The Google BIMI Pilot Is Here!

July 21, 2020
Written by

Google BIMI Pilot

In January of this year, Twilio became a part of the Authindicators working group, joining numerous other entities in the email ecosystem including Google, Yahoo!, Comcast, Valimail, and Validity in an effort to bring Brand Indicators for Message Identification (BIMI) to life. BIMI is a standard that attempts to increase the wide adoption of email authentication in the ecosystem while simultaneously providing senders with a way to provide their customers with a more immersive experience.

With two of the three biggest North American free mailbox providers, as well as one of the largest ISP's committing to supporting the development of the standard, the importance of BIMI is abundantly clear and we wanted to ensure that we brought BIMI to the community of senders that view email as a crucial communication tool. This couldn’t be more true today as the global community struggles with the ongoing effects of the COVID-19 pandemic. In an age of physical distance it's important to leverage technology with a global reach to preserve business continuity and strengthen the ties that bind us all together.

Today Google announced that a BIMI pilot on Gmail is launching in the coming weeks, and that major brands are participating in the pilot to help Google tune their implementation as well as validate the fundamentals of the  BIMI standard ahead of its general availability.

BIMI Presents Different Advantages to Different People

One of the things that’s incredibly important to understand about BIMI is that it presents multiple advantages that differ depending on who you are speaking to. For mailbox providers like Gmail, BIMI is an effort to strengthen and broaden the adoption of email authentication technologies among the world’s sending community. The benefit of more senders publishing SPF, DKIM and DMARC at enforcement (all of which are basic requirements of BIMI), is that those brands become harder to spoof and help separate signal from noise in the inbox.

For marketers, BIMI represents the opportunity to further brand emails and obtain an improved user experience for their recipients. What CMO doesn’t want to see their logo beside one of their emails? BIMI is the latest chapter in the long storied evolution of email and the inbox experience from a recipient point of view. There was a time (many years ago) when reading panes in email clients were a novel and welcome experience. Today the browser inbox is replete with customizable features. While BIMI appears to be one of those features, it is at its foundation, a keen standard to help improve the security of email by increasing the use of existing email authentication technologies and providing incentives to everyone in the email ecosystem.

BIMI Requirements

BIMI will require senders to take a number of steps in order to have their logos show up within Gmail when BIMI becomes generally available. First and foremost senders must have a good sending reputation.

  • Senders will have to authenticate their email using SPF and DKIM
  • Senders must publish a DMARC policy at enforcement which means either “p=quarantine” or “p=reject” on the organizational domain
  • No sp=none or pct<100
  • Senders will need to create and publish a Scalable Vector Graphic (SVG) Tiny 1.2 logomark
  • Senders will need to publish a BIMI record (check it out using this BIMI Generator)
  • Senders will be required to obtain a Verified Mark Certificate (BIMI certificate) for the logo
  • VMCs exist to validate ownership of an organization’s logo; the certificates are based on registered trademarks of the logo/image
  • VMCs will be issued by two BIMI-qualified Certificate Authorities - Entrust DataCard and DigiCert (currently, VMCs are a Google-specific requirement for BIMI)

Although BIMI is not generally available it’s not too early to begin thinking about how to move your DMARC to enforcement. Given the complexity of large organizations that might be leveraging numerous third party senders on their behalf, achieving DMARC enforcement could be non trivial. As DMARC is a basic requirement for BIMI now’s a good time to review how you’re authenticating all of your email.

To prepare for the post-pilot launch of BIMI and to generally help secure the ecosystem, we encourage all senders to start adopting DMARC. To learn more about BIMI, visit the working group’s website.

Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. He can be reached at lshneyder [at] twilio.com.