Thursday, June 23, 2022

Verified Brand Logos in Apple Mail

Joe Rossignol:

iOS 16 and macOS Ventura add support for the Brand Indicators for Message Identification (BIMI) standard in the Mail app, helping users to easily verify authenticated emails sent by brands by displaying the brand’s logo alongside the email’s header.


For a brand’s logo to be displayed, the sender’s domain must pass DMARC authentication checks, according to the BIMI Group website. If the email passes authentication, the Mail app queries the DNS for a corresponding BIMI record.

Maybe this will help with phishing.
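The check sequence in the quoted passage (DMARC pass first, then a DNS lookup for the BIMI record), as an added example that is not part of the original post and is not Apple Mail's code. It assumes the BIMI specification's conventions: the TXT record lives at `default._bimi.<domain>` with `v`, `l` (logo) and `a` (certificate) tags, and the DMARC policy must be `quarantine` or `reject`. The `example.com` records are constructed samples, and the function names and the `require_vmc` switch are hypothetical.

```python
from urllib.parse import urlparse

# Constructed sample TXT records for the placeholder domain example.com.
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def bimi_query_name(domain, selector="default"):
    """DNS name a receiver queries for the BIMI TXT record."""
    return f"{selector}._bimi.{domain.rstrip('.').lower()}"

def _https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def logo_decision(dmarc_pass, dmarc_txt, bimi_txt, require_vmc=True):
    """Return (show_logo, reason, logo_url) for one received message."""
    if not dmarc_pass:
        return (False, "message failed DMARC", None)
    dmarc = parse_tags(dmarc_txt or "")
    if dmarc.get("v") != "DMARC1":
        return (False, "no valid DMARC record", None)
    if dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        return (False, "DMARC policy not at enforcement", None)
    bimi = parse_tags(bimi_txt or "")
    if bimi.get("v") != "BIMI1":
        return (False, "no valid BIMI record", None)
    logo = bimi.get("l", "")
    if not logo:  # an empty l= tag means the domain opts out of logo display
        return (False, "domain declines to publish a logo", None)
    if not _https(logo):
        return (False, "logo URL is not HTTPS", None)
    # Assumption: the client insists on a certificate (a=) before showing a logo.
    if require_vmc and not _https(bimi.get("a", "")):
        return (False, "no certificate (a=) URL", None)
    return (True, "ok", logo)
```

A real client would also fetch and validate the certificate and the SVG itself; this covers only the DNS-level decision.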


3 Comments

Unfortunately, the BIMI records require a $1000+/year certificate and essentially also for the logos to be trademarked or protected. At some point, something has to be validated and verified by someone for this scheme to work, but this way puts a floor on how small you can be to realistically use this. I guess the idea is either that small actors don't get that many phishing expeditions targeted towards them anyway so this is less of a concern, or "screw the small actors".

This could likely have been made to work with some form of public web of trust. The dynamics of sneaking something past a public web of trust is not yet well-known and proven for graphical elements - but neither is it for centralized trusted authorities. (See: and extend it into graphical identity.)

More centralisation. Sigh. I always knew we'd get email authentication, but I could have fervently wished for something better than DMARC (itself based on the highly flawed SPF and DKIM), BIMI, and ARC. The triumph of the sharks is upon us.

DMARC should never have used RFC5322.From as the authenticated identifier, but reserved another header for that purpose, to be used by consent of all concerned including MUAs. They can certify that until they're blue in the face, but instead, today every mailing list manager must work around the hideous disaster area by rewriting headers so the From header no longer actually indicates the author of the message. Ugh.

At best, this is a slight win against phishing (then again, we've tried this approach before for similar scenarios with EV certificates, and that failed so hard, browsers stopped putting the green company name in the address bar). At worst, it's another way for certificate companies to make a little extra cash.
