Re: [mailop] BIMI status and interoperation possibilities

2021-11-08 Thread Tom Kulzer via mailop
Emails from our blog come from the aweber.com domain which uses BIMI and is VMC 
authenticated.

https://blog.aweber.com/

-Tom


> On Nov 1, 2021, at 12:26 PM, Vsevolod Stakhov via mailop wrote:
> 
> Hello Al,
> 
> That works like a charm, thank you!
> 
> [2021-11-01T16:09:24.566Z INFO  bimi_agent::mini_pki] added trusted CA
> cert with fp
> 504386c9ee8932fecc95fade427f69c3e2534b7310489e300fee448e33c46b42
> [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] got valid pem for
> domain cnn.com
> [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verify domain cnn.com
> against pattern cnn.com
> [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified name for
> domain cnn.com
> [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified expiry for
> domain cnn.com
> [2021-11-01T16:09:24.567Z DEBUG bimi_agent::cert] verified key usage for
> domain cnn.com
> [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] verified PKI for
> domain cnn.com
> [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] got data url for cnn.com
> [2021-11-01T16:09:24.568Z DEBUG bimi_agent::cert] got data url for
> data:image/svg+xml;base64,H4...
> [2021-11-01T16:09:24.569Z INFO  bimi_agent::handler] processed
> certificate for cnn.com
> 
> They use the same digicert chain and are hosted by Valimail.
> 
> For now, I'm interested in VMC-based BIMI records as I have totally no
> idea what to do with non-VMC, as any malicious actor can send
> their email and publish, e.g., the Google logo for any possible domain once
> it has valid DMARC as well.
> 
> I could use our DMARC_WHITELIST list for that purpose but I need to
> think about it...
> 
> VMC is hard and expensive to obtain indeed but it provides at least some
> level of trust.
> 
> Presumably we should use some other consensus and authority system for this
> stuff nowadays aside from PKI with CAs who could clearly do bad things for
> profit (like they did many times in the past).
> 
> I would also like to say thanks to other people who have replied as I
> don't want to amplify ML traffic by individual messages solely with this
> purpose :)
> 
> On 01/11/2021 15:40, Al Iverson wrote:
>> CNN has implemented VMC:
>> https://www.digicert.com/news/pr/digicert-issues-certificate-to-cnn-for-bimi-email-standard/
>> https://xnnd.com/dns.cgi?t=bimi&d=cnn.com
>> Their newsletters would be good emails to sign up for, for testing
>> your BIMI implementation:
>> https://www.cnn.com/newsletters
>> 
>> If you want mail from a non-VMC using sender that publishes a BIMI
>> record, perhaps wish.com?
>> https://xnnd.com/dns.cgi?t=bimi&d=wish.com&m=
>> https://www.wish.com/
>> 
>> Hope that helps!
>> 
>> Cheers,
>> Al Iverson
>> 
>> On Mon, Nov 1, 2021 at 10:08 AM Vsevolod Stakhov via mailop wrote:
>>> 
>>> Hello,
>>> 
>>> I'm currently building a prototype of BIMI agent in Rspamd as per this
>>> Github issue: https://github.com/rspamd/rspamd/issues/3935
>>> 
>>> However, this technology seems to be very immature and only fragmentarily
>>> documented in some aspects. I was able to find just one (!) valid VMC
>>> for the `valimail.com` domain in the wild. Other participants of the BIMI WG
>>> either do not publish BIMI records (e.g. Google), provide just an image
>>> without VMC (e.g. Proofpoint) or even publish an expired VMC (e.g.
>>> Paypal)...
>>> 
>>> Furthermore, even a valid VMC from Valimail does not include any
>>> system-wide trusted CA apart from the specific VMC CA that is neither trusted
>>> by the system nor cross-signed by other DigiCert CAs (so I had to implement
>>> my own PKI based on trusted fingerprints which is acceptable but not
>>> pleasant).
>>> 
>>> For now, I'm looking for some other options to test BIMI and one thing
>>> I'm missing critically is an example of an email that could be validated
>>> by DMARC for a domain that has a valid BIMI record (either normal but
>>> preferably with VMC). So I would appreciate any help in getting such
>>> messages, e.g. if anyone who can send email on behalf of the Valimail.com
>>> domain could send me a message with any content to my personal email.
>>> 
>>> I would also appreciate any information about where to get further
>>> details without signing any sort of bogus agreements which I personally
>>> will never ever sign (as I have a strong belief that all Internet
>>> standards must be open for the general public).
>>> ___
>>> mailop mailing list
>>> mailop@mailop.org
>>> https://list.mailop.org/listinfo/mailop



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
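
Added example (not from the thread, and not Rspamd's or the BIMI agent's code): a sketch of the display policy discussed in the message above, where a logo is shown for a verified VMC and a self-asserted record is shown only for domains the operator already trusts. The function names, the `vmc_ok` input (standing in for the chain, name, expiry and key-usage checks seen in the log), the allowlist and the sample records are assumptions constructed for illustration.

```python
from typing import Optional, Set, Tuple


def parse_bimi(txt: str) -> Optional[dict]:
    """Parse a BIMI TXT value into {'l': ..., 'a': ...}; None if unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=BIMI1":
        return None                      # version tag must come first
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    rec = {"l": tags.get("l", ""), "a": tags.get("a", "")}
    # Logo (l=) and evidence (a=) locations must both be HTTPS when present.
    if any(u and not u.lower().startswith("https://") for u in rec.values()):
        return None
    return rec if rec["l"] or rec["a"] else None


def logo_decision(domain: str, dmarc_pass: bool, dmarc_policy: str,
                  bimi_txt: Optional[str], vmc_ok: bool,
                  allowlist: Set[str]) -> Tuple[bool, str]:
    """Return (show_logo, reason) for one message."""
    # BIMI requires a DMARC pass under an enforcing policy.
    if not dmarc_pass or dmarc_policy not in ("quarantine", "reject"):
        return False, "dmarc"
    rec = parse_bimi(bimi_txt) if bimi_txt else None
    if rec is None:
        return False, "no-record"
    if rec["a"]:
        # Evidence published: trust only a VMC that passed every check.
        # A failed or expired VMC gets no allowlist fallback (a design choice).
        return (True, "vmc") if vmc_ok else (False, "vmc-invalid")
    # Self-asserted logo: any DMARC-aligned domain can publish any image,
    # so show it only for senders the operator already trusts.
    if domain.lower() in allowlist:
        return True, "allowlisted"
    return False, "self-asserted"


# Constructed sample data (not real DNS records).
ALLOW = {"newsletter.example"}           # hypothetical operator allowlist
VMC_TXT = "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"
PLAIN_TXT = "v=BIMI1; l=https://lookalike.example/logo.svg"

if __name__ == "__main__":
    print(logo_decision("brand.example", True, "reject", VMC_TXT, True, ALLOW))
    print(logo_decision("lookalike.example", True, "reject", PLAIN_TXT, False, ALLOW))
```
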


Re: [mailop] Anyone from Virgin Media here?

2021-11-08 Thread James Hoddinott via mailop
Hey Mark,

Let me know the IP(s) you're sending from and I can take a look at the data
to see what's happening.

On Sat, 6 Nov 2021 at 22:12, Mark Dale via mailop wrote:

>
> Hi,
>
> Is there anyone from Virgin Media here?
>
> We've recently started seeing email addressed to "@ntlworld.com" and
> "@blueyonder.co.uk" get blocked with an NDR of "...Temporary SMC Policy
> Violation detected...".
>
>
> Thanks,
> Mark
>
>
> --
> -- - --
>MailmanLists
>www.mailmanlists.net
>Tel: +61 .2 61003121
> -- - --


-- 
James Hoddinott