Maybe this is a stupid question, but

as BIMI is a TXT record in DNS:

An example BIMI TXT record.

"v=BIMI1; l=https://images.example.com/somedir/logo.svg;";

What exactly keeps someone from publishing their own BIMI TXT record and simply copying your image?

How exactly does this improve fraudulent email protection? It would seem that it would do the opposite. You are training your users to trust based on the image provided rather than the actual email address.


Ted



On Wed, 22 Jul 2020, Marcel Becker via mailop wrote:



On Wed, Jul 22, 2020 at 4:49 PM Jim Popovitch via mailop <mailop@mailop.org> wrote:

      Good, DMARC is good, but we don't need yet another standard to get DKIM
      and SPF into the wider use.


Based on the data I see on the receiving side I disagree. But that's ok. 
 
      I hope you understand that most providers don't care if your logo
      service is alive and well.  Surely we don't need a spec for that.


Exactly. I see this went over your head. 

      Whether you understand it or not, if a proxy or cache fetches your logo,
      you can get very valuable data about inbox hit rate data, eg tracking.


No, if you care about your users' privacy you would not implement anything which would allow senders to do what you say BIMI enables.

This means in our case: If you -- as a sender -- publish a BIMI logo all you can track is when our logo service is fetching your logo. Which might be exactly once (ie: one time) when you update it. Our MUAs don't fetch BIMI logos from the source.

So all it will tell you is

1: Our MTA saw mail coming in from your domain
2: We probably trusted you enough to see if you have a BIMI logo
3: We fetched that BIMI logo
4: A Verizon Media IP connected to your hosting server
5: Our system is alive and working (well, at least it's requesting logos)

That's it. 




_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop