
      BIMI: ISP Support as of January 2022

      pubsub.slavino.sk / spam_resource · Monday, 17 January, 2022 - 13:00 · 4 minutes

    It's time for your periodic BIMI adoption status update.

    A quick overview of what this is all about: BIMI is a standard being adopted by multiple internet service providers (ISPs) to allow the display of a sender's logo alongside email messages, when displayed on a mobile device or in a webmail client. Some ISPs and mail clients have had a sender logo display function for a while now (one example is Gravatar), but BIMI is an attempt to standardize and regulate this mechanism across the email ecosystem.

    Adoption by senders seems a bit slow; but the spec only went public in 2019, which isn't that long ago. Also, it suffers a bit from the "chicken and egg" problem -- it's hard to convince senders to adopt the standard if receivers haven't adopted support for the standard. But now with two of the top three B2C mailbox providers (Yahoo and Gmail) having BIMI support, I'm guessing that we'll start to see more adoption of BIMI by senders.

    Here's the current status of BIMI Support at large ISPs, email hosting and webmail providers:

    1. Gmail: Yes, supports BIMI! Requires VMC. (Find more info here.)
    2. Yahoo (ex-Verizon): Yes, supports BIMI. Does not require VMC. (More info here.)
    3. Fastmail: Yes, supports BIMI! (More info here.)
    4. Considering BIMI Support: Comcast and Seznam.cz. (More info here.)
    5. Microsoft: Has no support for BIMI.

    Gmail. In July 2020, Google announced their intent to support BIMI. In July 2021, Google announced that they were rolling out BIMI support over the coming weeks. Per the BIMI spec, Google requires that senders implement a Verified Mark Certificate (VMC), available from DigiCert or Entrust (and possibly others). It sounds like obtaining this VMC will require that a sender have trademarked their logo, which could be a significant barrier for smaller or hobbyist senders.

    Yahoo (AOL/Yahoo/Verizon). Has support for BIMI. For a logo to display, the following conditions must be met: a BIMI record exists which points to a valid logo in SVG format, a DMARC policy of quarantine or reject is in place, the mailing is sent to a large number of recipients (bulk mail), and they see sufficient reputation and engagement for the email address. They have a dedicated support page for BIMI and also have a contact address for questions/issues (click here and search for "BIMI" on the page).

    Microsoft Outlook.com (Hotmail). Microsoft has not announced any support for BIMI. A competing system called "brand cards" has likely been abandoned; multiple folks have told me that they have been unable to get enough information on how to implement a "brand card." There's no opportunity here at the present time, unfortunately. If that changes, I'll post an update.

    So what should you do now? Here's what I would recommend large marketing senders do:

    1. Make sure all email you send is authenticated with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication. (All mail -- not just bulk or newsletter mail. Your ESP, corporate email platform (or both) should be able to help you do that.)
    2. Implement DMARC, perhaps working with a vendor like dmarcian, Agari, Valimail, ProofPoint or Red Sift. (Disclaimer: I work for Kickbox, and we've got DMARC monitoring in our deliverability tool suite as well. I am a happy user of it myself!) Partnering with a vendor to provide monitoring and reporting helps you know whether or not it is safe to move on to the next step -- ensuring that you're not going to accidentally tell ISPs to block your legitimate mail.
    3. Move to a restrictive "p=reject" DMARC policy after your DMARC reporting shows that you properly authenticate all of your mail streams. Don't do this just for the future logo opportunity -- do it because it makes it harder for bad guys to send fake mail pretending to be from your email domain name.
    4. Trademark your logo and obtain a Verified Mark Certificate. Wondering what this whole VMC thing is all about? Here's a primer. Ready to obtain a VMC? You could go directly to DigiCert or Entrust, or look for help from Mailkit via their NOTAMIQ service or Red Sift.
    5. Learn how to create the BIMI logo file. You can find more information here.
    6. Understand that things are still developing. More ISPs could announce support in the future, and how they, or existing ISPs, will enforce the spec could evolve. Stay knowledgeable, be flexible and be able to evolve.

    Wondering who has implemented a BIMI logo? I've put together a little BIMI logo lookup tool on KBXSCORE. Plug in your favorite domain name and see what it can find. Here's a couple of logos to get you started.

    And now...you are BIMI aware! Go forth and spread that logo.

    (Disclaimer: this is not a paid post as far as consideration or compensation changing hands, but I did mention my employer above, so I'm mentioning that again here to be as transparent as I possibly can.)

    Tags: #gmail, #microsoft, #bimi, #seznam, #comcast, #Network, #brandimage, #brandavatar, #verizon, #yahoo, #fastmail


      Fastmail dealing with DDOS attack

      pubsub.slavino.sk / spam_resource · Saturday, 23 October, 2021 - 23:22 · 1 minute

    The good people at email platform provider Fastmail (whom I've blogged about more than once previously) are dealing with a distributed denial-of-service (DDOS) attack. Not fun. I feel for them.

    From Twitter:

    Over the last two days, service has been interrupted several times.  This is the result of an ongoing attack against Fastmail as well as other email providers.  We're working with network service providers and law enforcement to put an end to the problem.

    -- @Fastmail - 9:31 PM - Oct 22, 2021

    Fastmail users and interested parties, you can find current status information on their system status site here. Their two most recent updates that I see (current as of 6:25 pm Chicago time on Saturday October 23rd) combine to say:

    "We have multiple mitigations in place against the DDOS attacks and we are continuing to monitor. No mail has been lost, your data remains safe and services are operational." ... "DDOS protection can throttle or disrupt customer traffic. Some regions are affected if they are where attack traffic is also coming from. We apologize to affected customers."

    Currently, from Chicago, I am able to access my Fastmail account successfully, and I'm able to send and receive mail there. Hopefully that means their DDOS-mitigation efforts are working and that they're recovering.

    [ H/T: Jennifer Nespola Lantz ]


    Tags: #Network, #fastmail, #downtime


      1Password gets its own ‘hide my email’ feature

      pubsub.slavino.sk / spam_resource · Monday, 4 October, 2021 - 12:00 · 1 minute

    "It’s like Apple’s new Hide My Email feature, but it works everywhere," according to The Verge. And it's powered by email platform Fastmail, perhaps a bit of a niche provider, but I mean that in a good way. Founded in 1999, Fastmail has a long history in the email space (unlike Hey.com) and they seem to know what they're doing (look at their recently added support for BIMI). If you want to "hide my email" but don't want to do it via the Apple ecosystem, it sounds like this is really worth checking out.

    Click here for more information on Masked Email from Fastmail and 1Password.

    Firefox Relay is another service with a similar aim, perhaps for those who are more into the Mozilla mindset, if there is such a thing. I actually haven't heard of anybody expressing a lot of interest in this one, have you?

    The big question for me, for all of these, is how well they handle email forwarding and spam filtering. Email forwarding is easy to get wrong and hard to get right. Even with big players (Apple) and email experts (Fastmail) involved, there are a lot of edge cases where you can run into the unexpected. How are they rewriting headers to prevent DMARC issues? Do visible from addresses end up looking messy? What level of spam filtering does each service have in place to try to keep spam out of the forwarded mail stream? Spam is quick poison to email forwarding, damaging the reputation of the forwarding service. At first I had assumed the Apple service would be essentially dropping mail directly into iCloud mailboxes (to bypass some of these concerns) but I get the impression that it can actually forward to "real" destination mailboxes that it doesn't host.

    Looks like an opportunity for me to map out how these forwarding services accomplish what they do, unless somebody has beaten me to it. Got any expertise with any of these? Are you familiar with how spam checks or header rewriting is being done with any of them? I welcome your feedback and insight, and I'll promise to share it in a followup post.


    Tags: #hey.com, #news, #apple, #fastmail, #Network


      BIMI: ISP Support as of August 2021

      pubsub.slavino.sk / spam_resource · Friday, 20 August, 2021 - 12:00 · 3 minutes

    It's been a while since I've posted a BIMI status update, and things are changing! Things are standardizing! Things are getting good. So, let's get right to it...

    BIMI, if you do not remember, is a new standard being adopted by multiple internet service providers (ISPs) to allow the display of a sender's logo alongside email messages, when displayed on a mobile device or in a webmail client. Some ISPs and mail clients have had a sender logo display function for a while now (one example is Gravatar), but BIMI attempts to standardize and regulate this process across the email ecosystem.

    Here's the current status of BIMI Support at large ISPs, email hosting and webmail providers:

    1. Verizon: Yes, supports BIMI.
    2. Gmail: Yes, supports BIMI! Requires VMC. Find more info here.
    3. Fastmail: Noted as having support (here) but I have no more details at this time.
    4. Considering BIMI Support: Comcast and Seznam.cz. (More info here.)
    5. Microsoft: No support announced.

    Verizon Media (AOL/Yahoo/Verizon). Has support for BIMI. For a logo to display, the following conditions must be met: a BIMI record exists which points to a valid logo in SVG format, a DMARC policy of quarantine or reject is in place, the mailing is sent to a large number of recipients (bulk mail), and they see sufficient reputation and engagement for the email address. They also have a contact address for questions/issues (click here and search for "BIMI" on the page).

    Gmail. In July 2020, Google announced their intent to support BIMI. In July 2021, Google announced that they were rolling out BIMI support over the coming weeks. Per the BIMI spec, Google requires that senders implement a Verified Mark Certificate (VMC), available from DigiCert or Entrust (and possibly others). It sounds like obtaining this VMC will require that a sender have trademarked their logo, which could be a significant barrier for smaller or hobbyist senders.

    Microsoft Outlook.com (Hotmail). Microsoft has not announced any support for BIMI. A competing system called "brand cards" has possibly been abandoned; multiple folks have told me that they have been unable to get enough information on how to implement a "brand card." There's no opportunity here at the present time, unfortunately.

    So what should you do now? Here's what I would recommend large marketing senders do:

    1. Make sure all email you send is authenticated with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication. (All mail -- not just bulk or newsletter mail. Your ESP, corporate email platform (or both) should be able to help you do that.)
    2. Implement DMARC, perhaps working with a vendor like Agari, Valimail, ProofPoint or Red Sift. A DMARC-savvy email security vendor can help you properly configure email authentication, configure DMARC failure monitoring, show you how to read DMARC failure reporting, and give you confidence that you're not going to break anything if you implement a restrictive DMARC policy.
    3. Move to a restrictive "p=reject" DMARC policy after your DMARC reporting shows that you properly authenticate all of your mail streams. Don't do this just for the future logo opportunity -- do it because it makes it harder for bad guys to send fake mail pretending to be from your email domain name.
    4. Trademark your logo and obtain a Verified Mark Certificate. You could go directly to DigiCert or Entrust, or look for help from Mailkit via their NOTAMIQ service or Red Sift.
    5. Understand that things are still developing. More ISPs could announce support in the future, and how they, or existing ISPs, will enforce the spec could evolve. Stay knowledgeable, be flexible and be able to evolve.

    And now you know as much (or maybe more) about BIMI than I do. Good luck!
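
    Added example (not from the original posts or any vendor's tooling): a Python check of a domain's DMARC and BIMI TXT records against the DNS-visible prerequisites named in both status updates above, namely a DMARC policy of quarantine or reject, a BIMI record pointing to an SVG logo, and a VMC for Gmail. The record strings and `.example` domains are constructed; the `l=` and `a=` tag names and the HTTPS requirement come from the BIMI draft specification, and `parse_tags` and `bimi_readiness` are hypothetical helper names.

```python
# Added example. Record strings are constructed samples, not real DNS data.

def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (problems, providers whose DNS prerequisites are met)."""
    problems = []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)

    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")
    logo = bimi.get("l", "").lower()
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    elif not logo.startswith("https://"):
        problems.append("logo URL (l=) missing or not HTTPS")
    elif not logo.split("?")[0].endswith(".svg"):
        # Extension check only; the file itself must still be a valid SVG.
        problems.append("logo (l=) does not point to an .svg file")
    providers = []
    if not problems:
        # Yahoo also weighs bulk volume and reputation, which DNS cannot show.
        providers.append("Yahoo")
        if bimi.get("a", "").lower().startswith("https://"):
            providers.append("Gmail")  # Gmail requires a VMC (a= tag)
    return problems, providers

SAMPLES = {  # constructed records for illustration
    "monitor-only.example": ("v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
                             "v=BIMI1; l=https://monitor-only.example/logo.svg"),
    "no-vmc.example": ("v=DMARC1; p=quarantine",
                       "v=BIMI1; l=https://no-vmc.example/logo.svg"),
    "full.example": ("v=DMARC1; p=reject",
                     "v=BIMI1; l=https://full.example/logo.svg; a=https://full.example/vmc.pem"),
}

if __name__ == "__main__":
    for domain, (dmarc_txt, bimi_txt) in SAMPLES.items():
        print(domain, bimi_readiness(dmarc_txt, bimi_txt))
```

    In practice the two strings would come from TXT lookups on `_dmarc.<domain>` and `default._bimi.<domain>`; a domain still at `p=none` fails the check no matter what its BIMI record says.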

    Tags: #yahoo, #seznam, #bimi, #fastmail, #verizon, #comcast, #Network, #microsoft, #gmail