Will BIMI become a standard trust indicator for email like SSL/TLS for websites?

Summary

The consensus on BIMI's potential to become a standard trust indicator like SSL/TLS is mixed. While BIMI enhances brand value and provides a visual cue for recipients, experts argue it's not inherently a trust indicator like SPF, DKIM, or DMARC. Adoption hinges on several factors: widespread support from ESPs and mailbox providers, consistent logo display, user awareness, and overcoming the significant cost barrier associated with trademark registration and Verified Mark Certificates (VMCs). The complexity and labor-intensive identity verification process present further challenges. Some believe that mailbox providers could implement similar systems more cost-effectively. Concerns have been raised about the parallels with Extended Validation certificates, which offered limited value. Therefore, its future depends on bridging the gap between security and marketing, and whether the benefits outweigh the costs for businesses of all sizes.

Key findings

  • Brand & Security Enhancement: BIMI enhances brand recognition and provides additional security against phishing.
  • Not Inherent Trust Signal: BIMI is not inherently a trust indicator in the same way as SPF, DKIM, or DMARC.
  • Adoption Barriers: Adoption faces significant barriers including cost, complexity, and limited mailbox provider support.
  • Marketing vs Security: BIMI's perceived value is impacted by whether it's considered primarily a marketing tool or a security feature.
  • Implementation Requirements: Requires DMARC enforcement, registered trademark, and a VMC, which requires renewal every 2 years.
  • User Awareness: User awareness and understanding are crucial for BIMI to function effectively as a trust indicator.

Key considerations

  • Cost-Benefit Analysis: Conduct a thorough cost-benefit analysis to determine if the investment in BIMI is justified.
  • Mailbox Provider Support: Evaluate the level of BIMI support provided by major mailbox providers.
  • Trademark Requirements: Ensure you have a registered trademark and understand the renewal requirements.
  • VMC Management: Plan for VMC acquisition, renewal, and management processes.
  • Alternative Solutions: Consider alternative or supplementary solutions for email authentication and brand protection.
  • Small Business Considerations: A small business must consider the overall costs and whether or not they are attainable.

What email marketers say
7Marketer opinions

The future of BIMI as a standard trust indicator for email, akin to SSL/TLS for websites, is multifaceted. While BIMI offers enhanced brand recognition, security against phishing, and improved subscriber trust, its widespread adoption faces hurdles. Key challenges include the limited support from email service providers (ESPs) and mailbox providers, the costs associated with trademark registration and Verified Mark Certificates (VMCs) which can be prohibitive for smaller businesses, and the necessity for consistent display of logos by mailbox providers coupled with user awareness for BIMI to function effectively as a trust signal. Experts believe that if these challenges can be overcome, BIMI has the potential to become a recognizable and trusted visual cue in the inbox.

Key opinions

  • Brand Recognition: BIMI enhances brand recognition in the inbox through visual logos.
  • Security: BIMI provides additional security against phishing by requiring trademarks and VMCs.
  • Cost Barrier: The cost of trademark registration and VMCs can be a significant barrier, especially for small businesses.
  • Adoption Dependence: Widespread adoption depends on support from ESPs and mailbox providers.
  • User Awareness: BIMI's success relies on users recognizing the logos as indicators of trust.

Key considerations

  • Cost Implications: Evaluate the costs associated with trademark registration and VMC acquisition for BIMI implementation.
  • Mailbox Provider Support: Assess the level of BIMI support offered by the mailbox providers your target audience uses.
  • User Education: Consider how to educate users to recognize and trust BIMI logos as a security indicator.
  • Long-Term Viability: Monitor BIMI adoption rates and technological advancements to determine its long-term viability as a standard trust indicator.
  • Alternative Solutions: If the cost is prohibitive, what alternative solutions can you consider.
Marketer view

Email marketer from SparkPost believes that as more companies implement BIMI, users will become more accustomed to seeing the logo, and it will increase trust and brand awareness, helping it become a standard indicator of trust.

December 2022 - SparkPost
Marketer view

Email marketer from ZeroBounce shares that BIMI provides a visual cue that enhances brand recognition in the inbox, improves trust with subscribers, and strengthens email security through DMARC enforcement.

March 2022 - ZeroBounce
Marketer view

Email marketer from Litmus explains that BIMI helps brands stand out in crowded inboxes and provides a recognizable trust indicator for recipients when correctly implemented.

March 2024 - Litmus
Marketer view

Email marketer from Reddit shares that BIMI adoption can be expensive for smaller businesses due to trademark registration and VMC costs. This presents a barrier to widespread adoption across all business sizes.

October 2021 - Reddit
Marketer view

Email marketer from Email on Acid responds that BIMI makes it harder for phishers to spoof legitimate brands, as they would need a registered trademark and VMC, adding a layer of security beyond SPF, DKIM, and DMARC alone.

April 2022 - Email on Acid
Marketer view

Email marketer from Mailjet explains that while BIMI is gaining traction, widespread adoption depends on email service providers (ESPs) and mailbox providers supporting the standard. Current support is limited but growing.

November 2022 - Mailjet
Marketer view

Email marketer from Gmass believes that BIMI's future as a trust indicator hinges on mailbox providers consistently displaying the logos and users recognizing them as signs of authenticity. Without consistent display and user awareness, its impact will be limited.

September 2022 - Gmass

What the experts say
10Expert opinions

Experts are skeptical about BIMI becoming a standard trust indicator like SSL/TLS. They highlight that BIMI isn't inherently a trust signal like SPF, DKIM, or DMARC, and compare it to Extended Validation (EV) certificates, which proved to be of limited value to users. The cost and complexity of obtaining Verified Mark Certificates (VMCs), along with the labor-intensive identity verification process, are significant barriers. While mailbox providers *could* implement similar systems more cheaply, the current implementation relies on Certificate Authorities for validation. To enter the BIMI CA space requires convincing major mailbox providers, making it difficult for new entrants. The effectiveness of BIMI also suffers as some systems only show logos if it’s a brand you email with frequently. Whether BIMI is seen as marketing fluff or as a genuine security measure significantly impacts the perception of its value. Ultimately, while CAs vouching for customer identity is valuable, the high cost and complex infrastructure cast doubt on BIMI's potential to become a universally adopted trust indicator.

Key opinions

  • Not Inherent Trust: BIMI is not inherently a trust indicator like SPF, DKIM, or DMARC.
  • Costly Implementation: The cost and complexity of VMCs are significant barriers to adoption.
  • Complex CA Entry: Entering the BIMI CA space is difficult and requires convincing mailbox providers.
  • Limited User Value: Some systems only show logos if it’s a brand you email with frequently.
  • Marketing vs. Security: BIMI's perceived value hinges on whether it's seen as marketing or security.
  • EV Certificate Parallel: BIMI shares similarities with Extended Validation (EV) certificates, which had limited success.

Key considerations

  • Cost-Benefit Analysis: Carefully evaluate the costs versus the benefits of implementing BIMI.
  • Alternative Authentication: Explore alternative or supplementary authentication methods that may be more cost-effective.
  • Mailbox Provider Politics: Understand the politics of mailbox provider adoption and potential alternative systems.
  • Security vs. Marketing Focus: Consider whether the primary goal is branding or enhanced security when considering BIMI.
  • Long-Term Viability: Assess the long-term viability of BIMI given the existing barriers and potential future alternatives.
Expert view

Expert from Email Geeks explains that CAs are vouching for the identity and trustworthiness of their customers, which is better than mailbox providers maintaining a whitelist but not free.

April 2024 - Email Geeks
Expert view

Expert from Email Geeks indicates that Extended Validation (EV) website certificates are the closest historical model to BIMI.

October 2024 - Email Geeks
Expert view

Expert from Email Geeks explains that BIMI is not inherently a trust indicator like SPF, DKIM, or DMARC.

March 2023 - Email Geeks
Expert view

Expert from Email Geeks clarifies that the main authentication difference with BIMI is the inclusion of a Certificate Authority to validate the sender's identity, which incurs a cost. The image is marketing and DMARC is politics, not authentication.

March 2023 - Email Geeks
Expert view

Expert from Email Geeks states that the cost is a significant aspect of BIMI. If BIMI is seen merely as marketing, the expense and minimal benefit to the recipient are less important. However, if BIMI is linked to trust, security, or phishing prevention, it becomes a more complex issue.

August 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that if BIMI is viewed as just marketing, the labor-intensive part isn't necessary. However, if it's related to trust or brand integrity, the threat model around trademarks necessitates validation beyond just having a trademark.

January 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that mailbox providers could implement a system similar to BIMI using DKIM and favicons (or other identity-to-image maps) without the expensive identity verification step. The labor-intensive identity verification is the key aspect of BIMI.

November 2022 - Email Geeks
Expert view

Expert from Word to the Wise responds that BIMI is unlikely to become a universal trust indicator. The primary reason is the complexity and cost associated with obtaining a Verified Mark Certificate (VMC), which is a requirement for BIMI. Also BIMI suffers as Gmail and other systems that fully support BIMI only show logos if it’s a brand you email with frequently.

October 2021 - Word to the Wise
Expert view

Expert from Email Geeks explains that to spin up a new BIMI CA, convincing mailbox providers of customer vetting, pricing, policing, and revenue stream is crucial, highlighting the role of transitive trust and personal relationships with mailbox provider executives.

October 2023 - Email Geeks
Expert view

Expert from Email Geeks compares BIMI to Extended Validation (EV) TLS certificates, noting EV certs were a revenue source for certificate authorities but offered little practical reassurance to users over Domain Validated (DV) certificates.

September 2024 - Email Geeks

What the documentation says
3Technical articles

BIMI aims to enhance brand value and security by connecting verified logos to DMARC enforcement, improving authentication and preventing domain impersonation. Implementing BIMI requires a DMARC policy set to enforcement (p=quarantine or p=reject), a registered trademark for the logo, and a valid Verified Mark Certificate (VMC) from an authorized certification authority. VMCs are valid for two years and must be renewed to ensure ongoing brand control and use.

Key findings

  • Brand Enhancement: BIMI enhances brand value through verified logos.
  • Security Enhancement: BIMI increases security by leveraging DMARC enforcement and preventing domain impersonation.
  • Implementation Requirements: Requires DMARC enforcement, a registered trademark, and a valid VMC.
  • VMC Validity: VMCs are valid for two years and require renewal.

Key considerations

  • DMARC Enforcement: Ensure DMARC is properly configured and set to p=quarantine or p=reject.
  • Trademark Requirement: Obtain a registered trademark for your brand logo.
  • VMC Acquisition: Secure a Verified Mark Certificate (VMC) from a trusted certification authority.
  • Renewal Management: Plan for the renewal of VMCs every two years to maintain BIMI compliance.
Technical article

Documentation from Entrust shares that a VMC is valid for two years, and after this period, the organization must renew it, proving ongoing control and use of the brand logo.

December 2023 - Entrust
Technical article

Documentation from BIMI Group explains that BIMI enhances brand value by connecting verified logos to the increased protection provided by DMARC enforcement, building on improved authentication against domain impersonation.

January 2024 - BIMI Group Website
Technical article

Documentation from DigiCert clarifies that to implement BIMI, you need DMARC set to enforcement (p=quarantine or p=reject), a registered trademark for your logo, and a Verified Mark Certificate (VMC) issued by an authorized certification authority.

December 2021 - DigiCert