Forum Discussion
BIMI Logos – Another Way to Stop Email Spoofing
TonyRedmond Google recently touched upon BIMI again (7/12)...as did Postmark (7/13). As long as DMARC has been around, it's sad how few have implemented. Hopefully this can gain traction.
https://cloud.google.com/blog/products/identity-security/bringing-bimi-to-gmail-in-google-workspace
https://postmarkapp.com/blog/what-the-heck-is-bimi#how-do-you-implement-bimi
Kevin Taber I still cannot believe the slow uptake on DMARC and am really confused by the lack of BIMI on Microsoft's part. Both of these are great initiatives at reducing the prevalence of security events in the email space as it relates to PHISHING and targeted attacks. Come on Microsoft, time to prioritise the easy wins and listen to the community and commentators like TonyRedmond
- the_bear_glitch, Aug 03, 2022, Copper Contributor
David Westgate TonyRedmond a year later, anyone know if Microsoft changed their stance on BIMI?
Would be interesting to know why Microsoft have not yet shown interest.
- Joshua Bines, Aug 03, 2022, Iron Contributor
Not that I have seen myself. My take is: the worry is around the verification of the image itself. In theory you could create any domain such as fakedomain.com, add anyone's BIMI image, and as long as the email passes DMARC, BIMI-enabled services will display the image. If there is wider adoption of BIMI I can see how a spoofed email would appear more legit to users in this scenario. I imagine the user comments would go something like 'but it had the logo, of course I clicked on the link...' That said, I'm sure a well-designed spam filter should be able to handle and filter out most of these attacks. Other thoughts?
Update: Google is using Verified Mark Certificate (VMC) to get around this issue but it appears the scope is limited.
How BIMI Avoids Unauthorized (or Fraudulent) Use of Logos - BIMI Group
- Kevin Taber, Aug 03, 2022, Copper Contributor
Since a Mark Verifying Authority (MVA) will have to verify the domain owner and brand/logo, like an EV certificate, hopefully it helps prevent most of the malicious attempts. It's fairly strict, I thought.
It will at least aid in the adoption of DMARC. I wish it was a requirement to have DMARC in place when owning a domain name. Heck, there are still many that don't use SPF.
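The two posts above describe the dependency chain a BIMI-aware receiver walks through before it shows a logo: the sending domain's DMARC record must be at enforcement, the `default._bimi` record must point at a logo, and, for receivers such as Gmail that require it, the `a=` tag must point at a Verified Mark Certificate that binds the logo to the domain. The following checker is an added example written for this thread; it is not code from the BIMI Group, Google, Postmark or any poster. It evaluates constructed DMARC and BIMI TXT records offline (no DNS lookups), using my reading of the BIMI draft's DMARC prerequisites (`p=reject`, or `p=quarantine` with `pct=100`, and no `sp=none`) as an assumption, and it flags the lookalike-domain case Joshua Bines describes: a record that satisfies DMARC and reuses another brand's logo URL but carries no VMC, so the logo is self-asserted rather than verified. The domain names are constructed.

```python
"""Assess whether a domain's DMARC + BIMI DNS records would get its logo displayed,
and whether that logo is bound to a Verified Mark Certificate (VMC).

Added example for the thread above, not code from any poster or vendor.
Assumption: BIMI requires DMARC p=reject, or p=quarantine with pct=100, and
a subdomain policy (sp) that is not 'none'. Records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DNS TXT record into a dict (tags lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")  # split on the first '=' only; URLs may contain '='
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class BimiAssessment:
    dmarc_ok: bool
    logo_url: Optional[str]
    vmc_url: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def logo_would_display(self) -> bool:
        """A receiver that does not demand a VMC would show the logo."""
        return self.dmarc_ok and self.logo_url is not None

    @property
    def logo_is_verified(self) -> bool:
        """A VMC-requiring receiver (e.g. Gmail) would show the logo."""
        return self.logo_would_display and self.vmc_url is not None


def dmarc_at_enforcement(dmarc_record: str, reasons: List[str]) -> bool:
    """Check the DMARC prerequisites BIMI imposes (see module docstring assumption)."""
    tags = parse_tag_value(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        reasons.append("not a DMARC1 record")
        return False
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        reasons.append(f"DMARC p={policy or 'missing'}; BIMI needs quarantine or reject")
        return False
    if policy == "quarantine" and int(tags.get("pct", "100")) != 100:
        reasons.append("p=quarantine with pct<100 is not full enforcement")
        return False
    if tags.get("sp", "").lower() == "none":
        reasons.append("sp=none lets subdomains escape enforcement")
        return False
    return True


def assess_bimi(dmarc_record: str, bimi_record: str) -> BimiAssessment:
    """Combine the DMARC check with the BIMI record's logo (l=) and VMC (a=) tags."""
    reasons: List[str] = []
    dmarc_ok = dmarc_at_enforcement(dmarc_record, reasons)
    tags = parse_tag_value(bimi_record)
    logo: Optional[str] = None
    vmc: Optional[str] = None
    if tags.get("v", "").upper() != "BIMI1":
        reasons.append("not a BIMI1 record")
    else:
        logo = tags.get("l") or None
        vmc = tags.get("a") or None
        if logo is not None and not logo.lower().startswith("https://"):
            reasons.append("logo URL must be https")
            logo = None
        if logo is not None and vmc is None:
            reasons.append("no a= tag: logo is self-asserted, not bound to a VMC; "
                           "receivers that require a VMC will not show it")
    return BimiAssessment(dmarc_ok, logo, vmc, reasons)


# Constructed records for three cases (domains are placeholders, not real senders).
BRAND_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@brand.example"
BRAND_BIMI = "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"
# Lookalike domain: passes DMARC, reuses the brand's logo URL, but has no VMC.
LOOKALIKE_DMARC = "v=DMARC1; p=quarantine; pct=100"
LOOKALIKE_BIMI = "v=BIMI1; l=https://brand.example/logo.svg; a="
# Monitoring-only DMARC: BIMI will not be honoured at all.
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@brand.example"

if __name__ == "__main__":
    for name, dmarc, bimi in [("brand", BRAND_DMARC, BRAND_BIMI),
                              ("lookalike", LOOKALIKE_DMARC, LOOKALIKE_BIMI),
                              ("monitor-only", MONITOR_DMARC, BRAND_BIMI)]:
        result = assess_bimi(dmarc, bimi)
        print(f"{name}: displays={result.logo_would_display} "
              f"verified={result.logo_is_verified} reasons={result.reasons}")
```

Run it as a script to see the three outcomes side by side: the brand's records pass both properties, the lookalike passes `logo_would_display` but not `logo_is_verified` (the gap Joshua Bines is worried about, and the one a VMC closes), and the monitoring-only domain gets no logo because its DMARC policy is `p=none`. Swapping the constants for records fetched from `default._bimi.<domain>` and `_dmarc.<domain>` turns this into a quick audit of a domain's readiness.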