Apple’s new BIMI support changes everything, but they need the other mailbox providers to play ball. Here’s how they’ll be able to work together to do that.
Not everyone has iCloud accounts so you may not have noticed the new(ish) header:
Authentication-Results: bimi.icloud.com; bimi=skipped reason="insufficient dmarc"
Knowing Apple was moving to support BIMI this fall, I assumed this header was tied to that. Then Spam Resource published an article noting that Apple had launched a BIMI support page. After spending some time with Apple’s dev page, the new header made a lot of sense.
Apple’s dev page is written for the operators of email servers and what they need to do with the headers if they want to pass along the information needed by Apple to display the BIMI logos. Let me emphasize a few words there, operators of email servers.
Phew! This is not a list of additional steps for senders to implement BIMI and have it displayed in Apple. But it is a list of things needed for those receiving the mail. The end result is that Apple wants them to ‘stamp’ their authentication results and BIMI details into the headers.
If the mail is then IMAP’d into Apple’s email user interface, Apple Mail, Apple will have enough information available in the headers to decide whether to display the BIMI logo and also mark the message as “Digitally Certified Email”.
Image sourced from: https://www.macrumors.com/2022/06/22/ios-16-mail-app-supports-bimi-brand-logos/
And although these requirements are for Apple, they are not so specific that other mail apps can’t use the foundation being built here to implement BIMI logo display in their interfaces.
What impact does this have on BIMI?
The huge population of Apple users that use Apple’s Mail app will now be able to see BIMI, meaning BIMI is no longer exclusive to just those providers supporting BIMI. The exclusivity of, and lack of depth in, BIMI support by providers was often a deterrent for senders taking the next step: finalizing DMARC settings, getting to DMARC enforcement, or investing in a VMC (Verified Mark Certificate).
Apple’s move to support BIMI for senders sending directly to their system AND for those sending to other accounts is a huge step forward and incentive for senders to get all their ducks in a row.
But again, there are a few additional requirements needed for this to make its full impact.
Additional Requirements for BIMI in Apple
Apple has four additional requirements receiving servers need to take in order for BIMI logos to be pulled in from providers that are outside of Apple’s environment (with exceptions as you’ll read below). Why? Because anything and everything can be abused. I say this taking feedback from someone that feels this is an aggressive approach that disadvantages small businesses. Sadly, bad actors ruin it for everyone.
The email servers receiving the mail need to take action
What is detailed in Apple’s dev page is not for senders and marketers. The actions needed reside with the providers receiving mail for your customers. However, during Beta, these requirements are not enforced. AND until further notice, those providers that are participating in BIMI via bimigroup.org are exempt.
The question that remains is then, will there be enough motivation for those providers not yet participating in BIMI to take these next steps? Will this be easier for them than participating, or will it not matter to them or their user base?
Although I don’t have answers for that yet, the majority of consumer brands will be well covered by those currently participating and, perhaps, the biggest question mark will then be, what about Microsoft?
Surprisingly, not all providers include the authentication results in their headers, even when the email authentication protocols are checked and used in filtering. Apple requires not only the results of the base authentication methods, SPF, DKIM, and DMARC, but also the BIMI evaluation: Does DMARC authentication pass? Is DMARC at enforcement? Is there an SVG? Is there a VMC?
Authentication-Results: bimi.example.com; bimi=pass header.d=examplesender.com header.selector=default policy.authority=pass policy.authority-uri=https://lnkd.in/etCsaDtb
Authentication-Results: dmarc.example.com; dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com; dkim=pass (2048-bit key) header.d=examplesender.com firstname.lastname@example.org header.b=GyICAm88
Authentication-Results: spf.example.com; spf=pass smtp.mailfrom="email@example.com"
BIMI indicator and location information
Apple is also requiring the receiver to post the BIMI logo location and assertion record, as detailed in the BIMI RFC (technically a draft specification), as well as the BIMI indicator, which is the “SVG of the Indicator encoded as base64.”
BIMI-Location: v=BIMI1; l=https://lnkd.in/ebin9w7n a=https://lnkd.in/etCsaDtb
DKIM-sign authentication results
In other words, not only do the receivers need to post the authentication results for SPF, DKIM, DMARC, and BIMI, but they also need to DKIM-sign those results (so Apple can confirm that the receiver was the one that ran the checks and added them to the headers), with the body length (l=) attribute set to 0.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=foo1234; t=1645949369; bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
—Full Authentication Header Example as Pulled from Apple’s Dev Page—
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=foo1234; t=1645949369; bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0; h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From; b=tpMLTXB...kQ==
Authentication-Results: bimi.example.com; bimi=pass header.d=examplesender.com header.selector=default policy.authority=pass policy.authority-uri=https://lnkd.in/etCsaDtb
Authentication-Results: dmarc.example.com; dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com; dkim=pass (2048-bit key) header.d=examplesender.com firstname.lastname@example.org header.b=GyICAm88
Authentication-Results: spf.example.com; spf=pass smtp.mailfrom="email@example.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1; l=https://lnkd.in/ebin9w7n a=https://lnkd.in/etCsaDtb
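To make the decision side concrete, here is an added Python example (not Apple’s code and not a BIMI-group reference implementation) that parses a receiver-stamped message shaped like the one above and decides, as a mail client would, whether a logo may be shown. It checks the three things this section describes: that the DKIM-Signature lists every Authentication-Results header plus From with l=0, that the receiver stamped dmarc=pass and bimi=pass, and that the BIMI-Indicator decodes to an SVG. The hostnames, URLs, the placeholder b= value and the tiny SVG are constructed for the example, and treating policy.authority=pass as the “certified” (VMC-validated) condition is this example’s own assumption. Only the signature’s coverage is checked here; its cryptographic validity is not.

```python
"""Evaluate receiver-stamped BIMI headers the way a mail client might.

Added example; not Apple's code and not a BIMI-group reference implementation.
Header shapes follow Authentication-Results (RFC 8601), DKIM-Signature
(RFC 6376) and the BIMI draft's BIMI-Location / BIMI-Indicator as quoted in
the post; the decision rules are this example's own reading of the
requirements (assumption).
"""
import base64
import re
from email import message_from_string

# Constructed indicator: a minimal SVG, base64-encoded as the draft requires.
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1"><rect width="1" height="1"/></svg>'
_INDICATOR = base64.b64encode(_SVG).decode()

# Constructed message: a receiver has stamped and signed its results as the post
# describes.  b= is a placeholder, not a real signature; URLs are illustrative.
STAMPED_MESSAGE = f"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=receiver.example; s=foo1234; t=1645949369; bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0; h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From; b=PLACEHOLDER==
Authentication-Results: bimi.receiver.example; bimi=pass header.d=examplesender.com header.selector=default policy.authority=pass policy.authority-uri=https://bimi.examplesender.com/vmc.pem
Authentication-Results: dmarc.receiver.example; dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.receiver.example; dkim=pass (2048-bit key) header.d=examplesender.com header.b=GyICAm88
Authentication-Results: spf.receiver.example; spf=pass smtp.mailfrom="bounce@examplesender.com"
BIMI-Indicator: {_INDICATOR}
BIMI-Location: v=BIMI1; l=https://bimi.examplesender.com/logo.svg a=https://bimi.examplesender.com/vmc.pem
From: Example Sender <news@examplesender.com>
Subject: constructed sample

body
"""
# Two failure variants: DMARC did not pass; receiver never signed its stamps.
DMARC_FAIL_MESSAGE = STAMPED_MESSAGE.replace("dmarc=pass", "dmarc=fail")
UNSIGNED_MESSAGE = "\n".join(l for l in STAMPED_MESSAGE.splitlines()
                             if not l.startswith("DKIM-Signature"))

_TAG = re.compile(r'([\w.-]+)=("[^"]*"|[^\s;]+)')


def parse_auth_results(value):
    """Parse one Authentication-Results value into authserv-id, method, result, props."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop comments like "(2048-bit key)"
    authserv_id, _, rest = value.partition(";")
    pairs = _TAG.findall(rest)
    if not pairs:
        return {"authserv_id": authserv_id.strip(), "method": None, "result": None, "props": {}}
    method, result = pairs[0]
    props = {k: v.strip('"') for k, v in pairs[1:]}
    return {"authserv_id": authserv_id.strip(), "method": method, "result": result, "props": props}


def parse_dkim_tags(value):
    """Split a DKIM-Signature tag=value list (RFC 6376) into a dict."""
    tags = {}
    for item in value.split(";"):
        k, _, v = item.strip().partition("=")
        if k:
            tags[k.strip()] = v.strip()
    return tags


def bimi_decision(raw_message):
    """Decide whether the receiver-stamped headers justify showing a logo."""
    msg = message_from_string(raw_message)
    ar_values = msg.get_all("Authentication-Results", [])
    results = {r["method"]: r for r in map(parse_auth_results, ar_values)}
    verdict = {"show_logo": False, "certified": False, "reason": None}

    # 1. Stamps must be DKIM-signed with l=0 and every Authentication-Results
    #    instance plus From listed in h= (repeated names sign repeated headers).
    sig = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    signed = [h.strip().lower() for h in sig.get("h", "").split(":")]
    if (sig.get("l") != "0" or "from" not in signed
            or signed.count("authentication-results") < len(ar_values)):
        return {**verdict, "reason": "results not signed by receiver"}

    # 2. DMARC must pass; mirrors the bimi=skipped reason quoted in the post.
    if results.get("dmarc", {}).get("result") != "pass":
        return {**verdict, "reason": "insufficient dmarc"}

    # 3. The receiver's own BIMI evaluation must have passed.
    bimi = results.get("bimi", {})
    if bimi.get("result") != "pass":
        return {**verdict, "reason": f"bimi={bimi.get('result', 'none')}"}

    # 4. The indicator must decode to an SVG document; refuse anything scriptable.
    try:
        svg = base64.b64decode(msg.get("BIMI-Indicator", ""), validate=True)
    except ValueError:
        svg = b""
    if b"<svg" not in svg or b"<script" in svg.lower():
        return {**verdict, "reason": "indicator is not a usable SVG"}

    location = dict(re.findall(r"\b([a-z])=([^;\s]+)", msg.get("BIMI-Location", "")))
    return {"show_logo": True,
            # policy.authority=pass taken to mean the VMC validated (assumption).
            "certified": bimi["props"].get("policy.authority") == "pass",
            "logo_url": location.get("l"), "authority_url": location.get("a"),
            "reason": None}


if __name__ == "__main__":
    for name, raw in [("stamped", STAMPED_MESSAGE), ("dmarc-fail", DMARC_FAIL_MESSAGE),
                      ("unsigned", UNSIGNED_MESSAGE)]:
        print(name, bimi_decision(raw))
```

Run it directly to print the three decisions; the second constructed message reproduces the bimi=skipped reason="insufficient dmarc" outcome of the header quoted at the top of the post, and the third shows why the signing step matters: without it, any hop could stamp a bimi=pass of its own. In a real client the DKIM signature itself has to be verified against the receiver’s published key before any of the stamped results are trusted.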
When will BIMI be ready on Apple devices?
Realistically, today! But if you are on the Beta you may see more logos than users in production will, as some of the exemptions will be removed once in production. Then it’s a matter of considering whether your customers sit with the providers that are listed in the BIMI initiative. If they do, there isn’t much more that needs to be done.
As with anything, there will be an adoption curve on Apple’s side and on the download side of the end user. The unknowns sit with those providers outside of the BIMI initiative and if they have enough incentive to add the additional authentication checks and headers.
And with the foundation Apple is laying now, this may be the stepping stone to help other MUAs adopt BIMI.