Forum Discussion
BIMI Logos – Another Way to Stop Email Spoofing
Not that I have seen myself. My take is: the worry is around the verification of the image itself. In theory you could create any domain such as fakedomain.com, add anyone's BIMI image, and as long as the email passes DMARC, BIMI-enabled services will display the image. If there is wider adoption of BIMI I can see how a spoofed email would appear more legit to users in this scenario. I imagine the user comments would go something like 'but it had the logo, of course I clicked on the link...' That said, I'm sure a well-designed spam filter should be able to handle and filter out most of these attacks. Other thoughts?
Update: Google is using Verified Mark Certificates (VMC) to get around this issue, but it appears the scope is limited.
https://bimigroup.org/how-bimi-avoids-unauthorized-or-fraudulent-use-of-logos/
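As an added example (not from the thread or from the BIMI Group), the following Python parses constructed DMARC and BIMI TXT records and shows why a lookalike domain that points its BIMI record at someone else's logo passes a records-only check, and how requiring a VMC (the approach the update above describes) stops the logo from being shown. Domain names, URLs and the `should_display_logo` decision are assumptions for illustration.

```python
def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DNS TXT record into a dict (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc: dict) -> bool:
    """BIMI only applies when DMARC is at enforcement: p=reject, or p=quarantine
    with pct=100, and the subdomain policy (sp, defaulting to p) is not 'none'."""
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    sub_policy = dmarc.get("sp", policy).lower()
    at_enforcement = policy == "reject" or (policy == "quarantine" and pct == 100)
    return at_enforcement and sub_policy != "none"


def assess_bimi(dmarc_txt: str, bimi_txt: str) -> dict:
    """Evaluate a domain's BIMI posture from its DMARC and BIMI TXT records."""
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)
    logo_url = bimi.get("l", "")
    vmc_url = bimi.get("a", "")
    eligible = bimi.get("v", "").upper() == "BIMI1" and bool(logo_url) and dmarc_enforcing(dmarc)
    return {
        "logo_url": logo_url,
        "vmc_url": vmc_url,
        "bimi_eligible": eligible,                   # what a records-only check accepts
        "self_asserted": eligible and not vmc_url,   # logo claimed with no VMC behind it
    }


def should_display_logo(dmarc_txt: str, bimi_txt: str, require_vmc: bool = True) -> bool:
    """Hypothetical mailbox-provider decision: with require_vmc=True a self-asserted
    logo (the lookalike-domain case raised in the thread) is not shown."""
    result = assess_bimi(dmarc_txt, bimi_txt)
    if not result["bimi_eligible"]:
        return False
    return bool(result["vmc_url"]) if require_vmc else True


# Constructed sample records (made-up domains and URLs, no DNS lookups performed).
BRAND = ("v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
         "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem")
LOOKALIKE = ("v=DMARC1; p=quarantine; pct=100",
             "v=BIMI1; l=https://brand.example/logo.svg")  # reuses the brand's logo, no VMC

if __name__ == "__main__":
    for name, recs in (("brand.example", BRAND), ("brand-example.test", LOOKALIKE)):
        print(name, assess_bimi(*recs), "display:", should_display_logo(*recs))
```

A real evaluator would also fetch the VMC, validate it against a trusted issuer and compare its embedded logo with the SVG at `l=`; this only reasons about the published records.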
It will at least aid in the adoption of DMARC. I wish it was a requirement to have DMARC in place when owning a domain name. Heck, there are still many that don't use SPF.