Skip to content

Problems with BIMI

Noted by .

Everything about Brand Indicators for Message Identification (BIMI) feels so half-baked.

Lukewarm take: BIMI should mandate DMARC with DKIM and just ignore SPF. It could also require supporting TLS 1.3+. After all, one of the stated goals of BIMI was to increase adoption of better email standards like DMARC. This could have entirely prevented recent spoofing issues.

Putting the HTTPS URL of an SVG icon in a new DNS TXT record to associate a whole domain with a logo makes no sense. Several better standards exist for associating a user@domain with an image, allowing different logos for different emails at the same domain. Webfinger and Libravatar come to mind.

Hell, even its special SVG Tiny Portable/Secure standard could be simplified further. usvg can convert nearly any SVG to a tiny subset of the SVG Tiny P/S standard while preserving their appearance.

Of course, none of this is too relevant to the BIMI group. The real purpose of BIMI was always to give certificate authorities a new source of income after their losses from Let’s Encrypt’s (lack of) pricing, the rise of ACME-based automation, and browsers’ deprecation of EV features.