There seems to be a lot of confusion about BIMI here in the comments.
You can’t just choose any logo to display in someone’s mailbox. This would actually promote phishing.
For BIMI, you need to purchase a verified mark certificate from a certification body that offers this (currently only DigiCert and Entrust). A VM certificate provider (among other things) checks with your local trademark office whether your organization actually owns the trademark or logo. So your artwork (logo) must be registered with the Trademark Office.
Given the amount of human work involved in the validation process, VM certificates are still very expensive. For example, DigiCert charges $1,500 for a VM certification.
A VM certificate is an X.509 certificate like the ones you use for web servers, but with an active extension that contains brand information (including the logo itself).
You deploy BIMI support for your domain via a DNS record, and you have to host the same banner over HTTPS (again with a valid certificate) for mail clients.
BIMI was created to increase the rate of DMARC adoption. Your domain must have DMARC enabled (in quarantine or denied mode) to use BIMI.
There are currently a number of domains that have implemented BIMI with a valid certificate, CNN for example: BIMI Checker for cnn.com.
I wrote about the current state of BIMI here: Current status of BIMI
Edit: To make it clearer: you can see BIMI as verified accounts, but for email. Since there is no central owner of email (as with Twitter, for example), the trust must come from a CA (just like with HTTPS).
[Comment edited by LeonM on 12 July 2021 23:28]