|
Nowadays, with increasing digitalization and internet usage, email is a central communication tool. This holds true even despite the high popularity of instant messaging apps and social media. Email remains the favorite means of business communication worldwide, both in B2B and B2C. In 2019, 293.6 billion emails were sent and received. By 2025, this number will grow even more. It is predicted that we will send and receive 376.4 billion emails per day. In this scenario, implementing security features for email communications has become absolutely essential.
After a pilot project in the past years, the world’s most widely used email services, such as Gmail and Hotmail, have adopted Brand Indicators for Message Identification (BIMI) and the Verified Mark Certificate (VMC) to heighten the digital presence for brands and ensure more security in the mailbox. With this pioneering method, the official logo is placed next to the email, becoming an eye-catching feature, boosting recognition and building trust while working against email spoofing threats.
With the exchange of information carried out through emails every day, cybercriminals have adapted their targets accordingly. Emails have been heavily affected by security and privacy issues, phishing attacks and malware distribution. This is why email security needs to take on a leading role. Hackers use triggers that are not strictly related to technical vulnerabilities but rather rely on human behavior. The human factor in cybersecurity is crucial.
For a cyber threat based on email campaign to be effective, three main elements are required:
This last point is very common and has evolved into many different forms, such as the CEO fraud, whaling and Business Email Compromise (BEC). According to Mimecast’s deductions reported in “The State of Brand Protection 2021”, brand impersonations rose to 39.2 billion in February 2021, an increase of 170% compared to 2019. Having a clear indication of who the sender has never been more important.
What if you could send a clear signal of trustworthiness with your email? The Verified Mark Certificate (VMC) helps brand your email communications with your trademarked logo. When implemented fully, the VMC allows placement of the brand logo directly next to the sender’s email address. Recipients can immediately see that the email comes from the brand owner before opening it. This instantly creates trust while simultaneously making it difficult for scammers to misuse logos in email communication.
Using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC), companies can protect their email communication against abuse to a certain degree. SPF and DKIM provide other mail servers with instructions about which mail server may send emails from your domain. DMARC provides instructions about how an email should be handled if SPF and DKIM do not apply. Adding VMC as a third instance here, the displayed logo adds an additional step, improving the protection of your email communication.
In order to acquire a VMC, certain legal and technical requirements must be met. On the legal side, your logo must be registered as an active word and/or image mark at one of the eight currently authorized trademark offices. Certificate Authorities use this, as well as other verification processes (personal identification, notarized certification, video call) to verify your trademark and your company. On the technical side, SPF, DKIM and DMARC must be set up correctly for your emails.
DMARC is available to all domain owners on the condition that the responsible Internet Service Provider (ISP) supports it. The administrator of the receiving mailbox must also support DMARC. An SPF and DKIM record are respectively required to create a DMARC record.
The implementation of DMARC mainly takes place via a TXT record in the domain zone. Let’s take a step-by-step look at the process.
_dmarc TTL IN TXT
"v=DMARC1;p=policy;pct=100;
rua=mailto:[email protected]"
In order to qualify for a Verified Mark Certificate, you must own a registered trademark logo. The reason for this is that the spoofing of a logo protected by a registered trademark is much more difficult. Once you have proof of your registered trademark, you can complete the stringent validation process with a provider and the certificate authority (CA). The validation process entails three stages:
After completing the validation, you can implement your verified logo on the mail server and in the DNS. To do this, first upload your logo to your mail server.
Important: The relevant logo must be uploaded in scalable vector graphics format as a .SVG file. The final step is to create a TXT record in the zone of the corresponding domain. An example of this is:
bimi TTL 3600 IN TXT v=BIMI1;l=https://images.yourdomain.com/brand/bimilogo.svg; a=https://images.yourdomain.com/ brand/certificate.pem
After this has been set up correctly, the logo should be displayed next to your emails in the inbox of systems that support VMC.
With rising cyberthreats coming from emails, it is important to implement the highest security level. VMC contributes several advantages to enhancing your digital presence in the mailbox, not only helping end users to recognize the actual brand identity, but also facilitating better classification of messages by mail servers. These are four reasons why VMC is great for mailbox security.
In today’s world, in which emails can play such a critical role in the success of a business, the benefits of implementing a Verified Mark Certificate are evident. Recipients can immediately see that the email comes from the brand owner before opening it. This instantly creates trust while simultaneously making it difficult for scammers to succeed with their phishing campaigns.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
I’d note that modern email standards already allow for this without requiring any additional work or additional DNS records.
1. Obtain an email signing certificate from your current certificate provider for the email address in your domain used to send the emails.
2. Configure your email software to sign outgoing emails using the certificate and associated private key. See the S/MIME standards for more information.
That’s it. As an additional benefit the signature not only verifies that the email came from the correct address, it confirms that the email hasn’t been altered in transit by a third party to add hostile content or redirect links. All modern email software supports S/MIME out-of-the-box.
Note: SPF, DKIM and DMARC are strongly recommended regardless of how you handle email validation, as is DNSSEC to insure DNS records can’t be tampered with or forged. As an additional matter, DANE (TLSA records) should be considered (even though it’s currently not widely implemented) and service and software providers encouraged to support it. DANE allows you to tell client software which root certificates are allowed for your domains, and can be used to operate an in-house private certificate authority on an even footing with the well-known certificate authorities. Nobody can identify who should have certificates for your domains better than you.
Todd, afaik S/MIME doesn't have anything to do with logo display in email, which is what BIMI and VMC are all about.
The problem is that BIMI require downloading and rendering remote content, something that's by default disabled for modern email clients. S/MIME and the associated SSL certificates, OTOH, can be validated and the organization name displayed without requiring downloading remote content (except maybe for CRLs, and those don't require rendering their content so are generally safer). Why can't you download remote content safely even from a "trusted" site? See https://sansec.io/research/naturalfreshmall-mass-hack for the latest example: the site you're downloading the logo from may have been compromised and the logo replaced by hostile content.