Agreed, agreed. My $0.02 on the security value of BIMI (and pitch for implementing it) is this: Of the following two domains, one is owned by a major bank and locked down securely with DMARC and the other one currently costs $12 on GoDaddy (it's even discounted!), can you tell which is which? supp...@jpmorganchasebank.com supp...@jpmorganandchasebank.com (No particular reason I picked Chase bank, I just crawled around the whois looking for a good bank company example a while back and bumped into this one first.)
A lot of Chase bank customers probably wouldn't notice the difference in the From address, and if a spammer bought that domain right now they could certainly enforce DMARC on it. BIMI lets the ISP call out the one they are confident is legit (based on history, volume, etc) using the branding mark even if the other one manages to get through their filters. Presumably the ISP's own history/volume/etc requirements and the third-party certificate step (I'm not sure of the status of that) will make a spammer using a visually similar mark as Chase bank's unlikely, but I guess that's the bit that remains to be seen irl. If a company doesn't have BIMI, it's probably not a high priority for them...although I have seen marketers salivate at the thought of brand impressions before the email is even opened...but if they have DMARC already enforced, it's a relatively trivial upgrade to make things that much more secure (and pretty). *Zack Aab*, Senior Deliverability Strategist, Inbox Pros, a Trendline Company *O* +1 (470) 369-6712 <+14703696712> On Fri, Dec 6, 2019 at 6:25 AM Laura Atkins via mailop <mailop@mailop.org> wrote: > > On 6 Dec 2019, at 10:42, Vytis Marciulionis via mailop <mailop@mailop.org> > wrote: > > Hi, > I am not a part of the BIMI working group but, I think it is cool in it's > own way. So I will try to add my 2 cents. > > >> - It is said to increase security for mailbox owners because seeing the >> companies logo they now they can see the message really is from " >> brand.com". >> I still doubt this will work, because I could easily create a logo that >> looks similar to brand.com, but use "brånd.com >> <http://xn--brnd-roa.com/>" including valid >> SPF/DKIM/DMARC which AFAIK are conditions that have to be meet in order >> to >> display a BIMI logo. >> > > For the time being the requirement is to have p=quarantine or p=reject on > DMARC and a pass, also significant volume, engagement and reputation is > necessary for BIMI to appear. > Whereas it is indeed easy to authenticate your domains, spammers still > don't do that due to them constantly switching domains and it being > time-consuming. > > > You have the amount of effort involved in correctly authenticating with > DMARC backwards for spammers and real companies. > > It’s utterly trivial for a spammer to deploy DMARC authenticated email. > They’ve been using disposable domains on disposable IPs for a long time. > The process is automated to a very high degree and every spam message they > send is fully DMARC aligned. The only change they need to make is to change > their deployment scripts to publish one more DNS record. It’s trivial for a > spammer to change domains and have those domains fully DMARC p=reject > compliant. > > For real companies, they need to actually discover where all their mail is > coming from and go through a process of making sure each of those message > streams is authenticated. It can take months for even small senders with > only a few mail pathways to implement DMARC. > > Needless to say, building a reputation with certain providers is also not > something that spammers think of doing or, in most cases, are able to do. > > > You’ve not actually ever talked to companies many here would call > spammers, have you? Spammers think about reputation all the time and work > very hard to try and build a good reputation. There have even been lawsuits > detailing the behavior they go through to try and manipulate their > reputation. > > Now, will spammers be able to take advantage of BIMI? That is currently > unclear to me, but I’m sure they’re following the protocol development very > closely and looking at how they can also have their mail display logos. > > laura > > -- > Having an Email Crisis? We can help! 800 823-9674 > > Laura Atkins > Word to the Wise > la...@wordtothewise.com > (650) 437-0741 > > Email Delivery Blog: https://wordtothewise.com/blog > > > > > > > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
