How Brand Indicators for Message Identification (BIMI) will restore user trust and improve the security of email.
FEATURED INSIGHT | MAY 2023
Email security has long lacked a simple visual cue to inspire user confidence, similar to what is commonplace in modern web browsers. Brand Indicators for Message Identification (BIMI) is an emerging industry standard designed to address this gap: a mailbox provider that has authenticated an email's sending domain can display the sender's brand logo alongside the message.
Built on top of existing email authentication standards, BIMI not only increases user confidence in email; research has shown it can also significantly improve email marketing metrics and boost deliverability.
However, despite its potential to make sender impersonation and phishing attempts easier for recipients to spot, few Australian organisations have adopted this basic verification measure. In this report, we explore the benefits of BIMI and outline the steps required for implementation.
On the Internet, Nobody Knows You're a Dog
The famous 1993 New Yorker cartoon that coined the phrase 'On the Internet, Nobody Knows You're a Dog' highlights the challenges of privacy and anonymity on the Internet. This challenge extends to email where despite all the progress the internet has made, it is still difficult to ascertain the true identity of a sender.
During the early 2000s, Verisign served as a symbol of trust for the internet, enhancing user confidence, driving traffic, and supporting transactions for emerging e-businesses. The Verisign trust mark became a common feature across much of the web, often alongside the much maligned and now-outdated website visitor counter. Websites seeking to demonstrate their trustworthiness to a generation of internet users proudly displayed a Verisign tick mark. Over time, this symbol of trust evolved into the familiar green padlock or 'https' indicating that a website was secured with an SSL certificate. This widespread adoption was made possible through the efforts of tech giants like Google and Mozilla.
Fast forward to 2020, when a consortium that included Google, Mailchimp, and SendGrid published a specification for 'Brand Indicators for Message Identification' (BIMI) to address the trust gap in email communication.
Email Security Meets Branding
BIMI (pronounced: Bih-mee) is an email standard that enables organisations to display their brand's logo alongside emails that have passed authentication. When a recipient opens such a message in a supported mail client, the logo is displayed, signalling that the sending domain has been verified and that the organisation's right to use the logo has been checked. This not only enhances brand recognition and visibility but also helps recipients quickly identify legitimate messages. The caveat is that the logo attests to the sending domain, not to the content of the message, and a message without a logo is not necessarily fraudulent; the cue is strongest for recipients who have learned to expect a brand's logo on its genuine mail.
An example showing how the Telstra logo would appear having implemented BIMI
BIMI is an evolution of existing email standards and has been developed to work in conjunction with Domain-based Message Authentication, Reporting & Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF). SPF authorises the hosts permitted to send for a domain, DKIM cryptographically signs messages, and DMARC ties both results to the domain shown in the From header and tells receivers what to do when they fail. While these standards validated the technical infrastructure behind an email sender and were a boon for mail protection services like Mimecast, they offered little visible assurance to end-users in an inbox filled with hundreds of messages.
BIMI operates by linking a brand's verified logo to its authenticated email messages, providing recipients with a visual cue that enhances trust and engagement. The sending domain publishes a DNS record pointing at its logo (and, where required, at a certificate attesting to the brand's right to use it); a participating mailbox provider fetches and displays that logo only for messages that pass DMARC under an enforcing policy.
Impact on Brand Perception and Customer Trust
The primary objective of BIMI is to simplify the experience of identifying genuine emails and to restore trust in the content of a user's inbox. BIMI is the first user-centric standard that significantly improves email engagement and offers the following benefits:
Enhanced brand visibility: allows organisations to display their brand logo alongside authenticated email messages, reinforcing brand recognition and ensuring a consistent brand experience for recipients.
Improved email deliverability: recipients of emails from brands with verified logos are more likely to trust the email, leading to better open rates and an improved sender reputation, which can in turn improve deliverability.
Increased customer trust: in healthcare and financial services, where trust is paramount, a logo in recipients' inboxes makes legitimate emails from the organisation easy to identify.
Reduced phishing and spoofing risks: limits the ability of cyber criminals to impersonate organisations, as only messages that pass DMARC for a domain with valid BIMI records can display the organisation's logo in supported mail clients.
Better customer engagement: early reports have shown that recipients are more likely to engage with messages accompanied by a logo, leading to improved marketing effectiveness and email performance metrics.
Competitive advantage: adopting BIMI early can help differentiate your organisation from competitors and improve marketing performance.
What brands have adopted BIMI?
As with any emerging standard, there are both leaders and laggards. The leading group is typically dominated by customer-focused technology firms and organisations with a heightened need for demonstrating email authenticity. As of April 2023, AH&O has identified only one major Australian organisation to have implemented BIMI: Telstra. Organisations that are looking to adopt BIMI will join the ranks of prominent global brands including:
BIMI protects brands and customers
High-profile cyber breaches against Optus, Medibank, Australian Clinical Labs, and Latitude Financial should have prompted these organisations to adopt BIMI as one of the first customer-facing security measures. Data breaches of this magnitude often precede phishing attacks against both the targeted organisation and others including financial and government services.
While a plethora of mail protection services exist, email still remains the primary route of attack, with phishing attempts still the most common form of intrusion into corporate networks, alongside identity theft and financial fraud. During 2022, phishing attempts increased by a staggering 61% making them the most widespread form of email-borne attacks.
For organisations whose brands have been exploited by cybercriminals to launch phishing scams, BIMI is a simple and effective means to minimise phishing risk, protecting your customers and your brand reputation. Organisations, including Australia Post, the Australian Tax Office, Energy Australia, and the Commonwealth Bank, are frequently impersonated by cybercriminals to send seemingly legitimate emails that gather personal and financial information. This often results in a largely ineffective response from corporate communications, relying on websites and social media to alert customers about potential scams.
It is surprising that the Australian Cyber Security Centre (ACSC) has to date not recommended BIMI adoption or informed organisations about its benefits in the advisories and other resources it has released in the aftermath of these breaches.
Industry support is no longer a barrier to adoption
If there is one shortcoming of BIMI, it's the lack of public awareness about the change and the benefits it brings. Considering that 90% of cyberattacks start with email, it's genuinely surprising how slow major organisations have been to implement this security initiative. To date, awareness has largely been driven through accidental feature discovery or left to marketers and email providers to communicate the benefits to a security-fatigued public.
In September 2022, the BIMI specification received a significant boost in support and awareness. Apple's release of iOS 16 brought BIMI support to the email client with the largest market share, Apple Mail. Between Apple and Google, it is estimated that more than 85% of the world's inboxes now support BIMI (see Figure 1).
The only notable holdout is Microsoft, which has steadfastly refused to indicate support or provide a timeline for implementing the BIMI standard into Outlook. While Microsoft's lack of support is undoubtedly problematic for any standard's acceptance, Outlook's market share continues to decline long-term and is now a distant third behind Apple and Google.
The path forward
Implementing BIMI is surprisingly straightforward and requires minimal changes if your organisation has previously adopted earlier email security measures, specifically DMARC. BIMI requires DMARC at enforcement, that is, a policy of quarantine or reject that applies to the whole mail stream; a monitoring-only policy (p=none) is not sufficient. If you have deployed Mimecast, Sophos, or another mail protection service, you are likely already publishing SPF and DKIM and can move to an enforcing DMARC policy with little additional work. From our experience, the average organisation can plan, test, and implement BIMI in under a week. There are four requirements for BIMI:
A Verified Mark Certificate (VMC) is issued by a certificate authority such as DigiCert or Entrust, which validates your ownership of and right to use a logo. Much like an SSL certificate, there is an annual licence fee (approx. USD$1,400) that covers all domains associated with the logo. Whether a VMC is required is currently left to the discretion of mailbox providers, with Apple and Google mandating it for their services.
One reason a VMC has not been universally mandated is that obtaining one requires the organisation's logo to be a registered trademark. This raises the barrier to entry for smaller organisations. The requirement is currently under review, and indications suggest it may be expanded at a later date to include non-trademarked logos; however, given that Google and Apple have mandated a VMC for their respective services, the trademark requirement may remain in place for some providers.
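The DNS records behind the requirements described above (an enforcing DMARC policy, and a BIMI record that points at the logo and, for Google and Apple, at the VMC) are what a mailbox provider inspects before it will show a logo. The following readiness check is an added example written for this article; it is not code from the BIMI working group or from any mailbox provider. It evaluates the two records for a sending domain and reports why a logo would or would not be displayed. The zone data is constructed for the example (example.com plus three made-up domains that each fail one requirement) so that it runs offline; the `lookup_txt` function is a stand-in for a real DNS query and the `default` selector is the one the BIMI specification names.

```python
"""Readiness check for the DNS prerequisites of BIMI.

Added example, not from the original article. It checks the two records a
mailbox provider consults before displaying a logo:
  _dmarc.<domain>           TXT  must be at enforcement (p=quarantine with
                                 pct=100, or p=reject)
  <selector>._bimi.<domain> TXT  v=BIMI1; l=<https logo URL>; a=<https VMC URL>
The sample zone below is constructed for the example so the check runs
offline; replace `lookup_txt` with a real resolver (e.g. dnspython) to check
a live domain.
"""
from __future__ import annotations

# Constructed sample zone: DNS name -> list of TXT strings (no real domains).
SAMPLE_ZONE: dict[str, list[str]] = {
    # Enforcing DMARC plus a BIMI record with logo and VMC: logo will display.
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "default._bimi.example.com": [
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
    ],
    # Monitoring-only DMARC (p=none): failures are reported but not enforced.
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "default._bimi.monitor.example": ["v=BIMI1; l=https://monitor.example/logo.svg"],
    # Quarantine applied to only 10% of failing mail: not at enforcement.
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=10"],
    "default._bimi.partial.example": ["v=BIMI1; l=https://partial.example/logo.svg"],
    # Enforcing DMARC but no BIMI record published at all.
    "_dmarc.nologo.example": ["v=DMARC1; p=quarantine"],
}


def lookup_txt(name: str, zone: dict[str, list[str]] = SAMPLE_ZONE) -> list[str]:
    """Stand-in for a DNS TXT query; returns [] when the name does not exist."""
    return zone.get(name.lower(), [])


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax that DMARC and BIMI records share."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(record: str) -> tuple[bool, str]:
    """BIMI requires DMARC at enforcement: p=reject, or p=quarantine with pct=100."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'}: DMARC is not enforcing"
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
        return False, f"pct={tags['pct']}: policy must apply to 100% of mail"
    return True, f"p={policy}"


def bimi_record(record: str) -> tuple[bool, bool, str]:
    """Validate a BIMI record. Returns (valid, has_vmc, explanation)."""
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return False, False, "not a BIMI1 record"
    logo = tags.get("l", "")
    if not logo.startswith("https://"):
        return False, False, "l= must be an https URL to the SVG logo"
    vmc = tags.get("a", "")
    if vmc and not vmc.startswith("https://"):
        return False, False, "a= must be an https URL to the VMC"
    if not vmc:
        return True, False, "logo only: no VMC, so Gmail and Apple Mail will not show it"
    return True, True, "logo and VMC published"


def check_bimi_readiness(domain: str, selector: str = "default",
                         zone: dict[str, list[str]] = SAMPLE_ZONE) -> dict:
    """Run both checks for a sending domain and explain the outcome."""
    result = {"domain": domain, "ready": False, "vmc": False, "dmarc": "", "bimi": ""}
    dmarc = lookup_txt(f"_dmarc.{domain}", zone)
    if not dmarc:
        result["dmarc"] = "no DMARC record"
        return result
    ok, why = dmarc_enforcing(dmarc[0])
    result["dmarc"] = why
    if not ok:
        return result  # a logo is never shown without enforcing DMARC
    bimi = lookup_txt(f"{selector}._bimi.{domain}", zone)
    if not bimi:
        result["bimi"] = "no BIMI record"
        return result
    ok, has_vmc, why = bimi_record(bimi[0])
    result["bimi"], result["ready"], result["vmc"] = why, ok, has_vmc
    return result


if __name__ == "__main__":
    for name in ("example.com", "monitor.example", "partial.example", "nologo.example"):
        print(check_bimi_readiness(name))
```

The check deliberately stops at the first failed prerequisite, which mirrors how a receiver behaves: without an enforcing DMARC policy the BIMI record is never consulted, and a BIMI record without an a= tag passes the specification's syntax but will not produce a logo at Gmail or Apple Mail, which is why the result separates "ready" from "vmc". The example does not fetch or validate the logo itself (which must be an SVG in the profile BIMI requires) or the certificate chain; those are the remaining checks before go-live.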
If you're considering implementing BIMI, we strongly recommend that organisations signal their intentions to customers in advance of making the change, across all channels and customer touchpoints.
Conclusion
After seven years of development, BIMI is poised to make a significant impact on restoring trust in email, where previous initiatives have fallen short. Past efforts struggled to gain traction because they either failed to integrate seamlessly with existing email standards or did not garner widespread support from mailbox providers. However, BIMI has successfully overcome these challenges and achieved a breakthrough in adoption by securing the backing of industry leaders like Apple.
Whether you’re a marketer or an IT professional, this simple, visual verification that recipients can recognise holds great potential to enhance customer experience, boost marketing performance, and crucially, restore trust in email as a communication channel.
In due course, BIMI's influence on reducing the prevalence of phishing and other email-driven scams will become more evident. For now, though, it represents a crucial first step in assisting users in distinguishing authentic emails from malicious ones, marking a promising new chapter in email security and trustworthiness.
Thanks for Reading
We publish monthly insights that analyse emerging trends, alongside in-depth reports on a quarterly basis.
If you're interested in a custom report to suit your needs, get in touch below.
AH&O Advisory
Level 5 / 1 Margaret Street
Sydney, Gadigal NSW
Australia 2000
+61 2 9099 1604
© 2019-2024 A. Hopper & Others ABN 53 288 759 965
™ and ® property of their respective owners.