Apple’s BIMI Support = Time To Get Serious About DMARC Enforcement


Apple announced on September 12 that its email clients for iOS 16 and macOS will support a broad industry effort to combat brand spoofing and impersonation by implementing Brand Indicators for Message Identification — BIMI for short. This announcement further reinforces Apple’s commitment to security and privacy for its users and its earlier Lockdown Mode announcement. 

This is a big deal given that Apple email clients command a whopping 57% of the market as of July. Support of BIMI means that even users with Outlook, Gmail, and other email accounts reading and interacting with email via an Apple client will be better protected against the bad actors who count on spoofing and impersonation to carry out phishing and business email compromise (BEC) attacks. 

BIMI One Year Later: Little Uptake Due To DMARC Implementation Struggles 

Launched in July of 2021, BIMI is an email specification that enables the use of brand-controlled logos within supporting email clients. It allows companies and their associated brands to display logos on emails, control the logos that display with email messages, and cultivate brand recognition and enhanced customer experience. 

The benefits of BIMI are undeniably appealing to both marketing and security practitioners, but getting a verified BIMI logo is only possible if an organization reaches the enforcement stage of DMARC. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication standard that lets a domain owner tell receiving mail systems how to treat messages that claim to come from that domain but fail authentication, and to receive reports about them. A sender’s DMARC record instructs the receiving mail server what to do (e.g., do nothing, quarantine the message, or reject it) when a suspicious email claiming to come from that sender is received.

We’ve been extolling the virtues of DMARC to prevent fraud and phishing attacks since 2020, and the number of firms with DMARC records continues to increase year over year with the most dramatic rise between 2020 and 2022. A recent study from email security solutions provider Valimail found that a majority of US- and EMEA-based enterprises — 64% and 57% respectively — have DMARC records in place, but under 20% of firms in both regions are at the enforcement stage, rendering the DMARC record moot and the ability to offer a verified logo via BIMI impossible. What’s behind this disconnect?

Are You At Enforcement? Double Check.

Reaching DMARC enforcement lets the domain owner specify, through policy, how receivers should handle an email that fails authentication. There are three policy choices for domain owners: 

  • p=none – mail is delivered regardless of authentication status. 
  • p=quarantine – mail is sent to the spam folder of a user’s inbox. 
  • p=reject – mail is rejected from the inbox and discarded. No delivery.

Setting DMARC policy to either p=quarantine or p=reject is considered DMARC enforcement. Setting the policy to p=none provides domain owners with reporting on unauthenticated emails and the IP addresses from which they were sent, but no protection! It should be considered for the testing phase of DMARC implementation and used to tune other settings. 

So why are so many firms stuck at p=none? It could be due to any number of common errors or to the mistaken notion that simply reaching the monitoring phase provided by p=none is actually protecting the firm. Regardless, firms should move out of this policy setting as quickly as possible. Often, a little extra help in the form of professional services is needed to troubleshoot settings and ensure enforcement.
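The checks below are an added example, not code from the original article and not a BIMI Group or Apple tool. They parse a DMARC record, report whether it is at enforcement, and flag the common mistakes that keep a domain exposed or BIMI-ineligible even when the p= tag looks right: a pct value below 100, an sp=none subdomain policy, a missing rua address. The domains and records are constructed sample data. The BIMI eligibility rule encoded here follows the BIMI Group's published requirement that the policy be p=reject, or p=quarantine with pct=100, and that the subdomain policy not be none.

```python
"""Assess a DMARC TXT record for enforcement status and BIMI eligibility.

Added example, not from the original article. All records and domains
below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample records, as they would appear at _dmarc.<domain>.
SAMPLE_DMARC = {
    # monitoring only: reports arrive, failing mail is still delivered
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    # partial rollout: only 25% of failing mail is quarantined
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    # enforced on the domain, but subdomains explicitly left open
    "subopen.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subopen.example",
    # full enforcement with aggregate and failure reporting
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; ruf=mailto:forensic@strict.example",
}


@dataclass
class DmarcAssessment:
    policy: str
    subdomain_policy: str
    pct: int
    enforcement: bool
    bimi_eligible: bool
    findings: list = field(default_factory=list)


def dns_names(domain: str) -> tuple:
    """DNS labels where receivers look up the DMARC and (default selector) BIMI records."""
    return (f"_dmarc.{domain}", f"default._bimi.{domain}")


def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify a DMARC record and list the misconfigurations a reviewer should raise."""
    tags = parse_tags(record)
    findings = []
    valid_version = tags.get("v", "").upper() == "DMARC1"
    if not valid_version:
        findings.append("missing or invalid v=DMARC1 tag; receivers will ignore the record")

    policy = tags.get("p", "").lower()
    # sp= defaults to the p= value when absent
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = max(0, min(int(tags.get("pct", "100")), 100))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers treat it as 100")

    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"unrecognized policy p={policy!r}")
    enforcement = policy in ("quarantine", "reject")

    if policy == "none":
        findings.append("p=none: reporting only, failing mail is still delivered")
    if enforcement and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if enforcement and sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed despite the enforced p= policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    # BIMI Group rule: p=reject, or p=quarantine with pct=100, and sp not none
    bimi_eligible = (
        valid_version
        and (policy == "reject" or (policy == "quarantine" and pct == 100))
        and sub_policy != "none"
    )
    return DmarcAssessment(policy, sub_policy, pct, enforcement, bimi_eligible, findings)


if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC.items():
        result = assess_dmarc(record)
        print(f"{dns_names(domain)[0]}: enforcement={result.enforcement} "
              f"bimi_eligible={result.bimi_eligible}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Run it against the sample set and only strict.example comes out both enforced and BIMI-eligible; partial.example and subopen.example are technically "at enforcement" by the p= tag yet still fail the BIMI requirement, which is exactly the double check the heading above asks for.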

Go To Market On Trust With DMARC + BIMI 

The BIMI Group remains adamant that the only way to display a verified company or brand logo in supporting email clients is with DMARC at the enforcement stage. Given the small percentage of firms that have achieved this stage, moving forward with DMARC and adding your verified logo via BIMI is an opportunity, as we stated in our report Bolster Brand Resilience With DMARC, to bring security and marketing teams together behind a shared mission. This can foster harder but more meaningful conversations between functions about the risks associated with email communication and the impact of fraud and attacks on customer trust. It’s also an opportunity for your firm to communicate your commitment to protecting customers, partners, and employees from bad actors and debilitating attacks. 

When you’ve achieved DMARC + BIMI, launch a campaign detailing the steps you’ve taken as a firm to deliver secure, authenticated emails to customer inboxes, and explaining that only emails carrying your verified logo are genuinely from you. Use this communication to reinforce your secure practices as a company and to give customers actionable guidance for protecting themselves and their families from fraud, credential theft, and data exposure.

It’s time to take advantage of Apple email clients’ near-ubiquity and work with your teams to accelerate DMARC and BIMI efforts in your organization. Need help? Reach out and schedule a guidance session with me for best practices and recommendations for providers to help you on your DMARC enforcement and BIMI journey. 
