Digital brand protection and exploitation in online communications – the value of BIMI, VMC and CMC certification

While still not adopted by many brand owners, in recent years there has been a growth in use of the BIMI certification programme (discussed below) to enable brand owners to use their logos more visibly and systematically as the icons attached to email communications. 

Research shows this can lead to increased engagement, open-rate of email communications, and brand trust and security. This highlights the importance and value of protection of brands in a digital context to enable brand owners to build their reputation and ensure consumers can continue to rely on them as indicators of origin.

Here we discuss the benefits and requirements of BIMI which can allow brand owners to better control and exploit use of their branding assets in digital communications with customers and strategic steps brand owners should take to address this.

What is BIMI?

BIMI (Brand Indicators for Message Identification) is an email specification which enables businesses to display their logos next to authenticated emails in recipients’ inboxes. First conceived in 2019, BIMI gained traction in 2021 following implementation by Google into the Gmail platform, and again in 2022 when Apple announced support for BIMI in Apple Mail. 

How does BIMI work?

BIMI is supported by a large number of the biggest email providers in the world^[1] – including Gmail, Apple Mail and Yahoo Mail. The notable current exception is Microsoft Outlook.

When an inbox receives an email, the server will perform a series of standard authentication checks (SPF, DKIM, DMARC). If the email message is DMARC compliant and the platform supports BIMI, the server will then perform an additional check as to whether a valid BIMI record exists in relation to the sending domain. If a BIMI record is identified and validated, the inbound server will display the associated brand logo in the recipient’s inbox. 

There are a number of prerequisites^[2] to set up a BIMI record, including DMARC compliance and an SVG (Scalable Vector Graphics) version of the logo to be displayed. Another step in setting up a BIMI record is to obtain a Mark Certificate from one of the Mark Verifying Authorities^[3] (discussed in further detail below). Mark Certificates are mandated by platforms such as Gmail and Apple Mail, but others such as Yahoo Mail and Fastmail do not strictly require these in order to implement BIMI.

Mark Certificates

As defined by BIMI Group, “MCs (Mark Certificates) assert a cryptographically verifiable and auditable binding between an identity, a logo, and a domain^[4].” These digitally issued certificates are provided by a range of trusted authorities^[5] that verify the ownership of a logo, and form part of a brand’s BIMI record. 

There are currently two types of mark certificate: VMC (Verified Mark Certificate) and CMC (Common Mark Certificate) as summarised below: 

What are the benefits?

Whilst BIMI is not currently supported by all email platforms, it is available for implementation with some of the largest providers in the world including Apple Mail (estimated to have around a 60% market share^[6]) and Gmail (estimated to have around a 30% market share^[7]), meaning that BIMI authenticated emails will reach a large audience. 

Research by Red Sift and Entrust^[8] shows that BIMI implementation can result in increased email open rates, improvement in brand recall amongst consumers, and higher purchase rates compared to brands that do not display their logos in emails. 

Using BIMI can also increase consumer trust by demonstrating a brand’s commitment to online security and reduce the risk of consumers falling victim to email impersonation attacks and phishing attempts. The visual cue of a brand’s logo next to an email is a quick way to indicate to consumers that the communication is genuine and to allow consumers to quickly distinguish between safe and potentially dangerous emails. 

Gmail’s blue tick (available to those with a VMC) and Yahoo Mail’s purple tick verification symbols go one step further and provide an additional visual cue to those consumers who may not be as familiar with the BIMI system. Other providers such as Apple Mail, for example, confirm to their users that “if the sender or your email service provider hasn't met the [BIMI] requirements, email messages will not display logos in Apple Mail clients^[9].” 

Example: Gmail

As mentioned above, Gmail’s blue tick symbol will only be activated in emails from brands with a VMC in their BIMI record.

It is worth noting that it is also possible for users to set a “profile picture” in Gmail without any verification checks. When sending emails to other Gmail users, this image will then appear in the same location as a BIMI authenticated logo in the recipient’s inbox. Therefore, there is a risk that bad actors could impersonate brands within the Gmail network by using a brand’s logo as a profile picture to appear legitimate. 

In theory, it may also be possible for a malicious third party to demonstrate the necessary 12+ months’ worth of use of a logo to obtain a CMC if there is wider ongoing infringement activity either on- or offline. 

It is therefore important for brands to consider the additional level of authentication offered by a VMC (the only type of certificate that enables the Gmail blue tick visual) - particularly as the stringent checks involved make it much more difficult for bad actors to abuse the VMC process – and, once complete, to actively educate their consumers to only trust emails displaying a brand’s logo that also feature the blue tick in Gmail.  

Trade mark considerations – brand protection and enforcement strategy

In order to obtain a VMC (which offers the highest level of brand authentication), brands must have a trade mark registration for the specific logo that they intend to display alongside their emails. This will often mirror a brand’s favicon (the icon displayed, for example, in a web browser address bar or in a list of website bookmarks) and may also be a simplified version of a brand’s main logo. 

Therefore, it is important for brands to review their trade mark portfolios to ensure that they have the correct protection in place to pass the strict VMC verification checks and, if not, to take the necessary steps to put registered trade protection in place for the logo that they intend to use for BIMI emails. When a brand’s logo is changed, alongside implementing the necessary new trade mark protection, it is important to update the associated BIMI record and Mark Certificate to ensure ongoing authentication for logos used in email communications. 

Having this trade mark protection in place, particularly where a BIMI logo is a simplified version of a brand’s main logo and existing trade mark protection may not be sufficient, will also facilitate enforcement action against third parties who may maliciously use these brand identifiers as part of impersonation schemes or phishing attacks, or on email platforms that support “self-asserted” BIMI records without the need for a Mark Certificate (such as Yahoo Mail and Fastmail). 

It would also be prudent for brands to set up trade mark watching services in respect of their BIMI logos to identify any attempts by bad actors to obtain registered trade mark protection for these. 

SMEs could consider obtaining a CMC as a starting point given that the upfront cost is lower, and progressing to a VMC as part of their wider branding and trade mark protection strategy.

Brand owners also need to remain vigilant in monitoring misuse of their brands in digital communications in this way and to consider expanding their trade mark monitoring activities to identify third parties attempting to register their branding assets to try and obtain control of their brand in the context of digital communications.