The Gist
- Verification builds trust. In an era of increasing email scams, verification through tools like BIMI is crucial for marketers to ensure their campaigns are trusted.
- Google supports BIMI and CMC. Google's support for Common Mark Certificates (CMC) broadens the accessibility of BIMI, helping more senders authenticate their emails.
- Setting up BIMI enhances security. Implementing BIMI requires certain steps but ultimately strengthens brand messaging and protects against phishing attacks.
Verification is the name of the customer-trust-building game these days. With scammers sending more spoofed emails, marketers must give recipients signs that their campaigns are the Real McCoy.
The Real McCoy of email verification is Brand Indicators for Message Identification (BIMI). BIMI is a format standard for an organization’s logo so that email clients recognize incoming email messages as officially sent from the organization.
Google brought its spotlight to the value of BIMI by announcing it would support Common Mark Certificates (CMC), a new type of BIMI certificate being issued by Certificate Authorities (CA). The support means a broader range of senders can utilize BIMI to let their email recipients know that a given email is from a trusted source.
The support also affects any planned email communication strategy that involves personal Gmail accounts – accounts that end in @gmail.com or @googlemail.com. Senders emailing these accounts must send messages whose elements meet the BIMI requirements.
So let’s look at why BIMI is a key security feature for delivering customer experiences through email campaigns and how it would work with Google Gmail accounts.
Google’s Road to BIMI: How BIMI Works
BIMI as a Verification Tool
BIMI works as a text file with a specific format that displays credentialed icons — kind of like a police detective badge shown whenever approaching a citizen regarding police business. Email clients that support BIMI recognize the format and store it on the server that is meant to send the emails.
Authenticating Emails With Logos
When the email is sent, the email client service of the recipient checks for the BIMI text file. The client displays the company logo along with your organization’s messages in the recipient's mailbox. This helps assure email recipients that they are receiving an authentic email, instead of a malicious one containing a copied logo and a different phishing email address.
Google’s introduction of CMC arrives as a follow-up to last year’s introduction of a credentialed icon – a blue checkmark – to the Google Gmail webmail service. The checkmark protects Gmail users, many of whom also use Gmail as an enterprise mail service. Email has become a vector for cybersecurity attacks. Widely used office solutions, such as Gmail, are a popular target.
BIMI Arrives as Email Spoofing Rises
The Growing Threat of Email Scams
Google’s decision comes at a time when cyber thieves increasingly see email as a viable way to trick unsuspecting users into giving up account permission details and to steal the associated data. Email is the most valuable medium for thieves because users often trust the source without examining the email address closely.
Challenges in Identifying Phishing Emails
Moreover, copying a logo has become easier now that advanced graphics and image-creation tools are more widely accessible.
As a result, professionals of all industries have been facing a rising challenge to distinguish real emails from phishing emails. The incidents have been frequent enough to rival the scams sent through social media messaging. According to Statista, web-based software services and webmail are the second most common phishing methods, behind social media, with around 21% of registered phishing attacks.
Email Platforms Fighting Back
The leading email platforms have begun to fight back. Back in February, Google introduced authentication protocols for bulk email senders. Bulk email senders, according to Google, are organizations that send more than 5,000 emails every day. Yahoo introduced similar requirements. The protocols were meant to address outgoing email authentication, spam rates and user ability to easily unsubscribe from email lists.
Benefits of BIMI Compliance
BIMI compliance gives bulk senders and recipients protection from malicious messages, such as spoofing and phishing messages. It reduces the likelihood of an individual or an organization being impersonated. The result is stronger brand messaging because your logo is consistently displayed alongside your emails. This increases brand recognition and recall, an especially valuable benefit within crowded inboxes where catching recipient attention is crucial.
Brand recognition influences any analytics initiative for email campaigns. Compliance reduces the likelihood of emails being rejected or marked as spam within Gmail. This strengthens the likelihood of achieving high open rates and email campaign success, instead of increased unsubscribe rates for email campaigns mistaken as phishing attempts.
How to Set up a BIMI Logo
Preliminary Steps for BIMI Implementation
If you are planning to step up your authentication game, you should complete three preliminary steps before setting up BIMI, according to Google. First, you must have a Verified Mark Certificate (VMC) or CMC for your domain from a third-party certificate authority. A VMC is a certificate issued for logos trademarked with an intellectual property office that VMC issuers recognize. The certificates verify that the logo displayed with an email comes from the sender's organization and is legitimate. Google recommends working with your legal team or a lawyer to get your logo trademarked because the trademark process can take 6 to 12 months to complete.
Setting Up DMARC, SPF and DKIM
Next, you need to set up a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record for your domain. DMARC is an email reporting standard that handles unauthenticated messages based on a policy that you determine. To set up DMARC, you must first set up Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for your domain. DKIM is an email security standard, while SPF is a text file that authenticates the mail servers that are allowed to send email for a given domain. DMARC is meant to work as a secondary verification check behind SPF and DKIM.
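The record checks this step implies, as an added example that is not from the article or from Google: it parses constructed DNS TXT records for SPF, DKIM, DMARC and BIMI and lists what is missing. The domain, selectors, key value and URLs are placeholders; the rule that DMARC must be at p=quarantine or p=reject with pct=100 is Gmail's published BIMI requirement, not something the article states.

```python
SAMPLE_TXT = {  # constructed sample records; all names and URLs are placeholders
    "example.com": "v=spf1 include:_spf.example.net -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(domain, txt, dkim_selector="sel1", bimi_selector="default"):
    """Return a list of problems; an empty list means the records line up."""
    problems = []
    spf = txt.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        problems.append("no SPF record")
    elif spf.rstrip().endswith("+all"):
        problems.append("SPF ends in +all, which authorises every server")
    dkim = parse_tags(txt.get(f"{dkim_selector}._domainkey.{domain}", ""))
    if not dkim.get("p"):
        problems.append("no DKIM public key published")
    dmarc = parse_tags(txt.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        problems.append("no DMARC record")
    else:
        # A monitoring-only policy (p=none) does not qualify for logo display.
        if dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
            problems.append("DMARC policy is not enforced")
        if dmarc.get("pct", "100") != "100":
            problems.append("DMARC pct is below 100")
    bimi = parse_tags(txt.get(f"{bimi_selector}._bimi.{domain}", ""))
    if bimi.get("v") != "BIMI1":
        problems.append("no BIMI record")
    else:
        if not bimi.get("l", "").lower().startswith("https://"):
            problems.append("BIMI l= logo URL missing or not HTTPS")
        if not bimi.get("a", "").lower().startswith("https://"):
            problems.append("BIMI a= certificate URL missing or not HTTPS")
    return problems
```

In production the dictionary would be filled from live DNS lookups of the same four names.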
Verifying BIMI Support and Preparing Your Logo
Finally, you need to verify that the public web server supports BIMI. Most servers have adopted BIMI support, but given that Google mandated compliance this year, it is a good idea to verify that your email server is included. The verification should be a low-effort task.
With the steps completed, you can begin to prepare your BIMI logo. To do so, start with creating your logo in the Scalable Vector Graphics (SVG) file format. SVG is an open-standard image format that can display your logo at different resolutions.
Gmail Requirements for BIMI SVG Files
The Gmail requirements for BIMI SVG files are image specifications in addition to BIMI standard requirements. Image size is specified in pixels, and the logo must have a minimum height and width of 96 pixels. So a BIMI logo image of 104 by 104 pixels would specify width="104" and height="104".
In addition, the logo image should be centered in a square, appearing on a solid color background with a file size of 32 KB or smaller. The SVG file should include the HTML element <desc>, which is an accessibility description.
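A pre-submission check for the Gmail SVG rules listed above, as an added example (not Google's or the article's code): it tests file size, absolute pixel dimensions of at least 96, a square canvas and the presence of <desc>. Centering and the solid background still need a visual review. The function name and sample logos are constructed, and reading 32 KB as 32 * 1024 bytes is an assumption.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
MAX_BYTES = 32 * 1024   # assumption: the article's "32 KB" read as 32 * 1024 bytes
MIN_PIXELS = 96


def check_bimi_svg(data: bytes):
    """Return a list of problems found in SVG bytes; empty means all checks pass."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 32 KB limit")
    if b"<!ENTITY" in data or b"<!DOCTYPE" in data:
        # Added precaution: do not hand DTD or entity declarations to the parser.
        return problems + ["contains a DOCTYPE or ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    dims = {}
    for name in ("width", "height"):
        raw = root.get(name, "")
        if raw.isdecimal():
            dims[name] = int(raw)
            if dims[name] < MIN_PIXELS:
                problems.append(f"{name} is {raw}, below {MIN_PIXELS} pixels")
        else:
            problems.append(f"{name} must be an absolute pixel count, got {raw!r}")
    if len(dims) == 2 and dims["width"] != dims["height"]:
        problems.append("width and height differ, so the canvas is not square")
    if root.find(SVG_NS + "desc") is None:
        problems.append("no <desc> accessibility description")
    return problems


# Constructed sample logos for the demonstration.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            b'width="104" height="104" viewBox="0 0 104 104"><title>Example Co</title>'
            b'<desc>Example Co logo</desc><rect width="104" height="104" fill="#003366"/>'
            b'<circle cx="52" cy="52" r="30" fill="#ffffff"/></svg>')
BAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="100%" height="64"><rect/></svg>'
```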
Submitting Your Logo for Certification
You can then send your logo in for the VMC or CMC. All of this is a general overview: You can learn more details about sending the logo on this Google page.
Email's All About Personalization
As Bailey International marketing manager Brianna Langley Henderson explained in her interview with CMSWire Editor-in-Chief Dom Nicastro, email message strategies are increasingly personalized.
Email has been a long-trusted avenue to connect with customers, so naturally, the protection measures for that avenue must be upgraded to reflect the evolving nature of cybersecurity.