Before everybody rushes to all sorts of conclusions, some background info on BIMI:
For BIMI to work, you need a Verified Mark Certificate (VMC). This is an X.509 certificate, but with additional extensions enabled. Most notably the 'pe-logotype' (OID 1.3.6.1.5.5.7.1.12) extension, which embeds an SVG file of your 'mark' (most likely your logo) into the certificate. The VMC proves that your domain (the part after the '@' in the sender email address) is in fact the legal owner of the mark (the logo) that you are using. Otherwise any sender could use the logo of a bank.
A VMC is like an EV certificate on steroids, because there are a lot of things the CA must verify before issuing the certificate. The CA must verify that you own the 'mark' (the logo), and in order to do that the mark must be registered at your local trademark office. The CA must then contact your local trademark office to verify you own the mark, and contact your company (by phone) to verify you actually ordered the VMC. Needless to say: VMCs are not cheap (currently ~800 USD). Also needless to say: you can't get a VMC at Let's Encrypt or other free CAs.
Once you have obtained a VMC you must host this VMC and the mark (as SVG) on a dedicated HTTP server, supporting TLS. I say dedicated, because most customer (browser) facing web services simply won't do. You must ensure that the files are served without cookie banners, CAPTCHAs, redirects, etc. The served mark (SVG) must be binary equivalent to the mark in the VMC, or else it will be rejected. This means hosting your BIMI assets using Windows machines may actually prevent it from working, as it may rewrite the line endings.
VMCs are certificates, so they will expire. You must renew your VMC annually. If you forget, you may harm your brand reputation.
Finally, BIMI mandates that you have DMARC enabled with a 100% quarantine or reject policy, which in itself can be quite a long process to adopt for large organizations.
My company has helped dozens of organizations with obtaining a VMC, and we also host the BIMI assets for them. We see it is quite a big hurdle to adopt BIMI for most customers. It is definitely not as straightforward as becoming verified on Twitter et al.
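An added example (not from the commenter above) of offline pre-flight checks for the requirements described in that comment: a DMARC policy of reject or 100% quarantine, a BIMI record whose l= (SVG) and a= (VMC) tags point at HTTPS locations, and a served SVG that is byte-for-byte identical to the mark in the VMC, with a line-ending rewrite reported separately. All records and SVG bytes are constructed sample data.

```python
# Pre-flight checks for BIMI prerequisites. Sample records and marks below are
# constructed for illustration, not taken from any real domain.

def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DNS TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_satisfies_bimi(record: str) -> bool:
    """BIMI needs p=reject, or p=quarantine applied to 100% of mail."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return False
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return False
    return policy == "reject" or (policy == "quarantine" and pct == 100)

def bimi_record_ok(record: str) -> bool:
    """The BIMI record must point at the SVG (l=) and VMC (a=) over HTTPS."""
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return False
    return all(tags.get(k, "").startswith("https://") for k in ("l", "a"))

def mark_matches_vmc(served_svg: bytes, vmc_svg: bytes) -> str:
    """Compare the hosted SVG with the one embedded in the certificate.
    A CRLF rewrite (as a Windows host may do) is reported as its own case."""
    if served_svg == vmc_svg:
        return "ok"
    if served_svg.replace(b"\r\n", b"\n") == vmc_svg.replace(b"\r\n", b"\n"):
        return "line-ending mismatch"
    return "content mismatch"

# Constructed sample data
DMARC_OK = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
DMARC_WEAK = "v=DMARC1; p=quarantine; pct=50"
BIMI_OK = "v=BIMI1; l=https://bimi.example.com/mark.svg; a=https://bimi.example.com/vmc.pem"
VMC_SVG = b'<svg xmlns="http://www.w3.org/2000/svg">\n<circle r="1"/>\n</svg>\n'
SERVED_SVG_CRLF = VMC_SVG.replace(b"\n", b"\r\n")  # what a CRLF rewrite yields
```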
But the blue check mark on Twitter is seen by many as “this person is a douchebag.” We are currently testing a Doge/blue check sticker to mark physical world objects for opsonization. (Don’t think it will perform better than a confederate flag for a car parked in a black neighborhood though.) Google should pick a symbol that doesn’t have so much baggage… A green check or something.