> On 10.01.2024 at 17:21 Olga Fischer via mailop wrote: > > Many bigger mailers are blogging about BIMI. > As far as I see its exclusively for brands. > It has 2 big barriers for entry: > - Expensive bespoke cert oids > - Registered trademark logos > > As from my perspective of independent mailing between humans: I fear this > might be not just a carrot for doing DMARC, but also making independent > mailers less credible in the UX of mainstream mailer users.
Carrot or not, BIMI can actually be a good incentive to increase the adoption of DMARC. For ESPs a widespread usage of DMARC is a welcome addition to their filtering process, as it makes the impersonation of foreign domains more difficult. At the same time setting up DMARC on the sender side can be a lot of work, especially for large enterprises, which have hundreds of sources where emails are being generated or sent. Finding and adding proper authentication to all of them before being able to enable a DMARC reject policy requires a non-negligible amount of resources. If you can present a direct and clear benefit in return („our logo is going to be displayed next to our messages“), the management might be more willing to grant approval for it. I don’t see the fact that BIMI is currently not available to single users as a real problem, as their identity is usually not used in phishing campaigns anyway. Nobody sends phishing messages that try to impersonate Bob the builder. Neither SPF, nor DKIM nor DMARC are suitable to identify single users, so BIMI which builds upon them cannot magically add this feature. If you want to authenticate single users there’s S/MIME. > Do you have input on how non-marketing mailers deal with this? > Because obviously its for brand-logos, as in marketing mails. Not for user 2 > user. Not at all. BIMI is about DMARC authenticated emails. Their content doesn’t matter. If I‘d send you a personal email off-list and you use a MUA that supports BIMI a logo will be displayed next to it. > Its also may be yet another reader-engagement tracker. Why do those things > always have to be out of band. Well, there’s no automated way to connect a logo to a domain. The BIMI group has decided to build upon the work of trademark offices to connect logos to companies and then set up a manual verification process to connect the company to a domain. There might be other ways to do this, but you cannot just use DNS or a message header to link a logo to a domain as this would be trivial to exploit. Either way, BIMI is not suitable for reader tracking as you cannot provide different logo URIs for each recipient. — BR Oliver ________________________________ dmTECH GmbH Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe Telefon 0721 5592-2500 Telefax 0721 5592-2777 [email protected]<mailto:[email protected]> * www.dmTECH.de<http://www.dmtech.de> GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927 Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher ________________________________ Datenschutzrechtliche Informationen Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie die Kontaktdaten unserer Datenschutzbeauftragten finden Sie hier<https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832>. _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
