by Systemmanic 1030 days ago
I liked the look of this:

>BIMI (Brand Indicators for Message Identification) is this kind of access in the inbox. It sets you apart from all the others by showcasing your brand and legitimacy to your users in the inbox by displaying your logo and, in some cases, a verified checkmark.

Until I looked at the cost of a Verified Mark Certificate (1-year plan):

>$1,499.00 USD [1]

Yikes.

Small money for big players, but small businesses with valid brands not so much.

[1] https://order.digicert.com/step1/vmc_basic


$1500 USD / year for something that collides with the logo functionality of Gravatar if the user isn't hovering over the logo?

We used to emphasize domains and everyone understood them. Then the large tech companies de-emphasized domains to the point where people stopped understanding them. Now big tech is going to sell domain validation back to us at a premium? Wow! What innovation.

I know there's trademark verification too, but I've never met a normal person that could tell you a difference between a Gravatar logo like the one I see in my mail client and a VMC logo like the one I see in the screenshots, so what good is showing a trademarked logo? Also, most small businesses I've seen don't even have trademarks, so they'll be completely excluded from this system.

I wonder if this is going to turn out like code signing certificates where they're super expensive for small developers, so they get excluded, but they're totally attainable for scammers and scumbags, so there's plenty of malware and garbage signed by certificates from fly-by-night companies.

Does BIMI help you pass spam filters like EV code signing certificates help you bypass SmartScreen? I can't be the only one that thinks all these things feel like a scam.

One thing I'm certain of, based on what we see with SSL certificates: government agencies will be racing to light money on fire buying them. Every year I watch my taxes get spent on overpriced DigiCert OV certificates and it enrages me. For all intents and purposes, all certificates are identical to normal users. It doesn't matter if DigiCert is taking my DNA for validation, all my mom sees is the lock icon. Nothing else matters.

> I know there's trademark verification too, but I've never met a normal person that could tell you a difference between a Gravatar logo

Current implementations display a blue checkmark in addition to the logo. It's a bit different from what Gmail or Gravatar has previously done.

> Does BIMI help you pass spam filters like EV code signing certificates help you bypass SmartScreen? I can't be the only one that thinks all these things feel like a scam.

Having a proper SPF/DKIM/DMARC setup most likely has the biggest impact, but BIMI might also be taken into account.
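As an added example (not from the thread), here are the DNS prerequisites that sit behind that checkmark: a BIMI record only counts when the domain's DMARC policy is enforcing, and the blue checkmark additionally needs a VMC referenced by the record's a= tag. The records below are constructed for a hypothetical example.com, and the function reports what a deliverability or "domain security" check would flag:

```python
# Added example, not from the thread: checks constructed DNS TXT records against
# the BIMI prerequisites mailbox providers enforce. No live DNS lookups are made.
from typing import Dict, List, Optional

def parse_tags(txt: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' TXT record into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_bimi_readiness(dmarc_txt: Optional[str], bimi_txt: Optional[str]) -> List[str]:
    """Return problems found; an empty list means BIMI prerequisites are met."""
    problems = []
    if not dmarc_txt:
        return ["no DMARC record"]
    d = parse_tags(dmarc_txt)
    if d.get("v", "").upper() != "DMARC1":
        problems.append("DMARC record missing v=DMARC1")
    policy = d.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):      # BIMI needs an enforcing policy
        problems.append(f"DMARC policy p={policy} is not enforcing")
    if d.get("sp", "").lower() == "none":           # explicit sp=none disqualifies
        problems.append("subdomain policy sp=none is not allowed for BIMI")
    if d.get("pct", "100") != "100":                 # partial enforcement disqualifies
        problems.append(f"DMARC pct={d['pct']} applies to only part of the mail stream")
    if not bimi_txt:
        problems.append("no BIMI record at default._bimi")
        return problems
    b = parse_tags(bimi_txt)
    if b.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    logo = b.get("l", "").lower()
    if not (logo.startswith("https://") and logo.endswith(".svg")):
        problems.append("l= must be an https URL to an SVG logo")
    if not b.get("a"):   # the a= tag points at the VMC; no VMC means no checkmark
        problems.append("no a= tag (VMC): providers that require a VMC will not show the logo or checkmark")
    return problems

# Constructed sample records for a hypothetical example.com (not real DNS data)
DMARC_OK = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
BIMI_WITH_VMC = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/logo.svg;"

if __name__ == "__main__":
    for dm, bi in ((DMARC_OK, BIMI_WITH_VMC), (DMARC_WEAK, BIMI_NO_VMC)):
        print(check_bimi_readiness(dm, bi) or ["ready for BIMI"])
```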

> Current implementations display a blue checkmark in addition to the logo. It's a bit different from what Gmail or Gravatar previously has done.

Where that checkmark ends up is important. In the GMail screenshots I saw, it's with the other header information, which is ok. If anyone puts it on the logo as a badge, that'll be bad because we'll start seeing blue checkmark badges on non-VMC logos used for phishing.

If I were a bad actor, I'd put a BIMI-like header at the top of my phishing emails. Most people I deal with don't know the difference between the application and display parts of the UI. They don't know that one is a trusted area and that the other isn't. Since the large email providers hide so much of the header, I think a fake "certification" at the top of an email would be pretty successful.

> Having a proper SPF/DKIM/DMARC setup most likely has the biggest impact, but BIMI might also be taken into account.

I bet it will be, even if it's not publicly advocated for. I'm sure that's what DigiCert and Entrust want because it sets them up as rent-seeking middlemen that you have to deal with. $1500 USD per year is a disgusting amount of money for what they're doing.

It reminds me of getting code signing certificates where the prices are astronomical compared to what the issuers are actually doing. Some of the laughable requirements look similar too [1]:

> You will need publicly available proof that your business exists. For newer startups, we found that Yellow Pages or Google Business Profiles were the easiest ways to obtain this.

Neither of those is authoritative and both are filled with fake information based on my experience. It's just a bunch of theatre so DigiCert and Entrust can pretend they're doing something significant while charging an exorbitant amount of money for something that could be automated after the first year (until trademark expiration).

I've personally had people doing the "verification" (not DigiCert or Entrust) for a code signing certificate ask me to provide links to local business listings to prove I exist. I could have sent them anything and they wouldn't know the difference. Instead I told them there aren't any official listings like that and asked them to cancel my order. Magically they didn't need it.

I want code signing to change and, since this is the same awful scheme, I hope it fails to gain adoption. I plan to push harder to abolish DigiCert as a vendor next time I get a chance. This kind of egregious pricing isn't the type of innovation I'm looking for in tech companies.

1. https://resend.com/docs/dashboard/domains/bimi#2-obtain-a-vm...

I'm pretty annoyed by BIMI.

We only just had Let's Encrypt shut down the EV nonsense from the CA industry, and BIMI, which is currently only able to be signed by two super expensive providers, is their comeback.

Aside from the fact that it's just unnecessary, I'm seeing a range of various "domain security checks" services now test for BIMI, meaning lack of BIMI is something I'm already seeing show up on low-rate "penetration tests".

Note it's not even supported on Office 365, meaning all those business customers you're aiming for won't see it.