On Thu, Nov 20, 2025 at 7:25 AM Andrew C Aitchison via mailop < [email protected]> wrote:
> Can I trust that the DKIM2 and BIMI people are talking and that when
> these specifications are released they will work together to ensure the
> best safety for all email users, including those with independent MUAs ?
>

I can't speak for the DKIM2 and BIMI people, but I will say that personally I reject the premise that BIMI has a role to play in email user safety.

In my judgment, telling people that a logo showing in a specific place in the email client means the email is safe is going to be heard by those people as "logo means safe", with no differentiator on where that logo appears. To steal a phrase that I believe I've heard Mr. Levine use before, that's just teaching people to be phished, because bad guys can figure out ways to get a logo in a message somewhere, even if it's not the location that a BIMI logo would show up.

BIMI was designed as a carrot for marketers to incentivize them to adopt DMARC at a policy level beyond "p=none". The theory was that logos showing in the folder list view would drive recipients to recognize the email as being wanted email from a known brand, and they would then be more likely to open and engage with the mail. Domain owners who went through the relatively hard work of ensuring their email streams authenticated properly and publishing DMARC records reflecting that would therefore be rewarded with more opens and maybe more clicks, which might lead to more revenue.

Not all mailbox providers that support BIMI do so in a way that can be said to drive engagement, however; as this infographic shows, they don't all show the logo in the folder list, but instead sometimes wait till after the message is opened - https://bimigroup.org/where-is-my-bimi-logo-displayed/ - If you can't see the logo till you've opened the message, you can't really claim that the BIMI logo was the reason the message was opened. If you're a marketer, and you can't demonstrate a positive ROI from doing a thing (like BIMI), you're probably not going to do the thing.

I know there are companies out there who stand to make money from helping domain owners do BIMI, and some of those companies are touting BIMI as part of a safety/security toolbox. I just don't share that view.

-- Todd
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
