We looked into it and publish our own default BIMI record even though we didn't pay the enormous amount of money required to one of two Certificate Authorities.

If anyone is curious to see what the record looks like, use this command:

    dig txt default._bimi.inter-corporate.com

The results should include:

    ;; ANSWER SECTION:
    default._bimi.inter-corporate.com. 3600 IN TXT "v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg; a=;"

It basically just links to an SVG version of the logo from our main web site (which is also in the same DNS zone).

Note: The "a=" portion normally includes a URI to what's called the "VMC/Assertion record" in the form of a typical .pem file. Ours is blank because we don't have the needed file for this.

We decided to keep this because I read that some webmail clients are planning to support BIMI without checking for certificates, or, perhaps, also displaying a little lock icon in the corner of the sender's BIMI-style logo image where certification is verified.

The BIMI Group provides an online checking tool that displays our logo (just search for "inter-corporate.com" to see ours):

    BIMI LookUp & Generator :: Check compliance w/ BIMI standards
    https://www.bimigroup.org/bimi-generator/

Our logo is shown near the end of the report, and for ours there's an indication that we comply, but there's also this warning:

    "Note: While your BIMI record is compliant, it doesn't include a Verified Mark Certificate that may be required by some mailbox providers."

What's missing from BIMI in its current form? The option for mail server operators to use the same TLS certificates that we're already using for our mail servers (and web servers, and FTP servers, etc.). It makes less sense to me to involve a different CA just for one tiny little image because then that's more technology that has to be administered, managed, troubleshooted, implemented, etc., and paid for separately. For eMail systems that host multiple domains and clients, BIMI is not an attractive option in its current state.

If BIMI is to be taken as an open standard, then it needs to embrace openness so that the TLS certificates issued by all CAs (including commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI gaining wider adoption.

The "must be a Registered Trademark" requirement is too expensive for a lot of small businesses. A copyrighted logo is already sufficient to provide legal protections in many scenarios (depending on jurisdiction, etc.), so the bar is too high as it is -- DMCA violation notices should be taken seriously regardless of whether the intellectual property (such as an organization's logo) is protected under copyright, servicemark, or trademark property mechanisms.

Another problem with limiting the scope of intellectual property protection to a Registered Trademark is that trademark applications can also be rejected even though a logo is already copyrighted, and the reasons can vary based on a variety of factors, including different jurisdictional regulations, local and/or national laws that limit free expression, cultural sensitivity policies, delays due to fraudulent disputes submitted by intellectual property trolls, etc.

Also: How does BIMI intend to resolve valid Registered Trademarks from two different countries that look almost the same? Is there a mechanism that will only allow BIMI logos to be displayed in certain countries where said Registered Trademark is protected? Will there be enforcement to make sure all vendors adhere to implementing BIMI correctly in this manner? Or, if a Registered Trademark is only registered in one country, will vendors still be able to display it in other countries? Or will the source be the determining factor (in which case, what reliable solution does BIMI propose for a company using a service provider in some other country to deliver their eMail)?

Keeping things simpler, open, and lowering the bar to be more inclusive are, in my opinion, some of the more important factors in BIMI's future success.
Otherwise, it just looks like an attempt to make money (which is how at least some people who've looked into it seem to perceive it at present). (If BIMI doesn't lower the bar, then perhaps someone will be motivated to create an alternative standard that is simpler, open, and more inclusive.)

> Hi mailops,
>
> I am new here because I want to collect some opinion.
>
> Many bigger mailers are blogging about BIMI.
> As far as I see it's exclusively for brands.
> It has 2 big barriers for entry:
> - Expensive bespoke cert oids
> - Registered trademark logos
>
> As from my perspective of independent mailing between humans: I fear this
> might be not just a carrot for doing DMARC, but also making independent
> mailers less credible in the UX of mainstream mailer users.
>
> Do you have input on how non-marketing mailers deal with this?
> Because obviously it's for brand-logos, as in marketing mails. Not for user 2
> user.
> How will common platforms show user2user?
> Will they use platform logos? No logos?
>
> It seems infeasible to do the logo-ing per user.
>
> Can we influence the mailing world to use the standard differently?
> Like accepting BIMI logos only depending on valid bog standard cert and
> DMARC, boycotting the moneygrab scheme?
>
> It also may be yet another reader-engagement tracker. Why do those things
> always have to be out of band.
>
> I wish y'all a happy new year and good mailing weathers!
>
> Olga
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
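
Added example, not part of the original message or of any BIMI tooling: a small Python check that takes a dig TXT answer line like the one quoted in the message, parses the tag list, and reports whether the record carries an evidence document in "a=" or is a self-asserted logo only. The function names and the second sample record (example.com, split across two quoted strings) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Answer line as quoted in the message (dig txt default._bimi.inter-corporate.com).
SAMPLE_ANSWER = ('default._bimi.inter-corporate.com. 3600 IN TXT '
                 '"v=BIMI1; l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg; a=;"')
# Constructed sample: long TXT data is often returned as several quoted strings.
SPLIT_ANSWER = ('default._bimi.example.com. 3600 IN TXT '
                '"v=BIMI1; l=https://example.com/logo.svg; " "a=https://example.com/vmc.pem;"')

def txt_from_dig(answer_line):
    """Concatenate the quoted character-strings of a dig TXT answer line."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', answer_line))

def parse_bimi(txt):
    """Parse 'tag=value; tag=value;' into a dict; reject malformed records."""
    tags = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # trailing ';' leaves an empty element
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "BIMI1":
        raise ValueError("record must start with v=BIMI1")
    return tags

def classify(tags):
    """Return (status, problems) for a parsed record."""
    problems = []
    if urlparse(tags.get("l", "")).scheme != "https":
        problems.append("l= is not an https URL")
    evidence = tags.get("a", "")
    if evidence and urlparse(evidence).scheme != "https":
        problems.append("a= is set but is not an https URL")
    if problems:
        return "invalid", problems
    # An empty a= is the case described in the message: logo published, no VMC.
    return ("evidence" if evidence else "self-asserted"), problems

if __name__ == "__main__":
    for line in (SAMPLE_ANSWER, SPLIT_ANSWER):
        tags = parse_bimi(txt_from_dig(line))
        print(tags["l"], "->", classify(tags)[0])
```

This only inspects the DNS record; it does not fetch the logo or validate the certificate referenced by "a=".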