There seems to be a lot of confusion about BIMI here in the comments.
You can’t just pick any logo to display in someone’s mailbox. This would actually promote phishing.
For BIMI you need to buy a Verified Mark certificate from a certificate authority that offers this (currently only DigiCert and Entrust). The provider of the VM certificate checks (among other things) with your local trademark office whether your organization indeed has the trademark or logo. Your artwork (logo) must therefore be registered with the trademark office.
Given the amount of human work involved in the validation process, VM certificates are still very expensive. For example, DigiCert charges $1500 for a VM cert.
A VM certificate is an X.509 certificate as you use for web servers, but with an extension activated that contains the trademark information (including the logo itself).
You publish the BIMI support of your domain via a DNS record, and via HTTPS (with again a valid certificate) you have to host the same logo for mail clients.
BIMI was created to increase the adoption rate of DMARC. Your domain must have DMARC (in quarantine or reject mode) enabled to use BIMI.
Currently there are a number of domains that have implemented BIMI with a valid certificate. Like, for example, the CNN BIMI validator for cnn.com.
I have written about the current state of BIMI here: the current state of BIMI
edit: to make it even clearer: you can see BIMI as verified accounts, but then for email. Because there is no central owner of email (as is the case with Twitter, for example), the trust must come from a certificate authority (just like with HTTPS).
[Comment edited by LeonM on 12 July 2021 23:28]
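As an added illustration of the prerequisites the comment above lists (not code from the commenter or from any BIMI project), the script below checks a domain's DNS records the way a defender verifying a BIMI rollout would: the DMARC policy must be quarantine or reject, the BIMI record must point to an HTTPS-hosted logo, and the a= tag should point to an HTTPS-hosted Verified Mark Certificate. It assumes the standard record names `_dmarc.<domain>` and `default._bimi.<domain>` (the default BIMI selector) and uses a constructed in-memory table of TXT records instead of live DNS lookups, so it runs offline.

```python
"""Check the DNS prerequisites of a BIMI deployment from TXT records.

Added example, not part of the original comment. The DMARC record is
expected at _dmarc.<domain> and the BIMI record at the default selector
default._bimi.<domain>. The records below are constructed sample data.
"""
from urllib.parse import urlparse

# Constructed sample records keyed by the DNS name they would live at.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": (
        "v=BIMI1; l=https://example.com/brand/logo.svg; "
        "a=https://example.com/brand/vmc.pem"
    ),
    # A weak deployment: DMARC in monitoring mode, plain-HTTP logo, no VMC.
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.svg;",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def is_https(url: str) -> bool:
    """True only for an absolute https:// URL with a host part."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_bimi(domain: str, txt_lookup=SAMPLE_TXT.get) -> list:
    """Return a list of problems; an empty list means the prerequisites are met.

    txt_lookup maps a DNS name to its TXT record string (or None). The
    default uses the constructed sample table so the check runs offline;
    pass a real resolver function to check a live domain.
    """
    problems = []

    # 1. DMARC must exist and enforce (quarantine or reject), as the comment states.
    dmarc = txt_lookup(f"_dmarc.{domain}")
    if dmarc is None:
        problems.append("no DMARC record")
    else:
        d = parse_tags(dmarc)
        if d.get("v") != "DMARC1":
            problems.append("DMARC record does not start with v=DMARC1")
        if d.get("p") not in ("quarantine", "reject"):
            problems.append(
                f"DMARC policy must be quarantine or reject, got p={d.get('p')!r}"
            )

    # 2. BIMI record: HTTPS logo (l=) and HTTPS Verified Mark Certificate (a=).
    bimi = txt_lookup(f"default._bimi.{domain}")
    if bimi is None:
        problems.append("no BIMI record")
        return problems
    b = parse_tags(bimi)
    if b.get("v") != "BIMI1":
        problems.append("BIMI record does not start with v=BIMI1")
    logo = b.get("l", "")
    if not logo:
        problems.append("BIMI record has no l= logo URL")
    elif not is_https(logo):
        problems.append(f"logo URL must be served over HTTPS: {logo}")
    vmc = b.get("a", "")
    if not vmc:
        problems.append("no a= VMC URL; receivers that require a Verified Mark Certificate will not show the logo")
    elif not is_https(vmc):
        problems.append(f"VMC URL must be served over HTTPS: {vmc}")
    return problems


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nothing.example"):
        result = check_bimi(name)
        print(name, "OK" if not result else "; ".join(result))
```

Running the script reports `example.com` as OK, lists three problems for `weak.example` (monitoring-only DMARC, HTTP logo, missing VMC) and two for `nothing.example` (no records at all). To check a real domain, pass a function that performs the TXT lookup (for example with dnspython) in place of the sample table.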