The state of BIMI readiness in 2022: room to run

Each year, phishing becomes more entrenched as the most prevalent form of cyber attack. In the first quarter of 2022, the Anti-Phishing Working Group observed the most phishing attacks in history, as the quarterly volume of attacks exceeded one million for the first time (1,025,968 in total). Despite this, organizations around the world have two secret weapons to help stem the tide: DMARC and BIMI.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an inbound and outbound email security protocol that protects domains against exact domain impersonation, i.e. when a bad actor pretends to be your domain to send phishing emails to your employees, customers, and supply chain.

BIMI (Brand Indicators for Message Identification) builds on DMARC by letting businesses show their registered logos on DMARC authenticated emails. It holds tremendous promise for the industry for several reasons.

Why does BIMI matter?

First and foremost, BIMI is the future of email security as it strengthens our email ecosystem as a whole. To qualify for BIMI, an organization’s sending and apex domains must be DMARC compliant (a policy of quarantine 100 or reject). Obtaining a VMC (Verified Mark Certificate) from an approved Certificate Authority (CA) such as Entrust is the best way to maximize the reach of BIMI for logo display in email clients. As a result, BIMI with VMC secures visual trust in email.

It’s because of the email authentication requirements of DMARC that the widespread adoption of BIMI helps to improve the health of the entire email ecosystem. If more organizations adopt BIMI, it means more organizations within the ecosystem become DMARC protected, and the more difficult it is for cybercriminals to carry out domain impersonation (spoofing), a precursor to many cyberattacks.

Beyond its importance to email security, BIMI offers a host of other benefits for businesses, including improved brand visibility, increased trust in email legitimacy, and better brand recall. It’s even been shown to have an impact on consumer buying behavior.

Apple now supports BIMI, bringing it to 90% of consumers 

In September, Apple joined Google, Yahoo, La Poste, and Fastmail as major mail providers supporting BIMI. As a result, it will be possible for almost 90% of consumers to gain the visual trust mentioned above by viewing logos in emails natively in iOS 16 and macOS Ventura from organizations that have implemented DMARC to secure their domains and mailbox providers that support the VMC via Apple’s specifications.

How ready are companies for BIMI?

Given the significant promise that DMARC with BIMI holds in stopping phishing attacks, the natural question is, why is the volume of attacks and the damage they inflict increasing?

To answer this question, we conducted a comprehensive study to understand the state of BIMI readiness and implementation across domains, enterprises, and brands. Using proprietary data from BIMI Radar, we found that the adoption of BIMI is poised for growth given the continued adoption of DMARC we’ve seen in recent years. 

It’s now been four years since the BIMI working group was formed and a year since it reached implementation phase. But based on data from over 66 million apex domains, only 2.2% are BIMI ready, i.e. domains that have the DMARC policy in place to support BIMI. 

Figure 1: BIMI readiness among 66 million apex domains as of September 8, 2022

Zooming in further, however, we see that large public companies have made significantly more progress on BIMI readiness: 

  • Among 2,380 domains owned by the largest publicly traded companies in the largest economies in the world, 30.4% are BIMI-ready.
  • The top 10 countries for BIMI readiness based on company headquarters location are the following:
BIMI Readiness (% of publicly traded companies)
United States
United Kingdom
Figure 2: BIMI readiness among publicly traded companies by country as of September 8, 2022
  • Examining the largest public companies in the U.S., as measured by the Fortune 500, we see an even greater degree of investment in BIMI readiness, as 49.9% of companies have a DMARC policy in place in order to fully implement BIMI. Similarly, 51.2% of companies in the S&P 500 are BIMI-ready.

The last mile is a road less traveled

While it’s logical to conclude that the largest companies will make the more substantial investments in DMARC as part of a comprehensive security strategy, a massive gap still exists between BIMI readiness and full implementation. 

To completely take advantage of the benefits of BIMI logo display in email clients, companies must obtain a Verified Mark Certificate (VMC) from an approved certificate authority such as Entrust. This is the last mile, so to speak, but as the table below illustrates, very few companies have yet to complete the journey.

Market Index
BIMI Readiness (% of companies with DMARC policy in place)
U.S. S&P 500
Fortune 500
CAC 40
DAX 30
FTSE 100
FTSE 250
S&P Pan Arab Index

Figure 3: Percentage of DMARC readiness vs. full BIMI implementation among publicly traded companies represented by global stock indices

Conclusion: seeing is believing

While the data here shows that most organizations around the world have yet to reach the last mile of BIMI adoption, we’ve reached a pivotal moment that signals the immediate future of email security. 

Apple’s support for BIMI in iOS 16 represents a seismic shift in the importance of ensuring visual trust in email utilizing the VMC digital certificate. The support is important for a number of reasons: 

  • Apple’s support extends the reach of BIMI into a new mailbox provider and email clients
  • Apple’s support is a sign of increasing market confidence in BIMI
  • Apple’s native support in iOS expands adoption beyond just webmail clients and mobile apps (i.e. Yahoo/Google)
  • Apple will bring BIMI to many more consumers with this change
  • Apple is indicating support for email security and DMARC 

We are now seeing more evidence that businesses are following suit as VMC adoption is now outpacing BIMI alone (figure 4). This shows that they care about the security benefit of BIMI through DMARC above and beyond the benefits to a brand, and VMC is the only way of ensuring maximized support for BIMI.

Figure 4. Verified Mark Certificates Issued, 2017-2022, Entrust.

Interestingly, we are also seeing that VMC growth is being fueled by smaller organizations, as more than 50% of VMCs are issued to companies with less than $50M in revenue and less than 250 employees (figure 5).

Figure 5. Number of VMCs issued by company revenue and number of employees, as of August 2022.

Finally, we are seeing adoption spread across both B2C and B2B industries, which shows that BIMI is not driven strictly as a way to reach more consumers. In fact, business services, manufacturing and tech are leading the way among B2B sectors.  

Figure 6. Companies with a valid VMC by industry.

All of these statistics show clear evidence that the carrot of logo display in email offered by the world’s largest email platform providers to domain owners is just now starting to motivate organizations of all sizes to take the leap of faith that BIMI is indeed the future of email security.

We are on an early adopter curve and the good news is that DMARC has been driving ~ 50% growth rate on Apex domains, so as companies look to implement DMARC, VMC adoption will accelerate.

Red Sift’s end-to-end DMARC, BIMI & VMC solution 

Email security is a universal issue and BIMI with VMC is a clear indicator of where email security is headed. Red Sift is the leading market provider of the complete BIMI & DMARC solution, in partnership with Entrust. This makes DMARC and BIMI implementation through Red Sift’s OnDMARC easy, straightforward, and fast.


Brian Westnedge

29 Sep. 2022



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more