The image has to be specified in the DNS, and it has to be certified w/ a VMC. The VMC certification process includes checking if it's trademarked. So, in order for a trusted brand's BIMI logo to get spoofed, the email would have to be DMARC-authenticated and the logo specified in the DNS would be the one presented to the mailbox provider when they do DNS lookups on the authentication domains. IOW, the only real way to do it would be with account takeovers. If you can hack into the ESP account of a trusted brand, then you can send fully-authenticated email for that brand, with its BIMI logos.
The biggest spoofing risk here is with really inclusive SPF records that include an entire cloud SMTP provider's IP ranges, where other senders also send from those ranges, and they can then send SPF-authenticated email w/ a trusted brand's return-path domain, which would then pass DMARC and BIMI. But that's a security risk already, BIMI doesn't make it worse. Cloud SMTP providers need to do a better job of locking down the sending domains their clients can use to prevent that. However, even there, if the DNS accounts of domain owners can be hacked into, authorization of domains can be faked, too. But, again, that's an existing risk, which BIMI doesn't make any worse.

-Tim

On Thu, Jan 11, 2024 at 2:35 PM Bastian Blank via mailop <mailop@mailop.org> wrote:
> On Thu, Jan 11, 2024 at 01:45:19PM -0600, Tim Starr via mailop wrote:
> > To elaborate on Marcel's answer, so he doesn't have to waste time
> > explaining it all over again, the "different logo" won't be displayed by
> > the mailbox providers, because it's not the authenticated one.
>
> What prohibits them from making it authenticated? A trademark check?
>
> Bastian
>
> --
> Extreme feminine beauty is always disturbing.
> -- Spock, "The Cloud Minders", stardate 5818.4
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
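An added example in Python, not from the thread, that audits the three conditions the reply above turns on from the domain owner's side: DMARC at enforcement, a BIMI record that carries both a logo and a VMC URL, and an SPF record that does not directly authorise a provider-sized address range. The DNS records are constructed samples for a hypothetical domain, and the 4096-address threshold is an assumed, tunable policy value.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain (not real DNS data);
# they stand in for the answers to _dmarc.<domain>, default._bimi.<domain> and <domain>.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.test"
SAMPLE_BIMI = "v=BIMI1; l=https://example.test/logo.svg; a=https://example.test/vmc.pem"
SAMPLE_SPF_TIGHT = "v=spf1 ip4:203.0.113.0/28 -all"
SAMPLE_SPF_BROAD = "v=spf1 ip4:198.51.100.0/24 ip4:100.64.0.0/10 include:_spf.example.test ~all"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforces(dmarc_record):
    """BIMI only applies when DMARC is at enforcement: p=quarantine or p=reject on 100% of mail."""
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy_ok = tags.get("p", "none").lower() in ("quarantine", "reject")
    return policy_ok and int(tags.get("pct", "100")) == 100

def bimi_has_logo_and_vmc(bimi_record):
    """A BIMI record needs the logo URL (l=) and, for a VMC-backed logo, the certificate URL (a=)."""
    tags = parse_tags(bimi_record)
    return tags.get("v", "").upper() == "BIMI1" and bool(tags.get("l")) and bool(tags.get("a"))

def spf_ip4_footprint(spf_record):
    """Count IPv4 addresses authorised directly by ip4: terms; every other mechanism is
    returned unresolved because this audit deliberately makes no DNS queries."""
    total, unresolved = 0, []
    for term in spf_record.split()[1:]:          # skip the 'v=spf1' version term
        mech = term.lstrip("+-~?").lower()       # drop the qualifier
        if mech == "all":
            continue
        if mech.startswith("ip4:"):
            total += ipaddress.ip_network(mech[4:], strict=False).num_addresses
        else:
            unresolved.append(term)
    return total, unresolved

def spf_overly_inclusive(spf_record, max_addresses=4096):
    """Flag records whose directly listed ip4 space is large enough to be a shared
    provider range (assumed threshold; tune it to the domain's real sending infrastructure)."""
    return spf_ip4_footprint(spf_record)[0] > max_addresses
```

Unresolved include:/a/mx terms should be expanded with real lookups before trusting the count, since a single include can pull in a provider's whole range.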