On 23.07.20 08:14, Kevin A. McGrail wrote:
> However, I have questions of adoption rate, impersonation concerns,
> anticompetitive concerns, and privacy concerns. This just sounds like
> a commercial tracking pixel but the devil is in the details.
As the logo path is supposed to be published through a TXT record, I guess the tracking would be much more limited compared to what we usually see in a mail body.

On 23.07.20 09:09, Jari Fredriksson wrote:
> Seems that the purpose is to help mail recipients to see if the sender
> is who she claims to be. I have long ago implemented a similar purpose in
> my Maildir by creating a folder INBOX/DKIM_VALID_AU. I tend to be very
> careful on mail in INBOX but that special folder is easier to trust.

BIMI requires DMARC, which is much easier to implement if you are a phisher creating a brand new domain .xyz with all the right SPF, DKIM, DMARC and BIMI. Putting the PayPal logo on that .xyz domain and there you go. Your regular legit company will often struggle to implement all those correctly.

So either you display any BIMI and it's a phisher's wet dream (also a nightmare to catch for a spam filter), or you only use an exhaustive list which will leave out most companies that don't have the (financial) resources.

I am extremely skeptical of the whole BIMI thing and hate that it's presented as a security thing.

Laurent S.
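The record-level check the thread is arguing about, as an added example that is not code from the original thread or from any of the posters: it parses BIMI and DMARC TXT records, applies the rule that a BIMI logo may only be shown when the domain has an enforcing DMARC policy, and then evaluates three constructed domains. The records are embedded inline in a `ZONE` dict that stands in for DNS (no lookups are made), and every domain name and record value is a constructed placeholder. The point it shows is Laurent's: a freshly set-up lookalike domain with correct SPF/DKIM/DMARC/BIMI records passes this check exactly like a legitimate brand does, because record validity says nothing about who registered the domain.

```python
"""Parse BIMI and DMARC TXT records and decide whether a logo may be shown.

Added example, not code from the original mailing-list thread. All records
below are constructed and embedded inline so the script runs offline.
"""

# Constructed stand-in for DNS: owner name -> TXT record string.
# Real records live at _dmarc.<domain> and <selector>._bimi.<domain>.
ZONE = {
    # A brand with everything set up correctly.
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand.svg;",
    # A brand that published BIMI but never moved DMARC past p=none.
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/brand.svg;",
    # The thread's scenario: a brand-new lookalike domain whose owner did
    # every record right and points l= at a copied logo (constructed).
    "_dmarc.lookalike-brand.xyz": "v=DMARC1; p=reject;",
    "default._bimi.lookalike-brand.xyz": (
        "v=BIMI1; l=https://lookalike-brand.xyz/brand.svg; "
        "a=https://lookalike-brand.xyz/vmc.pem;"
    ),
}


def parse_tag_value(record):
    """Split a 'k=v; k2=v2' TXT record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(record):
    """BIMI needs an enforcing DMARC policy: quarantine or reject, applied to 100%."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return tags.get("p", "").lower() in ("quarantine", "reject") and pct == 100


def bimi_logo_url(record):
    """Return the logo URL from a BIMI record, or None if the record is unusable."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "BIMI1":
        return None
    url = tags.get("l", "")
    # The logo must be fetched over HTTPS; an empty l= means the domain declined to publish.
    if not url.lower().startswith("https://"):
        return None
    return url


def evaluate_bimi(domain, zone, selector="default"):
    """Decide whether a receiver may display a BIMI logo for a DMARC-aligned sender.

    Returns (decision, detail). 'display' means only that the records are
    valid; it says nothing about who registered the domain. The a= tag is a
    pointer to an evidence certificate and is reported here, not validated.
    """
    dmarc = zone.get(f"_dmarc.{domain}")
    if dmarc is None or not dmarc_is_enforcing(dmarc):
        return ("no-logo", "DMARC missing or not enforcing")
    bimi = zone.get(f"{selector}._bimi.{domain}")
    if bimi is None:
        return ("no-logo", "no BIMI record")
    url = bimi_logo_url(bimi)
    if url is None:
        return ("no-logo", "BIMI record unusable")
    evidence = parse_tag_value(bimi).get("a", "")
    return ("display", f"logo={url} evidence={'present' if evidence else 'absent'}")


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "lookalike-brand.xyz"):
        decision, detail = evaluate_bimi(name, ZONE)
        print(f"{name:22} {decision:8} {detail}")
```

Run as a script it prints `display` for both example.com and lookalike-brand.xyz and `no-logo` for weak.example, which is the whole argument in one table: the DMARC gate keeps out the legitimate company that never got its policy to reject, and lets through the newly registered domain that did. Whatever identity assurance BIMI offers has to come from validating the certificate behind `a=` and from the mail client's own trust decisions, not from the records themselves.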