by donmcronald 1029 days ago
> Current implementations display a blue checkmark in addition to the logo. It's a bit different from what Gmail or Gravatar previously have done.

Where that checkmark ends up is important. In the GMail screenshots I saw, it's with the other header information, which is ok. If anyone puts it on the logo as a badge, that'll be bad because we'll start seeing blue checkmark badges on non-VMC logos used for phishing.

If I were a bad actor, I'd put a BIMI-like header at the top of my phishing emails. Most people I deal with don't know the difference between the application and display parts of the UI. They don't know that one is a trusted area and that the other isn't. Since the large email providers hide so much of the header, I think a fake "certification" at the top of an email would be pretty successful.

> Having a proper SPF/DKIM/DMARC setup most likely has the biggest impact, but BIMI might also be taken into account.

I bet it will be, even if it's not publicly advocated for. I'm sure that's what DigiCert and Entrust want because it sets them up as rent-seeking middlemen that you have to deal with. $1500 USD per year is a disgusting amount of money for what they're doing.

It reminds me of getting code signing certificates where the prices are astronomical compared to what the issuers are actually doing. Some of the laughable requirements look similar too [1]:

> You will need publicly available proof that your business exists. For newer startups, we found that Yellow Pages or Google Business Profiles were the easiest ways to obtain this.

Neither of those is authoritative and both are filled with fake information based on my experience. It's just a bunch of theatre so DigiCert and Entrust can pretend they're doing something significant while charging an exorbitant amount of money for something that could be automated after the first year (until trademark expiration).

I've personally had people doing the "verification" (not DigiCert or Entrust) for a code signing certificate ask me to provide links to local business listings to prove I exist. I could have sent them anything and they wouldn't know the difference. Instead I told them there aren't any official listings like that and asked them to cancel my order. Magically they didn't need it.

I want code signing to change and, since this is the same awful scheme, I hope it fails to gain adoption. I plan to push harder to abolish DigiCert as a vendor next time I get a chance. This kind of egregious pricing isn't the type of innovation I'm looking for in tech companies.

1. https://resend.com/docs/dashboard/domains/bimi#2-obtain-a-vm...