Gmail announces support for email logo authentication effort

Google, Yahoo, AOL and Fastmail inboxes will now display sender-designated logos for authenticated messages.

You may now see brand logos in your Gmail inbox thanks to a new agreement between Google and the AuthIndicators Working Group, which created the Brand Indicators for Message Identification (BIMI).

The developers of BIMI describe it as an "email specification that enables the use of brand-controlled logos within supporting email clients." 

BIMI is meant to leverage the work an organization puts into deploying DMARC protection by bringing brand logos to a customer's inbox, according to the developers behind the project. The group is made up of a committee of companies working to add more authentication to inboxes as a way to offer more security to users. 

Google, Mailchimp, Fastmail, Proofpoint, Twilio SendGrid, Validity, Valimail, and Verizon Media are some of the companies working on developing BIMI.

Valimail chief product officer Seth Blank, chair of the AuthIndicators Working Group, said Valimail employees are responsible for founding, naming and resourcing the BIMI standard.

"We've been an avid supporter of BIMI since Valimail's founding in 2015. With a goal to improve the ecosystem for everyone, BIMI enables brands to deliver their logos alongside email messages to billions of inboxes worldwide, increasing customer engagement with those messages and boosting brand trust," Blank said.

He went on to explain that in addition to the security benefits, BIMI allows companies and brands to customize their logos on email, newsletters, receipts and offers. 

BIMI was previously available to Yahoo users and is now also available to Gmail users, representing a massive expansion for the effort. BIMI will now be available to more than 2 billion inboxes through Gmail, AOL, Yahoo Mail and Fastmail.

On top of offering companies a "secure, global framework in which inboxes display sender-designated logos for authenticated messages," the effort is also meant to stop people from "spoofing" the logos of different enterprises. BIMI's developers claim companies that use their system have seen a 10% average increase in engagement. 

Google's Neil Kumaran and Wei Chuang wrote a blog post announcing the move, explaining that BIMI "provides email recipients and email security systems increased confidence in the source of emails, and enables senders to provide their audience with a more immersive experience."

"This is just the start for BIMI. The standard expects to expand support across logo types and validators. For logo validation, BIMI is starting by supporting the validation of trademarked logos, since they are a common target of impersonation," the two wrote. 

Blank said many brands are now targeted by cybercriminals for spoofing and phishing, adding that BIMI was an "industry-wide effort to advance email authentication and help all brands protect themselves." 

"It provides protection for users at scale and makes the email ecosystem better and safer for everyone," Blank explained, adding that DMARC was an "essential safeguard" against most phishing attacks.

"For the brand's logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization's domain has not been impersonated," the tool's creators explained. "By displaying the sending company's logo next to an email, BIMI provides a visual cue to the recipient that the email has been authenticated and the sender is not spoofed."

The AuthIndicators Working Group said that for an enterprise's logo to be eligible for being displayed in Gmail messages, companies need to get a BIMI certificate -- which they called a Verified Mark Certificate -- that confirms their right to use the image. 

"While VMCs are currently tied to registered trademarks from select jurisdictions, future plans seek to expand access to include both additional jurisdictions and options for unregistered trademark logos," the group said. 

Valimail also said it was partnering with certificate providers Entrust and DigiCert to create a "streamlined process for companies to enforce DMARC and earn a VMC, both essential steps for BIMI compliance."

"DigiCert's partnership with Valimail simplifies BIMI compliance with VMCs and DMARC enforcement -- a strategy designed to deliver more consistent, secure email for businesses and consumers," said Dean Coclin, DigiCert's senior director of business development. 

"We anticipate growing demand for digital certificates displaying verified logos in email and are developing scalable solutions to help companies be ready on day one."