Google targets phishing with full BIMI email logo authentication support

Gmail will tie logos to DMARC authentication

Brand Indicators for Message Identification (BIMI), a standard for visually proving an email’s legitimacy, got a boost today with the launch of a new automation tool from email security company Valimail and official support from Google

Launched as a formal specification in 2019, BIMI is a standard that lets companies define what marketing image is displayed next to emails sent from their servers. This image, which the BIMI working group calls a “brand assertation,” serves as visual proof that the message is authentic. 

BIMI uses DNS records to define the image, and it also relies on the Domain-based Message Authentication, Reporting, and Performance (DMARC) standard, which helps protect against phishing. This, in turn, relies on two other technologies: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). 

DMARC and its underlying technologies help to prevent email spoofing, in which phishing attackers fake a sender’s domain in an email’s “From:” field. DMARC enables administrators to publish their policy for authenticating and rejecting emails. 

When a DMARC-supporting email server receives an email, it uses DNS to look up the DMARC record for the alleged sender's domain. It then checks the mail's DKIM digital certificate to ensure it matches the alleged sender's DKIM certificate. It also verifies the message came from IP addresses listed in the SPF record. 

While not a security solution, BIMI uses these technologies to verify the image attached to an email is really from the sender. 

An incoming email server uses DMARC to authenticate the message. If the email passes the DMARC authentication, the email server uses DNS to retrieve the sender's BIMI image. The BIMI image then shows up next to the company's name in emails. 

Boosting its legitimacy, BIMI also got official support from Google following a year-long pilot project. The company will now officially support BIMI in Gmail, according to the AuthIndicators Working Group, which manages the BIMI effort. 

This official acceptance by Google means for an organization's logo to be eligible for display in Gmail, a brand must obtain a BIMI certificate confirming its right to use the image. These certificates are tied to registered trademarks from select jurisdictions. 

Related Resource

Aberdeen Report: How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed

White text against a pink-red background - whitepaper from IBMFree download

Several other companies also support BIMI in pilot mode, including Yahoo!, AOL, Netscape, and Fastmail. Comcast was also planning BIMI support as of last October. Microsoft, however, still has not signed on to the program. 

To help streamline this process, email security company Valimail, which claims to have “founded, named, and resourced the BIMI standard,” announced Amplify, a tool that automates BIMI support. With Amplify’s release, Valimain looks to make BIMI the baseline for all email security. 

Along with the new product, Valimail debuted partnerships with certificate providers DigiCert and Entrust to develop BIMI further and create a straightforward process for companies to enforce DMARC and Verified Mark Certificate (VMC).

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022