What is BIMI/VMC?

BIMI (Brand Indicators for Message Identification) is a standard that allows companies to display their brand logos in emails they send. By implementing BIMI, recipients can visually confirm that an email was sent from a legitimate company by recognizing its logo, reducing the risks of phishing and spam. To display the brand logo, a Verified Mark Certificate (VMC) issued by a certification authority is required.

Explanation of BIMI/VMC

Expectations and Effects of 
BIMI/VMC

While various cybersecurity measures exist, BIMI/VMC stands out for offering visual security. Users gain confidence when they see a familiar brand logo in the email icon.
For companies, increased email open rates are an effective marketing indicator. Since email addresses are often used to log in to services, allowing users to verify the legitimacy of the brand before opening the email is highly beneficial.

1

Anti-Spoofing and Phishing Protection

Combined with DMARC, it prevents fraudulent email delivery and reduces the risk of phishing attacks.

2

Increased Trust

Recipients can confidently open emails and review their content, knowing the brand is verified visually.

3

Enhanced Brand Awareness

Recipients can immediately recognize trusted brands, improving brand recognition.

How BIMI Works

How BIMI/VMC Works

Major Companies Using BIMI/VMC

Domestic Companies
  • Rakuten
  • Yahoo
  • Sumitomo Mitsui Banking Corporation
Overseas Companies
  • Amazon
  • NVIDIA

Email Clients Supporting BIMI/VMC

  • Gmail
  • Yahoo Mail
  • Apple Mail
  • Fastmail

Why is BIMI/VMC 
Necessary?

Issue: The Rise of Spoofing and Phishing Emails

Since 2019, phishing reports have skyrocketed. In 2018, there were about 20,000 reported cases, but by 2023, this number surged to approximately 1.2 million, an increase of about 60 times in six years.
One of the reasons for the sharp increase is the spread of COVID-19. As economic activities and communication shifted online, criminal activities such as spoofing and phishing also became more prevalent in the digital space.
Before COVID-19, groups such as the elderly and elementary and middle school students, who did not actively use the internet, began using it due to the pandemic. However, due to their lack of digital literacy, the number of victims has sharply increased.

Number of phishing reports.

The number of reports to the Anti-Phishing Council has sharply increased.


Number of phishing reports
Source: Created by our company using the monthly reports provided by the Anti-Phishing Council.

Phishing-related damage

Fraudulent money transfer damages related to internet banking have surged (approximately 8.7 billion yen in 2023).

Phishing-related damage
Source: Created by our company using the comprehensive anti-fraud measures (draft) from the Cabinet Secretariat's Office of Assistant Chief Cabinet Secretary.

What are the conditions for 
using BIMI/VMC?

Step 1DMARC Setup

DMARC is an authentication protocol designed to prevent domain spoofing in email sending. Due to the enforcement of Google's email sender guidelines, the DMARC policy, which controls the sending level, is often set to "none" (no action), but to enable BIMI, the DMARC policy needs to be raised to "quarantine" or "reject."
It is important to check DMARC reports and ensure that raising the DMARC policy does not cause issues, such as emails failing to be sent.

Step 2Trademark Registration

The certified brand logo will be displayed in the email thumbnail, and it must be a registered trademark. As long as the trademark is registered in a country or region that belongs to the World Intellectual Property Organization (WIPO), it is acceptable. The classification and designated goods of the trademark do not matter.

Step 3Apply for VMC

To apply for a VMC, you will need to provide application information and various documents.
1)Specify the domain name of the email address to be verified.
2)Prepare the registered trademark information to be displayed in the thumbnail. If the trademark is licensed, you will need to obtain a letter of consent from the registered trademark owner.
3)Prepare the logo file (SVG Tiny 1.2 version). Refer to this Google support page.
4)Prepare documents to prove you are the site operator. Below is a list of key documents:

  • Certified copy of the company registry (Certificate of all current matters)
  • Invoice from a telephone company
  • Balance certificate
  • Proof of employment for the contract signatory
  • Tax certificates for the last three years
  • Personal identification documents of the person in charge

Step 4Review

The review process involves domain, organizational, and trademark verification, similar to the EVSSL validation in SSL/TLS, with the addition of trademark verification.
1)Domain Verification
This verifies that the domain name is being used by its legitimate owner. The verification can be done by either approving an authorization email sent to the domain’s public email address or by adding a specific string issued by the certification authority to the DNS.
2)Organizational Verification
This process confirms the existence of the organization and the authority of those involved in its operation. In addition to objective information, this verification may include phone calls or interviews to assess the organization’s legitimacy.
3)Trademark Verification
This ensures that the brand logo (SVG file) matches the trademark registration. The trademark must be registered in a country or region that is a member of the World Intellectual Property Organization (WIPO). The classification and designated goods of the trademark do not matter, but the brand logo must match the registered trademark. If the logo differs from the registered trademark (e.g., a standard character mark), a trademark application may be required.

Step 5VMC Issuance

The VMC is issued by the certification authority in PEM file format. A PEM (Privacy Enhanced Mail) file is a file format used primarily for storing digital certificates or private keys for encryption and authentication purposes.

Step 6BIMI Setup

The process for setting up BIMI is as follows:
1)Upload the PEM file and the brand logo (in SVG format).
2)Enter the BIMI record.
The PEM file and brand logo (in SVG format) should be uploaded to the designated location.
It is required that the URL be static.

Example:
https://www.〇〇.co.jp/bimi/vmc/〇〇.pem
https://www.〇〇.co.jp/bimi/logo/〇〇_logo.svg
Next, configure the BIMI record as follows:
FieldValueDescription
TypeTXTDNS Record Type
Hostdefault._bimi.[Verified Domain]Please enter the verified domain after "default._bimi.".
ValueV=BIMI1; l=[URL of the SVG file]; a=[URL of the PEM file]This is your BIMI record
TTL3600 secondsSet it to 1 hour
By using the https://bimigroup.org/bimi-generator/, you can create it accurately.

By utilizing BIMI/VMC,
users can confidently interact with emails.
As a result, companies can enhance their brand trustworthiness.

Contact Us / Request Information

Reasons to choose GMO BRAND SECURITY’s BIMI/VMC

Point 1
Trademark Services
with 20 Years of Experience

GMO BRAND SECURITY has extensive expertise in trademarks. You can confidently rely on us for the crucial trademark verification needed for VMC issuance.

Point 2
The root certificate authority
is GlobalSign, the largest
SSL/TLS provider in Japan

With GlobalSign, part of the GMO Internet Group, acting as the root certificate authority, stable BIMI operations are possible with all email vendors.

Point 3
We also provide additional services
such as brand infringement monitoring

We also offer solutions in case of brand infringement or cybersecurity risks. (Examples: brand infringement monitoring, site takedown, vulnerability assessment).

Point 4
Our experienced staff
designs solutions tailored
to your company's specific challenges

We work with 2,000 companies, primarily large corporations, and specialize in providing solutions tailored to their specific challenges.

Contact Us / Request Information

How to apply

How to apply

Feel free to contact us for more information

Contact Us / Request Information

Page Top