The state of BIMI readiness in 2022: room to run

Each year, phishing becomes more entrenched as the most prevalent form of cyber attack. In the first quarter of 2022, the Anti-Phishing Working Group observed the most phishing attacks in history, as the quarterly volume of attacks exceeded one million for the first time (1,025,968 in total). Despite this, organizations around the world have two secret weapons to help stem the tide: DMARC and BIMI.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that lets a domain owner publish, in DNS, what receiving mail servers should do with messages that fail SPF and DKIM alignment, and receive reports about that mail. In practice it protects domains against exact-domain impersonation, i.e. a bad actor pretending to be your domain in order to send phishing emails to your employees, customers, and supply chain.

BIMI (Brand Indicators for Message Identification) builds on DMARC by letting businesses display their registered logos next to DMARC-authenticated emails. It holds tremendous promise for the industry for several reasons.

Why does BIMI matter?

First and foremost, BIMI is the future of email security because it strengthens the email ecosystem as a whole. To qualify for BIMI, an organization’s apex (organizational) domain, and therefore the subdomains it sends from, must be at DMARC enforcement: a policy of p=quarantine applied to 100% of mail (pct=100), or p=reject. Obtaining a VMC (Verified Mark Certificate) from an approved Certificate Authority (CA) such as Entrust is the best way to maximize the reach of BIMI logo display, because some major mail clients only show a logo that is backed by a VMC. As a result, BIMI with VMC secures visual trust in email.

It is precisely these DMARC requirements that make widespread BIMI adoption good for the health of the entire email ecosystem. Every organization that adopts BIMI has to bring its domain to DMARC enforcement, so the more organizations adopt BIMI, the more of the ecosystem is DMARC-protected, and the harder it becomes for cybercriminals to carry out exact-domain impersonation (spoofing), a precursor to many cyberattacks.

Beyond its importance to email security, BIMI offers a host of other benefits for businesses, including improved brand visibility, increased trust in email legitimacy, and better brand recall. It’s even been shown to have an impact on consumer buying behavior.

Apple now supports BIMI, bringing it to 90% of consumers

In September 2022, Apple joined Google, Yahoo, La Poste, and Fastmail as major mailbox providers supporting BIMI. Apple Mail in iOS 16 and macOS Ventura displays logos natively for organizations that have implemented DMARC on their domains and, as Apple’s specification requires, back their BIMI record with a VMC. As a result, almost 90% of consumers will be able to see the visual trust mark described above.

How ready are companies for BIMI?

Given the significant promise that DMARC with BIMI holds in stopping phishing attacks, the natural question is: why are the volume of attacks and the damage they inflict still increasing?

To answer this question, we conducted a comprehensive study to understand the state of BIMI readiness and implementation across domains, enterprises, and brands. Using proprietary data from BIMI Radar, we found that the adoption of BIMI is poised for growth, given the continued adoption of DMARC we have seen in recent years.

It has now been four years since the BIMI working group was formed and a year since BIMI reached the implementation phase. Yet based on data from over 66 million apex domains, only 2.2% are BIMI-ready, i.e. have a DMARC policy in place that would support BIMI.

Figure 1: BIMI readiness among 66 million apex domains as of September 8, 2022

Zooming in further, however, we see that large public companies have made significantly more progress on BIMI readiness: 

  • Among 2,380 domains owned by the largest publicly traded companies in the largest economies in the world, 30.4% are BIMI-ready.
  • The top 10 countries for BIMI readiness, based on company headquarters location, are the following:

    Country           BIMI readiness (% of publicly traded companies)
    India             64%
    United States     58.7%
    Netherlands       52.5%
    United Kingdom    50%
    France            47.7%
    Australia         45.1%
    Canada            38.1%
    Sweden            35.9%
    Norway            35.4%
    Switzerland       33%

Figure 2: BIMI readiness among publicly traded companies by country as of September 8, 2022
  • Examining the largest public companies in the U.S., as measured by the Fortune 500, we see an even greater degree of investment in BIMI readiness: 49.9% of companies have the DMARC policy in place that is needed to fully implement BIMI. Similarly, 51.2% of companies in the S&P 500 are BIMI-ready.

The last mile is a road less traveled

While it is logical that the largest companies would make the most substantial investments in DMARC as part of a comprehensive security strategy, a massive gap still exists between BIMI readiness and full implementation.

To take full advantage of BIMI logo display in email clients, companies must publish a BIMI record and obtain a Verified Mark Certificate (VMC) from an approved certificate authority such as Entrust. This is the last mile, so to speak, but as the table below illustrates, very few companies have completed the journey.
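The two thresholds this article measures, "BIMI-ready" (the DMARC requirement described under "Why does BIMI matter?") and full implementation with a VMC (the last mile above), are both decided by two DNS TXT records. The following is an added example, not code from the original article or from Red Sift, that classifies a domain into those buckets from its records. The record strings are constructed samples; the helper names (parse_tags, dmarc_supports_bimi, bimi_status) are this example's own. In practice you would look up _dmarc.<domain> and default._bimi.<domain> via DNS instead of passing strings in.

```python
# Added example (not from the original article): classify a domain's BIMI status
# from its DMARC and BIMI TXT records, offline. Sample records are constructed.
from typing import Optional, Tuple


def parse_tags(record: str) -> dict:
    """Parse a DNS 'tag=value; tag=value' record (DMARC and BIMI share this syntax).
    Tag names are normalised to lower case; values are kept as published."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # empty trailing segment after a final ';', or junk
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def dmarc_supports_bimi(dmarc_txt: str) -> Tuple[bool, str]:
    """Check the organizational domain's DMARC record against BIMI's requirements:
    p=quarantine or p=reject, pct=100 (the default) if present, and a subdomain
    policy (sp) that is not weaker than that. Returns (ok, reason)."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return False, "not a DMARC record"
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        return False, f"p={p or 'missing'}: BIMI needs quarantine or reject"
    if tags.get("pct", "100") != "100":
        return False, f"pct={tags['pct']}: BIMI needs the policy applied to 100% of mail"
    sp = tags.get("sp", p).lower()  # sp defaults to p when absent
    if sp not in ("quarantine", "reject"):
        return False, f"sp={sp}: subdomain policy must also be quarantine or reject"
    return True, f"DMARC enforcing (p={p}, sp={sp})"


def bimi_status(dmarc_txt: str, bimi_txt: Optional[str] = None) -> Tuple[str, str]:
    """Return (status, reason) in the article's terms:
    'not BIMI-ready'   - DMARC policy does not meet BIMI's requirements
    'BIMI-ready'       - DMARC is enforcing but no usable BIMI record is published
    'BIMI declined'    - record with empty l= and a= tags opts the domain out
    'BIMI without VMC' - logo published, no Verified Mark Certificate (a= tag)
    'BIMI with VMC'    - logo and VMC both published (the 'last mile')"""
    ok, reason = dmarc_supports_bimi(dmarc_txt)
    if not ok:
        return "not BIMI-ready", reason
    if bimi_txt is None:
        return "BIMI-ready", reason + "; no BIMI record published"
    tags = parse_tags(bimi_txt)
    if tags.get("v") != "BIMI1":
        return "BIMI-ready", "BIMI record present but malformed (missing v=BIMI1)"
    logo, evidence = tags.get("l", ""), tags.get("a", "")
    if not logo and not evidence:
        return "BIMI declined", "empty l= and a= tags: domain opts out of BIMI"
    if not logo.startswith("https://"):
        return "BIMI-ready", "l= must be an https URL to the SVG Tiny PS logo"
    if not evidence:
        return "BIMI without VMC", "logo published; no a= (authority evidence) tag"
    if not evidence.startswith("https://"):
        return "BIMI-ready", "a= must be an https URL to the PEM certificate chain"
    return "BIMI with VMC", "logo and VMC published"


# Constructed sample records for illustration; example.com is a placeholder domain.
SAMPLES = {
    "monitor-only":   ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", None),
    "partial-reject": ("v=DMARC1; p=reject; pct=50", None),
    "weak-subdomain": ("v=DMARC1; p=reject; sp=none", None),
    "ready":          ("v=DMARC1; p=quarantine; pct=100; sp=reject", None),
    "logo-only":      ("v=DMARC1; p=reject",
                       "v=BIMI1; l=https://example.com/brand/logo.svg;"),
    "logo-and-vmc":   ("v=DMARC1; p=reject",
                       "v=BIMI1; l=https://example.com/brand/logo.svg; "
                       "a=https://example.com/brand/vmc.pem"),
}

if __name__ == "__main__":
    for name, (dmarc, bimi) in SAMPLES.items():
        status, why = bimi_status(dmarc, bimi)
        print(f"{name:15} {status:18} {why}")
```

Two caveats worth keeping in mind when using a check like this: a p=none record with a pct=100 tag, or a p=reject record with pct=50, are the cases most often mistaken for "enforcing" by eye, which is why the pct and sp tags are tested explicitly; and whether a mailbox provider displays a logo that has no a= tag is that provider's policy, not something the record itself encodes, so "BIMI without VMC" should be read as "reach not maximized" rather than "broken".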

Market Index          BIMI-ready (% with DMARC policy in place)   BIMI with VMC
U.S. S&P 500          51.2%                                       2.4%
Fortune 500           49.9%                                       3.21%
CAC 40                50.0%                                       0%
DAX 30                40.0%                                       3.33%
Euronext              37.2%                                       1.35%
FTSE 100              47%                                         1.0%
FTSE 250              42.1%                                       0%
S&P Pan Arab Index    52.6%                                       0%

Figure 3: Percentage of DMARC readiness vs. full BIMI implementation among publicly traded companies represented by global stock indices

Conclusion: seeing is believing

While the data here shows that most organizations around the world have yet to reach the last mile of BIMI adoption, we’ve reached a pivotal moment that signals the immediate future of email security. 

Apple’s support for BIMI in iOS 16 represents a seismic shift in the importance of visual trust in email backed by a VMC. The support is important for a number of reasons:

  • Apple’s support extends the reach of BIMI into a new mailbox provider and email clients
  • Apple’s support is a sign of increasing market confidence in BIMI
  • Apple’s native support in iOS expands adoption beyond webmail clients and provider-specific mobile apps (e.g. Yahoo and Gmail) to a built-in mail client
  • Apple will bring BIMI to many more consumers with this change
  • Apple is indicating support for email security and DMARC 

We are now seeing more evidence that businesses are following suit, as VMC adoption is now outpacing BIMI alone (figure 4). This shows that they care about the security benefit of BIMI through DMARC above and beyond the benefits to a brand, and that a VMC is the only way of ensuring maximum support for BIMI across mail clients.

Figure 4. Verified Mark Certificates Issued, 2017-2022, Entrust.

Interestingly, we are also seeing that VMC growth is being fueled by smaller organizations: more than 50% of VMCs are issued to companies with under $50M in revenue and fewer than 250 employees (figure 5).

Figure 5. Number of VMCs issued by company revenue and number of employees, as of August 2022.

Finally, we are seeing adoption spread across both B2C and B2B industries, which shows that BIMI adoption is not driven solely by the desire to reach more consumers. In fact, business services, manufacturing and tech are leading the way among B2B sectors.

Figure 6. Companies with a valid VMC by industry.

All of these statistics are clear evidence that the carrot of logo display, offered to domain owners by the world’s largest mailbox providers, is just now starting to motivate organizations of all sizes to take the leap and treat BIMI as the future of email security.

We are early on the adoption curve, and the good news is that DMARC adoption on apex domains has been growing at roughly 50%, so as more companies implement DMARC, VMC adoption will accelerate.

Red Sift’s end-to-end DMARC, BIMI & VMC solution

Email security is a universal issue, and BIMI with VMC is a clear indicator of where email security is headed. Red Sift is the leading market provider of a complete BIMI & DMARC solution, in partnership with Entrust, which makes DMARC and BIMI implementation through Red Sift’s OnDMARC easy, straightforward, and fast.

PUBLISHED BY

Brian Westnedge

29 Sep. 2022
