On 2024-01-12 19:53, Louis Laureys via mailop wrote:
> I don't see how that's the fault of the BIMI spec. It's just another tool that should help communicate email authenticity somewhat clearer (while also being quite attractive to adopt for many businesses, who doesn't want their logo next to the email saying it's verified).
>
> I'm not sure why people seem to be taking this all or nothing approach, where either it solves everything or it's useless.


(A) SOMEWHAT CLEARER IS NOT CLEAR ENOUGH

If you find "somewhat clearer" useful, feel free to send your credit card details to amaz0n.com. Disclosure: if I was the spammer operating such a phishing scheme, I would not tell you.

Seriously: anything in the "somewhat" range is, for all practical purposes, useless. Or otherwise stated: not authentic. This is the internet of 2024, not of 1969. By default, everything is unauthentic until proven different. Not "somewhat" different. Spammers find the vulnerabilities and implement the authentication schemes better and faster than most legitimate senders. The end result is that the extra schemes make things murkier, not clearer.


(B) DETRIMENTAL REDUNDANCY

It is less expensive and more effective for a brand to own a domain (which it already does in most cases) and to protect it with DMARC, making BIMI redundant.

While sometimes redundancy is good (backup), this is not the case here. There are too many "tools that should help communicate email authenticity." While different types of authenticity can justify different tools, when brand and domain coincide there is no difference.

The visual cacophony of different BIMI-brands icons on different lines of the MUA's list of messages is more confusing than the unified green flag displayed on each line with verified DMARC. FairEmail is my go-to MUA, with all visual bling (including HTML-body display, so even less branding) disabled. My MUA, my preferences. YMMV.


(C) THE MARKETING/BRANDING VALUE IS TOO LITTLE TO JUSTIFY THE EXPENDITURE

The only remaining value proposition for brands that I see in BIMI is "to allow brands to control the display of their logos in email they send." Funny this value proposition is listed for mailbox providers at https://bimigroup.org/mailbox-providers/ when it is actually a better argument to persuade senders than any of https://bimigroup.org/faqs-for-senders-esps/

As a brand, I already have full control over the emails I send. My concern in the context of email are the emails sent by spammers abusing my logo and BIMI does not help. If anything, the contrary is true. A determined spammer can register an optically similar trademark in a jurisdiction that my brand did not cover. AFAIK there are 17 trademark offices approved for BIMI/VMC. Then fool MUAs and their users globally.

Trademarks are a complex thing. (Self-interest) lawyer's advice: the money is better spent on figuring out strategically where and how to protect the brand. Not all brands are Burger King:
* https://en.wikipedia.org/wiki/Burger_King_(Mattoon,_Illinois)
* https://en.wikipedia.org/wiki/Burger_King_(Alberta)

A famous CEO of a large Fortune 500 company once said that half of his marketing expenditures are a waste, he just does not know which. In my opinion, if he was not retired, he would know in which half to classify BIMI.


(D) THE SENDER/RECIPIENT FAULT-LINE

"control the display of their logos in email they send" puts the sender on a collision course with recipients: of course some brands would like to burn in their logos on recipients' displays. That's spammy. There is a difference between the display of names, logos, and avatars from the user's own curated addressbook vs. imposing the sender's control.

If a recipient decides that the 💲 logo is to be displayed instead of the bank's logo; and the ❤️ logo is to be displayed instead of the significant other's avatar: recipient's MUA, recipient's rules. No BIMI shBIMI override / grab of expensive display real-estate. May not be applicable to the significant other for diplomatic reasons, though ;-)


(E) COST

Interestingly, the costs of BIMI are not much different for a Fortune 500 company than for a small business like mine. So I made the exercise of following https://bimigroup.org/implementation-guide/ and calculating before coming to a conclusion.

(1) SPF/DKIM/DMARC - This is something that any serious sender should implement to best practice levels. I am guilty of neglecting (no DMARC, no rotation of DKIM keys). The implementation is planned, independently of BIMI. Marginal cost to add BIMI: zero.

(2) SVG logo design and hosting. Lucky me, my logo is already SVG, well managed, and of square size. I can re-use what has been used already for business cards, letterheads, etc. and the marginal cost of hosting for BIMI purposes is again zero.

(3) VMC. Although the BIMI implementation guide says it is optional, Apple Mail and Gmail require VMC. Given how ubiquitous those two are (default MUAs on almost all mobile devices in operation today and sold in the near future), BIMI without VMC is nearly worthless. While my brand does not require registration to be protected in my jurisdiction, the costs to register/renew a trademark are small and reasonable. Not so the cost of the VMC, even though the bulk of the work is made at the trademark office. US$1500/year... that kills it. The money is better spent on other advertising activities.

(4) DNS record publication: zero.


(F) CONCLUSION

Cyberspace is not a separate jurisdiction. Never was, never will be. Name/brand/trade mark protection are jurisdiction-based and the tools to protect them are mainly of legal/local nature, not technical/global. But when one sells hammers, they naturally want all potential customers to believe that the screws in their hands are, in fact, nails. That's to me BIMI in a nutshell. No BIMI for me this year.

Yuv
Ontario-licensed lawyer
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop