What is BIMI/VMC?
BIMI (Brand Indicators for Message Identification) is a standard that allows companies to display their brand logos in emails they send. By implementing BIMI, recipients can visually confirm that an email was sent from a legitimate company by recognizing its logo, reducing the risks of phishing and spam. To display the brand logo, a Verified Mark Certificate (VMC) issued by a certification authority is required.
Expectations and Effects of
BIMI/VMC
While various cybersecurity measures exist, BIMI/VMC stands out for offering visual security. Users gain confidence when they see a familiar brand logo in the email icon.
For companies, increased email open rates are an effective marketing indicator. Since email addresses are often used to log in to services, allowing users to verify the legitimacy of the brand before opening the email is highly beneficial.
1
Anti-Spoofing and Phishing Protection
Combined with DMARC, it prevents fraudulent email delivery and reduces the risk of phishing attacks.
2
Increased Trust
Recipients can confidently open emails and review their content, knowing the brand is verified visually.
3
Enhanced Brand Awareness
Recipients can immediately recognize trusted brands, improving brand recognition.
How BIMI Works
Major Companies Using BIMI/VMC
Domestic Companies
- Rakuten
- Yahoo
- Sumitomo Mitsui Banking Corporation
Overseas Companies
- Amazon
- NVIDIA
Email Clients Supporting BIMI/VMC
- Gmail
- Yahoo Mail
- Apple Mail
- Fastmail
Why is BIMI/VMC
Necessary?
Issue: The Rise of Spoofing and Phishing Emails
Since 2019, phishing reports have skyrocketed. In 2018, there were about 20,000 reported cases, but by 2023, this number surged to approximately 1.2 million, an increase of about 60 times in six years.
One of the reasons for the sharp increase is the spread of COVID-19. As economic activities and communication shifted online, criminal activities such as spoofing and phishing also became more prevalent in the digital space.
Before COVID-19, groups such as the elderly and elementary and middle school students, who did not actively use the internet, began using it due to the pandemic. However, due to their lack of digital literacy, the number of victims has sharply increased.
Number of phishing reports.
The number of reports to the Anti-Phishing Council has sharply increased.
Phishing-related damage
Fraudulent money transfer damages related to internet banking have surged (approximately 8.7 billion yen in 2023).
What are the conditions for
using BIMI/VMC?
Step 1DMARC Setup
DMARC is an authentication protocol designed to prevent domain spoofing in email sending. Due to the enforcement of Google's email sender guidelines, the DMARC policy, which controls the sending level, is often set to "none" (no action), but to enable BIMI, the DMARC policy needs to be raised to "quarantine" or "reject."
It is important to check DMARC reports and ensure that raising the DMARC policy does not cause issues, such as emails failing to be sent.
Step 2Trademark Registration
The certified brand logo will be displayed in the email thumbnail, and it must be a registered trademark. As long as the trademark is registered in a country or region that belongs to the World Intellectual Property Organization (WIPO), it is acceptable. The classification and designated goods of the trademark do not matter.
Step 3Apply for VMC
To apply for a VMC, you will need to provide application information and various documents.
1)Specify the domain name of the email address to be verified.
2)Prepare the registered trademark information to be displayed in the thumbnail. If the trademark is licensed, you will need to obtain a letter of consent from the registered trademark owner.
3)Prepare the logo file (SVG Tiny 1.2 version). Refer to this Google support page.
4)Prepare documents to prove you are the site operator. Below is a list of key documents:
- Certified copy of the company registry (Certificate of all current matters)
- Invoice from a telephone company
- Balance certificate
- Proof of employment for the contract signatory
- Tax certificates for the last three years
- Personal identification documents of the person in charge
Step 4Review
The review process involves domain, organizational, and trademark verification, similar to the EVSSL validation in SSL/TLS, with the addition of trademark verification.
1)Domain Verification
This verifies that the domain name is being used by its legitimate owner. The verification can be done by either approving an authorization email sent to the domain’s public email address or by adding a specific string issued by the certification authority to the DNS.
2)Organizational Verification
This process confirms the existence of the organization and the authority of those involved in its operation. In addition to objective information, this verification may include phone calls or interviews to assess the organization’s legitimacy.
3)Trademark Verification
This ensures that the brand logo (SVG file) matches the trademark registration. The trademark must be registered in a country or region that is a member of the World Intellectual Property Organization (WIPO). The classification and designated goods of the trademark do not matter, but the brand logo must match the registered trademark. If the logo differs from the registered trademark (e.g., a standard character mark), a trademark application may be required.
Step 5VMC Issuance
The VMC is issued by the certification authority in PEM file format. A PEM (Privacy Enhanced Mail) file is a file format used primarily for storing digital certificates or private keys for encryption and authentication purposes.
Step 6BIMI Setup
The process for setting up BIMI is as follows:
1)Upload the PEM file and the brand logo (in SVG format).
2)Enter the BIMI record.
The PEM file and brand logo (in SVG format) should be uploaded to the designated location.
It is required that the URL be static.
https://www.〇〇.co.jp/bimi/vmc/〇〇.pem
https://www.〇〇.co.jp/bimi/logo/〇〇_logo.svg
Next, configure the BIMI record as follows:
| Field | Value | Description |
|---|---|---|
| Type | TXT | DNS Record Type |
| Host | default._bimi.[Verified Domain] | Please enter the verified domain after "default._bimi.". |
| Value | V=BIMI1; l=[URL of the SVG file]; a=[URL of the PEM file] | This is your BIMI record |
| TTL | 3600 seconds | Set it to 1 hour |
By utilizing BIMI/VMC,
users can confidently interact with emails.
As a result, companies can enhance their brand trustworthiness.
Reasons to choose GMO BRAND SECURITY’s BIMI/VMC
Point 1
Trademark Services
with 20 Years of Experience
GMO BRAND SECURITY has extensive expertise in trademarks. You can confidently rely on us for the crucial trademark verification needed for VMC issuance.
Point 2
The root certificate authority
is GlobalSign, the largest
SSL/TLS provider in Japan
With GlobalSign, part of the GMO Internet Group, acting as the root certificate authority, stable BIMI operations are possible with all email vendors.
Point 3
We also provide additional services
such as brand infringement monitoring
We also offer solutions in case of brand infringement or cybersecurity risks. (Examples: brand infringement monitoring, site takedown, vulnerability assessment).
Point 4
Our experienced staff
designs solutions tailored
to your company's specific challenges
We work with 2,000 companies, primarily large corporations, and specialize in providing solutions tailored to their specific challenges.
