Email Security feature request: BIMI

Hi,

It would be good for Cloudflare to offer easy Brand Indicators for Message Identification (BIMI) configuration. This feature doesn’t really seem to be offered widely, just like MTA-STS configuration.

It would be very simple for Cloudflare to implement, as BIMI just requires DNS and file hosting with SSL, both of which are offered by Cloudflare.

Cloudflare R2 should be able to just host and serve that single file.

When you combine DNS, web hosting and SSL certificates, all to configure a single thing, it just becomes a bit too much to maintain, unless they’re all offered in a single pane.

Looking forward to it.

Thanks,

1 Like

Unlike with MTA-STS, BIMI is not trivial to deploy for Cloudflare.

For starters, you need the logo in a very specific format, and the user needs to provide that. Then you need a Verified Mark certificate, which involves a manual verification process by the CA, and they currently retail for about €1,000. Only two CAs provide BIMI certs at the moment, and even their sales teams will tell you that they don’t know what you are talking about.

We need to see more use of BIMI by mailbox providers before I expect it to get any traction in the market.

1 Like

And I just checked my old notes: most larger domains would have a lot of work to do to use BIMI; it is more than just the TXT record and image.

Your DMARC records must be set to p=reject, and you need either DKIM or SPF alignment. Depending on your environment, that might be a lot of work (it was for us when we did this a few years ago).

And then, even with a VM certificate, mailbox providers might think about displaying your BIMI logo, but it is not a guarantee. But as far as I recall, the major mailbox providers require a VM certificate.
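The prerequisites listed in the post above, written as a check over a domain's DMARC and BIMI TXT record strings. This is an added example, not part of the thread and not Cloudflare tooling; the function names are hypothetical and the p=reject rule follows the post as written. DKIM/SPF alignment is a per-message property and is not checked here.

```python
# Added example: BIMI prerequisite check over TXT record strings.
# Function names and the sample records used with it are constructed.
from urllib.parse import urlparse


def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict (lowercase tags)."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(dmarc_txt, bimi_txt):
    """Return {'errors': [...], 'warnings': [...]} for one domain's records."""
    errors, warnings = [], []

    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        errors.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() != "reject":
        # Policy rule as stated in the post above (p=reject).
        errors.append("DMARC policy is not p=reject")

    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        errors.append("no valid BIMI record")
        return {"errors": errors, "warnings": warnings}

    logo = urlparse(bimi.get("l", ""))
    if logo.scheme != "https" or not logo.netloc:
        errors.append("l= must be an https:// URL to the logo")
    elif not logo.path.lower().endswith(".svg"):
        # Heuristic only: the file must be SVG Tiny PS, which a name cannot prove.
        warnings.append("l= does not end in .svg")

    vmc = urlparse(bimi.get("a", ""))
    if not bimi.get("a"):
        # Optional in the record, but Gmail will not show the logo without it.
        warnings.append("no a= (VMC) published")
    elif vmc.scheme != "https" or not vmc.netloc:
        errors.append("a= must be an https:// URL to the certificate")

    return {"errors": errors, "warnings": warnings}
```

Feed it the TXT values published at `_dmarc.<domain>` and `default._bimi.<domain>`; an empty `errors` list means the DNS side is in place, not that a mailbox provider will display the logo.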

Yes, and the customer’s design or web team should be able to provide that. It’s just SVG Tiny PS.

This is not a must, but a recommendation:

Step 3 (Recommended, but Optional)

Acquire a Verified Mark Certificate (VMC) for Your Logo
Implementation Guide - BIMI Group

lol! Yeah, and the cost needs to come down as well!

Very few mailbox providers support BIMI at all.

Gmail (not an insignificant mailbox provider!) require VMCs, and I think Yahoo does as well. Fastmail do not, but they are much smaller than the other two. So a VMC is not mandatory, but it is required!

Oh wow! That’s a bit off-putting for small businesses, I guess, given the cost of the VMCs.

Anywhere Google has this documented?

1 Like

Thanks

This answers for it:

Although a VMC is optional, many email clients, including Gmail, require a VMC to display your brand logo in the inbox.

At the moment - BIMI VMC certs are $1k/annum

If Cloudflare got into this game - do you have plans to issue BIMI VMC certs yourself?

We actually need you to step in and drive down the cost, with the help of a partner or otherwise.

1 Like

Following. Totally agree, this is a huge missed opportunity. Why leave it to entrustDOTcom and digicertDOTcom??

I just upvoted the feature request. Could be great if Cloudflare could deliver a VMC.

1 Like

Voted up on this too. Cloudflare has been a disruptor and gamechanger in this space. Would be pro-business if they issue VMCs at an affordable price to the masses too.

This has been around for years; adoption is ridiculously slow due to the inaccessible price set by incumbents. Internet security should be accessible to all, and should be the global standard in this era.

Time waits for nobody. Change this now.

1 Like

I’ve just upvoted this. We are in 2023 and unfortunately nothing has changed. Entrust charges $1,200/yr for a VMC and Digicert charges $1,499/yr which is really off-putting for SMBs. In the best interest of everyone, I’d love to see Cloudflare offering this with an easier process and a more affordable pricing.

1 Like

Here for the same. VMC seems ridiculous.

1 Like