The biggest problem with the internet is that anyone can claim to be anyone. When I was a boy, all an organisation needed to prove that a piece of communication was from them was a stamp. They would write on a piece of paper, someone with authority would sign at the end, and the organisation would impress its stamp. Now Gmail is rolling out a digital version of the stamp: authenticated logos.
What are authenticated logos and why do we need them?
When communicating online it is always hard for an ordinary person like you and me to verify that a certain email or message really is from the organisation it purports to be from. Social media came up with a clever solution to this problem: verified badges are used to mark accounts that have gone through a verification process.
This means that when you see a message, post or tweet from an account with a badge, the communication is probably official, or at the very least it was made by a representative of the person who owns the verified account. Of course, it is not foolproof; we have seen hackers exploit this trust chain in the past by going after verified accounts and scamming people using them, but it is better than nothing.
Such an easy way to verify accounts did not exist for email until now. Ironically, there are tools such as SPF, DKIM and DMARC records that make it possible for mail systems to filter email and verify that it comes from authorised senders, but these are highly technical concepts beyond the reach of most people. The only time people look at email headers is when they want to see the "from" address, and thanks to automatic address books most people don't even do that anymore.
Authenticated logos are an extension of these existing email authentication technologies. Organisations will still need to set up their SPF, DKIM and DMARC records as usual, but in addition they will have to provide Google with their verified organisational logo using what is known as a Verified Mark Certificate (VMC). Once this is done, the official logo of the company that sent the email is displayed instead of an avatar with a letter in it.
BIMI is a fancy name for the whole thing
The whole process/technology is known as BIMI (Brand Indicators for Message Identification). It probably won't be limited to Gmail, as there are other parties to the initiative. If you are a Gmail user with an up-to-date client you should already be seeing this live in your inbox; you don't have to do anything special. Companies like PayPal, WordFence and Stack Overflow seem to have already signed up. The service will probably be rolled out to the web version of Gmail soon too.
If you are an organisation and want to be part of BIMI (and in my opinion banks and other big organisations should be scrambling to join), follow these steps:
- Set up SPF, DKIM and DMARC by following our guides to these specifications. Your DMARC policy has to be at least quarantine or reject.
- Create an SVG Portable/Secure (SVG P/S) version of your logo.
- Create a BIMI record (a special TXT record) for your domain. The format is default._bimi.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[PEM URL]". Replace the [domain] part with your root domain, e.g. default._bimi.techzim.co.zw, point l= at your SVG logo and a= at your PEM certificate bundle.
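Before publishing the records from the steps above, it is worth checking them the way a receiving mail system will read them: the DMARC policy must be quarantine or reject, and the BIMI record must point at an https SVG logo and a VMC bundle. The script below is an added example written for this article, not code from Google or the BIMI group; it parses the tag=value syntax that DMARC and BIMI records share and lists anything that would stop the logo from showing. The sample records and the example.com URLs are constructed placeholders, and the check that a DMARC pct value is 100 is a stricter condition than the article states.

```python
"""Pre-publication check for a domain's BIMI and DMARC TXT records (constructed sample data)."""
from urllib.parse import urlparse

# Constructed sample records for a placeholder domain, not any real organisation's DNS.
SAMPLE_DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_BIMI_TXT = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"


def parse_tag_value(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def _is_https_url(value: str) -> bool:
    """Logo and certificate must be fetched over https from a real host."""
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_bimi(bimi_txt: str, dmarc_txt: str) -> list:
    """Return a list of problems; an empty list means the pair looks publishable."""
    problems = []

    dmarc = parse_tag_value(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record must start with v=DMARC1")
    if dmarc.get("p") not in ("quarantine", "reject"):
        problems.append("DMARC policy must be quarantine or reject (p=none is not enough for BIMI)")
    # Stricter than the article: a partial rollout (pct below 100) leaves some mail unenforced.
    if dmarc.get("pct", "100") != "100":
        problems.append("DMARC pct should be 100 so the policy applies to all mail")

    bimi = parse_tag_value(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record must start with v=BIMI1")
    logo = bimi.get("l")
    if not logo:
        problems.append("BIMI record is missing the l= logo URL")
    elif not _is_https_url(logo) or not logo.lower().endswith(".svg"):
        problems.append("l= must be an https URL to an SVG file")
    vmc = bimi.get("a")
    if not vmc:
        problems.append("BIMI record has no a= VMC URL; Gmail needs a VMC to show the logo")
    elif not _is_https_url(vmc):
        problems.append("a= must be an https URL to the PEM certificate bundle")
    return problems


def bimi_record_name(domain: str, selector: str = "default") -> str:
    """Name of the TXT record to publish, e.g. default._bimi.techzim.co.zw."""
    return f"{selector}._bimi.{domain.strip('.')}"


if __name__ == "__main__":
    print(bimi_record_name("techzim.co.zw"))
    issues = validate_bimi(SAMPLE_BIMI_TXT, SAMPLE_DMARC_TXT)
    print("OK, records look publishable" if not issues else "\n".join(issues))
```

To check live records rather than the constructed samples, feed the script the TXT strings returned by `dig TXT _dmarc.yourdomain` and `dig TXT default._bimi.yourdomain`; the checks are the same either way.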
That’s it, next time your email lands in someone’s Gmail inbox your logo is automatically displayed.