30 August 2021

Everything you need to know about BIMI and validated mark certificates, how they increase brand trust, and which companies have adopted them

A range of brands are taking advantage of the Brand Indicators for Message Identification standard, combined with trademark validation through validated mark certificates. In this guest analysis, Jeremy Speres, partner at Spoor & Fisher presents everything you need to know about the offering, and crunches the numbers to reveal which companies are already utilising the system.

Guest analysis

With email-based phishing and other fraud rife, brand owners can now take advantage of an additional layer of email authentication that can increase brand recognition and engagement and impart a heightened sense of trust and security to their emails: the Brand Indicators for Message Identification (BIMI) standard, combined with trademark validation through validated mark certificates (VMCs).

What is BIMI?

BIMI is a new standard that attaches a brand’s logo to emails sent using an authenticated domain name. The logo is displayed alongside emails from the brand in the recipient’s email client as an avatar. See the example below for CNN.

Source: https://bimigroup.org/verified-mark-certificates-vmc-and-bimi/

The benefits to brands are clear:

  • recipients are more likely to trust the source of the email;
  • brand impressions, email open rates and engagement are increased; and
  • emails stand out.

In the past, mailbox providers developed their own individual methods for representing logos in mailboxes. This patchwork approach had the disadvantage that each provider had to maintain its own repository of logos. In addition, brand owners had to liaise with every mailbox provider and meet each provider’s specifications. BIMI was introduced to overcome this.

Interestingly, BIMI was also introduced to incentivise brands to implement proper email authentication, which the BIMI standard requires. As discussed below, brands that do are rewarded with the display of their logo.

The BIMI standard was created as an open, vendor-neutral standard by several large players in the email market including Google, Verizon Media (including Yahoo, AOL and Netscape) and Fastmail. The AuthIndicators Working Group was formed to develop and support an Internet Engineering Task Force (IETF) standard. Support for BIMI among mailbox providers is growing and can be tracked on the AuthIndicators’ site. Google’s announcement in July 2021 that Gmail will support BIMI is sure to spur on other providers. Notably absent from current BIMI supporting providers are Microsoft’s Outlook and Office 365.

How to implement BIMI

Google has published a comprehensive guide on implementing BIMI. To take advantage of BIMI, senders must have certain email authentication protocols in place for the domain in question, in particular:

  • a Sender Policy Framework (SPF) record, which specifies the IP addresses permitted to send emails for the domain;
  • DomainKeys Identified Mail (DKIM), which adds a digital signature used to verify that emails are authentic and have not changed during transit; and
  • Domain-based Message Authentication, Reporting and Conformance (DMARC), which is built on top of SPF and DKIM to essentially tell the receiving mail server what to do if SPF and/or DKIM authentication fails.

For BIMI, it is important that the DMARC policy is configured to at least quarantine or reject emails that fail authentication.

Once these are implemented, the brand must create a logo in the SVG graphical file format and upload it to its webserver. Next, the brand should create a BIMI record in the Domain Name System (DNS) zone for its domain in the form of a TXT record. That DNS record will essentially point to the location of the brand’s logo on its webserver, which is how email clients validate and obtain it.
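The readiness checks described above (SPF and DKIM published, DMARC at quarantine or reject, then a BIMI TXT record pointing at an SVG logo and, optionally, at a VMC) can be scripted. The following is an added example, not code from the article, from AuthIndicators or from any mailbox provider: the DNS answers are constructed in-line so it runs offline, the DKIM selector name `sel1` is an assumption, and the extra `pct` check reflects the BIMI Group's published requirement that the enforcing DMARC policy apply to all mail.

```python
"""Offline BIMI readiness check over constructed DNS TXT records."""
from urllib.parse import urlparse

# Constructed sample answers. example.com carries the full stack plus a VMC
# reference in the a= tag; weak.example has DMARC p=none and a self-asserted logo.
SAMPLE_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekey"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "default._bimi.example.com": [
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
    ],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "sel1._domainkey.weak.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekey"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "default._bimi.weak.example": ["v=BIMI1; l=https://weak.example/logo.svg;"],
}


def lookup_txt(dns, name):
    """Return the TXT strings for a name. Swap in a real resolver (e.g. dnspython)
    here to check a live domain; the rest of the logic is unchanged."""
    return dns.get(name.lower(), [])


def parse_tags(record):
    """Parse 'k=v; k2=v2' style records (DKIM, DMARC, BIMI) into a dict.
    Tag names are lower-cased; values keep their case (URLs, keys)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(dns, domain):
    recs = [r for r in lookup_txt(dns, domain) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return False, f"expected exactly one SPF record, found {len(recs)}"
    return True, recs[0]


def check_dkim(dns, domain, selectors):
    # DKIM keys live at <selector>._domainkey.<domain>; the selector must be known.
    for sel in selectors:
        for r in lookup_txt(dns, f"{sel}._domainkey.{domain}"):
            tags = parse_tags(r)
            if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
                return True, f"selector {sel} publishes a public key"
    return False, "no DKIM public key found for the given selectors"


def check_dmarc(dns, domain):
    recs = [r for r in lookup_txt(dns, f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return False, f"expected exactly one DMARC record, found {len(recs)}"
    tags = parse_tags(recs[0])
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC p={policy!r}; BIMI needs p=quarantine or p=reject"
    if tags.get("pct", "100") != "100":  # enforcement must cover all mail
        return False, f"DMARC pct={tags['pct']}; must be 100 (or omitted)"
    return True, f"DMARC p={policy}"


def check_bimi(dns, domain, selector="default"):
    """Return ('vmc' | 'self-asserted' | None, detail) for the BIMI record."""
    recs = [r for r in lookup_txt(dns, f"{selector}._bimi.{domain}") if r.upper().startswith("V=BIMI1")]
    if not recs:
        return None, "no BIMI record published"
    tags = parse_tags(recs[0])
    logo = urlparse(tags.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        return None, "l= must be an https URL to an SVG logo"
    vmc = urlparse(tags.get("a", ""))  # a= points at the VMC; empty means self-asserted
    if vmc.scheme == "https":
        return "vmc", f"logo {tags['l']} with VMC {tags['a']}"
    return "self-asserted", f"logo {tags['l']} without a VMC"


def bimi_readiness(dns, domain, dkim_selectors=("sel1",)):
    """Run all checks; 'bimi_ready' means SPF, DKIM and an enforcing DMARC are in place."""
    report = {"domain": domain, "details": {}}
    results = {
        "spf": check_spf(dns, domain),
        "dkim": check_dkim(dns, domain, dkim_selectors),
        "dmarc": check_dmarc(dns, domain),
    }
    for name, (ok, detail) in results.items():
        report[name] = ok
        report["details"][name] = detail
    report["bimi_ready"] = all(ok for ok, _ in results.values())
    report["bimi"], report["details"]["bimi"] = check_bimi(dns, domain)
    return report


if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        r = bimi_readiness(SAMPLE_DNS, d)
        print(f"{d}: ready={r['bimi_ready']} bimi={r['bimi']}")
        for k, v in r["details"].items():
            print(f"  {k}: {v}")
```

Run against the constructed data, example.com reports ready with a VMC-backed record, while weak.example is flagged on DMARC p=none even though it has published a self-asserted logo, which is exactly the case a mailbox provider such as Gmail will not display.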

Where do VMCs fit in?

There are two classes of BIMI records. The simplest is ‘self-asserted’ – the logo is published and associated with a domain without independent third-party verification that the domain’s registrant has any right to the logo. Some email providers accept self-asserted BIMI records and will display the corresponding logos; however, some – notably, Gmail – do not and require that the logo be verified as being associated with a specific domain. To address this, mark verifying authorities (MVAs) confirm:

  • the legitimacy of a logo;
  • that the applicant has rights to it; and
  • that it is associated with the domain name in question.

MVAs issue VMCs, which are analogous to the secure sockets layer (SSL)/transport layer security (TLS) certificates typically used to encrypt communication between browsers and websites. The VMC validation process involves rigorous identity and trademark verification to decrease the likelihood of VMCs being used to spoof a brand. Notarised personal identification documents and a live meeting with the MVA are required, and the MVA must verify the trademark registration by consulting the official database of the trademark registry.

The validation process is very similar to that for extended validation certificates – the highest level of SSL/TLS certificates, with the most rigorous identity verification requirements. VMCs, like SSL/TLS certificates, provide the cryptographic means to securely authenticate and identify the MVA by verifying the issuance chain, and to associate the VMC with the specified domain.

Who are the MVAs?

At present there are two MVAs whose VMCs are broadly accepted: DigiCert and Entrust. AuthIndicators does not accredit MVAs. The decision to accept VMCs generated by any MVA is left to the discretion of each mailbox provider. Information for would-be MVAs can be found here.

The requirements for VMCs are set out in the AuthIndicators’ VMC Guidelines. In order to qualify for a VMC, the applicant must own a trademark registration. Registrations are currently accepted in only eight national/regional trademark registries: Australia, Canada, the EUIPO, Germany, Japan, Spain, the United Kingdom and the United States.

Each VMC can only cover a single logo, but it can cover multiple domains and subdomains. If a VMC is required for more than one logo, an equivalent number of VMCs will be required. DigiCert has published a useful guide on determining the appropriate number of VMCs that an organisation may require.

VMCs can cover design marks (graphical designs without words or letters), word marks or combined marks (both word and design elements). Importantly, the VMC Guidelines appear to require an exact match between the logo that is submitted to the MVA for inclusion in the VMC and the registered mark. This includes any colour restrictions applicable to the registered mark. Entrust, however, appears to accept “substantially identical” matches exhibiting minor variations such as “size/aspect ratio, background color, etc” if an additional confirmatory letter is provided. According to Appendix E of the VMC Guidelines, guidelines are being developed for MVAs on the comparison of registered trademarks with mark representations for VMCs.

VMCs are currently only issued for one-year periods. DigiCert’s cost is $1,499 for a single VMC covering one logo for one year. Entrust’s pricing was not publicly available at the time of writing.

MVAs are required to publish pre-certificates to publicly accessible certificate transparency (CT) logs before issuing VMCs, as with SSL/TLS certificates. Pre-certificates contain all a VMC’s information, including a representation of the logo and trademark registration information, and can be inspected by anyone, which helps to detect mis-issued certificates. The open, public nature of CT logs is to be contrasted with the closed database employed by the Trademark Clearinghouse (TMCH), which verifies trademarks for use with various rights protection mechanisms in the DNS. The secrecy of the TMCH database was recently decried by IP scholars.

CT logs for SSL/TLS certificates are already used by domain name watch services to detect infringing domain names and subdomains. It should be considered whether these watching services should be expanded to monitor new VMC pre-certificates as published in the VMC CT logs for infringing logos, possibly using image recognition technology. Given that domains and subdomains are also contained in VMC pre-certificates, they can also form a new data source to monitor for infringing domains and subdomains.

What do CT logs tell us about brand take-up?

Analysing these VMC CT logs provides interesting information as to VMC uptake. As of 24 August 2021, AuthIndicators had approved one public CT log in Appendix F of the current VMC Guidelines, specifically https://gorgon.ct.digicert.com/log (Gorgon). That URL will return a 404 Not Found response when visited in a browser; Gorgon, as with other CT logs, must be queried using the paths and parameters set out in the CT standard.

Gorgon appears to be maintained separately from the logs for SSL/TLS certificates and seems to contain only VMC pre-certificates. There is no easy way to extract and parse all certificates issued to a particular CT log; thus, some coding was necessary. Working together with my friend, software developer Rickert Mulder, I used the Axeman utility together with a custom Python script relying on the CT standard to retrieve and parse all VMC pre-certificates published to Gorgon.

Analysis of the Gorgon data reveals that 329 VMC pre-certificates have been published as of 24 August 2021, suggesting that an equivalent number of VMCs have been issued. However, further analysis reveals there to be duplicates, or near duplicates, due to certificates having expired, been revoked or been issued with small differences (eg, separate pre-certificates were issued for the same organisation and trademark but for different domains or subdomains). Thus, the true number of unique, issued VMCs, as observed in Gorgon at the time of writing, is something less than 329.

With a view to getting a more accurate indication of actual VMCs issued for unique trademarks, I have removed duplicate entries from the Gorgon list based on trademark registration number and registry. This reveals 125 unique trademarks as of 24 August 2021, suggesting that 125 VMCs have been issued to date, excluding re-issued VMCs due to expiry, revocation and other things. It seems that almost all organisations applied for VMCs for a single trademark, and the total number of unique organisations appears to be 122; three organisations applied for VMCs for two different marks each.
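The retrieval, parsing and de-duplication steps just described can be reproduced in a few dozen lines. What follows is an added example, not the author's script or the Axeman utility: it pages through a log the way the CT standard (RFC 6962) requires, using get-sth for the tree size and get-entries in batches while tolerating a server that returns fewer entries than requested, decodes each base64 leaf_input as a MerkleTreeLeaf to separate pre-certificate entries from final certificates, and then de-duplicates by (registry, registration number). The log is an in-memory stand-in rather than Gorgon, and the TBSCertificate bodies are JSON placeholders carrying the fields a real script would extract from the certificate, not DER.

```python
"""Page a CT log, decode MerkleTreeLeaf entries, de-duplicate VMC pre-certificates."""
import base64
import json
import struct
from collections import Counter

X509_ENTRY, PRECERT_ENTRY = 0, 1  # RFC 6962 LogEntryType values


def build_leaf(timestamp_ms, entry_type, body, issuer_key_hash=b"\x00" * 32):
    """Encode an RFC 6962 MerkleTreeLeaf (version v1=0, leaf_type timestamped_entry=0)."""
    leaf = struct.pack("!BBQH", 0, 0, timestamp_ms, entry_type)
    if entry_type == PRECERT_ENTRY:
        leaf += issuer_key_hash                         # PreCert.issuer_key_hash[32]
    leaf += len(body).to_bytes(3, "big") + body         # opaque <1..2^24-1>
    leaf += b"\x00\x00"                                 # empty CtExtensions
    return leaf


def parse_leaf(leaf):
    """Decode leaf_input bytes into (timestamp_ms, entry_type, issuer_key_hash, body)."""
    version, leaf_type, ts, entry_type = struct.unpack_from("!BBQH", leaf, 0)
    if version != 0 or leaf_type != 0:
        raise ValueError("unsupported MerkleTreeLeaf version or leaf type")
    off, ikh = 12, None
    if entry_type == PRECERT_ENTRY:
        ikh, off = leaf[off:off + 32], off + 32
    n = int.from_bytes(leaf[off:off + 3], "big")
    body, off = leaf[off + 3:off + 3 + n], off + 3 + n
    ext_len = int.from_bytes(leaf[off:off + 2], "big")
    if off + 2 + ext_len != len(leaf):
        raise ValueError("trailing bytes after extensions")
    return ts, entry_type, ikh, body


class FakeLog:
    """Stand-in for the CT HTTP API (/ct/v1/get-sth and /ct/v1/get-entries).
    Like a real log it caps the batch size, so clients must loop on 'start'."""
    MAX_BATCH = 2

    def __init__(self, leaves):
        self.leaves = leaves

    def get_sth(self):
        return {"tree_size": len(self.leaves)}

    def get_entries(self, start, end):
        end = min(end, start + self.MAX_BATCH - 1, len(self.leaves) - 1)
        return {"entries": [{"leaf_input": base64.b64encode(l).decode(), "extra_data": ""}
                            for l in self.leaves[start:end + 1]]}


def fetch_all(log, batch=256):
    """Walk the whole log from index 0 to tree_size-1, decoding every leaf."""
    tree_size = log.get_sth()["tree_size"]
    start, leaves = 0, []
    while start < tree_size:
        entries = log.get_entries(start, min(start + batch, tree_size) - 1)["entries"]
        if not entries:
            raise RuntimeError(f"log returned no entries at index {start}")
        leaves.extend(parse_leaf(base64.b64decode(e["leaf_input"])) for e in entries)
        start += len(entries)  # advance by what was actually returned, not by 'batch'
    return leaves


def unique_marks(leaves):
    """Keep the first pre-certificate seen per (registry, registration number),
    collapsing re-issues and per-subdomain duplicates. Final certs are skipped."""
    marks = {}
    for _ts, entry_type, _ikh, body in leaves:
        if entry_type != PRECERT_ENTRY:
            continue
        info = json.loads(body)  # placeholder for fields parsed from the TBSCertificate
        marks.setdefault((info["registry"], info["registration"]), info)
    return marks


def country_split(marks):
    """Count unique organisations per country and express each as a percentage."""
    orgs = {info["org"]: info["country"] for info in marks.values()}
    counts = Counter(orgs.values())
    return {c: (n, round(100 * n / len(orgs), 1)) for c, n in counts.most_common()}


def _precert(ts, org, country, registry, regno, domain):
    body = json.dumps({"org": org, "country": country, "registry": registry,
                       "registration": regno, "domain": domain}).encode()
    return build_leaf(ts, PRECERT_ENTRY, body)


# Constructed sample log: three distinct marks, one duplicate for another subdomain,
# one re-issue, and one final (non-precert) certificate that must be ignored.
SAMPLE_LOG = FakeLog([
    _precert(1_629_000_000_000, "Alpha Corp", "US", "USPTO", "0000001", "alpha.example"),
    _precert(1_629_000_100_000, "Alpha Corp", "US", "USPTO", "0000001", "mail.alpha.example"),
    _precert(1_629_000_200_000, "Beta Ltd", "GB", "UKIPO", "UK00000000002", "beta.example"),
    build_leaf(1_629_000_300_000, X509_ENTRY, b"\x30\x03\x02\x01\x00"),
    _precert(1_629_000_400_000, "Gamma GmbH", "DE", "DPMA", "000000003", "gamma.example"),
    _precert(1_629_000_500_000, "Alpha Corp", "US", "USPTO", "0000001", "alpha.example"),
])

if __name__ == "__main__":
    leaves = fetch_all(SAMPLE_LOG)
    marks = unique_marks(leaves)
    print(f"{len(leaves)} entries, {len(marks)} unique trademarks")
    for country, (n, pct) in country_split(marks).items():
        print(f"  {country}: {n} ({pct}%)")
```

Against a real log, `FakeLog` is replaced by HTTPS GETs to `<log>/ct/v1/get-sth` and `<log>/ct/v1/get-entries?start=N&end=M`, and the JSON placeholder by an X.509 parser reading the subject and extensions of the decoded TBSCertificate; the paging, leaf decoding and de-duplication stay the same.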

In terms of geographic split of the applicant organisations, as observed in Gorgon, the top countries by percentage are:

  • the United States (59%);
  • the United Kingdom (13%);
  • Germany (4%);
  • Australia (4%);
  • the Netherlands (2%);
  • Sweden (2%);
  • Canada (2%);
  • Japan (1.5%);
  • Denmark (1.5%); and
  • the Czech Republic (1.5%).

My de-duplicated list for Gorgon, showing the unique trademarks and unique organisations, including trademark registry information, can be downloaded here. I will update the list from time to time with the latest data, which can continue to be accessed from that link. If AuthIndicators changes the approved CT logs (currently only Gorgon), the list will be updated at that link to include all approved CT logs.

Separately to the entries in Gorgon, and for the sake of thoroughness, I have also analysed the VMC pre-certificates published by each of DigiCert’s and Entrust’s MVA-specific certificate authorities to any public CT log, not just Gorgon, using the crt.sh CT search tool. The total is 364 as of 24 August 2021, with a roughly even split between DigiCert and Entrust.

The discrepancy with the total number of VMC pre-certificates in Gorgon (329), as discussed above, can be explained by the fact that in previous iterations of the VMC Guidelines there were multiple approved CT logs, but currently there is only one (Gorgon), and some VMC pre-certificates were not previously published to Gorgon but were published to others. Given the presence of test certificates and duplicates or near-duplicates, the true number of unique, issued VMCs is something less than 364 at the time of writing.

As with the Gorgon list discussed above, I have removed the duplicates as well as the obvious test certificates based on the trademark registration number and registry. This reveals 129 unique trademarks as at 24 August 2021, suggesting that 129 VMCs have been issued to date, excluding re-issued VMCs due to expiry, revocation and other things. Given that not all VMC pre-certificates have been published to Gorgon, this second list, accounting for all VMC pre-certificates published by DigiCert or Entrust to any CT log (as far as I can tell), gives one a better indication of the total number of VMCs issued to date.

In total, 127 unique organisations were observed. In terms of geographic split of the applicant organisations, the top countries are:

  • the United States (59%);
  • the United Kingdom (13%);
  • Germany (4%);
  • Australia (4%); and
  • Canada (3%).

My de-duplicated list, with obvious test certificates removed, showing the unique trademarks and unique organisations, including trademark registry information, can be downloaded here. Again, I will update the list from time to time with the latest data, which can continue to be accessed from that link.

Interestingly, according to the public CT logs, the first VMC appears to have been granted to JPMorgan Chase by Entrust, with the pre-certificate having been published to the CT logs on 19 August 2019, based on US Trademark Registration 2015389. DigiCert followed with its first VMC issued to CNN, with the pre-certificate published on 4 October 2019, based on US Trademark Registration 5817930.

As of 23 August 2021, the most recent VMC pre-certificate published by DigiCert was for the US maker of the well-known LEATHERMAN brand of multitools, Leatherman Tool Group, based on US Trademark Registration 5783288, published to the CT log on 22 August 2021 along with four others for four different organisations on the same day. For Entrust, the most recent was published on 20 August 2021 (the only one published by Entrust that day) for UK-based automotive advertising platform CarsVansandBikes, based on UK Trademark Registration UK00003647211.

Other familiar brands appearing in the CT logs that have applied for VMCs include Groupon, Instagram, Netflix, Palantir, PayPal, Pinterest, Stripe, Trek Bicycle Corporation and Wix. Others can be observed in my de-duplicated lists linked to above.

Is brand adoption expected to increase?

I am not a CT log expert or data scientist and my intention was simply to obtain a cursory view on VMC uptake. The data presented above is not guaranteed to be accurate or comprehensive. Based on the CT logs, it appears that the pace of VMC issuance is increasing, with both DigiCert and Entrust regularly publishing multiple pre-certificates daily.

BIMI and VMC adoption among brands appears to be low but is predicted to grow significantly given the benefits and Gmail’s recent adoption. BIMI Radar is an interesting platform created by information security firm Red Sift and Entrust to track global BIMI adoption. According to BIMI Radar, at the time of writing:

  • 22% of large global public companies have the required DMARC policy in place to deploy BIMI (BIMI ready);
  • 0.71% have published a self-asserted (unverified) BIMI logo; and
  • 0.17% have implemented BIMI with a verified, trademark protected logo using a VMC.

In the United States:

  • roughly 46% of large publicly traded companies are BIMI ready;
  • 5% have published self-asserted BIMI logos; and
  • 3% have implemented BIMI with a VMC.

Randal Pinto, co-founder and CTO of Red Sift, drew up a custom report for me based on the BIMI uptake of the 100 brands represented in the 2020 Forbes Most Valuable Brands list. The report, based on data obtained on 23 August 2021, can be downloaded here. The report indicates that 40 of the brands have the required DMARC policy in place to deploy BIMI (BIMI ready) whereas only four brands – namely, Bank of America, eBay, JPMorgan Chase and UPS – have implemented VMCs at the organisational level.

AuthIndicators provides a useful tool to check whether any domain is BIMI ready and whether it has already implemented BIMI, including with a VMC. The same tool can be used to generate a BIMI DNS record, which can assist in the BIMI implementation process.

Will the scope of trademark and IP rights for VMCs be expanded?

Clearly the limitation of VMCs to trademark registrations in only eight trademark registries is problematic – likewise, the absence of protection for unregistered marks and marks protected by statute or treaty (eg, geographical indications). The long-established TMCH is an example of how this could be expanded, although admittedly not everyone is satisfied with the TMCH’s operation. The TMCH has long accepted court-validated unregistered marks and marks protected by statute or treaty.

The requirement of an exact match between the mark representation to be covered by the VMC and the registered mark may also present difficulties for brand owners that have altered their marks since registration.

AuthIndicators is apparently in the process of expanding the list of supported trademark registries for VMCs. It is also considering plans to cover unregistered marks and marks protected by statute or treaty, as well as “slightly altered” trademarks. In its note on these issues, AuthIndicators states: "Our ultimate goal is to encourage secure email best practices. To achieve that goal, we’ll continue to expand features and support for BIMI so brands can exert control over how their logos are displayed (even when they aren’t registered trademarks). While companies with trademarks can apply for a VMC now, we also encourage those without registered trademarks to publish “self-asserted” BIMI records. We look forward to new evaluation processes that support a broader array of logo types."

Given the rigorous identity and trademark verification process set out in the VMC Guidelines, the potential for misuse of VMCs and trademarks by unauthorised third parties is limited, although not impossible, especially given that it is left to the discretion of mailbox providers to decide whether to accept VMCs from any MVA. Section 4.9 of the VMC Guidelines provides for a VMC revocation process and requires MVAs to make an abuse reporting mechanism publicly available and to act on abuse reports within specified timelines. DigiCert’s reporting mechanism can be found here and Entrust’s here.

Based on the DigiCert cost of $1,499 per year, the cost of a VMC is fairly high and thus will not be appealing to many brands. Given the clear benefits to brands as well as consumers and the general safety of email, the hope is that the cost will reduce over time as more MVAs begin to offer VMCs, as happened with SSL/TLS certificates.

Jeremy Speres

Partner | Spoor & Fisher
