Nowadays, with increasing digitalization and internet usage, email is a central communication tool. This holds true even despite the high popularity of instant messaging apps and social media. Email remains the favorite means of business communication worldwide, both in B2B and B2C. In 2019, 293.6 billion emails were sent and received. By 2025, this number will grow even more. It is predicted that we will send and receive 376.4 billion emails per day. In this scenario, implementing security features for email communications has become absolutely essential.

After a pilot project in the past years, the world’s most widely used email services, such as Gmail and Hotmail, have adopted Brand Indicators for Message Identification (BIMI) and the Verified Mark Certificate (VMC) to heighten the digital presence for brands and ensure more security in the mailbox. With this pioneering method, the official logo is placed next to the email, becoming an eye-catching feature, boosting recognition and building trust while working against email spoofing threats.

Email security is more relevant than ever

With the exchange of information carried out through emails every day, cybercriminals have adapted their targets accordingly. Emails have been heavily affected by security and privacy issues, phishing attacks and malware distribution. This is why email security needs to take on a leading role. Hackers use triggers that are not strictly related to technical vulnerabilities but rather rely on human behavior. The human factor in cybersecurity is crucial.

For a cyber threat based on email campaign to be effective, three main elements are required:

1. Instilling a sense of urgency to induce a malicious action, such as opening an attachment.
2. An invitation to click on a link and provide data and confidential information.
3. Presentation of the email sender as an authoritative, factual source or pretending to be the actual company behind the email.

This last point is very common and has evolved into many different forms, such as the CEO fraud, whaling and Business Email Compromise (BEC). According to Mimecast’s deductions reported in “The State of Brand Protection 2021”, brand impersonations rose to 39.2 billion in February 2021, an increase of 170% compared to 2019. Having a clear indication of who the sender has never been more important.

VMC to protect branded email communications

What if you could send a clear signal of trustworthiness with your email? The Verified Mark Certificate (VMC) helps brand your email communications with your trademarked logo. When implemented fully, the VMC allows placement of the brand logo directly next to the sender’s email address. Recipients can immediately see that the email comes from the brand owner before opening it. This instantly creates trust while simultaneously making it difficult for scammers to misuse logos in email communication.

Using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC), companies can protect their email communication against abuse to a certain degree. SPF and DKIM provide other mail servers with instructions about which mail server may send emails from your domain. DMARC provides instructions about how an email should be handled if SPF and DKIM do not apply. Adding VMC as a third instance here, the displayed logo adds an additional step, improving the protection of your email communication.

What are the requirements for a VMC?

In order to acquire a VMC, certain legal and technical requirements must be met. On the legal side, your logo must be registered as an active word and/or image mark at one of the eight currently authorized trademark offices. Certificate Authorities use this, as well as other verification processes (personal identification, notarized certification, video call) to verify your trademark and your company. On the technical side, SPF, DKIM and DMARC must be set up correctly for your emails.

Who can use DMARC?

DMARC is available to all domain owners on the condition that the responsible Internet Service Provider (ISP) supports it. The administrator of the receiving mailbox must also support DMARC. An SPF and DKIM record are respectively required to create a DMARC record.

How is DMARC implemented?

The implementation of DMARC mainly takes place via a TXT record in the domain zone. Let’s take a step-by-step look at the process.

1. Decide whether DMARC should be used for the email traffic going over the main domain or over one of its subdomains. To protect your brand optimally, we recommend using the primary domain.
2. Make sure that the essential “DMARC Identifier Alignments” or “Domain Alignments” (SPF and DKIM) have already been implemented in the target domain. If necessary, set these up first. With regard to SPF and DKIM records, take into account any additional email channels, such as email via another email service provider or via your own infrastructure. This is important to avoid DMARC unintentionally blocking these channels.
3. Set up an email address to receive the DMARC reports.
4. Create the TXT record in the domain zone. An example of this is:
   

   _dmarc TTL IN TXT
   "v=DMARC1;p=policy;pct=100;
   rua=mailto:[email protected]"

How can I get a VMC for my trademark logo?

In order to qualify for a Verified Mark Certificate, you must own a registered trademark logo. The reason for this is that the spoofing of a logo protected by a registered trademark is much more difficult. Once you have proof of your registered trademark, you can complete the stringent validation process with a provider and the certificate authority (CA). The validation process entails three stages:

1. Verification of the trademark rights for the respective logo.
2. Verification of the notarized identification documents of the applicant in your organization.
3. Personal or virtual meeting with an employee of the certificate authority in order to verify the identity of the applicant.

After completing the validation, you can implement your verified logo on the mail server and in the DNS. To do this, first upload your logo to your mail server.

Important: The relevant logo must be uploaded in scalable vector graphics format as a .SVG file. The final step is to create a TXT record in the zone of the corresponding domain. An example of this is:

bimi TTL 3600 IN TXT
v=BIMI1;l=https://images.yourdomain.com/brand/bimilogo.svg;
a=https://images.yourdomain.com/ brand/certificate.pem

After this has been set up correctly, the logo should be displayed next to your emails in the inbox of systems that support VMC.

VMC for better cybersecurity

With rising cyberthreats coming from emails, it is important to implement the highest security level. VMC contributes several advantages to enhancing your digital presence in the mailbox, not only helping end users to recognize the actual brand identity, but also facilitating better classification of messages by mail servers. These are four reasons why VMC is great for mailbox security.

• Protects against spoofing and phishing: The verified sender’s identity offered by DMARC and VMC is clear.
• Bypasses spam filters: Your email will not be classified as spam, providing another authenticity signal to email providers.
• Protects against fraudulent logo use: A VMC requires a trademark. This will ensure your logo is not spoofed.
• Avoids DMARC misconfigurations: The DMARC records in the DNS record help identify unauthorized emails and misconfigurations from your domain.

VMC for a personalized and more secure web

In today’s world, in which emails can play such a critical role in the success of a business, the benefits of implementing a Verified Mark Certificate are evident. Recipients can immediately see that the email comes from the brand owner before opening it. This instantly creates trust while simultaneously making it difficult for scammers to succeed with their phishing campaigns.