Graph and PowerShell Blog

Over the last few years, DMARC has been adopted by more and more domains. It has helped reduce spam significantly and to secure mail domains. But if you ask your average mail user how to identify an authenticated email it's not something they are interested in or know about.

This is where an extension of DMARC can help: Brand Indicators for Message Identification or BIMI for short. It allows a company's logo to be displayed beside a received email.

↑ In Gmail for Android we can see some companies have adopted this while others have not.

As with DMARC, the BIMI specification utilizes DNS to allow mail admins to upload an SVG image to a web URL. Just getting the SVG can be difficult as programs like Photoshop will save the image as a JPEG within an SVG, whereas the BIMI standard is looking for the image described in XML format.

Once you have your BIMI DNS record and SVG image in place you can test to see if this works in Yahoo Mail. If you check the email in Gmail you will see that there is no image, this is because Google also requires that your company logo be certified with a Verified Mark Certificate (VMC).

These certs cost around €1,200 per year and you must have your company logo already trademarked before you can get certified. On the one hand, this can be both expensive for a medium-sized company and yet another step to overcome, on the other hand, it does make the BIMI specification stronger and less likely to be spoofed.

Currently, I'm waiting to find out if the company I work for wants to commit to this. We use Office 365 and Exchange Online for email and as per usual Microsoft came up with their own version of BIMI that nobody will ever use. So we probably need to wait a few years before it's finally added to Office 365.

Update - 06-Jun-24:
It took a few months, but we finally got the Verified Mark Certificate (VMC) from DigiCert, apparently the rollout is still in beta. The .pem file is created out of 3 certs in DER encoding, so copy the text into Notepad and rename with a .pem extension.

Then upload the file to your website and update the BIMI DNS record to the URL where the file is stored.

After this it took a couple of hours before Gmail would start showing the logo, really quite simple once you get the actual cert.

↑ .pem file is basically 3 certs in DER format.

Graph and PowerShell Blog	Articles 2024 Installing Exchange 2019 in Azure Landing Zone Upgrading PHP on Windows Adding a Postfix server for relay to O365 O365 Integrated Apps troubleshooting Domino and O365 Co-existence Delegate Control in AD App mail relay via HVE Setting up Mail Relay with HVE Getting BIMI certified Orbea Occam SL H30 Installing FreeSat and Saorview Changing broadband provider Replacing a DIN timer on fuseboard Outlook Desktop Notifications stop working Outlook folders keep moving sort order Teams report uploading to SharePoint with Runbooks Teams PowerShell module can't run CS cmd as App 2023 Cannot map new Shared Mailboxes in O365 Renewing an Exchange 2016 certificate Connect to Compliance PowerShell behind a Proxy Sensitivity Label not shown in Outlook Client Room Finder Error in Outlook Teams not showing Rooms Teams unable to open file Unable to review quarantined mails for shared mailbox Set Locale for various Apps Delegate Sent Items placed into external Tenant Overview of Microsoft Support cases When centralized mail sends via O365 Cleaning up your Windows DNS server Set OneDrive for Business Locale O365 Migration Tips Reporting on successful Azure logons IIS Mapi Queue full with NetScaler Secure Office365 reports with a certificate Using Graph to send emails with inline images Visualizing Graph data with Google Charts Keeping a log of NetScaler AlwaysON connections \| About \| Links

Getting BIMI certified 19-Feb-24 Over the last few years, DMARC has been adopted by more and more domains. It has helped reduce spam significantly and to secure mail domains. But if you ask your average mail user how to identify an authenticated email it's not something they are interested in or know about. This is where an extension of DMARC can help: Brand Indicators for Message Identification or BIMI for short. It allows a company's logo to be displayed beside a received email. ↑ In Gmail for Android we can see some companies have adopted this while others have not. As with DMARC, the BIMI specification utilizes DNS to allow mail admins to upload an SVG image to a web URL. Just getting the SVG can be difficult as programs like Photoshop will save the image as a JPEG within an SVG, whereas the BIMI standard is looking for the image described in XML format. Once you have your BIMI DNS record and SVG image in place you can test to see if this works in Yahoo Mail. If you check the email in Gmail you will see that there is no image, this is because Google also requires that your company logo be certified with a Verified Mark Certificate (VMC). These certs cost around €1,200 per year and you must have your company logo already trademarked before you can get certified. On the one hand, this can be both expensive for a medium-sized company and yet another step to overcome, on the other hand, it does make the BIMI specification stronger and less likely to be spoofed. Currently, I'm waiting to find out if the company I work for wants to commit to this. We use Office 365 and Exchange Online for email and as per usual Microsoft came up with their own version of BIMI that nobody will ever use. So we probably need to wait a few years before it's finally added to Office 365. Update - 06-Jun-24: It took a few months, but we finally got the Verified Mark Certificate (VMC) from DigiCert, apparently the rollout is still in beta. The .pem file is created out of 3 certs in DER encoding, so copy the text into Notepad and rename with a .pem extension. Then upload the file to your website and update the BIMI DNS record to the URL where the file is stored. After this it took a couple of hours before Gmail would start showing the logo, really quite simple once you get the actual cert. ↑ .pem file is basically 3 certs in DER format.