Email Security feature request: BIMI


It would be good for Cloudflare to offer ease of Brand Indicators for Message Identification (BIMI) configuration. This feature doesn’t really seem to be offered widely, just like MTA-STS configuration.

It would be very simple for Cloudflare to implement, as BIMI just requires DNS and file hosting with SSL, both of which are offered by Cloudflare.

Cloudflare R2 should be able to just host and serve that single file.

When you combine DNS, web hosting and SSL certificates, all to configure a single thing, it just becomes a bit too much to maintain, unless they’re all offered in a single pane.

Looking forward to it.


Unlike with MTA-STS, BIMI is not trivial to deploy for Cloudflare.

For starters, you need the logo in a very specific format, and the user needs to provide that. Then you need a Verified Mark certificate, which involves a manual verification process by the CA, and they currently retail for about €1,000. Only two CAs provide BIMI certs at the moment, and even their sales teams will tell you that they don’t know what you are talking about.

We need to see more use of BIMI by mailbox providers before I expect it to get any traction in the market.

And I just checked my old notes: most larger domains would have a lot of work to do to use BIMI. It is more than just the TXT record and image.

Your DMARC records must be set to p=reject, and you need either DKIM or SPF alignment. Depending on your environment, that might be a lot of work (it was for us when we did this a few years ago).

And then, even with a VM certificate, mailbox providers might think about displaying your BIMI logo, but it is not a guarantee. But as far as I recall, the major mailbox providers require a VM certificate.
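A pre-check for the requirements listed in the post above (DMARC policy, DKIM or SPF alignment, the BIMI TXT record and its certificate URL), as an added example that is not part of the thread. The function names, the sample domains and records, and the caller-supplied organizational domain (used in place of a Public Suffix List lookup) are assumptions.

```python
# Added example: BIMI readiness pre-check over already-fetched TXT records.
# All domains and record strings used with it are constructed sample values.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record (DMARC and BIMI share this shape)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(from_domain, auth_domain, mode, org_domain):
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed
    (same organizational domain, passed in by the caller as an assumption)."""
    f, a, o = from_domain.lower(), auth_domain.lower(), org_domain.lower()
    if mode.lower() == "s":
        return f == a
    def under(d):
        return d == o or d.endswith("." + o)
    return under(f) and under(a)

def bimi_findings(dmarc_txt, bimi_txt, from_domain, dkim_d, spf_mailfrom, org_domain):
    """Return a list of problems; an empty list means the pre-check passed."""
    problems = []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    # Policy level as stated in the post above (p=reject).
    if dmarc.get("p", "").lower() != "reject":
        problems.append("DMARC policy is not p=reject")
    dkim_ok = bool(dkim_d) and aligned(from_domain, dkim_d, dmarc.get("adkim", "r"), org_domain)
    spf_ok = bool(spf_mailfrom) and aligned(from_domain, spf_mailfrom, dmarc.get("aspf", "r"), org_domain)
    if not (dkim_ok or spf_ok):
        problems.append("neither DKIM nor SPF is aligned with the From domain")
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    if not bimi.get("l", "").lower().startswith("https://"):
        problems.append("BIMI l= logo URL missing or not HTTPS")
    if not bimi.get("a"):
        problems.append("no a= certificate URL (no VMC published)")
    return problems

if __name__ == "__main__":
    print(bimi_findings("v=DMARC1; p=none", "v=BIMI1; l=https://example.com/logo.svg",
                        "example.com", "esp-vendor.example", None, "example.com"))
```

The DKIM `d=` and SPF MailFrom domains come from the `Authentication-Results` header of a real message sent through each mail stream, which is where third-party senders usually show up as unaligned.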

Yes, and the customer’s design or web team should be able to provide that. It’s just SVG Tiny PS.

This is not a must, but a recommendation:

Step 3 (Recommended, but Optional)

Acquire a Verified Mark Certificate (VMC) for Your Logo
Implementation Guide - BIMI Group

lol! Yeah, and the cost needs to come down as well!

Very few mailbox providers support BIMI at all.

Gmail (not an insignificant mailbox provider!) require VMCs, and I think Yahoo does as well. Fastmail do not, but they are much smaller than the other two. So a VMC is not mandatory, but it is required!

Oh wow! That’s a bit off-putting for small businesses, I guess, given the cost of the VMCs.

Anywhere Google has this documented?

This answers for it:

Although a VMC is optional, many email clients, including Gmail, require a VMC to display your brand logo in the inbox.

At the moment - BIMI VMC certs are $1k/annum

If Cloudflare got into this game - do you have plans to issue BIMI VMC certs yourself?

We actually need you to step in and drive down the cost, with the help of a partner or otherwise.

