BIMI Logos – Another Way to Stop Email Spoofing

 

Brand Indicators for Message Identification (BIMI) is a new industry effort to help identify email from reputable companies by displaying their logo alongside email (and potentially other items) in applications.

https://office365itpros.com/2018/12/06/bimi-office365/

24 Replies

@TonyRedmond incentivising the DMARC records to move from p=none I think is a great idea, might get the execs on board. According to June 1, still no take-up from MS: https://bimigroup.org/bimi-adoption-june-2020/

Glad I found this article and, as @Joshua Bines points out, the situation hasn't changed as of June 2020 according to the BIMI working group. I would go further and suggest, like one of the commentators on @TonyRedmond's original page, that Microsoft are muddying the waters and confusing both implementers and recipients.

The "new" Microsoft approach was supposed to be more open-standards orientated and they have made some good progress in this area. However, lack of DMARC reporting and BIMI support is very disappointing in overcoming phishing/SPAM as an industry-wide initiative.

October 2020 and still no support from Microsoft: https://bimigroup.org/bimi-adoption-october-2020/

@TonyRedmond Google recently touched upon BIMI again (7/12)...as did Postmark (7/13). As long as DMARC has been around, it's sad how few have implemented. Hopefully this can gain traction.

 

https://cloud.google.com/blog/products/identity-security/bringing-bimi-to-gmail-in-google-workspace

 

https://postmarkapp.com/blog/what-the-heck-is-bimi#how-do-you-implement-bimi

 

 

@Kevin Taber I still cannot believe the slow uptake on DMARC and am really confused around the lack of BIMI on Microsoft's part. Both of these are great initiatives at reducing the prevalence of security events in the email space as it relates to PHISHING and targeted attacks. Come on Microsoft, time to prioritise the easy wins and listen to the community and commentators like @TonyRedmond

@David Westgate @TonyRedmond a year later, anyone know if Microsoft changed their stance on BIMI?

Would be interesting to know why Microsoft have not yet shown interest.

Not that I have seen myself. My take is: the worry is around the verification of the image itself. In theory you could create any domain such as fakedomain.com, add anyone's BIMI image, and as long as the email passes DMARC, BIMI-enabled services will display the image. If there is wider adoption of BIMI I can see how a spoofed email would appear more legit to users in this scenario. I imagine the user comments would go something like 'but it had the logo, of course I clicked on the link...' That said, I'm sure a well-designed spam filter should be able to handle and filter out most of these attacks. Other thoughts?

 

Update: Google is using Verified Mark Certificate (VMC) to get around this issue but it appears the scope is limited. 

 

How BIMI Avoids Unauthorized (or Fraudulent) Use of Logos - BIMI Group

Since a Mark Verifying Authority (MVA) will have to verify the domain owner and brand/logo, like an EV certificate, hopefully it helps prevent most of the malicious attempts. It's fairly strict I thought.

It will at least aid in the adoption of DMARC. I wish it was a requirement to have DMARC in place when owning a domain name. Heck there's still many that don't use SPF.
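The distinction raised in the posts above, between a logo that a domain merely publishes and one backed by a Verified Mark Certificate, can be checked from the two DNS TXT records involved. The following is an added example, not code from the thread or from any mail provider: the domains and records are constructed, the enforcement rule (p=quarantine or p=reject with pct=100) is a simplified reading of BIMI Group guidance, and a real receiver must additionally validate the certificate referenced by `a=`.

```python
# Added example: the records below are constructed samples, not real DNS data.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record (DMARC and BIMI share this shape)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_bimi(dmarc_txt, bimi_txt):
    """Return (verdict, reasons) for one sending domain's DMARC and BIMI records."""
    reasons = []
    dmarc = parse_tags(dmarc_txt or "")
    bimi = parse_tags(bimi_txt or "")

    if dmarc.get("v", "").upper() != "DMARC1":
        reasons.append("no valid DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = dmarc.get("pct", "100")
        if policy not in ("quarantine", "reject"):
            reasons.append(f"DMARC policy p={policy} is not enforcing")
        elif pct != "100":  # assumption: partial enforcement does not qualify
            reasons.append(f"DMARC pct={pct} leaves some mail unenforced")

    if bimi.get("v", "").upper() != "BIMI1":
        reasons.append("no valid BIMI record")
    elif not bimi.get("l", "").lower().startswith("https://"):
        reasons.append("logo location (l=) missing or not HTTPS")

    if reasons:
        return "no-logo", reasons
    if not bimi.get("a", "").lower().startswith("https://"):
        # The spoofing concern: DMARC passes, but nothing vouches for the logo.
        return "self-asserted", ["no evidence document (a=): logo is unverified"]
    return "vmc-claimed", ["a= present: certificate must still be validated"]

SAMPLES = {  # constructed (DMARC TXT, BIMI TXT) pairs
    "brand.example": ("v=DMARC1; p=reject; rua=mailto:d@brand.example",
                      "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"),
    "lookalike.example": ("v=DMARC1; p=reject",
                          "v=BIMI1; l=https://lookalike.example/copied-logo.svg"),
    "lagging.example": ("v=DMARC1; p=none", "v=BIMI1; l=https://lagging.example/logo.svg"),
}

if __name__ == "__main__":
    for domain, (dmarc_txt, bimi_txt) in SAMPLES.items():
        print(domain, *assess_bimi(dmarc_txt, bimi_txt))
```

A receiver that displays logos only for the `vmc-claimed` verdict, after validating the certificate, does not render the copied logo published by `lookalike.example` even though that domain's DMARC policy is enforcing.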

Hello @TonyRedmond and @Joshua Bines. Do you have any news about whether Microsoft plans to support Brand Indicators for Message Identification (BIMI) in Office 365 and Exchange? My organization has a plan to implement it for security reasons, but we need your confirmation because we must know about feature action.

Please can you check the closest date for public support of BIMI in Office 365?

Thanks

Bump. At this point you would think MS has BIMI on the roadmap and an ETA or they don't and have no plans to support it? @TonyRedmond 

At this point it is starting to be very noticeable, and used by the competition against Office 365, so it is urgent to have an official statement somewhere.

@Laurent Gébeau 

Just going to chime in here and say that I wish Microsoft would implement BIMI. Our organization is rolling it out presently. But the conversation is a bit awkward when we're trying to advocate internally for a standard when the software that we use ourselves doesn't adhere to that very standard...

Any news @Pernille-Eskebo? Supported vendors are growing, Apple works now too. We miss Microsoft!
https://bimigroup.org/bimi-infographic/

Microsoft, get moving please, we need BIMI

@guieix 

Where do you see that M365 is supporting BIMI?

I can only make out that Dynamics 365 is supporting BIMI for sending email, not that Microsoft started to support it.

@the_bear_glitch @guieix 

The documentation on
https://learn.microsoft.com/es-es/dynamics365/marketing/bimi-support
only applies to email sending from the Dynamics 365 MARKETING Application

(not to all of Dynamics 365)

@TonyRedmond

 

Do you know if Exchange Online will support BIMI next year?

 

We love the idea behind BIMI.