How to Set Up BIMI and Add a Verified Logo to Your Business Emails?


In today’s digital world, email communication is key to business growth. Brand Indicators for Message Identification (BIMI) is the best solution for it: it helps establish brand trust, enhance brand visibility, and deliver emails securely.

In this guide, we will walk you through everything you need to know about setting up BIMI and adding a verified logo to your business emails. Stay with me until the end of this post; we cover everything from scratch, so you don’t have to look anywhere else.

Overview of BIMI

BIMI is an email standard that lets organizations display their brand’s logo in outgoing email. It also provides additional email security that will help in the fight against phishing and spoofing attacks, and helps to boost brand recognition.

To use BIMI, your domain and logo must be certified by a third party. This certification must come in the form of either a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC).

Each has its own advantages and disadvantages. For example, in Gmail you’ll see a checkmark next to senders verified with a VMC, but a VMC requires a logo that is a registered trademark.

Choosing BIMI in your email strategy for your organization or brand has several benefits, both in terms of security and marketing effectiveness. Here are some of the primary advantages:

  1. Better Brand Visibility
  2. More Trust
  3. Credibility
  4. Email Engagement
  5. Security
  6. Staying Ahead of Competitors

Why do we need BIMI Logos?

The brand logo has been used in email marketing for a long time. However, different email clients such as Gmail, Outlook, and Yahoo Mail all had their own methods of finding logos to use. That can cause problems such as a bad-looking logo, the wrong logo, or the logo not displaying in the inbox.

BIMI solves these problems. It is supported by most of the top email clients, such as Gmail, Yahoo, and Apple Mail, except for Microsoft. A BIMI record is added to your sending domain’s DNS, directing the receiving mail server to the correct logo.

Steps to Implement BIMI and Display a Verified Logo in Your Emails

Here are the steps to set up a BIMI logo for your business or organisation. After following these steps, BIMI will be implemented for your organisation and the logo will display in the client inbox. If you use a VMC, a blue checkmark will also show in the client inbox next to your brand email.

1. Set Up Email Authentication Standards

Before you can implement BIMI, you have to set up several email authentication standards. This is a prerequisite step you have to fulfil before applying for BIMI.

The three email security protocols you have to add are as follows:

1.1 Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email authentication method that helps prevent spoofing. It specifies which mail servers are allowed to send emails on behalf of your domain. It works by adding an SPF record to your domain’s DNS TXT record.

It ensures only authorized servers, which are added to the DNS TXT record, can send email using your domain name.

Method for Setting Up SPF:

To set up an SPF record for your domain, follow the steps below.

  1. Identify all the Email Providers: List all the servers and third-party services that you want to allow to send email for your domain.
  2. Add DNS TXT Record: Create an SPF record and add it as a DNS TXT record, like the example below:
v=spf1 include:_spf.exampleprovider1.com include:_spf.exampleprovider2.com -all

Let’s understand each parameter:

  • v=spf1 → Indicates that this is an SPF record.
  • include:_spf.exampleprovider1.com → Allows exampleprovider1 to send emails on your behalf.
  • include:_spf.exampleprovider2.com → Allows exampleprovider2 to send emails on your behalf.
  • -all → Excludes all others: blocks any unauthorized servers from sending emails using your domain.
  • Record Validation → Use an SPF validation tool to check and validate your SPF records. If the record is not set correctly, legitimate emails can get blocked or go to spam.

1.2 DomainKeys Identified Mail (DKIM)

DKIM provides an additional layer of email security. A digital signature is attached to each email, and the receiving mail servers verify this signature using a public key published in your DNS. This ensures the email has not been tampered with in transit.

Method for Setting Up DKIM:

To set up a DKIM record for your domain, follow the steps below.

1. Generate a Key Pair: Generate a public and private key pair for DKIM. Use your email provider or a dedicated tool for this.

2. Publish the Public Key: Create a DKIM record and publish it as a DNS TXT record. An example looks like this:

default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"
  • default._domainkey.example.com → The DKIM selector for your domain.
  • v=DKIM1 → Tells the DKIM version.
  • k=rsa → Defines the encryption method.
  • p=YOUR_PUBLIC_KEY → This is your public key used for verification.

3. DKIM Signing: Configure your email server to attach the DKIM signature using the private key.

4. Verify DKIM Configuration: Use online DKIM checkers to verify the signature is valid.

1.3 Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC builds on SPF and DKIM. It provides instructions on how to handle emails that fail authentication. A DMARC record tells receiving servers whether to quarantine or reject emails that do not pass SPF or DKIM checks.

It also sends you reports about potential abuse of your domain. Check your DMARC reports regularly to detect misuse of your domain.

Method for Setting Up DMARC:

To set up a DMARC record for your domain, follow the steps below.

1. Set Up the DMARC TXT Record:

    Create a DMARC record policy, based on the security that is best for your organization, and put it in the DNS TXT record. An example looks like this:

    _dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
    • _dmarc.example.com → The location of the DMARC record.
    • v=DMARC1 → Defines the DMARC version, here it’s version one.
    • p=quarantine → Suspicious emails are sent to spam.
    • rua=mailto:[email protected] → Sends reports about misuse of your domain’s email to “[email protected]”.
    • Choose a Policy:
      • none: → Monitoring Only
      • quarantine: → Send Suspicious Emails to Spam
      • reject: → Block Emails that fail Authentication

    2. Verify your Logo is eligible for a VMC or CMC

    To display your logo using BIMI, you need a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC) issued by a Certificate Authority (CA).

    To qualify for a VMC, your logo must be registered as a trademark with an intellectual property office recognised by VMC issuers. It is advisable to consult with your legal team or a lawyer to complete the trademark registration, which may take between 6 and 12 months.

    For the most secure BIMI implementation, obtaining a VMC is highly recommended whenever possible. It gives a blue checkmark next to your email, which a CMC doesn’t offer.

    If your logo is not trademarked, you can implement BIMI using a logo with a Common Mark Certificate (CMC). The requirement for obtaining a CMC is that you have used your logo for at least the past 12 months.

    Choose a CMC or VMC for your organization based on which case fits you best.

    3. Check your Public Web Server supports BIMI

    The web server hosting your BIMI files must support HTTPS. For best security, we recommend using TLS version 1.2 or later, while ensuring compatibility with servers running older TLS versions.

    Secure TLS connections should follow the protocol defined in your TLS certificate, which must also reference a trusted root Certificate Authority (CA) certificate.

    4. Format Your Logo into P/SVG file

    To get the BIMI logo, your logo must be BIMI compliant. Your BIMI logo should have a solid background, be perfectly centered within a square, remain clearly visible when cropped into a circle, and have a small file size, typically under 32KB. Additionally, it cannot be animated or interactive.

    BIMI logos must be in Scalable Vector Graphics (SVG) format, an open-standard image type that ensures clear display at various resolutions. You can create your SVG logo using any compatible application, provided it meets the specified requirements.

    To create an SVG file with Adobe Illustrator and a text editor, follow the steps below:

    1. Open your vector image in Illustrator.
    2. Ensure the image does not contain bitmaps, linked files, text, or grouped objects. If the file includes text, convert it to an object using Illustrator’s Create Outlines feature.
    3. Go to File > Save As.
    4. Enter a filename using only lowercase letters and dashes (e.g., mybrand-bimi.svg), avoiding special characters. Select SVG (svg) as the format, not SVG Compressed (svgz).
    5. Click Save.
    6. Set SVG Profiles to SVG Tiny 1.2. Choose Preserve for Image Location.
    7. Click OK to complete the saving process.
    8. Open the file in your favorite text editor.
    9. Change lines 3 and 4 of the text file.
    10. Make sure the svg version value is 1.2.
    11. Change the baseProfile value to tiny-ps.
    12. Remove the x and y attributes and values.
    13. Add a <title> tag and value as shown. The title must come after <svg and before <g>.

    14. Save the modified file, ensuring it remains in .svg format.
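The checklist above can be verified mechanically before the logo is sent to the CA. The following is an added example, not part of the original guide: the function name, the sample SVGs and the list of forbidden elements are assumptions for illustration, and the checks cover only the points this guide lists, not the full SVG Tiny PS profile.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
MAX_BYTES = 32 * 1024  # the guide's "typically under 32KB"
# Assumed shortlist of elements that make a logo bitmap-based, animated or interactive.
FORBIDDEN = {"script", "image", "animate", "animateTransform", "animateMotion", "set"}

# Constructed samples: a compliant logo and a typical unedited export.
GOOD_SVG = b"""<?xml version="1.0" encoding="utf-8"?>
<svg version="1.2" baseProfile="tiny-ps" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<title>My Brand</title>
<g><rect width="100" height="100" fill="#003366"/></g>
</svg>"""
BAD_SVG = b"""<svg version="1.1" baseProfile="tiny" x="0px" y="0px" xmlns="http://www.w3.org/2000/svg">
<g><image href="logo.png"/></g>
</svg>"""

def check_bimi_svg(svg_bytes):
    """Return a list of problems found against the checklist in this guide."""
    problems = []
    if len(svg_bytes) > MAX_BYTES:
        problems.append("file is larger than 32KB")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + ["not well-formed XML: %s" % exc]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("version") != "1.2":
        problems.append("version must be 1.2")
    if root.get("baseProfile") != "tiny-ps":
        problems.append("baseProfile must be tiny-ps")
    for attr in ("x", "y"):
        if root.get(attr) is not None:
            problems.append("remove the %s attribute from <svg>" % attr)
    names = [child.tag.replace(SVG_NS, "") for child in root]
    if "title" not in names:
        problems.append("missing <title>")
    elif "g" in names and names.index("title") > names.index("g"):
        problems.append("<title> must come before <g>")
    for el in root.iter():
        name = el.tag.replace(SVG_NS, "")
        if name in FORBIDDEN:
            problems.append("forbidden element <%s>" % name)
    return problems
```

An empty list means the file passed every check; read the file in binary mode and pass its bytes to `check_bimi_svg`.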

    5. Contact Certificate Authority (CA) for BIMI certificate

    BIMI requires a digital certificate issued by a trusted Certificate Authority (CA) such as DigiCert. DigiCert offers Mark Certificates based on your organization’s requirements; choose the best fit for you.

    Submit your logo in SVG format to the Certificate Authority (CA) and request a VMC or CMC. The CA then verifies that you fulfil all the requirements for the certificate.

    After the verification process, you’ll receive a certificate PEM file. Your SVG file (logo) and VMC/CMC are embedded in the PEM file.

    Get the intermediate and root CA certificates from the certificate authority (CA) and append them to the PEM file in the order they were issued.

    The usual sequence is: entity certificate, followed by any intermediate CA certificates, and then the root CA certificate. This file will be added to your public web server in the next step.

    Now upload the PEM file (including all appended files) to your domain’s public web server. Copy the PEM file URL, which will be used in the BIMI TXT record on the DNS server.

    The URL looks something like this: “https://example.com/brand/certificate.pem”

    6. Add a BIMI TXT Record in DNS

    To use BIMI for your domain, you need to add the BIMI TXT record on your DNS server.

    Follow the steps below to do this:

    1. Create a DNS TXT record for BIMI.
    2. Add a TXT record that looks similar to this example: "v=BIMI1;l=;a=https://example.com/brand/certificate.pem"
    3. After you add the BIMI record, it can take up to 48 hours for your logo to show in recipients’ email inbox.
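Before waiting out the 48 hours, the SPF, DMARC and BIMI record values from section 1 and this step can be linted together. The following is an added example, not part of the original guide: the function names and the reports address are made up, records are passed in as strings so nothing is looked up in DNS, and the rule that DMARC must be at quarantine or reject comes from the BIMI requirements rather than from this page.

```python
from urllib.parse import urlparse

# Constructed sample records modelled on the guide's examples (the rua address is made up).
SPF = "v=spf1 include:_spf.exampleprovider1.com include:_spf.exampleprovider2.com -all"
DMARC = "v=DMARC1; p=quarantine; rua=mailto:reports@example.com"
BIMI = "v=BIMI1;l=;a=https://example.com/brand/certificate.pem"

def parse_tags(record):
    """Split a 'tag=value;tag=value' TXT value (DMARC, BIMI) into a dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    terms = record.strip().strip('"').split()
    problems = []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("SPF: record must start with v=spf1")
    if not terms or terms[-1].lower() not in ("-all", "~all"):
        problems.append("SPF: record should end with -all (or ~all)")
    return problems

def check_dmarc(record):
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("DMARC: v must be DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):  # p=none only monitors
        problems.append("DMARC: p=%s is not an enforcing policy" % (policy or "<missing>"))
    return problems

def check_bimi(record):
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("BIMI: v must be BIMI1")
    if not tags.get("a"):
        problems.append("BIMI: a= is empty, no certificate PEM is referenced")
    for tag in ("l", "a"):  # the hosting server must serve these over HTTPS
        if tags.get(tag) and urlparse(tags[tag]).scheme != "https":
            problems.append("BIMI: %s= must be an https URL" % tag)
    return problems

def bimi_readiness(spf, dmarc, bimi):
    return check_spf(spf) + check_dmarc(dmarc) + check_bimi(bimi)
```

`bimi_readiness(SPF, DMARC, BIMI)` returns an empty list for the sample records; feed it the values your DNS provider actually serves to catch a monitoring-only DMARC policy or a non-HTTPS certificate URL.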
    Janki Mehta

    Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.