DNS Esoterica: BIMI - SVG in DNS TXT WTF?!
You've been on the Internet a long time, right? Of course you know what BIMI is. All the cool kids do. But, for those of you who aren't hip to the jive of the Infobahn...
BIMI (Brand Indicators for Message Identification) is a new standard that can curb the issue of online impersonators. ... BIMI is a new standard that enables you to include your company’s logo alongside the emails you send. That way, your brand stands out among other emails, and your customers are sure that the emails are legitimate. How To Create a BIMI record
Wow! Much innovation! Such security! There's no way a fraudster could put a bank's logo on their dodgy spam, right?
*sigh*
OK, so in order for this not to be abused, most email providers require brands to pay for an expensive Verified Mark Certificate (VMC) - a digital certificate which says that you are the trademark owner of the logo.
How much does it cost?
US$1,499.00
Per year! No wonder no one is using BIMI.
Then it's just a case of sticking something like this in your DNS TXT records, at default._bimi.example.com:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/certificate.pem
That's nice, and all, but I don't think I've ever seen one in the wild. Even the BIMI Group haven't bothered paying for the VMC!
One of the few organisations who have set this up correctly is DigiCert. Because they're one of the orgs you can buy this service from.
dig txt default._bimi.digicert.com
will get you:
;; ANSWER SECTION:
default._bimi.digicert.com. 3600 IN TXT "v=BIMI1; l=https://www.digicert.com/resources/DigiCertLogo_WhiteOnBlue.svg; a=https://cacerts.digicert.com/digicert_com_vmc_WhiteOnBlue.pem"
You can read the PEM certificate using: openssl x509 -in digicert_com_vmc_WhiteOnBlue.pem -noout -text
Inside, in the certificate's logotype extension, you'll find this nugget:
data:image/svg+xml;base64,H4sIAAAAAAAACo1XXW/jRhJ8tn8FwzwF4NDzzaFhb3BRckmADRAgwL4eHFoxhePZhqiVN/…
Hmmm… H4sIAAA is the start of a base64 encoded gzip stream: those first four characters decode to the bytes 1f 8b 08, which are the gzip magic number followed by the deflate method byte.
Once base64-decoded and gunzipped, we find… the SVG logo!
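To make the record format and the H4sI trick concrete, here is an added Python example (it is not code from this post, from the BIMI Group or from DigiCert). It parses a BIMI assertion record, joining the 255-byte character-strings a resolver hands back with no separator, unpacks a data: URI of the kind found in the certificate's logotype extension, and runs a couple of sanity checks on the SVG. The sample record reuses the DigiCert URLs shown above; the logo, its data URI, the split helper and the baseProfile/script checks are constructed for this example and are an assumed minimum, not a full SVG Tiny P/S validation.

```python
"""Added example: parse a BIMI assertion record and unpack the gzip+base64
SVG logo carried in a VMC's logotype extension."""
import base64
import gzip
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
GZIP_MAGIC = b"\x1f\x8b\x08"   # base64-encodes to the tell-tale "H4sI"
TXT_STRING_MAX = 255           # limit per <character-string>, not per TXT record


def parse_bimi_record(strings):
    """Parse the tag=value pairs of one _bimi TXT record.

    `strings` is the list of character-strings in the TXT RDATA; a record
    longer than 255 bytes arrives as several of them and they are joined
    without any separator before parsing.
    """
    record = "".join(strings)
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("not a v=BIMI1 record")
    for tag in ("l", "a"):          # both must be https if present; empty l= is allowed
        url = tags.get(tag, "")
        if url and not url.startswith("https://"):
            raise ValueError(f"{tag}= must be an https URL, got {url!r}")
    return tags


def split_for_txt(record):
    """Split a (ASCII) record into <=255-byte strings for the zone file."""
    data = record.encode("ascii")
    return [data[i:i + TXT_STRING_MAX].decode("ascii")
            for i in range(0, len(data), TXT_STRING_MAX)]


def decode_logotype_data_uri(uri):
    """Recover the SVG bytes from the data: URI in a VMC's logotype extension."""
    header, sep, payload = uri.partition(",")
    if not sep or header != "data:image/svg+xml;base64":
        raise ValueError(f"unexpected data URI header: {header!r}")
    raw = base64.b64decode(payload, validate=True)
    if raw.startswith(GZIP_MAGIC):  # the "H4sI" case: gunzip before use
        raw = gzip.decompress(raw)
    return raw


def check_svg(svg_bytes):
    """Assumed sanity checks on the logo; returns a list of problems (empty = OK).

    Not a full SVG Tiny P/S validator: it only confirms the document is
    well-formed XML rooted at <svg>, declares the tiny-ps profile, and
    contains no <script> element.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != SVG_NS + "svg":
        problems.append(f"root element is {root.tag!r}, not <svg>")
    if root.get("baseProfile") != "tiny-ps":
        problems.append("baseProfile is not 'tiny-ps'")
    if any(el.tag == SVG_NS + "script" for el in root.iter()):
        problems.append("contains a <script> element")
    return problems


# Constructed sample record, split the way a resolver would return it.
SAMPLE_TXT_STRINGS = [
    "v=BIMI1; l=https://www.digicert.com/resources/DigiCertLogo_WhiteOnBlue.svg; ",
    "a=https://cacerts.digicert.com/digicert_com_vmc_WhiteOnBlue.pem",
]
# Constructed logo and data URI; a real VMC carries the brand's own artwork.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps">'
              b'<title>Example</title><rect width="64" height="64" fill="#0064c8"/></svg>')
SAMPLE_DATA_URI = "data:image/svg+xml;base64," + base64.b64encode(gzip.compress(SAMPLE_SVG)).decode()
SCRIPTED_SVG = SAMPLE_SVG.replace(b"<title>", b"<script>alert(1)</script><title>")

if __name__ == "__main__":
    print(parse_bimi_record(SAMPLE_TXT_STRINGS))
    print(SAMPLE_DATA_URI[:40])  # payload starts with H4sI
    logo = decode_logotype_data_uri(SAMPLE_DATA_URI)
    print(logo.decode(), check_svg(logo), check_svg(SCRIPTED_SVG))
```

The gzip check is deliberately on the decoded bytes rather than on the "H4sI" text, so it also works when the base64 payload has been wrapped or padded differently; a certificate whose logotype is not compressed at all simply passes straight through.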
It's fairly obvious that people want a nice logo next to their email in your inbox. If you're on GMail, you're probably used to seeing your friends' faces smiling back at you. But that only works if everyone is on the same email system. So BIMI is a reasonable idea for a cross-provider standard.
Downsides
There are several problems with BIMI.
The first is cost. If it were free then AbsolutelyYourBank@trust_me.biz could use the HSBC logo with impunity. I'm sure an extremely dedicated fraudster could spend the $1.5k and fool DigiCert into certifying their illegitimate use of someone else's logo. But it's unlikely to happen.
There's also a privacy issue. Because the BIMI logos are stored on a website, the website owner could track when they were downloaded and use that to work out who was reading their emails. Thankfully, both GMail and Yahoo proxy the images - so the provider doesn't get any additional analytics benefit.
Support is poor in GMail. Here's an email from LinkedIn: As you can see, the BIMI logo is displayed by the email address - but is absent in the contact view.
Finally, each string inside a DNS TXT record is limited to 255 bytes. A longer record has to be split into chunks which the receiver concatenates back together, and there is certainly no room for the image itself. That's why the record carries a (fairly short) link to the logo rather than the logo.
Is it worth it?
I think the marketplace of ideas has answered this with a fairly resounding "no".
You can track adoption at BIMI Radar.

It would be great to stick your face, logo, or picture next to every email you send. But the risk from fraudsters is just too high.
The cost of certification is necessary to stop misuse - but that also means that smaller brands and individuals are locked out. Which isn't what we want from an open Internet.
There's no worldwide brand registry which can certify your use of an image. And, even if there were, it would be a huge single-point-of-failure.
The conversation about BIMI chugs on in IETF mailing lists. Do get involved if you think you have something of value to add.
This doesn't seem to mention the WIPO logo requirement, which is kinda important. For LinkedIn/gmail that appears correct; BIMI is for domain not individual sender.
I do, however, like that in order to have BIMI working properly, they enforce proper SPF settings. Fun way to force brands to sort that out.
Ivan says:
To be fair, there's the Face header, but it only supports base64-encoded 48x48 PNG images: http://quimby.gnus.org/circus/face/ It's an improvement on the X-Face header, which is supposed to contain 48x48 bitmaps.
Either way, almost no e-mail client supports these headers.
Marc van der Wal says:
BIMI assertion records can actually exceed 255 characters, because (quoting draft-brand-indicators-for-message-identification-05, § 4):
This means that you need to split your BIMI assertion record’s text data in chunks each not exceeding 255 bytes, and receiving systems must concatenate each string together without adding any whitespace.
More comments on Mastodon.