I just heard of BIMI for the first time a few weeks ago. Most of the resources I can find are trying to sell DMARC management services. While these services are useful and valuable, I was trying to figure out some rules of thumb to self-manage my own DNS with regard to DMARC/DKIM/SPF/BIMI compliance.
The first thing to note is that in order to get your logo shown in the inbox, you need to comply with the BIMI standard. That means you need to:
- Create a BIMI record
- Configure domain names
- Configure DKIM & SPF
- Create your DMARC rules
- Monitor your DMARC
- Lock down your DMARC
Set up your BIMI record
I have this step early in the post because it’s the simplest step. You won’t get the snazzy BIMI logo until you complete all of the steps.
Create an SVG version of your logo and upload it somewhere on your CDN or wherever you serve your images. You can probably put it in the same directory as the ubiquitous favicon.ico file.
Add a TXT record to your DNS that points to the newly uploaded SVG file.
Configure your domain names
If you’re putting together your email system from scratch (i.e. you work for a 1-10 person startup and you happen to be the devops guy), see my other post for guidance on how to Setup your email domains and SPF records. This is a hairy process that IT people need to be involved with, because it requires mucking with DNS and planning out how you will send emails in the future. Do it right early!
Configure DKIM & SPF for your domains.
In order to pass DMARC, both your SPF and DKIM need to validate.
The SPF record is where you list the 3rd party services that send on your behalf in your DNS, as described above.
DKIM is a signing key that you share with your email sending service(s). These services add a DKIM signature to the headers of every message they send for you, so that recipient ISPs can verify that emails carrying your domain really come from you.
In order to qualify for BIMI, you need to make sure the SPF and DKIM are “aligned”. For example, if you use Sendgrid, you should have sendgrid in your SPF and sendgrid in the DKIM signature.
Create your DMARC rules
In order for your logo to show up on emails, your DMARC must be set to “quarantine” or “reject”.
Now, monitor the results of your DMARC (SPF+DKIM) configuration
Using a service such as Valimail, you can get reports of which domains and IP addresses are attempting to send mail using your domain names. If you recognize IP addresses or domains that are “failing” but should not be, then you need to check the configuration of those services. In keeping with the Sendgrid example, if you are using them as your provider and you see sendgrid.net in your “Mostly failing IPs” box, then something is wrong with your SPF/DKIM DNS configuration.
Once you have your DMARC policy set to quarantine, and your SPF and DKIM are “aligned”, your BIMI logo might start showing up!
I say “might” because not all email providers support the BIMI standard. Anecdotally, as of 2020, I do believe Hotmail and Yahoo Mail show logos in emails. Gmail has its own brand of JSON-LD syntax to jam logos into the inbox.
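As an added illustration (my own example, not code from the post or from any vendor) of the DNS prerequisites above, the Python below checks constructed DMARC and BIMI TXT records for the conditions BIMI needs (an enforcing p= policy, an https SVG logo URL) and models DMARC’s alignment rule between the From: domain and the DKIM/SPF domain. The example.com names and record values are placeholders; the organizational-domain reduction is deliberately crude.

```python
# Constructed sample records for a placeholder domain (not from any real zone).
# The BIMI record is published at default._bimi.<domain>, DMARC at _dmarc.<domain>.
DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; adkim=r; aspf=r"
BIMI = "v=BIMI1; l=https://example.com/bimi/logo.svg;"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC and BIMI syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_blockers(dmarc_txt, bimi_txt):
    """Return the problems that would stop a BIMI logo from being shown (empty list = pass)."""
    problems = []
    d = parse_tags(dmarc_txt)
    if d.get("v") != "DMARC1":
        problems.append("DMARC record must start with v=DMARC1")
    if d.get("p") not in ("quarantine", "reject"):
        problems.append("DMARC p= must be quarantine or reject")
    if d.get("pct", "100") != "100":
        problems.append("DMARC pct= must be 100 (or omitted) for BIMI")
    if d.get("sp") == "none":
        problems.append("DMARC sp=none leaves subdomains unenforced")
    b = parse_tags(bimi_txt)
    if b.get("v") != "BIMI1":
        problems.append("BIMI record must start with v=BIMI1")
    logo = b.get("l", "")
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        problems.append("BIMI l= must be an https:// URL to an SVG file")
    return problems

def org_domain(domain):
    """Crude organizational domain (last two labels); a public-suffix list is needed for e.g. .co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC alignment between the From: domain and the DKIM d= (or SPF) domain.
    Strict ('s') needs an exact match; relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)

if __name__ == "__main__":
    print(bimi_blockers(DMARC, BIMI) or "BIMI prerequisites pass")
    print(aligned("example.com", "em123.example.com"), aligned("example.com", "sendgrid.net"))
```

Run it against the TXT values you actually publish (copied from a `dig TXT` lookup) to see which prerequisite is still missing before waiting on a mailbox provider to render the logo.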