How to activate the BIMI standard to authenticate emails and improve deliverability

Email authentication as an essential deliverability best practice is hardly a new topic here on the MailUp blog.

We have already taken a long look at how deliverability is linked to the concept of reputation. It is therefore fundamental to resort to technologies and security protocols that certify message and sender authenticity, known as email authentication methods.

One of the most recent standards related to authentication protocols, is BIMI, which stands for Brand Indicators for Message Identification.

The latest update of the BIMI guidelines was published on 31 March 2022. Let’s go over the topic and try to understand the steps to activate BIMI, starting from our own configuration.

How to activate BIMI: the MailUp experience

After reviewing all the aspects, MailUp also decided to activate a Verified Mark Certificate on its registered figurative trademark.

As support for customers who want to activate the BIMI with their logo, below we share the key steps and all the information we have learned about the BIMI standard.

1. Enable a DMARC policy

The first thing to do is to verify that a restrictive DMARC policy (quarantine or reject) is enabled for the domain in question on the main domain. This means that even if newsletters are sent from a subdomain (e.g., marketing.mailup.com), the policy applied is the main domain (for example, mailup.com). Implementation notably sensitive if it hasn’t been done yet.
Based on our experience it can take 8-12 weeks on average but may take longer.

In our case, the DMARC policy was enabled several years ago. Given the timing of implementation, our customers should remember that if they haven’t yet set a DMARC policy to seriously consider doing so, because it is not immediate and is likely to be a fundamental requirement to enable any new “feature” available in the Email Marketing ecosystem.

With our MailUp platform you can choose to protect your domain with DMARC at any time. To do so, you can rely on the assistance of our experts, who will guide you step by step in activating the policy. Fill out the form to receive information and request MailUp support!

2. Register your brand name

Once DMARC authentication is approved, the next step is to register (or have registered) a logo at one of the supported offices.

There are currently 8 approved registers:

1. European Union Intellectual Property Office
2. United States Patent and Trademark Office (USPTO)
3. Canadian Intellectual Property Office
4. UK Intellectual Property Office
5. Deutsches Patent- und Markenamt
6. Japan Trademark Office
7. Spanish Patent and Trademark Office O.A.
8. IP Australia

Our MailUp brand was already registered at several offices, so there was no need to wait any longer. Companies about to start the process of trademark registration should remember that, for the purposes of BIMI, the logo approved must be the same as the registered one: partial logos or with different proportions will not be accepted.

Evaluate therefore if you need a brand that is “mailbox provider friendly”, i.e., that you can see in typical webmail/mobile views

3. Create your logo’s SVG image

Once the most appropriate logo registration is verified, pass to the stage of SVG image realization compliant with the SVG specifications:

BIMI records: final validation procedures

Ready? Set? Go!

Not really… to obtain the CMV you must undergo a series of validation procedures like those needed for an EV SSL
certificate. During the process, the validation of an individual’s identity and face to face confirmation by a notary and via a video call directly with a member of the validation team are required.
Recent changes have been made in the process and in person confirmation with a notary is no longer necessary. This will certainly help speed up the process, but there are still several things that could be improved.

Considering however that these certificates are rather recent and there is still not much “competition”, with time this process will be standardized and efficient.

Once our verification was completed, activation of the Verified Mark Certificate confirmed and the BIMI record updated, Gmail also started to correctly show the logo on both desktop (webmail) and mobile clients in a couple of days.

The propagation of BIMI also occurs on subdomains if the indicated rules are respected. On this topic, the FAQs section of the BIMI Working Group can be very useful in finding further information, clarification and explanations.

Just one last remark: after successfully publishing the BIMI record we noticed a singular side effect.

On Gmail/Gsuite, the BIMI logo also replaces the user profile image, where set:

that is no problem, since our flows provide subdomains and alignment different DKIM depending on whether we have one to one “corporate” or mass communications, as per best practice. It took only one change to the internal configuration to return to the optimal situation: our BIMI logo for automatic communications and our profile image for direct/one to one.

That is proof, where needed, that a correct email authentication strategy adhering to best practices is always a winner, especially in case of “unforeseen” situations.