Google targets phishing with full BIMI email logo authentication support

Gmail will tie logos to DMARC authentication

Brand Indicators for Message Identification (BIMI), a standard for visually proving an email’s legitimacy, got a boost today with the launch of a new automation tool from email security company Valimail and official support from Google.

Launched as a formal specification in 2019, BIMI is a standard that lets companies define what marketing image is displayed next to emails sent from their servers. This image, which the BIMI working group calls a “brand assertation,” serves as visual proof that the message is authentic. 

BIMI uses DNS records to define the image, and it also relies on the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, which helps protect against phishing. This, in turn, relies on two other technologies: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

DMARC and its underlying technologies help to prevent email spoofing, in which phishing attackers fake a sender’s domain in an email’s “From:” field. DMARC enables administrators to publish their policy for authenticating and rejecting emails. 

When a DMARC-supporting email server receives an email, it uses DNS to look up the DMARC record for the alleged sender's domain. It then checks the mail's DKIM digital certificate to ensure it matches the alleged sender's DKIM certificate. It also verifies the message came from IP addresses listed in the SPF record. 

While not a security solution, BIMI uses these technologies to verify the image attached to an email is really from the sender. 

An incoming email server uses DMARC to authenticate the message. If the email passes the DMARC authentication, the email server uses DNS to retrieve the sender's BIMI image. The BIMI image then shows up next to the company's name in emails. 

Boosting its legitimacy, BIMI also got official support from Google following a year-long pilot project. The company will now officially support BIMI in Gmail, according to the AuthIndicators Working Group, which manages the BIMI effort. 

Google's official acceptance means that, for an organization's logo to be eligible for display in Gmail, the brand must obtain a BIMI certificate confirming its right to use the image. These certificates are tied to registered trademarks from select jurisdictions.


Several other companies also support BIMI in pilot mode, including Yahoo!, AOL, Netscape, and Fastmail. Comcast was also planning BIMI support as of last October. Microsoft, however, still has not signed on to the program. 

To help streamline this process, email security company Valimail, which claims to have “founded, named, and resourced the BIMI standard,” announced Amplify, a tool that automates BIMI support. With Amplify’s release, Valimail looks to make BIMI the baseline for all email security.

Along with the new product, Valimail debuted partnerships with certificate providers DigiCert and Entrust to develop BIMI further and create a straightforward process for companies to enforce DMARC and Verified Mark Certificate (VMC).
