Email Authentication: A Developer's Guide (resend.com)
209 points by zenorocha on Aug 25, 2023 | hide | past | favorite | 50 comments



To be honest I found this article to be a bit blog spammy. It’s for developers because they used a startup accelerator analogy? I didn’t see anything particularly differentiated from the equivalent SendGrid/Mailgun/etc blogs that come up.

This is probably the best demo for understanding SPF/DKIM/DMARC that I’ve come across (I am not affiliated): https://www.learndmarc.com/

If you really want to understand DMARC check it out.


Totally agree, this blog makes no sense at all.

"If a server isn't on the list, it's like an application being tossed out because it wasn't fully filled or the business idea is illegal."

Seriously, what?!

"DMARC establishes your policy as a sender for what should happen to your messages if they fail DKIM or SPF."

... only if they fail DKIM AND SPF (and alignment). The whole blog doesn't even talk about identifier alignment, which is a big part of DMARC.

Maybe an AI wrote the article and got stuck trying to use a weird analogy about a "competitive accelerator program" for email security? :)
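The alignment point raised in the comment above is the one DMARC detail most write-ups skip, so here is an added example (not code from the article or from Resend) that models DMARC's pass/fail decision per RFC 7489: a message passes when SPF passes with an aligned MAIL FROM domain, or when a DKIM signature verifies with an aligned d= domain; both failing is what triggers the policy. The tiny PUBLIC_SUFFIXES set, the record string and the AuthResults values are constructed for the demo; a real evaluator loads the full Public Suffix List and also handles sp= and pct=.

```python
"""DMARC identifier alignment, modelled on RFC 7489 section 3.1.

A message passes DMARC when EITHER of these holds (not both):
  * SPF result is "pass" AND the SPF-authenticated domain (MAIL FROM) aligns
    with the RFC5322.From header domain under the aspf= mode, OR
  * a DKIM signature verifies AND its d= domain aligns with the From domain
    under the adkim= mode.
Modes: "r" (relaxed, the default) compares organizational domains;
       "s" (strict) requires an exact match.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for the Public Suffix List; a real evaluator loads the
# full list from publicsuffix.org and applies its wildcard/exception rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Organizational domain = longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as organizational


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    a = authenticated_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record into tags, applying the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


@dataclass
class AuthResults:
    from_domain: str              # domain of the RFC5322.From header
    spf_result: str               # "pass", "fail", "softfail", ...
    spf_domain: str               # MAIL FROM domain SPF was checked against
    dkim: List[Tuple[str, str]]   # (result, d= domain) for each DKIM-Signature


def evaluate_dmarc(record: str, auth: AuthResults) -> dict:
    tags = parse_dmarc(record)
    spf_ok = (auth.spf_result == "pass"
              and aligned(auth.spf_domain, auth.from_domain, tags["aspf"]))
    dkim_ok = any(res == "pass" and aligned(d, auth.from_domain, tags["adkim"])
                  for res, d in auth.dkim)
    passed = spf_ok or dkim_ok
    # sp= (subdomain policy) and pct= are deliberately not modelled here.
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else tags["p"]}


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r"
    # SPF and DKIM both pass, but neither identifier belongs to the From
    # domain: a third-party mailer signing with its own domain. DMARC fails.
    print(evaluate_dmarc(rec, AuthResults("example.com", "pass", "bulk-mailer.net",
                                          [("pass", "bulk-mailer.net")])))
```

The third-party case in the `__main__` block is the one that bites in practice: an ESP that signs with its own d= and uses its own bounce domain produces two green "pass" results and still fails DMARC, because nothing is aligned with the header From.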


I heavily agree. The analogy was distracting at best, confusing at worst. Just explaining what each feature does is perfectly grokkable. We all know what email is.


Note that this is about the use case 'authenticating whether the given mail server is authorized to send mail for the given domain', not the use cases 'authenticating whether the given user of this mailbox actually sent this email' or 'authenticating whether the given message is spam or not', which is probably the reason you clicked on this article :).

The former use case is pretty much solved (in that you can safely ignore email from servers/domains that don't follow best practices), the latter (combining the 2, since they're pretty similar, really) is not, even given recent advances in AI (OpenAI cannot tell you if a message is spam, sorry, unless your prompt engineering skills are much better than mine).


> OpenAI cannot tell you if a message is spam, sorry, unless your prompt engineering skills are much better than mine.

Sometimes an e-mail message itself does not even contain enough information to accurately classify it as spam or phish. To a degree, spam is subjective. And classifying a phish may not be trivial at all (e.g. message may include legit marketing links, open redirects and server side logic to serve certain pages only to targets, etc.).


Thank you for that comment, I don't think it's something many people really understood. The same is true for phishing websites. So much depends on the context and incomplete background information. Is a website that asks you to put in your username and password bad? Well, it depends on what the website does with that information in the background. I've seen very suspicious websites asking for user information which were, in the end, just sites set up by marketing departments of the larger company who were unaware of the dangerous precedent they were setting.


Yup, when I order something I get really annoyed that I get an email for every fart that the delivery driver lets out. I'll hear the doorbell, I don't need 500 anticipatory emails. It's not a scam, not a phish, and it's 100% factual and "informative". But still junk.


It isn't spam though (being a part of a real commercial relationship, and having a working unsubscribe link), and marking it as such poisons your spam filter.


To further emphasize the point that a mail server being authorized often isn't worth much, or can be counterproductive even: shocking numbers of SMTP providers don't verify anything beyond the login. As a result, each and every one who manages to get an account can send legitimate looking messages for whatever domain allowing that host, e.g. another tenant. Microsoft and Google do perform sender address checks, as well as TransIP that I know of. Apart from them, though...

For reference: in Postfix this can be configured with smtpd_sender_restrictions.
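The failure mode above (any tenant on a shared submission host can put another tenant's domain in MAIL FROM) is what Postfix's reject_sender_login_mismatch restriction, fed by smtpd_sender_login_maps, closes. The following is an added example (not Postfix source and not from the article) that models the decision that restriction makes. SENDER_LOGIN_MAP and the lookup order (exact address, then @domain) are assumptions for the demo; note that this only guards the envelope MAIL FROM, so a header From check still needs a milter or header_checks.

```python
"""Model of the check Postfix applies under
smtpd_sender_restrictions = reject_sender_login_mismatch, with address
ownership taken from smtpd_sender_login_maps.  Example code, not Postfix.

Three outcomes, mirroring the Postfix documentation:
  * authenticated client, MAIL FROM not owned by that login   -> REJECT
  * unauthenticated client, MAIL FROM that has an owner        -> REJECT
  * otherwise                                                  -> DUNNO
    (continue with the next restriction)
"""
from typing import Dict, Optional, Set

# Constructed sender-login map: MAIL FROM address (or "@domain" catch-all)
# -> set of SASL logins that own it.  Lookup order assumed here:
# exact address first, then "@domain".
SENDER_LOGIN_MAP: Dict[str, Set[str]] = {
    "alice@example.com": {"alice"},
    "@example.com": {"postmaster-example"},   # the rest of example.com
    "@tenant-b.test": {"carol"},              # a second tenant on the same host
}


def owners_of(mail_from: str) -> Optional[Set[str]]:
    """Logins allowed to use this address, or None if nobody owns it."""
    addr = mail_from.lower().strip("<>")
    if addr in SENDER_LOGIN_MAP:
        return SENDER_LOGIN_MAP[addr]
    if "@" in addr:
        return SENDER_LOGIN_MAP.get("@" + addr.split("@", 1)[1])
    return None


def check_sender(mail_from: str, sasl_login: Optional[str]) -> str:
    """Return "REJECT" or "DUNNO" for a MAIL FROM from a (possibly) SASL-authenticated client."""
    owners = owners_of(mail_from)
    if sasl_login is not None:
        # reject_authenticated_sender_login_mismatch: the login must own the address
        if owners is None or sasl_login.lower() not in owners:
            return "REJECT"
        return "DUNNO"
    # reject_unauthenticated_sender_login_mismatch: owned addresses need a login
    if owners:
        return "REJECT"
    return "DUNNO"


if __name__ == "__main__":
    # carol (tenant B) trying to send as tenant A's user: rejected
    print(check_sender("alice@example.com", "carol"))
    # alice sending as herself: allowed
    print(check_sender("alice@example.com", "alice"))
```

The interesting branch is the first REJECT: a valid login is not enough, the login must be listed as an owner of the exact address or its domain. That is the check the comment says most SMTP providers skip.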


I liked the look of this:

>BIMI (Brand Indicators for Message Identification) is this kind of access in the inbox. It sets you apart from all the others by showcasing your brand and legitimacy to your users in the inbox by displaying your logo and, in some cases, a verified checkmark.

Until I looked at the cost of a Verified Mark Certificate (1-year plan):

>$1,499.00 USD [1]

Yikes.

Small money for big players, but small businesses with valid brands not so much.

[1]https://order.digicert.com/step1/vmc_basic


$1500 USD / year for something that collides with the logo functionality of Gravatar if the user isn't hovering over the logo?

We used to emphasize domains and everyone understood them. Then the large tech companies de-emphasized domains to the point where people stopped understanding them. Now big tech is going to sell domain validation back to us at a premium? Wow! What innovation.

I know there's trademark verification too, but I've never met a normal person that could tell you a difference between a Gravatar logo like the one I see in my mail client and a VMC logo like the one I see in the screenshots, so what good is showing a trademarked logo? Also, most small businesses I've seen don't even have trademarks, so they'll be completely excluded from this system.

I wonder if this is going to turn out like code signing certificates where they're super expensive for small developers, so they get excluded, but they're totally attainable for scammers and scumbags, so there's plenty of malware and garbage signed by certificates from fly-by-night companies.

Does BIMI help you pass spam filters like EV code signing certificates help you bypass SmartScreen? I can't be the only one that thinks all these things feel like a scam.

One thing I'm certain of based on what we see with SSL certificates. Government agencies will be racing to light money on fire buying them. Every year I watch my taxes get spent on overpriced DigiCert OV certificates and it enrages me. For all intents and purposes, all certificates are identical to normal users. It doesn't matter if DigiCert is taking my DNA for validation, all my mom sees is the lock icon. Nothing else matters.


> I know there's trademark verification too, but I've never met a normal person that could tell you a difference between a Gravatar logo

Current implementations display a blue checkmark in addition to the logo. It's a bit different from what Gmail or Gravatar previously has done.

> Does BIMI help you pass spam filters like EV code signing certificates help you bypass SmartScreen? I can't be the only one that thinks all these things feel like a scam.

Having a proper SPF/DKIM/DMARC setup most likely has the biggest impact, but BIMI might also be taken into account.


> Current implementations display a blue checkmark in addition to the logo. It's a bit different from what Gmail or Gravatar previously has done.

Where that checkmark ends up is important. In the GMail screenshots I saw, it's with the other header information, which is ok. If anyone puts it on the logo as a badge, that'll be bad because we'll start seeing blue checkmark badges on non-VMC logos used for phishing.

If I were a bad actor, I'd put a BIMI like looking header at the top of my phishing emails. Most people I deal with don't know the difference between the application and display parts of the UI. They don't know that one is a trusted area and that the other isn't. Since the large email providers hide so much of the header, I think a fake "certification" at the top of an email would be pretty successful.

> Having a proper SPF/DKIM/DMARC setup most likely has the biggest impact, but BIMI might also be taken into account.

I bet it will be, even if it's not publicly advocated for. I'm sure that's what DigiCert and Entrust want because it sets them up as rent seeking middle men that you have to deal with. $1500 USD per year is a disgusting amount of money for what they're doing.

It reminds me of getting code signing certificates where the prices are astronomical compared to what the issuers are actually doing. Some of the laughable requirements look similar too [1]:

> You will need publicly available proof that your business exists. For newer startups, we found that Yellow Pages or Google Business Profiles were the easiest ways to obtain this.

Neither of those are authoritative and both are filled with fake information based on my experience. It's just a bunch of theatre so DigiCert and Entrust can pretend they're doing something significant while charging an exorbitant amount of money for something that could be automated after the first year (until trademark expiration).

I've personally had people doing the "verification" (not DigiCert or Entrust) for a code signing certificate ask me to provide links to local business listings to prove I exist. I could have sent them anything and they wouldn't know the difference. Instead I told them there aren't any official listings like that and asked them to cancel my order. Magically they didn't need it.

I want code signing to change and, since this is the same awful scheme, I hope it fails to gain adoption. I plan to push harder to abolish DigiCert as a vendor next time I get a chance. This kind of egregious pricing isn't the type of innovation I'm looking for in tech companies.

1. https://resend.com/docs/dashboard/domains/bimi#2-obtain-a-vm...


I'm pretty annoyed by BIMI.

We only just had Let's Encrypt shut down the EV nonsense from the CA industry, and BIMI, which can currently only be signed by two super expensive providers, is their comeback.

Aside from the fact it's just unnecessary, I'm seeing a range of various "domain security checks" services now test for BIMI, meaning lack of BIMI is something I'm already seeing showing up on low rate "penetration tests".

Note it's not even supported on Office 365, meaning all those business customers you're aiming for won't see it.


Anyone willing to share opinions on BIMI?

I’m wondering if it is worth it for most medium-large organization or if this is specifically worth it if you are doing a lot of commerce and sending e-mails to customers etc.

Furthermore, (stating the obvious) DKIM, SPF and DMARC are also implemented by malicious parties and only authenticate that the server was allowed to send using a particular domain name. BIMI seems to require a VMC (Verified Mark Certificate). Is this verified, and is it effective in preventing unauthorized parties from BIMI-verifying their domains using stolen brand logos etc.?

Also, is Microsoft Outlook (still) not supporting/adopting BIMI?


Happy to.

BIMI is worthless. It's a carrot to get your marketing department on board with setting up DMARC because they are the most likely to push back due to fears of the project affecting their email deliverability. You have to fully deploy DMARC to set up BIMI.

Now, BIMI and the costs to "verify" your mark is pushed by exactly the same people who tried to sell you extended validation SSL that would turn your browser address bar green when you visited a site that had gone through this verification.

Just like with EV SSL, BIMI has no positive impact on user security. They're just as likely to open / not open an email with BIMI as they are to visit a site with or without EV SSL. In some cases, it's actually worse.

The only benefit to BIMI is it gives you another place for the marketing department to stick the logo so they'll stop fighting the DMARC rollout. That's it. Otherwise it's a total waste of money and time.

Wrote about it here: https://www.brightball.com/articles/enterprise-challenges-wi...


Thank you for the info!

DMARC roll-out in itself could also attract the marketing department because it improves deliverability under the hood. I also think implementing SPF, DKIM and DMARC can be done without compromising availability by planning and monitoring well.


BIMI looks to be exactly as broken as EV, in that it assumes that company names and logos are unique - which they are not. It also suffers from the vast majority of legitimate emails not having it.

The only people who benefit from BIMI are the ones selling the quite expensive certificates.


As an end user, this is gimmicky to me, and I wouldn’t want to use an email client that causes the respective emails to appear more prominent by showing their BIMI logo. It would be similarly annoying as emojis in the subject line.


A lot of mail clients do display it though. Plus it does help the average user differentiate between rnicrosoft.com and microsoft.com, I'd guess.


Here’s what we wrote about BIMI. Some selected excerpts:

> To ensure that logos are actually truly representative of the brand involved, and more cynically, to make money and penalize small senders, an optional Verified Mark Certificate can be added to the DNS records, which some mailboxes will validate before showing the logo.

> Unfortunately VMC certificates cost upwards of $1000 USD to purchase. Which puts them out of reach for casual or small senders (of which we are big supporters here at MailPace), and undermines the BIMI effort overall.

https://blog.mailpace.com/blog/what-is-bimi/


I think it's a good initiative, it's obviously there for CAs to make a buck but it's finally a way to arguably curb phishing emails that rely on similar domain names or IDN characters all the while making your brand identity more prominent.

It seems to also have learned from one of Extended Certificate's shortcomings by relying on trademark instead of company name. I actually wish something similar was created to replace EV certificates as it's easier than ever to perform phishing attacks now that everyone and their grandmas has a DV certificate on their site (which is a good thing).


Trademarks still aren't 100% unique, though. For example, Apple Records is easily confused with Apple Music - both have a similar name, and both use an apple as logo. It is better, but not foolproof.


Yes, but Apple Records aren't going to be phishing Apple Music customers.

Phishers won't be applying for trademarks to impersonate Apple.


Maybe not intentionally, but a basically-dormant company like Apple Records could very well provide a really attractive attack vector. Their security is probably going to be orders of magnitudes worse than Apple Music, so why not just hack Apple Records instead?


Why not?


Expensive, you'll leave a paper trail, get shut down rather quickly. There's little to no profit that can be made like that.


Registering a domain and hosting a phishing website usually comes at a small price (around $10), which is just 1% of the VMC (I just learned that).

“Expensive” is very subjective, I think it highly depends on the financial standard of the actor and the expected value.

In the case of Apple: if it is expected to aid in phishing an interesting iCloud user, or scamming 100 users for $10, then I expect that there will be actors that will pay this initial cost to make more later on.

I agree that the classic mass-mail LQ phish actors would probably not go here, but the same holds for smaller organizations. With the current price-tag, end users then still have to trust non-BIMI and BIMI verified e-mails daily.

That seems to leave plenty room for phishing. Also, if VMC prices drop, it will also attract more phish actors.

Though I see your point, I do not think that a financial bar is effectively combatting phishing.

I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).


You don't just need the VMC itself, you have to get a registered trademark, which is also probably up there in the thousands.

> I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).

You can currently steal a credit card, lie to a registrar and start your phishing campaign. Having to have a legal entity for a phish paints a nice target on your back.


I haven’t been through the trademarking process myself, but I would assume that a LOT of them exist.

Would it be possible to register a trademark that looks similar to another company’s and impersonate them? I can’t imagine the process would be 100% effective.

Sure the company would probably notice pretty quickly, but not before you’ve spear phished a couple clients.


While there are multiple competing standards I'm ignoring it. At least with MTA-STS and DANE you didn't have to fork out $1000+ to support both.

There was also this which showed up a month after Google started their rollout of the BIMI checkmark: https://twitter.com/chrisplummer/status/1664075886545575941


MTA-STS and DANE are not fulfilling an even remotely similar purpose.

Plus nobody significant really follows/uses DANE, because of how shit DNSSEC is.


BIMI solves various problems DMARC/DKIM/SPF still leave open. In that sense, I applaud the initiative.

The $1000 certificate makes it unusable for anyone but the most annoying marketeers, though. Any EV certificate would've worked to serve the "business verified by a trusted third party" requirement, but CAs being CAs, they had to invent a new certificate for business reasons.

The process is further complicated by leaving it open to recipient servers whether or not they actually trust you after buying the special certificate. This does make sense for the small number of companies actually using BIMI, but it does hurt the scalability of the solution.


It's helpful to raise the priority on fixing DMARC in an organization.

It is annoyingly expensive, but I'm expecting it to change with additional CAs entering the market. Very "EV" vibes though, but it is literally for that, so.

End users might also appreciate something nicer than autogenerated one-letter icons. Matter of taste.

It also makes phish stand out more than usual, if the user has grown accustomed. We'll see its efficacy long-term though, too early to say.


This is new:

>BIMI (Brand Indicators for Message Identification) is this kind of access in the inbox. It sets you apart from all the others by showcasing your brand and legitimacy to your users in the inbox by displaying your logo and, in some cases, a verified checkmark.

Apparently this can help me promote my brand. Unfortunately I don't have a brand so I fear that this would be used to promote the brands of others at my expense.


Can someone tell me what is it that resend provides over their wrapper (AWS) that makes them this famous?


Does Resend use AWS SES under the hood?


From what I can tell, yes.


I’ve been trying to set up my own domain for my email address since yesterday and this really hit the spot.


One additional (non-security) feature that this guide missed is a reverse PTR record for your server's IP address. You'll have to set this on the side where you get your IP address from rather than in your own DNS, but lacking it will get your email classified as spam even if you implement all the other protocols. Basically, when your mail server says "EHLO mail.chamaris.tld", the other side will try to validate that the IP address you're connecting from actually points to mail.chamaris.tld.

Furthermore, you need to pick a host that takes action when their IP addresses appear on blacklists. Microsoft, particularly, uses UCEPROTECT as a blacklist source, and that particular company will blacklist an entire ASN if they receive too much spam from a particular IP address block (that doesn't get resolved in time).
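The PTR check described in the comment above is usually done as forward-confirmed reverse DNS: the receiver looks up the PTR for the connecting IP, resolves each returned name forward again, and only trusts names that come back to the same address, then compares the EHLO name against them. The following is an added example of that receiver-side logic (not from the article or from any MTA); FAKE_ZONE is a constructed DNS zone so the block runs offline, and the classify() policy and the generic-PTR heuristic are illustrative assumptions, not what Gmail or Outlook actually do.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as an SMTP receiver applies it to a
connecting client.  Example code; DNS is injected so the block runs offline.

Receiver logic:
  1. PTR lookup on the client IP (the in-addr.arpa / ip6.arpa name).
  2. For each PTR name, forward lookup (A/AAAA); keep the names that resolve
     back to the same IP ("forward-confirmed").
  3. Compare the EHLO name against the confirmed names.
  4. Flag PTR names that merely embed the IP (generic / dynamic-looking).
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed zone standing in for real resolution: (owner name, rrtype) -> rdata.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # a properly set up mail host
    ("17.0.0.203.in-addr.arpa.", "PTR"): ["mail.chamaris.tld."],
    ("mail.chamaris.tld.", "A"): ["203.0.0.17"],
    # an ISP-generated PTR that does resolve back, but looks dynamic
    ("5.0.0.203.in-addr.arpa.", "PTR"): ["203-0-0-5.dyn.isp.example."],
    ("203-0-0-5.dyn.isp.example.", "A"): ["203.0.0.5"],
    # a PTR claiming a name that actually resolves elsewhere (not confirmed)
    ("9.0.0.203.in-addr.arpa.", "PTR"): ["mail.chamaris.tld."],
    # 203.0.0.44 deliberately has no PTR at all
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    key = (name.lower().rstrip(".") + ".", rrtype)
    return FAKE_ZONE.get(key, [])


def looks_generic(ptr_name: str, ip: str) -> bool:
    """Heuristic: PTR names such as 203-0-0-5.dyn.isp.example embed the address."""
    if ipaddress.ip_address(ip).version != 4:
        return False  # IPv4-only heuristic in this example
    flat = re.sub(r"[^0-9a-z]", "-", ptr_name.lower())
    return ip.replace(".", "-") in flat


def fcrdns(ip: str, helo: str, resolve: Resolver = fake_resolve) -> dict:
    addr = ipaddress.ip_address(ip)
    rrtype = "A" if addr.version == 4 else "AAAA"
    ptr_names = [n.lower().rstrip(".") for n in resolve(addr.reverse_pointer, "PTR")]
    confirmed = []
    for name in ptr_names:
        forward = {ipaddress.ip_address(a) for a in resolve(name, rrtype)}
        if addr in forward:
            confirmed.append(name)
    return {
        "ptr": ptr_names,
        "fcrdns": bool(confirmed),
        "helo_matches": helo.lower().rstrip(".") in confirmed,
        "generic_ptr": any(looks_generic(n, ip) for n in confirmed),
    }


def classify(ip: str, helo: str, resolve: Resolver = fake_resolve) -> str:
    """Illustrative receiver policy; real MTAs weigh this against IP reputation."""
    r = fcrdns(ip, helo, resolve)
    if not r["ptr"]:
        return "reject: no PTR"
    if not r["fcrdns"]:
        return "reject: PTR does not resolve back to the client IP"
    if not r["helo_matches"]:
        return "suspicious: EHLO name is not a confirmed PTR name"
    if r["generic_ptr"]:
        return "suspicious: generic/dynamic-looking PTR"
    return "ok"


if __name__ == "__main__":
    for ip, helo in [("203.0.0.17", "mail.chamaris.tld"),
                     ("203.0.0.5", "mail.chamaris.tld"),
                     ("203.0.0.9", "mail.chamaris.tld"),
                     ("203.0.0.44", "mail.chamaris.tld")]:
        print(ip, helo, "->", classify(ip, helo))
```

The 203.0.0.9 case is why the forward confirmation step exists: whoever controls the reverse zone for an IP block can publish any PTR they like, so a receiver that stops at the PTR lookup can be told the client is mail.chamaris.tld when it is not.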


Glad you're pointing it out. I still have problems, indeed, having my emails flagged as spam when sent to outlook.com. On gmail.com they go straight to the inbox.

If I understand correctly though, I should have to set a reverse PTR record in the case of setting up my own mail server, right? And I should configure it on the mailserver's side, correct? That's not my case though, I'm just using a custom domain with the MX records pointing to the mail service that I'm using.

I'll just wait a few days cause the domain is new and I guess that's the reason outlook.com flags it.


> Microsoft, particularly, uses UCEPROTECT as a blacklist source, and that particular company will blacklist and entire ASN if they receive too much spam from a particular IP address block (that doesn't get resolved in time)

They absolutely do not use that crap.



Exactly: a non-blacklisted IP with good reputation, correct mailname and valid PTR record is the foundation, ideally augmented with SPF. I've been running an e-mail service without DKIM and DMARC for many years without any delivery issues, only adding those very recently.


Ideally? No. SPF (or DKIM) is pretty much mandatory for delivering mail.


So happy to see this was useful!


I'm trying to understand why all BIMI-mail shouldn't be simply rejected on the SMTP layer ..


Hey Resend team! Love your product!

I was wondering when / if you'll be supporting inbound email parsing / webhooks. It's the one thing that's preventing me from switching over.

Love what you're doing - keep it up!


Inbound email is definitely one of the most frequent feature requests we get.

We already started to investigate it and I hope we can ship something in the next couple months.


Awesome! Will keep my eyes peeled



