DMARC 2.0? New BIMI standard will help fight spoofing and phishing
Major email service providers are teaming up with large corporations like health insurers, financial service providers and social media giants to develop a new standard that will let commercial email senders securely display their logo next to the “from” name when a message is in a user’s inbox.
Brand Indicators for Message Identification, or BIMI, aims to bolster sagging public trust in email, and thereby increase customer engagement with commercial marketing messages. But senders will have to use industry-standard email verification measures in order to leverage BIMI, and the logos will also appear on individual emails from employees of the sending company, as well as mass marketing messages.
As a result, BIMI, will also help combat spoofing and phishing messages, according to Patrick Peterson, the founder and executive chairman of email security outfit Agari — one of the new standard’s authors.
“We’re putting the trust back into email,” he told CyberScoop.
However, if the standard is to scale across the internet, those in charge will need to develop a way to make sure scammers and other cybercriminals can’t abuse it by using logos they’re not entitled to.
Peterson and other BIMI backers acknowledge it’s not a silver bullet. They compare the new standard to Domain-based Message Authentication, Reporting and Conformance, or DMARC — which identifies email senders and confirms ownership of the domain from which their message purports to come. DMARC helps stop spoofing, when hackers impersonate a trusted sender like a bank or government agency; and phishing — when they use that trust to get the recipient to click on a malicious link or download a weaponized attachment.
“It’s like a DMARC 2.0,” Peterson said of the new standard, noting that many of the same individuals and companies that worked together to draw up the DMARC standard are members of the Authindicators Working Group, which is crafting BIMI.
“It’s many of the same cast of characters that embarked on that journey,” he said.
The Authindicators Working Group members include Agari, Comcast, Google, LinkedIn, Microsoft, Oath (the Verizon subsidiary that operates AOL and Yahoo), PayPal, and email security providers Returnpath and Valimail.
“All of the hard-lifting technical work, the development of documentation … continues to go forward,” said Peterson of the new pilot, “But in parallel with that, someone’s got to actually go do it, and try it and break it and see what happens.”
He said the pilot would allow the working group to find potential problems and pitfalls with actually implementing the standard — “The kind of things you can only learn when you put the car on the track and take it for a couple of laps.”
The pilot being launched this week will run on Yahoo mail applications, including desktop and mobile. The logos of health insurance giant Aetna, professional social media site LinkedIn and social discount provider Groupon will appear next to the “from” field of the email, even before it is opened, when it is still in the inbox queue.
The placement is significant because this digital real estate is owned and operated by the recipient’s email provider — not by the sender.
Other companies, including large brands in the financial services, airline and technology industries will soon be announcing their participation, Peterson said.
The implementation of BIMI — like that of DMARC — will be a long road, Peterson said.
DMARC was this year made mandatory for federal agencies by the Department of Homeland Security, but many still haven’t deployed it. In the private sector, implementation has also lagged — amid complaints that the standard is too complex to deploy in large organizations.
“We’ll go through a period where it’ll be rare and then it’ll be common and then it’ll be ubiquitous,” Peterson said of BIMI.
Like DMARC, BIMI employs public records maintained as part of the Domain Name System or DNS — the Internet’s address book.
“A few billion people use DNS hundreds of billions of times a day … so it’s the perfect globally scalable architecture to use for this,” said Peterson.
He said commercial email senders had been trying to devise a way to use their logo as a symbol of the authenticity of their email. Some individual email providers like Gmail allow users, including corporate ones, to specify an image next to the “from” field through their Google+ profile page. But the image is only visible to other Gmail users.
“It’s been done in a bespoke way,” said Peterson. BIMI does it “at internet-scale, on an open basis any [email provider] can use, for the owners of any domain.”
The challenge: Verifying the logo
What BIMI currently lacks is a mechanism for verifying that the email sender has a right to use the logo.
The sender’s domain and their right to send email from it is verified using DMARC public records. And the public BIMI record points to an internet address where the logo is available, so the recipient’s email provider can pull down a verified copy of it to place next to the “from” field.
But what’s to stop a scammer setting up a domain — aetnar.com, for example — that they legally own and can send mail from; and then using the Aetna logo to leverage consumer trust in the service of fraud?
“There’s going to be mark-verifying authorities,” said Peterson, companies that will, for a fee, “verify that you own the domain, and the logo. Otherwise the cybercriminals would be the first ones to adopt BIMI.”
But he acknowledged that email and other online service providers don’t want that role.
“ISPs don’t want that authority … Google’s not in a position to say ‘You can’t use that logo’ … They also want some liability limitation … they don’t want to be in the business of deciding who gets to show which logo.”
Peterson said that, “for at least the next couple of years” the BIMI authors expected online certificate authorities — which currently provide encryption certificates for secure websites — would fill the role.
“We’ve briefed the CA/Browser forum on this,” he said, referring to the organization that works on standards for the certificate authority community. “A lot of the design [of the standard] has been based on their feedback.”
In the meantime, the pilot would be run on what he called a “pinky-swear” basis — meaning it was based on existing trusted relationships among the participants.
“We have long-standing relationships with all of the players in the pilot,” he said.
The vision: Multi-platform logo authentication
The BIMI standard is being drawn up so it can be used in all forms of messaging — like social media or internet telephony — as well as email.
“It’s being developed in a protocol agnostic fashion … [so it can be] used with other messaging formats,” said Peterson. “I could be on this call and see a logo next to the phone number.”
Messages over Facebook or Twitter could eventually be verified in similar fashion, he said.
“This is going to be a great leap forward for trusted email, but at the same time, it’s no panacea,” he added. “You can build the safest car in the world, but even then, if I don’t use the seatbelt that’s fitted, I won’t be protected. Consumers will fall for attacks and no technology can completely stop that.”