The Intersection of Authentication: where security and BIMI meet

This week’s blog comes from Matthew Vernhout, VP of Deliverability at Netcore Cloud and Founder of the Canadian Email Summit. With two decades of experience in email marketing and a deep understanding of email authentication and deliverability, Matthew is an industry veteran who helps improve digital marketing programs worldwide.

“Being the last to authenticate leaves your business open to being used as a tool of fraud and phishing”

As an email deliverability and compliance consultant I’ve lost count of how many times I’ve talked with a brand’s marketing team only to have them tell me “we’re too small to be phished”, “we’re not in ecommerce, so we’re not a target”, “that’s a job for our security team”, or “it’s too hard to get authentication configured properly”. In reality, domains of all sizes and verticals are targets for abuse, even domains that are not configured to send email. Being the last to authenticate leaves your business open to being used as a tool of fraud and phishing. It also means you miss out on all the benefits that are tied to authentication.

I get it, email is hard. But it’s never been easy and it won’t ever get easier. Marketing teams need to work more closely with security groups to protect their brands from spoofing or phishing attacks, and with privacy or legal groups to ensure that messages comply with the GDPR, CCPA and any other applicable laws. And they still need to reach consumers with compelling messages that drive the business’ goals. Keep in mind that your business succeeding is a team effort, and each group has a part to play in that success.

“Never forget your brand is a target”

Your staff, customers and infrastructure are also targets. Implementing a strong defence with email authentication goes a long way toward protecting your business, clients and staff. Strong email authentication solutions like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) will all help you. They also enable the use of Brand Indicators for Message Identification (BIMI), which puts your brand logo into the consumer’s email client.

But why authenticate? Beyond protecting your brand, authentication is a tool to help build your domain reputation. Cleaning up old email solutions that have been forgotten and fixing broken or outdated authentication records also leads to better delivery, consumer engagement, and most importantly conversions. An additional benefit is that the implementation project itself reduces the potential for your brand identity to be used for fraudulent purposes that drag your reputation down.

Don’t forget to implement these same authentication checks on your own inbound email solutions, to protect your organization from receiving and accepting fraudulent emails as well. If you’re using a hosted solution like Google Workspace or Office 365, your provider is already running these checks on inbound mail on your behalf.

“Make use of the tools which enable authentication”

Netcore built the GradeMyEmail tool to help any brand easily understand the technical configurations of their email domains. Are your domains properly authenticated? Are your systems properly configured? Are your IPs or domain names blocked? Once you’ve established a baseline you can start planning your road to enforced authentication.

There are several ways to understand the scope of work you need to plan for. Start with publishing your DMARC record with a p=none policy. Look to use a professional set of tools like OnDMARC to help with this part of the process; you’ll thank me later. After you’ve published this record you’ll start to receive reports showing which sources mailbox providers are receiving email from on behalf of your domains, and the current state of that mail’s authentication. From these reports you can start to tease out the legitimate emails from your corporate email domains and IPs, your marketing email domains and IPs, and you might even find other legitimate or forgotten sources along the way. This first step always takes the longest, but it is also the most important, as it sets everything on the right path.

From here you can then make all the required adjustments to your email domains. This involves configuring SPF and DKIM records for each domain and subdomain, without the fear of causing any delivery issues while the policy is still p=none. You’ll need to talk to your IT teams, ESP, ticketing providers, and anyone else that sends mail on your behalf to get them properly configured. After identifying all of the legitimate email sources you can move to the more restrictive setting of p=quarantine and eventually on to p=reject. This is where the magic starts to happen and the option to implement BIMI becomes available.
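The reports described above arrive as DMARC aggregate (RUA) XML. The following is an added example, not code from the original post or from Netcore or Red Sift, showing how to triage one such report: it tallies messages per sending source, then separates sources whose mail already passes DMARC alignment from sources that authenticate for some other domain (typically a vendor that still needs your SPF include or a DKIM key for your domain) and sources with no authentication at all (a forgotten system, or abuse). The report XML embedded below is constructed for illustration; every IP, domain, count and report id in it is made up.

```python
"""Triage a DMARC aggregate (RUA) report into sources that need attention."""
import xml.etree.ElementTree as ET

# Constructed sample report: all IPs, domains, counts and ids are invented.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>mbp.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>esp-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Severity order used when one IP appears in several records.
_RANK = {"aligned": 0, "unaligned": 1, "unauthenticated": 2}


def parse_report(xml_text):
    """Flatten each <record> of an aggregate report into a dict."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")

        def passing(tag):
            # Domains for which the raw SPF/DKIM check passed (aligned or not).
            return {e.findtext("domain") for e in auth.findall(tag)
                    if e.findtext("result") == "pass"}

        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated carries the *aligned* verdicts, i.e. the DMARC result.
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "dkim_pass_domains": passing("dkim"),
            "spf_pass_domains": passing("spf"),
        })
    return records


def classify(record):
    """aligned: DMARC pass; unaligned: authenticates for another domain; else none."""
    if record["dkim_aligned"] or record["spf_aligned"]:
        return "aligned"
    if record["dkim_pass_domains"] or record["spf_pass_domains"]:
        return "unaligned"
    return "unauthenticated"


def summarize(xml_text):
    """Per source IP: message count, worst category seen, and the domains it authenticates as."""
    summary = {}
    for record in parse_report(xml_text):
        entry = summary.setdefault(record["source_ip"], {
            "count": 0, "category": "aligned", "auth_domains": set(), "header_from": set()})
        entry["count"] += record["count"]
        category = classify(record)
        if _RANK[category] > _RANK[entry["category"]]:
            entry["category"] = category
        entry["auth_domains"] |= record["dkim_pass_domains"] | record["spf_pass_domains"]
        entry["header_from"].add(record["header_from"])
    return summary


def pass_rate(summary):
    """Fraction of reported messages that would survive an enforcement policy as-is."""
    total = sum(e["count"] for e in summary.values())
    aligned = sum(e["count"] for e in summary.values() if e["category"] == "aligned")
    return aligned / total if total else 0.0


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_REPORT).items():
        print(ip, entry["count"], entry["category"], sorted(entry["auth_domains"]))
    print(f"DMARC pass rate: {pass_rate(summarize(SAMPLE_REPORT)):.1%}")
```

In the constructed report, the "unaligned" source is the one to take to your ESP or ticketing vendor: it already signs and passes SPF, just for its own domain rather than yours, so adding it to your SPF record or having it DKIM-sign with your domain moves it into the aligned column. The "unauthenticated" source is the kind of entry the post calls a forgotten system or a spoofing attempt, and it is what a move to p=quarantine would start affecting; the pass rate tells you how close you are to enforcement.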

“Implementing BIMI is a major branding win for the marketing team”

BIMI requires that a domain be using DMARC with an enforcement policy, in order to have a minimum level of confidence in the sender’s messaging. Some mailbox providers (MBPs) will have different levels of support for BIMI, with additional conditions such as having a good reputation or sending a specific type of email message (e.g. marketing and transactional vs personal email). Google requires a Verified Mark Certificate (VMC) for use of BIMI in Gmail. BIMI also requires that a brand hold the specific logomark that is to be displayed in the email client. Implementing BIMI is a major branding win for the marketing team, as your logo will now appear next to the from name in the user’s inbox, and in the list view on mobile devices.
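To make the enforcement requirement concrete, here is an added example (not code from the original post, Netcore or Red Sift) that parses a domain’s DMARC TXT record, reports which stage of the p=none, p=quarantine, p=reject progression it is at, and checks whether the domain meets the DMARC conditions BIMI expects, as I understand them from the BIMI draft specification: a policy of quarantine or reject, pct not below 100, a subdomain policy (sp) that is not none if one is set, and a BIMI record at default._bimi.<domain> with an https logo URL (l=) and, for Gmail as the post notes, a VMC (a=). The record strings in the usage section are constructed; no DNS lookups are made, so you would feed it the TXT values you fetched yourself.

```python
"""Check where a domain sits on the DMARC enforcement road and whether BIMI is reachable."""

ENFORCING = ("quarantine", "reject")


def parse_tag_value(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and BIMI TXT records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_stage(dmarc_record):
    """Return 'missing', 'none', 'quarantine' or 'reject' for a DMARC TXT record."""
    tags = parse_tag_value(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"  # e.g. an SPF record pasted where DMARC should be
    return tags.get("p", "none").lower()


def bimi_readiness(dmarc_record, bimi_record=None):
    """List everything still blocking BIMI for this domain (empty list means ready)."""
    issues = []
    tags = parse_tag_value(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("no valid DMARC record (v=DMARC1 missing)")

    policy = tags.get("p", "none").lower()
    if policy not in ENFORCING:
        issues.append(f"p={policy}: DMARC must be at quarantine or reject")

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
        issues.append("pct is not a number")
    if pct < 100:
        issues.append(f"pct={pct}: BIMI expects the policy to apply to 100% of mail")

    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy.lower() not in ENFORCING:
        issues.append(f"sp={sub_policy}: subdomain policy must also be quarantine or reject")

    if bimi_record is None:
        issues.append("no BIMI record published at default._bimi.<domain>")
    else:
        bimi = parse_tag_value(bimi_record)
        if bimi.get("v", "").upper() != "BIMI1":
            issues.append("BIMI record must start with v=BIMI1")
        if not bimi.get("l", "").lower().startswith("https://"):
            issues.append("l= must be an https URL pointing at the SVG logo")
        if not bimi.get("a"):
            issues.append("no a= Verified Mark Certificate; Gmail requires a VMC")

    return {"stage": policy, "ready": not issues, "issues": issues}


if __name__ == "__main__":
    # Constructed records for a hypothetical example.com; not real DNS data.
    early = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    final = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    bimi = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
    print(dmarc_stage(early), bimi_readiness(early))
    print(dmarc_stage(final), bimi_readiness(final, bimi))
```

Run it against each stage of the rollout and the issues list shrinks as the post’s steps are completed: the p=none starting point fails on policy and missing BIMI record, a p=quarantine with pct below 100 fails on coverage, and only the enforced record with a complete BIMI record comes back ready.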

“Email takes a village, and your partners are looking to help protect your brand”

Remember that email is hard; it takes a village to get it right, and your internal and external partners are looking to help you protect your brand and consumers. Taking the time to properly configure your email with all the right authentication records now comes with the added benefit of your logo in the consumer’s inbox. This builds a true win-win scenario for organizations, your customers, and the mailbox providers looking to stop the influx of spam and fraud being sent to their networks.

About Matthew Vernhout:

Matthew Vernhout (@emailkarma) is Netcore’s Vice President of Deliverability, North America. He is a digital marketing and privacy advocate, and also acts as chairperson of the Email Experience Council (eec), director at large with the Coalition Against Unsolicited Commercial Email (CAUCE), Marketing Chair with the AuthIndicators Working Group, founder of the Canadian Email Summit, and co-founder of Privacy Summit North. He is a trusted industry expert, recognized as the 2019 EEC thought-leader of the year, and is a Certified International Privacy Professional (Canada) (CIPP/C). Matthew speaks frequently at email marketing and technology conferences around the globe, and maintains his celebrated blog,


Red Sift

8 Jul. 2021
