Each year, phishing becomes more entrenched as the most prevalent form of cyber attack. In the first quarter of 2022, the Anti-Phishing Working Group observed the most phishing attacks in history, as the quarterly volume of attacks exceeded one million for the first time (1,025,968 in total). Despite this, organizations around the world have two secret weapons to help stem the tide: DMARC and BIMI.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an inbound and outbound email security protocol that protects domains against exact domain impersonation, i.e. when a bad actor pretends to be your domain to send phishing emails to your employees, customers, and supply chain.
BIMI (Brand Indicators for Message Identification) builds on DMARC by letting businesses show their registered logos on DMARC authenticated emails. It holds tremendous promise for the industry for several reasons.
Why does BIMI matter?
First and foremost, BIMI is the future of email security as it strengthens our email ecosystem as a whole. To qualify for BIMI, an organization’s sending and apex domains must be DMARC compliant (a policy of quarantine 100 or reject). Obtaining a VMC (Verified Mark Certificate) from an approved Certificate Authority (CA) such as Entrust is the best way to maximize the reach of BIMI for logo display in email clients. As a result, BIMI with VMC secures visual trust in email.
It’s because of the email authentication requirements of DMARC that the widespread adoption of BIMI helps to improve the health of the entire email ecosystem. If more organizations adopt BIMI, it means more organizations within the ecosystem become DMARC protected, and the more difficult it is for cybercriminals to carry out domain impersonation (spoofing), a precursor to many cyberattacks.
Beyond its importance to email security, BIMI offers a host of other benefits for businesses, including improved brand visibility, increased trust in email legitimacy, and better brand recall. It’s even been shown to have an impact on consumer buying behavior.
Apple now supports BIMI, bringing it to 90% of consumers
In September, Apple joined Google, Yahoo, La Poste, and Fastmail as major mail providers supporting BIMI. As a result, it will be possible for almost 90% of consumers to gain the visual trust mentioned above by viewing logos in emails natively in iOS 16 and macOS Ventura from organizations that have implemented DMARC to secure their domains and mailbox providers that support the VMC via Apple’s specifications.
How ready are companies for BIMI?
Given the significant promise that DMARC with BIMI holds in stopping phishing attacks, the natural question is, why is the volume of attacks and the damage they inflict increasing?
To answer this question, we conducted a comprehensive study to understand the state of BIMI readiness and implementation across domains, enterprises, and brands. Using proprietary data from BIMI Radar, we found that the adoption of BIMI is poised for growth given the continued adoption of DMARC we’ve seen in recent years.
It’s now been four years since the BIMI working group was formed and a year since it reached implementation phase. But based on data from over 66 million apex domains, only 2.2% are BIMI ready, i.e. domains that have the DMARC policy in place to support BIMI.
Zooming in further, however, we see that large public companies have made significantly more progress on BIMI readiness:
- Among 2,380 domains owned by the largest publicly traded companies in the largest economies in the world, 30.4% are BIMI-ready.
- The top 10 countries for BIMI readiness based on company headquarters location are the following:
Country | BIMI Readiness (% of publicly traded companies) |
India | 64% |
United States | 58.7% |
Netherlands | 52.5% |
United Kingdom | 50% |
France | 47.7% |
Australia | 45.1% |
Canada | 38.1% |
Sweden | 35.9% |
Norway | 35.4% |
Switzerland | 33% |
- Examining the largest public companies in the U.S., as measured by the Fortune 500, we see an even greater degree of investment in BIMI readiness, as 49.9% of companies have a DMARC policy in place in order to fully implement BIMI. Similarly, 51.2% of companies in the S&P 500 are BIMI-ready.
The last mile is a road less traveled
While it’s logical to conclude that the largest companies will make the more substantial investments in DMARC as part of a comprehensive security strategy, a massive gap still exists between BIMI readiness and full implementation.
To completely take advantage of the benefits of BIMI logo display in email clients, companies must obtain a Verified Mark Certificate (VMC) from an approved certificate authority such as Entrust. This is the last mile, so to speak, but as the table below illustrates, very few companies have yet to complete the journey.
Market Index | BIMI Readiness (% of companies with DMARC policy in place) | BIMI with VMC |
U.S. S&P 500 | 51.2% | 2.4% |
Fortune 500 | 49.9% | 3.21% |
CAC 40 | 50.0% | 0% |
DAX 30 | 40.0% | 3.33% |
Euronext | 37.2% | 1.35% |
FTSE 100 | 47% | 1.0% |
FTSE 250 | 42.1% | 0% |
S&P Pan Arab Index | 52.6% | 0% |
Figure 3: Percentage of DMARC readiness vs. full BIMI implementation among publicly traded companies represented by global stock indices
Conclusion: seeing is believing
While the data here shows that most organizations around the world have yet to reach the last mile of BIMI adoption, we’ve reached a pivotal moment that signals the immediate future of email security.
Apple’s support for BIMI in iOS 16 represents a seismic shift in the importance of ensuring visual trust in email utilizing the VMC digital certificate. The support is important for a number of reasons:
- Apple’s support extends the reach of BIMI into a new mailbox provider and email clients
- Apple’s support is a sign of increasing market confidence in BIMI
- Apple’s native support in iOS expands adoption beyond just webmail clients and mobile apps (i.e. Yahoo/Google)
- Apple will bring BIMI to many more consumers with this change
- Apple is indicating support for email security and DMARC
We are now seeing more evidence that businesses are following suit as VMC adoption is now outpacing BIMI alone (figure 4). This shows that they care about the security benefit of BIMI through DMARC above and beyond the benefits to a brand, and VMC is the only way of ensuring maximized support for BIMI.
Interestingly, we are also seeing that VMC growth is being fueled by smaller organizations, as more than 50% of VMCs are issued to companies with less than $50M in revenue and less than 250 employees (figure 5).
Finally, we are seeing adoption spread across both B2C and B2B industries, which shows that BIMI is not driven strictly as a way to reach more consumers. In fact, business services, manufacturing and tech are leading the way among B2B sectors.
All of these statistics show clear evidence that the carrot of logo display in email offered by the world’s largest email platform providers to domain owners is just now starting to motivate organizations of all sizes to take the leap of faith that BIMI is indeed the future of email security.
We are on an early adopter curve and the good news is that DMARC has been driving ~ 50% growth rate on Apex domains, so as companies look to implement DMARC, VMC adoption will accelerate.
Red Sift’s end-to-end DMARC, BIMI & VMC solution
Email security is a universal issue and BIMI with VMC is a clear indicator of where email security is headed. Red Sift is the leading market provider of the complete BIMI & DMARC solution, in partnership with Entrust. This makes DMARC and BIMI implementation through Red Sift’s OnDMARC easy, straightforward, and fast.
