Forum Discussion
TonyRedmond
Dec 06, 2018MVP
BIMI Logos – Another Way to Stop Email Spoofing
Brand Indicators for Message Identification (BIMI) is a new industry effort to help identify email from reputable companies by displaying their logo alongside email (and potentially other items) ...
the_bear_glitch
Aug 03, 2022Copper Contributor
David Westgate TonyRedmond a year later, anyone know if Microsoft changed their stance on BIMI?
Would be interesting to know why Microsoft have not yet shown interest.
Joshua Bines
Aug 03, 2022Iron Contributor
Not that I have seen myself. My take is: the worry is around the verification of the image itself. In theory you could create any domain such as fakedomain.com, add anyone's BIMI image, and as long as the email passes DMARC, BIMI-enabled services will display the image. If there is wider adoption of BIMI I can see how a spoofed email would appear more legit to users in this scenario. I imagine the user comments would go something like 'but it had the logo, of course I clicked on the link...' That said, I'm sure a well-designed spam filter should be able to handle and filter out most of these attacks. Other thoughts?
Update: Google is using Verified Mark Certificate (VMC) to get around this issue but it appears the scope is limited.
How BIMI Avoids Unauthorized (or Fraudulent) Use of Logos - BIMI Group
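The scenario in the post above can be checked against a domain's DNS posture. The following is an added example, not code from this thread or from the BIMI Group: a Python script that parses a domain's DMARC and BIMI TXT records and reports whether a BIMI-aware receiver would show the logo, once for a receiver that displays any logo behind an enforcing DMARC policy and once for a receiver that also insists on a VMC (the `a=` tag). The domain names and TXT records are constructed for the example, not real DNS data; the script only checks that an `a=` tag is present and does not fetch or validate the VMC itself.

```python
"""
Evaluate whether DMARC + BIMI records would let a receiver display a logo.

Added example, not code from the thread. Domains and TXT records below are
constructed stand-ins for DNS lookups; only the presence of a VMC reference
(a= tag) is checked, the certificate itself is not validated.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' TXT record (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_problems(dmarc_record: str) -> List[str]:
    """Reasons a DMARC record fails BIMI's enforcement requirement:
    p=quarantine or p=reject, pct=100, and a subdomain policy that is not none."""
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "none").lower()
    subpolicy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))
    problems = []
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy} is not an enforcing policy")
    if pct != 100:
        problems.append(f"pct={pct}; BIMI requires pct=100")
    if subpolicy == "none":
        problems.append("sp=none exempts subdomains from enforcement")
    return problems


@dataclass
class BimiVerdict:
    logo_url: str = ""
    vmc_url: str = ""
    foreign_logo: bool = False          # logo served from a host other than the sender domain
    problems: List[str] = field(default_factory=list)

    @property
    def displayable(self) -> bool:
        return not self.problems


def evaluate_bimi(domain: str, dmarc_record: str, bimi_record: str,
                  require_vmc: bool = False) -> BimiVerdict:
    """require_vmc=False models a receiver that shows any logo behind an
    enforcing DMARC policy (the post's scenario); require_vmc=True models a
    receiver that also demands an a= tag pointing at a VMC."""
    verdict = BimiVerdict(problems=dmarc_problems(dmarc_record))
    tags = parse_tags(bimi_record)
    if tags.get("v", "").upper() != "BIMI1":
        verdict.problems.append("not a BIMI record")
        return verdict
    verdict.logo_url = tags.get("l", "")
    verdict.vmc_url = tags.get("a", "")
    if not verdict.logo_url.startswith("https://"):
        verdict.problems.append("l= must be an HTTPS URL to the SVG logo")
    else:
        # Not a spec violation, but a useful signal: the logo lives on another domain.
        verdict.foreign_logo = urlparse(verdict.logo_url).hostname != domain
    if require_vmc and not verdict.vmc_url:
        verdict.problems.append("no a= tag: nothing ties this logo to the domain")
    return verdict


# Constructed records (assumptions for the example, not real DNS data).
RECORDS = {
    # The brand: enforcing DMARC, its own logo, and a VMC reference.
    "brand.example": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
        "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem",
    ),
    # The look-alike from the post: its own DMARC passes, points at the brand's logo, no VMC.
    "fakedomain.com": (
        "v=DMARC1; p=reject",
        "v=BIMI1; l=https://brand.example/logo.svg",
    ),
    # Weak DMARC: no logo regardless of VMC.
    "weak.example": (
        "v=DMARC1; p=quarantine; pct=10; sp=none",
        "v=BIMI1; l=https://weak.example/logo.svg",
    ),
}


def audit(domain: str, require_vmc: bool = False) -> BimiVerdict:
    dmarc, bimi = RECORDS[domain]
    return evaluate_bimi(domain, dmarc, bimi, require_vmc)


if __name__ == "__main__":
    for name in RECORDS:
        for strict in (False, True):
            v = audit(name, require_vmc=strict)
            mode = "VMC required" if strict else "logo-only"
            print(f"{name:15} {mode:13} display={v.displayable} "
                  f"foreign_logo={v.foreign_logo} {'; '.join(v.problems)}")
```

Run stand-alone, it shows the point of the post: fakedomain.com gets its logo displayed by a logo-only receiver, and is only refused by a receiver that requires a VMC. To use it against live domains, replace the RECORDS lookup with TXT queries for `_dmarc.<domain>` and `default._bimi.<domain>`.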
Kevin Taber
Aug 03, 2022Brass Contributor
Since a Mark Verifying Authority (MVA) will have to verify the domain owner and brand/logo, like an EV certificate, hopefully it helps prevent most of the malicious attempts. It's fairly strict, I thought.
It will at least aid in the adoption of DMARC. I wish it was a requirement to have DMARC in place when owning a domain name. Heck there's still many that don't use SPF.