of BIMI also suffers as some systems only show logos if it’s a brand you email with frequently. Whether BIMI is seen as marketing fluff or as a genuine security measure significantly impacts the perception of its value. Ultimately, while CAs vouching for customer identity is valuable, the high cost and complex infrastructure cast doubt on BIMI's potential to become a universally adopted trust indicator.

Key opinions

  • Not Inherent Trust: BIMI is not inherently a trust indicator like SPF, DKIM, or DMARC.
  • Costly Implementation: The cost and complexity of VMCs are significant barriers to adoption.
  • Complex CA Entry: Entering the BIMI CA space is difficult and requires convincing mailbox providers.
  • Limited User Value: Some systems only show logos if it’s a brand you email with frequently.
  • Marketing vs. Security: BIMI's perceived value hinges on whether it's seen as marketing or security.
  • EV Certificate Parallel: BIMI shares similarities with Extended Validation (EV) certificates, which had limited success.

Key considerations

  • Cost-Benefit Analysis: Carefully evaluate the costs versus the benefits of implementing BIMI.
  • Alternative Authentication: Explore alternative or supplementary authentication methods that may be more cost-effective.
  • Mailbox Provider Politics: Understand the politics of mailbox provider adoption and potential alternative systems.
  • Security vs. Marketing Focus: Consider whether the primary goal is branding or enhanced security when considering BIMI.
  • Long-Term Viability: Assess the long-term viability of BIMI given the existing barriers and potential future alternatives.
Expert view

Expert from Email Geeks explains that CAs are vouching for the identity and trustworthiness of their customers, which is better than mailbox providers maintaining a whitelist but not free.

April 2024 - Email Geeks
Expert view

Expert from Email Geeks indicates that Extended Validation (EV) website certificates are the closest historical model to BIMI.

October 2024 - Email Geeks

What the documentation says
3Technical articles

BIMI aims to enhance brand value and security by connecting verified logos to DMARC enforcement, improving authentication and preventing domain impersonation. Implementing BIMI requires a DMARC policy set to enforcement (p=quarantine or p=reject), a registered trademark for the logo, and a valid Verified Mark Certificate (VMC) from an authorized certification authority. VMCs are valid for two years and must be renewed to ensure ongoing brand control and use.

Key findings

  • Brand Enhancement: BIMI enhances brand value through verified logos.
  • Security Enhancement: BIMI increases security by leveraging DMARC enforcement and preventing domain impersonation.
  • Implementation Requirements: Requires DMARC enforcement, a registered trademark, and a valid VMC.
  • VMC Validity: VMCs are valid for two years and require renewal.

Key considerations

  • DMARC Enforcement: Ensure DMARC is properly configured and set to p=quarantine or p=reject.
  • Trademark Requirement: Obtain a registered trademark for your brand logo.
  • VMC Acquisition: Secure a Verified Mark Certificate (VMC) from a trusted certification authority.
  • Renewal Management: Plan for the renewal of VMCs every two years to maintain BIMI compliance.
Technical article

Documentation from Entrust shares that a VMC is valid for two years, and after this period, the organization must renew it, proving ongoing control and use of the brand logo.

December 2023 - Entrust
Technical article

Documentation from BIMI Group explains that BIMI enhances brand value by connecting verified logos to the increased protection provided by DMARC enforcement, building on improved authentication against domain impersonation.

January 2024 - BIMI Group Website