The state of BIMI readiness in 2022: room to run

Each year, phishing becomes more entrenched as the most prevalent form of cyber attack. In the first quarter of 2022, the Anti-Phishing Working Group observed the most phishing attacks in history, as the quarterly volume of attacks exceeded one million for the first time (1,025,968 in total). Despite this, organizations around the world have two secret weapons to help stem the tide: DMARC and BIMI.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an inbound and outbound email security protocol that protects domains against exact domain impersonation, i.e. when a bad actor pretends to be your domain to send phishing emails to your employees, customers, and supply chain.

BIMI (Brand Indicators for Message Identification) builds on DMARC by letting businesses show their registered logos on DMARC authenticated emails. It holds tremendous promise for the industry for several reasons.

Why does BIMI matter?

First and foremost, BIMI is the future of email security because it strengthens the email ecosystem as a whole. To qualify for BIMI, an organization’s sending and apex domains must be DMARC compliant (a DMARC policy of p=reject, or p=quarantine with pct=100). Obtaining a VMC (Verified Mark Certificate) from an approved Certificate Authority (CA) such as Entrust is the best way to maximize the reach of BIMI logo display across email clients. As a result, BIMI with a VMC secures visual trust in email.

It’s because of DMARC’s email authentication requirements that widespread adoption of BIMI improves the health of the entire email ecosystem. If more organizations adopt BIMI, more organizations within the ecosystem become DMARC protected, and the more difficult it becomes for cybercriminals to carry out domain impersonation (spoofing), a precursor to many cyberattacks.

Beyond its importance to email security, BIMI offers a host of other benefits for businesses, including improved brand visibility, increased trust in email legitimacy, and better brand recall. It’s even been shown to have an impact on consumer buying behavior.

Apple now supports BIMI, bringing it to 90% of consumers 

In September, Apple joined Google, Yahoo, La Poste, and Fastmail as major mail providers supporting BIMI. As a result, almost 90% of consumers will be able to gain the visual trust mentioned above by seeing logos rendered natively in iOS 16 and macOS Ventura, for emails from organizations that have implemented DMARC to secure their domains and from mailbox providers that support the VMC according to Apple’s specifications.

How ready are companies for BIMI?

Given the significant promise that DMARC with BIMI holds in stopping phishing attacks, the natural question is, why is the volume of attacks and the damage they inflict increasing?

To answer this question, we conducted a comprehensive study to understand the state of BIMI readiness and implementation across domains, enterprises, and brands. Using proprietary data from BIMI Radar, we found that the adoption of BIMI is poised for growth given the continued adoption of DMARC we’ve seen in recent years. 

It’s now been four years since the BIMI working group was formed and a year since it reached implementation phase. But based on data from over 66 million apex domains, only 2.2% are BIMI ready, i.e. domains that have the DMARC policy in place to support BIMI. 
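As an added example (not from the article and not Red Sift’s or BIMI Radar’s own tooling), the following Python script applies the readiness definition used above, a DMARC policy of p=reject or p=quarantine with pct=100, to DMARC and BIMI TXT records, and then reports whether a BIMI record with a VMC reference (the a= tag) is published. The domain names and records are constructed (the .test TLD is reserved and never resolves); the additional sp=none rejection goes beyond the article and follows the BIMI draft specification; and the script only inspects DNS content, it neither fetches the logo nor validates the certificate.

```python
"""Offline BIMI-readiness check over DMARC and BIMI DNS TXT records (added example).

Readiness follows the article's definition: p=reject, or p=quarantine with pct=100.
The sp=none check is taken from the BIMI draft spec (assumption, not stated on the page).
Sample records are constructed; no real domain's DNS is consulted.
"""
from __future__ import annotations


def parse_tag_value(record: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT record (DMARC and BIMI share this shape)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_bimi_ready(dmarc_txt: str) -> tuple[bool, str]:
    """Return (ready, reason) for one DMARC record."""
    tags = parse_tag_value(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))  # RFC 7489: pct defaults to 100 when absent
    except ValueError:
        return False, "malformed pct tag"
    if policy == "reject":
        reason = "p=reject"
    elif policy == "quarantine":
        if pct != 100:
            return False, f"p=quarantine but pct={pct} (needs 100)"
        reason = "p=quarantine with pct=100"
    else:
        return False, f"p={policy or 'missing'} (needs quarantine or reject)"
    # sp= defaults to p= (RFC 7489); BIMI draft disallows an explicit sp=none (assumption)
    if tags.get("sp", policy).lower() == "none":
        return False, "subdomain policy sp=none is not allowed for BIMI"
    return True, reason


def assess_domain(domain: str, lookup_txt) -> str:
    """Classify a domain; lookup_txt(name) returns the TXT record string or None."""
    dmarc = lookup_txt(f"_dmarc.{domain}")
    if dmarc is None:
        return "not BIMI ready: no DMARC record"
    ready, reason = dmarc_is_bimi_ready(dmarc)
    if not ready:
        return f"not BIMI ready: {reason}"
    bimi = lookup_txt(f"default._bimi.{domain}")  # default selector
    if bimi is None:
        return f"BIMI ready ({reason}), no BIMI record published"
    tags = parse_tag_value(bimi)
    if tags.get("v", "").upper() != "BIMI1" or not tags.get("l"):
        return f"BIMI ready ({reason}), but BIMI record is malformed or lacks a logo (l=)"
    if tags.get("a"):
        return "BIMI record with VMC reference (a=); certificate not validated here"
    return "BIMI record with logo only, no VMC reference (a=)"


# Constructed sample zone (hypothetical domains under the reserved .test TLD).
SAMPLE_TXT = {
    "_dmarc.fullbimi.test": "v=DMARC1; p=reject; rua=mailto:dmarc@fullbimi.test",
    "default._bimi.fullbimi.test": "v=BIMI1; l=https://fullbimi.test/logo.svg; a=https://fullbimi.test/vmc.pem",
    "_dmarc.logoonly.test": "v=DMARC1; p=quarantine; pct=100",
    "default._bimi.logoonly.test": "v=BIMI1; l=https://logoonly.test/logo.svg;",
    "_dmarc.partial.test": "v=DMARC1; p=quarantine; pct=50",
    "_dmarc.monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.test",
    "_dmarc.subnone.test": "v=DMARC1; p=reject; sp=none",
}


def sample_lookup(name: str):
    """Stand-in for a DNS TXT query, served from the constructed zone above."""
    return SAMPLE_TXT.get(name)


def readiness_report(domains, lookup_txt=sample_lookup) -> dict:
    """Check several domains and summarise the share that is BIMI ready."""
    results = {d: assess_domain(d, lookup_txt) for d in domains}
    ready = sum(1 for r in results.values() if not r.startswith("not BIMI ready"))
    results["_summary"] = f"{ready}/{len(domains)} BIMI ready ({100 * ready / len(domains):.1f}%)"
    return results


if __name__ == "__main__":
    sample = ["fullbimi.test", "logoonly.test", "partial.test",
              "monitor.test", "subnone.test", "nodmarc.test"]
    for name, verdict in readiness_report(sample).items():
        print(f"{name:>14}: {verdict}")
```

To run this against real domains, replace sample_lookup with a function that performs an actual DNS TXT query; the classification logic is unchanged. Note that a published a= tag only means a certificate URL is referenced, so a full check would also fetch and validate the VMC.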

Figure 1: BIMI readiness among 66 million apex domains as of September 8, 2022

Zooming in further, however, we see that large public companies have made significantly more progress on BIMI readiness: 

  • Among 2,380 domains owned by the largest publicly traded companies in the largest economies in the world, 30.4% are BIMI-ready.
  • The top 10 countries for BIMI readiness, based on company headquarters location, are the following:

    Country          BIMI readiness (% of publicly traded companies)
    India            64%
    United States    58.7%
    Netherlands      52.5%
    United Kingdom   50%
    France           47.7%
    Australia        45.1%
    Canada           38.1%
    Sweden           35.9%
    Norway           35.4%
    Switzerland      33%

    Figure 2: BIMI readiness among publicly traded companies by country as of September 8, 2022

  • Examining the largest public companies in the U.S., as measured by the Fortune 500, we see an even greater degree of investment in BIMI readiness, as 49.9% of companies have a DMARC policy in place that would allow them to fully implement BIMI. Similarly, 51.2% of companies in the S&P 500 are BIMI-ready.

The last mile is a road less traveled

While it’s logical to conclude that the largest companies will make the more substantial investments in DMARC as part of a comprehensive security strategy, a massive gap still exists between BIMI readiness and full implementation. 

To take full advantage of BIMI logo display in email clients, companies must obtain a Verified Mark Certificate (VMC) from an approved certificate authority such as Entrust. This is the last mile, so to speak, but as the table below illustrates, very few companies have completed the journey.

Market Index          BIMI readiness (% of companies with DMARC policy in place)   BIMI with VMC
U.S. S&P 500          51.2%                                                        2.4%
Fortune 500           49.9%                                                        3.21%
CAC 40                50.0%                                                        0%
DAX 30                40.0%                                                        3.33%
Euronext              37.2%                                                        1.35%
FTSE 100              47%                                                          1.0%
FTSE 250              42.1%                                                        0%
S&P Pan Arab Index    52.6%                                                        0%

Figure 3: Percentage of DMARC readiness vs. full BIMI implementation among publicly traded companies represented by global stock indices

Conclusion: seeing is believing

While the data here shows that most organizations around the world have yet to reach the last mile of BIMI adoption, we’ve reached a pivotal moment that signals the immediate future of email security. 

Apple’s support for BIMI in iOS 16 represents a seismic shift in the importance of ensuring visual trust in email utilizing the VMC digital certificate. The support is important for a number of reasons: 

  • Apple’s support extends the reach of BIMI into a new mailbox provider and email clients
  • Apple’s support is a sign of increasing market confidence in BIMI
  • Apple’s native support in iOS expands adoption beyond just webmail clients and mobile apps (i.e. Yahoo/Google)
  • Apple will bring BIMI to many more consumers with this change
  • Apple is indicating support for email security and DMARC 

We are now seeing more evidence that businesses are following suit, as VMC adoption is now outpacing BIMI alone (figure 4). This shows that they care about the security benefit of BIMI through DMARC above and beyond the benefits to a brand, and a VMC is the only way of ensuring maximized support for BIMI.

Figure 4. Verified Mark Certificates Issued, 2017-2022, Entrust.

Interestingly, we are also seeing that VMC growth is being fueled by smaller organizations, as more than 50% of VMCs are issued to companies with under $50M in revenue and fewer than 250 employees (figure 5).

Figure 5. Number of VMCs issued by company revenue and number of employees, as of August 2022.

Finally, we are seeing adoption spread across both B2C and B2B industries, which shows that BIMI is not driven strictly as a way to reach more consumers. In fact, business services, manufacturing and tech are leading the way among B2B sectors.  

Figure 6. Companies with a valid VMC by industry.

All of these statistics show clear evidence that the carrot of logo display in email offered by the world’s largest email platform providers to domain owners is just now starting to motivate organizations of all sizes to take the leap of faith that BIMI is indeed the future of email security.

We are on an early adopter curve, and the good news is that DMARC adoption has been growing at roughly 50% across apex domains, so as companies look to implement DMARC, VMC adoption will accelerate.

Red Sift’s end-to-end DMARC, BIMI & VMC solution 

Email security is a universal issue and BIMI with VMC is a clear indicator of where email security is headed. Red Sift is the leading market provider of the complete BIMI & DMARC solution, in partnership with Entrust. This makes DMARC and BIMI implementation through Red Sift’s OnDMARC easy, straightforward, and fast.

PUBLISHED BY

Brian Westnedge

29 Sep. 2022
