A smartphone showing a list of emails with company logos next to each message.🅭

Common mistakes in BIMI early-adopter implementations

Two weeks ago, I wrote about the new Brand Indicators for Message Identification (BIMI) draft internet standard. BIMI enables businesses to get their logos displayed next to their email messages in compatible email apps and webapps. As part of the research for that article, I queried the top 3 million domains to see how many had adopted the standard. I found 6647 domains with a default brand indicator, but far from all meet the BIMI requirements.

I only tested pay-level domains (e.g. example.com) and not subdomains. I only evaluated the default domain-level brand indicator (e.g. default._bimi.example.com. Domains may use other brand indicators, e.g. the Ctrl blog newsletter uses newsletter._bimi.ctrl.blog. However, I can’t guess what the indicators might be without examining an outgoing email message from the domain. Domains like Ctrl blog without a default BIMI won’t be included in these results.

I queried the Domain Name System (DNS) for the default BIMI records for the top 3 million domains. I evaluated the responses, and fetched the BIMI image for domains with a valid BIMI record. I also evaluated other email policy DNS records used by BIMI; including Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF). The DomainKeys Identified Mail (DKIM) records were not evaluated because this would require me to examine an email message sent from the domain.

Okay, on to the results! As mentioned, I found 6647 BIMI-like DNS records. This means any DNS text (TXT) record that contained the magic eyecatcher string v=BIMI1. The presence of that string was assumed to be an intention of wanting to publish a BIMI.

198 domains contained the magic string but didn’t match the required syntax. Almost all syntax errors contained the full line from the DNS zone file as the value in the TXT record. 6 contained a serialized JSON version of the expected DNS record.

BIMI has a few specific requirements for the image file indicated by the BIMI record. The image files must be square SVG version 1.2 image with the SVG Tiny Portable/Secure (Tiny-PS) profile. The image should work with a square and circle mask applied.

2156 domains linked to SVG images that didn’t use the Tiny PS profile. This was the most common problem with all the published BIMI records. 2002 of the images could have met the requirements of the Tiny-PS profile as-is with the addition of the required metadata.

1074 of the SVG images weren’t square. The median proportion of these images was 4:1. Anecdotally, most of the square images contained a rectangle with a lot of vertical padding. 1404 images would cut off pixels other than the background color when applying a circle mask. (I’m not 100% confident about my test methodology on this last metric.)

702 images were irretrievable with a web browser-like User-Agent. HTTP 404 Not Found was the most common error, followed by Cloudflare protection pages. An additional 5 images were irretrievable with a mail-agent like User-Agent.

73 domains linked to PNG and 2 to JPEG bitmap image files instead of SVG vectors as required by BIMI. 479 image files contained bitmaps within the SVG container.

17 domains served their images over the HyperText Transfer Protocol (HTTP) instead of Secure HTTP (HTTPS) as required by BIMI. 1 domain served the image over the legacy File Transfer Protocol (FTP). FTP support was removed from web browsers in 2020.

42 domains contained explicit opt-outs. A BIMI opt-out is a valid BIMI record that contains an image address that points to an empty string. Publishing an explicit opt-out is essentially pointless, but it might enable clients to make better and longer-lasting caching decisions.

1343 domains had not published a DMARC policy. 308 domains had a too weak DMARC policy. All but 1 domain with a DMARC policy that contained a provision about SPF had published an SPF policy. 2708 domains contained a weak SPF policy (didn’t end with -all).

As mentioned in my earlier article about BIMI, Google Mail (GMail) requires that BIMI records also publish a Verified Mark Certificates (VMC). A VMC is a certificate file that is cryptographically signed by a Certificate Authority (CA). The CA verifies that the BIMI image is a logo that is a registered trademark belonging to the domain owner.

988 domains included a VMC parameter in their BIMI records. 568 linked to a certificate file as required by BIMI. I did not evaluate the validity of these certificates. 420 domains contained a VMC parameter with “self” as the value, presumably a left-over from an earlier draft of the BIMI standard.

Only 2324 domains (34,9 %) met all the requirements (excluding VMC). Apps and services consuming BIMI records can make their own decisions about which requirements to enforce. As mentioned, only GMail requires VMCs. Given these results, it would make sense to lift the SVG Tiny-PS profile requirement and apply a server-side conversion process.

Curious about your domain? You can check conformance and preview your image within the context of an email inbox (with a square and round mask) using the BIMI Inspector. The same tool can be used to generate a BIMI record.