We looked into it and publish our own default BIMI record even
though we didn't pay the enormous amount money required to one of two
Certificate Authorities.
If anyone is curious to see what the record looks, use this command:
dig txt default._bimi.inter-corporate.com
The results should include:
;; ANSWER SECTION:
default._bimi.inter-corporate.com. 3600 IN TXT
"v=BIMI1;
l=https://www.inter-corporate.com/images/logo60bimi-iccns.svg; a=;"
It basically just links to an SVG version of the logo from our main
web site (which is also in the same DNS zone).
Note: The "a=" portion normally includes a URI to what's called the
"VMC/Assertion record" in the form of a typical .pem file. Ours is
blank because we don't have the needed file for this.
We decided to keep this because I read that some webmail clients are
planning to support BIMI without checking for certificates, or,
perhaps, also displaying a little lock icon in the corner of the
sender's BIMI-style logo image where certification is verified.
The BIMI Group provides an online checking tool that displays our
logo (just search for "inter-corporate.com" to see ours):
BIMI LookUp & Generator :: Check compliance w/ BIMI standards
https://www.bimigroup.org/bimi-generator/
Our logo is shown near the end of the report, and for ours there's
an indication that we comply, but there's also this warning:
"Note: While your BIMI record is compliant, it doesn't include
a
Verified Mark Certificate that may be required by some mailbox
providers."
What's missing from BIMI in its current form? The option for mail
server oparators to use the same TLS certificates that we're already
using for our mail servers (and web servers, and FTP servers, etc.).
It makes less sense to me to involve a different CA just for one
tiny little image because then that's more technology that has to be
administered, managed, troubleshooted, implemented, etc., and paid
for separately. For eMail systems that host mlutiple domains and
clients, BIMI is not an attractive option in its current state.
If BIMI is to be taken as an open standard, then it needs to embrace
openness so that the TLS certificates issued by all CAs (including
commercial and free CAs {e.g., Let's Encrypt}) can contribute to BIMI
gaining wider adoption.
The "must be a Registered Trademark" requirement is too expensive
for a lot of small businesses. A copyrighted logo is already
sufficient to provide legal protections in many scenarios (depending
on jurisdiction, etc.), so the bar is too high as it is -- DMCA
violation notices should be taken seriously regardless of whether the
intellectual property (such as an organization's logo) is protected
under copyright, servicemark, or trademark property mechanisms.
Another problem with limiting the scope of intellectual property
protection to a Registered Trademark is that trademark applications
can also be rejected even though a logo is already copyrighted, and
the reasons can vary based on a variety of factors, including
different jurisdictional regulations, local and/or national laws that
limit free expression, cultural sensitivity policies, delays due to
fraudulent disputes submitted by intellectual property trolls, etc.
Also: How does BIMI intend to resolve valid Registered Trademarks
from two different countires that look almost the same? Is there a
mechanism that will only allow BIMI logos to be displayed in cerrtain
countries where said Registered Trademark is protected? Will there
be enforcement to make sure all vendors adhere to implementing BIMI
correctly in this manner? Or, if a Registered Trademark is only
registered in one country, will vendors still be able to display it
in other countries? Or will the source be the determining factor (in
which case, what reliable solution does BIMI propose for a company
using service provider in some other country to deliver their eMail)?
Keeping things simpler, open, and lowering the bar to be more
inclusive are, in my opinion, some of the more important factors in
BIMI's future success. Otherwise, it just looks like an attempt to
make money (which is how at least some people who've looked into it
seem to perceive it at present).
(If BIMI doesn't lower the bar, then perhaps someone will be
motivated to create an alternative standard that is simpler, open,
and more inclusive.)
> Hi mailops,
>
> I am new here because I want to collect some opinion.
>
> Many bigger mailers are blogging about BIMI.
> As far as I see its exclusively for brands.
> It has 2 big barriers for entry:
> - Expensive bespoke cert oids
> - Registered trademark logos
>
> As from my perspective of independent mailing between humans: I fear this
> might be not just a carrot for doing DMARC, but also making independent
> mailers less credible in the UX of mainstream mailer users.
>
> Do you have input on how non-marketing mailers deal with this?
> Because obviously its for brand-logos, as in marketing mails. Not for user 2
> user.
> How will common platforms show user2user?
> Will they use platform logos? No logos?
>
> It seems infeasible to do the logo-ing per user.
>
> Can we influence the mailing world to use the standard differently?
> Like accepting BIMI logos only depending on valid bog standard cert and
> DMARC, boycotting the moneygrab scheme?
>
> Its also may be yet another reader-engagement tracker. Why do those things
> always have to be out of band.
>
> I wish y'all a happy new year and good mailing weathers!
>
> Olga
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
