Will BIMI become a standard trust indicator for email like SSL/TLS for websites?

Summary

The consensus on BIMI's potential to become a standard trust indicator like SSL/TLS is mixed. While BIMI enhances brand value and provides a visual cue for recipients, experts argue it's not inherently a trust indicator like SPF, DKIM, or DMARC. Adoption hinges on several factors: widespread support from ESPs and mailbox providers, consistent logo display, user awareness, and overcoming the significant cost barrier associated with trademark registration and Verified Mark Certificates (VMCs). The complexity and labor-intensive identity verification process present further challenges. Some believe that mailbox providers could implement similar systems more cost-effectively. Concerns have been raised about the parallels with Extended Validation certificates, which offered limited value. Therefore, its future depends on bridging the gap between security and marketing, and whether the benefits outweigh the costs for businesses of all sizes.

Key findings

Brand & Security Enhancement: BIMI enhances brand recognition and provides additional security against phishing.
Not Inherent Trust Signal: BIMI is not inherently a trust indicator in the same way as SPF, DKIM, or DMARC.
Adoption Barriers: Adoption faces significant barriers including cost, complexity, and limited mailbox provider support.
Marketing vs Security: BIMI's perceived value is impacted by whether it's considered primarily a marketing tool or a security feature.
Implementation Requirements: Requires DMARC enforcement, registered trademark, and a VMC, which requires renewal every 2 years.
User Awareness: User awareness and understanding are crucial for BIMI to function effectively as a trust indicator.

Key considerations

Cost-Benefit Analysis: Conduct a thorough cost-benefit analysis to determine if the investment in BIMI is justified.
Mailbox Provider Support: Evaluate the level of BIMI support provided by major mailbox providers.
Trademark Requirements: Ensure you have a registered trademark and understand the renewal requirements.
VMC Management: Plan for VMC acquisition, renewal, and management processes.
Alternative Solutions: Consider alternative or supplementary solutions for email authentication and brand protection.
Small Business Considerations: A small business must consider the overall costs and whether or not they are attainable.

What email marketers say
7Marketer opinions

The future of BIMI as a standard trust indicator for email, akin to SSL/TLS for websites, is multifaceted. While BIMI offers enhanced brand recognition, security against phishing, and improved subscriber trust, its widespread adoption faces hurdles. Key challenges include the limited support from email service providers (ESPs) and mailbox providers, the costs associated with trademark registration and Verified Mark Certificates (VMCs) which can be prohibitive for smaller businesses, and the necessity for consistent display of logos by mailbox providers coupled with user awareness for BIMI to function effectively as a trust signal. Experts believe that if these challenges can be overcome, BIMI has the potential to become a recognizable and trusted visual cue in the inbox.

Key opinions

Brand Recognition: BIMI enhances brand recognition in the inbox through visual logos.
Security: BIMI provides additional security against phishing by requiring trademarks and VMCs.
Cost Barrier: The cost of trademark registration and VMCs can be a significant barrier, especially for small businesses.
Adoption Dependence: Widespread adoption depends on support from ESPs and mailbox providers.
User Awareness: BIMI's success relies on users recognizing the logos as indicators of trust.

Key considerations

Cost Implications: Evaluate the costs associated with trademark registration and VMC acquisition for BIMI implementation.
Mailbox Provider Support: Assess the level of BIMI support offered by the mailbox providers your target audience uses.
User Education: Consider how to educate users to recognize and trust BIMI logos as a security indicator.
Long-Term Viability: Monitor BIMI adoption rates and technological advancements to determine its long-term viability as a standard trust indicator.
Alternative Solutions: If the cost is prohibitive, what alternative solutions can you consider.

Marketer view

Email marketer from SparkPost believes that as more companies implement BIMI, users will become more accustomed to seeing the logo, and it will increase trust and brand awareness, helping it become a standard indicator of trust.

December 2022 - SparkPost

Marketer view

Email marketer from ZeroBounce shares that BIMI provides a visual cue that enhances brand recognition in the inbox, improves trust with subscribers, and strengthens email security through DMARC enforcement.

March 2022 - ZeroBounce

Marketer view

Email marketer from Litmus explains that BIMI helps brands stand out in crowded inboxes and provides a recognizable trust indicator for recipients when correctly implemented.

March 2024 - Litmus

Marketer view

Email marketer from Reddit shares that BIMI adoption can be expensive for smaller businesses due to trademark registration and VMC costs. This presents a barrier to widespread adoption across all business sizes.

October 2021 - Reddit

What the experts say
10Expert opinions

Experts are skeptical about BIMI becoming a standard trust indicator like SSL/TLS. They highlight that BIMI isn't inherently a trust signal like SPF, DKIM, or DMARC, and compare it to Extended Validation (EV) certificates, which proved to be of limited value to users. The cost and complexity of obtaining Verified Mark Certificates (VMCs), along with the labor-intensive identity verification process, are significant barriers. While mailbox providers *could* implement similar systems more cheaply, the current implementation relies on Certificate Authorities for validation. To enter the BIMI CA space requires convincing major mailbox providers, making it difficult for new entrants. The effectiveness of BIMI also suffers as some systems only show logos if it’s a brand you email with frequently. Whether BIMI is seen as marketing fluff or as a genuine security measure significantly impacts the perception of its value. Ultimately, while CAs vouching for customer identity is valuable, the high cost and complex infrastructure cast doubt on BIMI's potential to become a universally adopted trust indicator.

Key opinions

Not Inherent Trust: BIMI is not inherently a trust indicator like SPF, DKIM, or DMARC.
Costly Implementation: The cost and complexity of VMCs are significant barriers to adoption.
Complex CA Entry: Entering the BIMI CA space is difficult and requires convincing mailbox providers.
Limited User Value: Some systems only show logos if it’s a brand you email with frequently.
Marketing vs. Security: BIMI's perceived value hinges on whether it's seen as marketing or security.
EV Certificate Parallel: BIMI shares similarities with Extended Validation (EV) certificates, which had limited success.

Key considerations

Cost-Benefit Analysis: Carefully evaluate the costs versus the benefits of implementing BIMI.
Alternative Authentication: Explore alternative or supplementary authentication methods that may be more cost-effective.
Mailbox Provider Politics: Understand the politics of mailbox provider adoption and potential alternative systems.
Security vs. Marketing Focus: Consider whether the primary goal is branding or enhanced security when considering BIMI.
Long-Term Viability: Assess the long-term viability of BIMI given the existing barriers and potential future alternatives.

Expert view

Expert from Email Geeks explains that CAs are vouching for the identity and trustworthiness of their customers, which is better than mailbox providers maintaining a whitelist but not free.

April 2024 - Email Geeks

Expert view

Expert from Email Geeks indicates that Extended Validation (EV) website certificates are the closest historical model to BIMI.

October 2024 - Email Geeks

Expert view

Expert from Email Geeks explains that BIMI is not inherently a trust indicator like SPF, DKIM, or DMARC.

March 2023 - Email Geeks

Expert view

Expert from Email Geeks clarifies that the main authentication difference with BIMI is the inclusion of a Certificate Authority to validate the sender's identity, which incurs a cost. The image is marketing and DMARC is politics, not authentication.

March 2023 - Email Geeks

What the documentation says
3Technical articles

BIMI aims to enhance brand value and security by connecting verified logos to DMARC enforcement, improving authentication and preventing domain impersonation. Implementing BIMI requires a DMARC policy set to enforcement (p=quarantine or p=reject), a registered trademark for the logo, and a valid Verified Mark Certificate (VMC) from an authorized certification authority. VMCs are valid for two years and must be renewed to ensure ongoing brand control and use.

Key findings

Brand Enhancement: BIMI enhances brand value through verified logos.
Security Enhancement: BIMI increases security by leveraging DMARC enforcement and preventing domain impersonation.
Implementation Requirements: Requires DMARC enforcement, a registered trademark, and a valid VMC.
VMC Validity: VMCs are valid for two years and require renewal.

Key considerations

DMARC Enforcement: Ensure DMARC is properly configured and set to p=quarantine or p=reject.
Trademark Requirement: Obtain a registered trademark for your brand logo.
VMC Acquisition: Secure a Verified Mark Certificate (VMC) from a trusted certification authority.
Renewal Management: Plan for the renewal of VMCs every two years to maintain BIMI compliance.

Technical article

Documentation from Entrust shares that a VMC is valid for two years, and after this period, the organization must renew it, proving ongoing control and use of the brand logo.

December 2023 - Entrust

Technical article

Documentation from BIMI Group explains that BIMI enhances brand value by connecting verified logos to the increased protection provided by DMARC enforcement, building on improved authentication against domain impersonation.

January 2024 - BIMI Group Website

Technical article

Documentation from DigiCert clarifies that to implement BIMI, you need DMARC set to enforcement (p=quarantine or p=reject), a registered trademark for your logo, and a Verified Mark Certificate (VMC) issued by an authorized certification authority.

December 2021 - DigiCert

How (and Why) to Use BIMI For Email Marketing

Now more than ever, email security and trust are more critical than ever, and that's where BIMI logos come into play.

Customer Engagement Blog

Everything you need to know about BIMI

Everything you need to know about BIMI and validated mark certificates, how they increase brand trust, and which companies have adopted them.

Spoor & Fisher

Verified Mark Certificates & the BIMI Standard: Show Your Company ...

Learn about BIMI — a new email standard that could boost your email visibility, build customer trust, and help fight phishing If your job is related to email marketing, terms...

Hashed Out by The SSL Store™

BIMI for Gmail: Google Makes Email Identity Indicators Part of Its ...

Google is partnering with DigiCert and Entrust Datacard to launch a BIMI pilot for Gmail — here's what to know about how it will boost email security and allow companies to show their logo in customers’ inboxes

Hashed Out by The SSL Store™

Does BIMI impact email deliverability?

Does BIMI improve email deliverability and engagement?

How do I implement BIMI and get my logo to show in Gmail and Yahoo Mail?

How do I implement BIMI for email verification in Gmail and Yahoo?

Do I need a VMC for BIMI to work with Google and Gmail?

Does Microsoft Outlook support BIMI for displaying brand logos in email?