The moment I read that BIMI requires payment, my mind went to the paid SSL
certificates and how it's all about scamming normal people for money they
shouldn't pay in the first place.
Once it becomes free (for example if Let's Encrypt starts supporting BIMI) then
I'll consider it, otherwise no thanks :)
On Mon, 8 Nov 2021 20:54:00 -0500 Tom Kulzer via mailop
wrote:
> Emails from our blog come from the aweber.com domain which uses BIMI and is
> VMC authenticated.
>
> https://blog.aweber.com/
>
> -Tom
>
>
> > On Nov 1, 2021, at 12:26 PM, Vsevolod Stakhov via mailop
> > wrote:
> >
> > Hello Al,
> >
> > That works like a charm, thank you!
> >
> > [2021-11-01T16:09:24.566Z INFO bimi_agent::mini_pki] added trusted CA
> > cert with fp
> > 504386c9ee8932fecc95fade427f69c3e2534b7310489e300fee448e33c46b42
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] got valid pem for
> > domain cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verify domain cnn.com
> > against pattern cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified name for
> > domain cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified expiry for
> > domain cnn.com
> > [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified key usage for
> > domain cnn.com
> > [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] verified PKI for
> > domain cnn.com
> > [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] got data url for cnn.com
> > [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] got data url for
> > data:image/svg+xml;base64,H4...
> > [2021-11-01T16:09:24.569Z INFO bimi_agent::handler] processed
> > certificate for cnn.com
> >
> > They use the same digicert chain and are hosted by Valimail.
> >
> > For now, I'm interested in VMC based BIMI records as I have totally no
> > idea what to do with non-VMC, as any malicious actor can send
> > their email and publish, e.g., the Google logo for any possible domain once
> > it has valid DMARC as well.
> >
> > I could use our DMARC_WHITELIST list for that purpose but I need to
> > think about it...
> >
> > VMC is hard and expensive to obtain indeed but it provides at least some
> > level of trust.
> >
> > Presumably we should use another consensus and authority system for this
> > stuff nowadays, aside from PKI with CAs who could clearly do bad things for
> > profit (like they did many times in the past).
> >
> > I would also like to say thanks to other people who have replied as I
> > don't want to amplify ML traffic by individual messages solely with this
> > purpose :)
> >
> > On 01/11/2021 15:40, Al Iverson wrote:
> >> CNN has implemented VMC:
> >> https://www.digicert.com/news/pr/digicert-issues-certificate-to-cnn-for-bimi-email-standard/
> >> https://xnnd.com/dns.cgi?t=bimi&d=cnn.com
> >> Their newsletters would be good emails to sign up for, for testing
> >> your BIMI implementation:
> >> https://www.cnn.com/newsletters
> >>
> >> If you want mail from a non-VMC using sender that publishes a BIMI
> >> record, perhaps wish.com?
> >> https://xnnd.com/dns.cgi?t=bimi&d=wish.com&m=
> >> https://www.wish.com/
> >>
> >> Hope that helps!
> >>
> >> Cheers,
> >> Al Iverson
> >>
> >> On Mon, Nov 1, 2021 at 10:08 AM Vsevolod Stakhov via mailop
> >> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I'm currently building a prototype of BIMI agent in Rspamd as per this
> >>> Github issue: https://github.com/rspamd/rspamd/issues/3935
> >>>
> >>> However, this technology seems to be very immature and only fragmentarily
> >>> documented in some aspects. I was able to find just one (!) valid VMC
> >>> for `valimail.com` domain in the wild. Other participants of the BIMI WG
> >>> either do not publish BIMI records (e.g. Google), provide just an image
> >>> without VMC (e.g. Proofpoint) or even publish an expired VMC (e.g.
> >>> Paypal)...
> >>>
> >>> Furthermore, even a valid VMC from Valimail does not include any
> >>> system-wide trusted CA apart from the specific VMC CA that is not trusted
> >>> by the system nor cross-signed by other DigiCert CAs (so I had to implement
> >>> my own PKI based on trusted fingerprints which is acceptable but not
> >>> pleasant).
> >>>
> >>> For now, I'm looking for some other options to test BIMI and one thing
> >>> I'm missing critically is an example of an email that could be validated
> >>> by DMARC for a domain that has a valid BIMI record (either normal but
> >>> preferably with VMC). So I would appreciate any help in getting such
> >>> messages, e.g. if anyone who can send email on behalf of Valimail.com
> >>> domain could send me a message with any content to my personal email.
> >>>
> >>> I would also appreciate any information about where to get further
> >>> details without signing any sort of bogus agreements which I personally
> >>> will never ever sign (as I have a strong belief that all Internet
> >>> standards must be open for the general public).
> >>>
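
The thread contrasts VMC-backed BIMI records with logo-only ones and mentions a PKI built on trusted CA fingerprints. The following is an added example, not code from Rspamd, bimi_agent or any participant in the thread: it classifies a BIMI TXT record and checks a PEM bundle against pinned SHA-256 fingerprints. All function names, the `may_show_logo` policy and the sample byte strings (placeholders standing in for real certificates) are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def parse_bimi(txt):
    """Split a BIMI TXT record into tags; None unless it is a v=BIMI1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "BIMI1" else None

def classify(txt):
    """'vmc' when an a= evidence URL is published, 'self-asserted' for l= only."""
    tags = parse_bimi(txt)
    if tags is None:
        return "invalid"
    if tags.get("a"):
        return "vmc"
    return "self-asserted" if tags.get("l") else "declined"

def fingerprints(pem_bundle):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode(body)).hexdigest()
            for body in PEM_RE.findall(pem_bundle)]

def chain_is_pinned(pem_bundle, trusted):
    """Pin check only: signature, name, expiry and key usage checks are separate."""
    return any(fp in trusted for fp in fingerprints(pem_bundle))

def may_show_logo(txt, pem_bundle, trusted, dmarc_pass):
    """Hypothetical policy: a logo needs DMARC pass, a VMC record and a pinned CA."""
    return dmarc_pass and classify(txt) == "vmc" and chain_is_pinned(pem_bundle, trusted)

def make_pem(der):
    """Wrap bytes in PEM armour (used here for constructed sample data)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed placeholders, not real certificates.
LEAF, ROOT = b"constructed-leaf-der", b"constructed-vmc-root-der"
BUNDLE = make_pem(LEAF) + make_pem(ROOT)
TRUSTED = {hashlib.sha256(ROOT).hexdigest()}
VMC_RECORD = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
LOGO_ONLY = "v=BIMI1; l=https://example.com/logo.svg"
```

A matching fingerprint only identifies the trust anchor; a validator still has to verify the chain signatures and the name, expiry and key usage steps that appear in the log quoted in the thread.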