On Fri, Jan 12, 2024 at 1:03 PM Jaroslaw Rafa via mailop <mailop@mailop.org>
wrote:

> On 12.01.2024 at 11:18:32, Tim Starr via mailop wrote:
> > By publishing the BIMI spec. No one's required to follow the spec, but if
> > they don't, then they're not doing BIMI, and that's not the fault of the
> > spec.
>
> Does the BIMI spec *require* that *only* BIMI-authenticated messages can
> have logos displayed alongside them in the MUA?
>

There is no such thing as "BIMI-authenticated". BIMI isn't authentication,
and doesn't claim to be. I quote from the Abstract of
https://datatracker.ietf.org/doc/html/draft-brand-indicators-for-message-identification

BIMI permits Domain Owners to coordinate with Mail User Agents (MUAs) to
display brand-specific Indicators next to properly authenticated messages.
There are two aspects of BIMI coordination: a scalable mechanism for Domain
Owners to publish their desired Indicators, and a mechanism for Mail
Transfer Agents (MTAs) to verify the authenticity of the Indicator.


The "scalable mechanism" is the DNS, and the "mechanism for MTAs to verify
the authenticity" is the Evidence Document, a.k.a., the VMC.

The current BIMI spec requires that:

   - A message pass DMARC authentication
   - The RFC5322.From domain's DMARC policy be either p=quarantine or
   p=reject
   - The Organizational Domain (as defined by DMARC) for the RFC5322.From
   domain (if different) also have a DMARC policy of p=quarantine or p=reject,
   and further the Organizational Domain must not have sp=none in its DMARC
   record.
   - There is a BIMI record published in DNS that is associated with the
   RFC5322.From domain, usually at default._bimi.fromDomain or
   default._bimi.organizationalDomain, although alternative selector names are
   supported.

Mailbox providers who participate in BIMI can and likely will add other
criteria to their decision as to whether or not to actually have their
clients display a BIMI logo.


> In my understanding no. If it actually states so, then it's far too
> restrictive and unacceptable (and this *is* fault of the spec). That's what
> I'm talking about all the time.
>
>
BIMI is not the end-all and be-all of display of logos or avatars at some
place in an MUA; it is one specification for having such logos appear,
either in the folder list, next to the message after it's opened, or both.

> So MUAs that display "other" (non-BIMI !) logos, are doing BIMI *plus*
> something else. They are not contrary to the BIMI spec. They are just in
> addition doing something that is completely orthogonal to BIMI, but gives
> similar visual experience to the user.
>
> Which actually defeats the purpose of BIMI, as I understand it.
>

I do not know of any independent MUAs (i.e., those that are not client
applications of mailbox providers) that currently support BIMI. I suspect
that it might be rather a challenge for an independent MUA to perform the
required DMARC validation of the message, but I am not a developer of MUAs
and so cannot do any more than suspect this to be true.

-- 

*Todd Herr * | Technical Director, Standards & Ecosystem
*e:* todd.h...@valimail.com
*p:* 703-220-4153
*m:* 703.220.4153

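The four requirements listed in the message above can be expressed as a pre-display check. This is an added example, not part of the original message and not code from the BIMI draft; the function names, the `ZONE` dictionary (constructed TXT data standing in for DNS) and the caller-supplied `dmarc_pass` flag are assumptions. It does not validate the Evidence Document or model any extra criteria a mailbox provider may apply.

```python
ENFORCING = {"quarantine", "reject"}

# Constructed TXT data standing in for live DNS lookups.
ZONE = {
    "_dmarc.example.org": "v=DMARC1; p=reject",
    "default._bimi.example.org": "v=BIMI1; l=https://example.org/logo.svg",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict.
    Values are lowercased because only policy tags are compared here."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def bimi_blockers(from_domain, org_domain, dmarc_pass, txt, selector="default"):
    """Return the reasons a message fails the listed criteria (empty = eligible)."""
    reasons = []
    if not dmarc_pass:
        reasons.append("message did not pass DMARC")
    own = parse_tags(txt.get(f"_dmarc.{from_domain}", ""))
    org = parse_tags(txt.get(f"_dmarc.{org_domain}", ""))
    # A From domain without its own record inherits the organizational
    # domain's sp= (or, failing that, p=) policy, as in DMARC (RFC 7489).
    from_policy = own.get("p") or org.get("sp") or org.get("p", "none")
    if from_policy not in ENFORCING:
        reasons.append("From domain policy is not quarantine/reject")
    if org_domain != from_domain and org.get("p", "none") not in ENFORCING:
        reasons.append("organizational domain policy is not quarantine/reject")
    if org.get("sp") == "none":
        reasons.append("organizational domain publishes sp=none")
    names = [f"{selector}._bimi.{from_domain}", f"{selector}._bimi.{org_domain}"]
    if not any(txt.get(n, "").replace(" ", "").lower().startswith("v=bimi1")
               for n in names):
        reasons.append("no BIMI record at " + " or ".join(dict.fromkeys(names)))
    return reasons
```
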