Emails are most fraudsters’ number one choice when it comes to fooling and baiting users. We’ve seen many phishing scams that start with a simple email that claims to be an official email (but isn’t) and end up putting the security of the entire organization at risk. This is an area where BIMI and Verified Mark Certificate (VMC) will play a crucial part.
There are quite a few BIMI validators available online – some are great, some good, some outright useless. Since we are knee-deep as a company in BIMI validation on a daily basis perfecting our validator, we have decided it’s time to write an ultimate guide to getting your BIMI record ready.
As many of you may know, BIMI is still in its development phase with a publicly available support already available at Yahoo! and a closed pilot at Gmail. It’s about time your brand started looking into getting ready for BIMI as it’s not all smooth sailing.
Let’s start with a recap of what BIMI is: Brand Indicators for Message Identification is an upcoming specification for display of logos in email clients.
As the recipient of email, you may say that your email client is already showing brand logos so what’s the deal?
The main difference is in who’s in control of the logos. Usually, logos are automatically pulled from various sources and curated by the email client vendors. As a result different logos show up depending on email client and device. With BIMI, the brands are in control of their official displayed logos – no matter the brand size. Symbols are a succinct and efficient way of communicating information about your business. A logo is an important part of your company's brand, and makes a significant impact on a company's public perception. In fact, a logo is one of the most important branding investments a business can make. It grabs attention, makes a strong first impression, is the foundation of your brand identity, security, is memorable, separates you from competition, fosters brand loyalty, and is expected by your audience.
The BIMI specification builds upon existing email authentication standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC),. Brands that properly deploy email authentication using DMARC will be able to take advantage of BIMI. DMARC is a standard that allows domain owners (brands) to protect their domains by setting email authentication policies. DMARC also provides reports which help set up the email authentication using SPF and DKIM on all sources.
Once all valid sources are identified and authenticated, a restrictive (i.e. p=quarantine or p=reject) DMARC policy can be set. By using this policy, domain owners can control what happens to unauthenticated (untrusted) messages – whether they end up in spam or will be rejected altogether by the receiving mailbox provider. DMARC helps brands protect themselves from various, but common types of domain abuse and phishing attacks. Put simply - you eventually want to have your DMARC records with a quarantine or reject policy for your brand’s domain no matter whether you’ll be implementing BIMI or not.
You may think this favors large companies but it’s quite the opposite – it’s much easier to deploy DMARC for a small business with a simple email infrastructure than it is for an enterprise with multiple providers and email services.
Now that you presumably have your brand’s email authentication in place we can get to BIMI deployment. This one is considerably easier than the authentication itself by design. Think of a BIMI as the prize you are getting for doing the hard work to protect your domain. Remember, your logo is much more than just an image; it is a point of recognition for clients and an important foundation for the branding and security of your company.
Just like many other email related authentication standards, BIMI will reside in your domain as a text (TXT) record. You can even have multiple BIMI records by using different selectors, or on subdomains... but let’s not complicate things just yet. The records themselves will reside in the “_bimi” space of your domain with the default BIMI record being “default._bimi”. The text part holds the identifier of the record version (v=BIMI1), url to the logo (l=) and url to the logo certificate (VMC) if available (a=). A complete record would look like this:
default._bimi IN TXT “v=BIMI1;l=https://url.to/your.file.svg;a=https://url.to/certificate.pem”
The URL of the logo in "l" attribute as well as the optional VMC url in "a" attribute must use secure https protocol and the server must respond with HTTP status code 200 (Found). HTTP Redirects using status code 302 are not permitted.
The Verified Mark Certificate (VMC) is an optional digital certificate that authenticates your organization as the owner of the logo will be required by most Inbox providers. If no VMC is available the "a" attribute in the record must be omitted or set to "a=self".
VMCs are critical for businesses that want to enhance their online reputation and demonstrate the quality of their products. By providing a level of security to delivered emails, companies that adopt the BIMI and VMC standards reinforce trust among their clientele and create a sense of confidence in their brand. In other words, VMCs put your customers’ minds at ease. Currently VMCs are being issued as part of a pilot and are not available to general public yet.
Adding the record to your DNS is very simple and won’t take much time but you have to make sure that its contents are valid too. Let’s look at the main obstacles of getting validated.
Very little has been said about the most critical parts of BIMI - the requirements for the logo file. The logo must be in a format called SVG and meet certain requirements.
SVG stands for Scalable Vector Graphic - the format that drives many elements of modern websites and mobile applications. As the name suggests its advantage lies in scalability. Unlike the most popular GIF, JPG and PNG which are bitmap formats, the vector graphics are made out of lines and curves which can be easily scaled without loss of detail. SVG is light, loads quickly and adjusts to responsive sizing perfectly.
The very basic requirement is that the logo must be square. The exact dimensions don’t matter as it’s scalable, but the aspect ratio must be 1:1 - whether it will be 100x100 pixels or 140x140 makes no difference.
The second requirement is that it must meet the SVG BIMI profile. SVG standard itself is very versatile and has many flavors - SVG 1.0, 1.1, 1.1 Tiny, 1.2 Tiny, 2.0. The one that is closest to the SVG BIMI profile is called SVG 1.2 Tiny which was originally created as a subset of SVG intended for mobile devices. The SVG BIMI profile is a limited version of SVG Tiny 1.2. The limitations are in place for both practicality and security reasons.
As SVG has been created with the 21st century Internet needs like mobile usage in mind it has support for a lot of fancy stuff - scripts, animations, sounds, hyperlinks, texts, effects, references to other SVGs, etc. To make sure the logo can not be abused all of these interactive elements that could be potentially abused are banned. SVG can also act as a container for bitmap images which do not scale. The image content is banned as well. Essential - the BIMI SVG is the graphic only variant of SVG Tiny 1.2.
Now that we have outlined the main specifications we can focus on preparing our logo. Make sure you start with a proper vector graphic. If you cut corners here you won't be able to export a proper SVG.
Let’s take a look at how to export proper SVG using the most popular tool among graphic designers - Adobe Illustrator (AI)..
Open the logo in AI and inspect its objects. Make sure there are no rasterized elements (bitmaps), linked files, texts or groups. To inspect your file, first make sure that the Control toolbar is switched on in the Window menu.
Linked files are displayed in the control toolbar as “Linked File”. You’ll need to convert all layers with Linked files into objects by selecting individual layers and clicking the Embed button in the Control toolbar.
Bitmap images are identifiable in the Control toolbar by showing as “Image”. Find images by selecting individual layers and checking if the Control toolbar is identifying the object as “Image”.
Logos rarely contain images and if yours does, it’s most likely because you don’t have the original graphic design file. Images are not scalable and as such not practical for logos and banned by BIMI SVG specification.
Your logo may be image-based if it has been originally designed on paper and never properly redesigned into a graphic. In such a case you may try to use the Trace Image button and try if the logo can be converted into a graphic. You can try different Image tracing presets to see if an acceptable tracing result can be achieved. Once you are happy with the trace just click the Expand button. The resulting vector graphic will most likely require touch ups by a professional graphic designer.
Next up is to find any text objects. These will show in the Control toolbar as “Type”.If there is a text in your logo, you will need to convert it into curves as text may be in different fonts and BIMI SVG can’t support that. Luckily this is a common task and there is a tool for that in the Type menu. Select your text layer and select the “Create Outlines” option from the “Type” menu. You’ll notice that the control toolbar will no longer identify the object as “Type” but as a “Group” instead.
At this point you should have all the objects as proper vector elements but many will still be in groups. Groups are displayed in the Layers panel with an expandable indicator.
While very practical for design work, groups cause all types of trouble when exported to SVG. We will have to make sure to “Ungroup” all groups.
The fastest way to do that is by selecting all objects in your file by selection option “All” in menu Select or by keyboard shortcut Ctrl+A. With all objects selected and highlighted you will have to navigate to the “Ungroup” option of the “Object” menu or use the Shift+Ctrl+G shortcut. You will have to repeat this multiple times until all groups in the document are ungrouped.
Your document structure should only contain objects inside one or more layers by now. We still need to make sure the output will meet the BIMI SVG specifications including square dimensions. To avoid any additional issues with artboards and such, we will start by creating a new file (do not close your current working file).
Create a new file with square dimensions - make sure the width and height are equal. Make sure the color mode selected is RGB color and not CMYK color.
Now that you have your new document ready, switch to the original document and select all objects by navigating to the “All” menu item in the “Object” menu or by keyboard shortcut Ctrl+A. Copy all the objects to clipboard using Ctrl+C or by selecting the “Copy” option in the “Edit” menu.
Switch to the new empty document and paste all objects using Ctrl+V or by selecting “Paste” option in the “Edit menu”.
Adjust the sizing of the graphics using the control toolbar to fill the document. Make sure to alway select the layers and not individual objects and make sure the “Constrain Width and Height proportions” is enabled when resizing.
Once your document is ready, select the “Save as” option from the “File” menu. Navigate to the destination folder and set the file format under “Save at type” to “SVG” (not SVG compressed). Make sure to have the “Use Artboards” checkbox selected.
In the next step you will be presented with the SVG Options dialog. Under SVG Profiles select SVG Tiny 1.2 as it is the closest you can get to the format for BIMI SVG. Extra options can be displayed by clicking the More Options button. The one option that may need adjustment is the “Decimal Places”. Depending on how complex your logo is you may want to increase the number of decimal places. For most exports the default value of 1 will suffice but in some cases you may want to increase the decimal places to 2 or maybe even 3 to preserve the necessary detail.
Click the “SVG code” button to review the code. It will open the file in a file editor (usually notepad). Make sure the line starting with <svg contains version=”1.2” and baseProfile=”tiny”. Also check that there is no base64 anywhere in the content as that would mean that AI was unable to create vector only representation of your drawing. If everything checks out feel free to close the editor and click the “OK” button in the dialog to save the file.
Open it in your browser by double clicking and visually inspect to make sure the logo meets your expectations. Sometimes it’s good to zoom in on the logo to see more detail. If you find any problems in the details return to Adobe Illustrator and repeat the export with an increased amount of “Decimal Places” set.
Now that you have your SVG exported, it’s time to do some manual cleanup. You can use any text editor for this task as SVG is a text file. First you want to make sure the file has been exported as a vector graphic and contains no images. Some small bitmap elements may have slipped the visual inspection so you have to search the file for presence of the image element and base64 content. You can do this by simply searching using the Find command or using Ctrl+F (in most text editors) and searching for “image” and “base64”. Next look for external references by searching for “href”. If your search found no instances of any of these strings you are in a good position to start the cleanup.
Start by removing the highlighted section with the information about the used version of Adobe Illustrator. Next find the x=”0px” y=”0px” from the line starting with <svg as seen on the image. The same element also often contains overflow=”visible” attribute that needs to be removed. This is very important as the coordinate and overflow attributes are not permitted in the BIMI SVG standard. Next find the baseProfile=”tiny” and replace the “tiny” with “tiny-ps” resulting in baseProfile=”tiny-ps”. The last step is to add the required <title> tag into your SVG below the <svg ...>. The purpose of the title is to provide accessibility so it should reflect your brand. In our case the line reads <title>Mailkit</title> and yours should contain your brand name too.
Save the file and use our validator to make sure your SVG validates correctly. Hopefully it will and you are good to go for BIMI record deployment.