Despite years upon years of attempts to drive phishing scams out of the email ecosystem, fraudulent messages are still painfully commonplace. Last year, Google announced support for BIMI, a standard aimed at verifying major organizations and loading in additional metadata for improved security. The rollout began with G Suite users almost a full year ago while the bugs were worked out of the system, but it’s now coming to the rest of Gmail.
BIMI, short for Brand Indicators for Message Identification, is the result of a collaboration between major messaging companies and marketers including the likes of Google, MailChimp, Verizon Media, Twilio, and others. While the implementation details include a number of enhancements that help with authenticating the original senders and maintaining security, there’s one specific user-facing manifestation: Gmail will show their logos.
It may sound a bit oversimplified, but the intent is that verified senders will get their logo in the avatar image. This spot has historically shown just an oversized first letter of the sender’s name, but may also show a profile image if it comes from another Gmail account. This is meant to indicate that the sender and the message have been authenticated.
On the technical side, organizations will have to use either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) to send messages and deploy DMARC (Domain-based Message Authentication, Reporting, and Conformance) so a recipient is capable of clearly authenticating the source of a message. Once a message passes these security checks, the recipient reaches out to a verifying authority through the BIMI protocol, at which point it can be served the logo of the organization.
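To make the prerequisites concrete, here is an added example (not code from the article or from Google) that applies the DMARC-at-enforcement rule and parses a BIMI assertion record to decide whether a logo may be shown. It assumes the record formats from the BIMI draft spec (a `v=BIMI1` TXT record with an `l=` logo URL and optional `a=` certificate URL, and DMARC with `p=quarantine`/`p=reject`, `pct=100` and no `sp=none`); the sample records and the example.com domain are constructed placeholders, and a real checker would fetch them from DNS.

```python
from typing import Optional

def parse_tag_value(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DNS TXT record into a dict of lowercased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(dmarc_txt: str) -> bool:
    """BIMI requires DMARC at enforcement (assumed rules from the BIMI draft):
    p=quarantine or p=reject, pct not below 100, and no weaker subdomain policy."""
    t = parse_tag_value(dmarc_txt)
    if t.get("v") != "DMARC1" or t.get("p", "none") not in ("quarantine", "reject"):
        return False
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False
    if t.get("sp", t["p"]) not in ("quarantine", "reject"):
        return False
    return True

def bimi_logo(bimi_txt: str) -> Optional[str]:
    """Return the logo URL from a BIMI assertion record, or None if the record
    is not v=BIMI1, lacks an l= tag, or the logo is not served over HTTPS."""
    t = parse_tag_value(bimi_txt)
    if t.get("v") != "BIMI1":
        return None
    url = t.get("l", "")
    return url if url.startswith("https://") else None

def bimi_eligible(dmarc_txt: str, bimi_txt: str) -> Optional[str]:
    """Logo URL a receiver could display only if DMARC passes enforcement
    AND the BIMI record is usable; otherwise None (fall back to the initial)."""
    if not dmarc_enforcing(dmarc_txt):
        return None
    return bimi_logo(bimi_txt)

# Constructed sample records (placeholder domain), as they would appear at
# _dmarc.example.com and default._bimi.example.com respectively.
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=quarantine; pct=10"
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem"
```

Note that the `a=` certificate URL is parsed but not validated here; verifying the Verified Mark Certificate against the verifying authority is the step this example leaves to the receiving mail system.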
While this should give recipients the confidence that incoming messages have gone through rigorous validation, it’s not entirely clear if Google is using any methods to prevent Gmail and G Suite accounts from abusing the avatar image. Regardless, this is still raising the stakes against fraudulent mailers and improving security for organizations that are most often targeted.
Google says the rollout is beginning today, but will take a few weeks to reach everybody. Once it’s rolled out, you still may not notice much difference if the messages coming to you are from senders that haven’t registered with a verifying authority or simply don’t use all of the same security measures.