Internet-Draft | BIMI | April 2023 |
Blank, et al. | Expires 9 October 2023 | [Page] |
Brand Indicators for Message Identification (BIMI) permits Domain Owners to coordinate with Mail User Agents (MUAs) to display brand-specific Indicators next to properly authenticated messages. There are two aspects of BIMI coordination: a scalable mechanism for Domain Owners to publish their desired Indicators, and a mechanism for Mail Transfer Agents (MTAs) to verify the authenticity of the Indicator. This document specifies how Domain Owners communicate their desired Indicators through the BIMI Assertion Record in DNS and how that record is to be interpreted by MTAs and MUAs. MUAs and mail-receiving organizations are free to define their own policies for making use of BIMI data and for Indicator display as they see fit.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 9 October 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING: The source for this draft is maintained in GitHub at: https://github.com/BLAHBLAHBLAH¶
This document defines Brand Indicators for Message Identification (BIMI), which enables Domain Owners to coordinate with Mail Box Providers (MBPs), Mail Transfer Agents (MTAs), and Mail User Agents (MUAs) in the display of brand-specific Indicators next to properly authenticated messages.¶
BIMI is designed to be open and to work at Internet scale. BIMI is intended to drive adoption of email authentication best practices by leveraging existing DMARC [RFC7489] policies, the supporting authentication methods DKIM [RFC6376] and SPF [RFC7208], and other associated standards such as ARC [RFC8617].¶
The approach taken by BIMI is heavily influenced by the approach taken in DKIM [RFC6376], in that BIMI:¶
To participate in BIMI, Domain Owners MUST have a strong [DMARC] policy (quarantine or reject) on both the Organizational Domain, and the RFC5322.From Domain of the message. Quarantine policies MUST NOT have a pct less than pct=100.¶
This document defines how Domain Owners specify their desired indicators through the BIMI Assertion Record in DNS and how that record is to be interpreted by MTAs and MUAs. This document does not cover how domains or indicators are verified, how MUAs should display the indicators, or how other protocols (i.e. IMAP, JMAP) can be extended to work with BIMI. Other documents may cover these topics. MUAs and Mail Box Providers (MBPs) are free to define their own policies for making use of BIMI data and for indicator display as they see fit.¶
The Sender Policy Framework (SPF [RFC7208]), DomainKeys Identified Mail (DKIM [RFC6376]), "Domain-based Message Authentication, Reporting, and Conformance" (DMARC [RFC7489]), and Authenticated Received Chain (ARC [RFC8617]) provide mechanisms for domain-level authentication of email messages. They enable cooperating email senders and receivers to distinguish messages that are authorized to use the domain name from those that are not. BIMI relies on these authentication protocols, but is not a new authentication protocol itself.¶
MUAs are increasingly incorporating graphical Indicators to indicate the identity of the sender of a message. While a discussion of the merits of doing this is beyond the scope of this document, at present there are no open standards for publishing and aiding discovery of preferred Indicators or for tying display of them to authentic messages only.¶
Because of the desire to have brand-specific Indicators available, some mail-receiving organizations have developed closed systems for obtaining and displaying Brand Indicators for select domains. While this has enabled these mail-receiving organizations to display brand Indicators for a limited subset of messages, this closed approach has a number of downsides:¶
This shows the need for a standardized mechanism by which Domain Owners interested in ensuring that their Indicators are displayed correctly and appropriately can publish and distribute Brand Indicators for use by any participating MUA.¶
BIMI removes the substantial burden of curating and maintaining an Indicator database from MUAs and MBPs, and allows each domain owner to manage their own Indicators. As an additional benefit, mail-originating organizations are incentivized to authenticate their email as doing so will enable them to influence how email and Indicators from the organization are displayed.¶
The structure of BIMI is as follows:¶
Domain Owners:¶
Fully implement the DMARC [RFC7489] mechanism, to include:¶
Creating and publishing in DNS [RFC1035] a DMARC [RFC7489] policy record that meets the following criteria:¶
MTAs and MBPs:¶
The purpose of this structure is to reduce operational complexity at each step. It is also to consolidate validation and Indicator selection operations into the MTA, so that Domain Owners need only publish a few simple records and MUAs only need simple display logic.¶
It is expected that MBPs implementing BIMI will do so in both their MTAs and MUAs.¶
#Requirements {#requirements}¶
Specification of BIMI in this document is guided by the following high-level goals, security dependencies, detailed requirements, and items that are documented as out of scope.¶
An overview of the security challenges and design decisions is documented at [BIMI-OVERVIEW].¶
BIMI has the following high-level goals:¶
Brand Indicators are a potential vector for abuse. BIMI creates a relationship between sending organization and Mail Receiver so that the receiver can display appropriately designated Indicators if the sending domain is verified and has meaningful reputation with the receiver. Without verification and reputation, there is no way to prevent a bad actor exxample.com from using example.com's Brand Indicators and behaving maliciously. This document does not cover the different verification and reputation mechanisms available, but BIMI relies upon them to be in deployed in order to control abuse.¶
Several topics and issues are specifically out of scope for the initial version of this work. These include the following:¶
This section defines terms used in the rest of the document.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are encouraged to be familiar with the contents of [RFC5598]. In particular, that document defines various roles in the messaging infrastructure that can appear the same or separate in various contexts. For example, a Domain Owner could, via the messaging mechanisms on which BIMI is based, delegate responsibility for providing preferred brand indicators to a third party with another role. This document does not address the distinctions among such roles; the reader is encouraged to become familiar with that material before continuing.¶
Syntax descriptions use Augmented BNF (ABNF) [RFC5234].¶
"Author Domain", "Domain Owner", "Organizational Domain", and "Mail Receiver" are imported from DMARC [RFC7489] Section 3.¶
The mechanism through which a Protocol Client verifies the BIMI Assertion Record and constructs the URI(s) to the requested Indicator(s) to be placed in the BIMI-Location header.¶
The icon, logo, image, mark, or other graphical representation of the brand. The Indicator is defined in a common image format with restrictions detailed in the Assertion Record Definition.¶
A document published by a Mark Verifying Authority to assert evidence of verification. These are defined in a separate document.¶
A certificate issued by a Certificate Authority in accordance with the Verified Mark Certificate Guidelines. These guidelines are defined in a separate document.¶
A Verified Mark Certificate is one example of a BIMI Evidence Document.¶
An entity designed to obtain and correctly interpret the records defined in this specification for the purpose of discovering and fetching published Indicators.¶
A Protocol Client that uses optional capabilities to obtain and evaluate evidence concerning the Domain Owner's rights to use the published Indicators.¶
Domain owners publish BIMI policies by adding BIMI Assertion Records in the DNS as TXT records.¶
Published policies are interpreted and applied by Protocol Clients. A Domain Owner signals intended BIMI participation for one or more of its domains by publishing an Assertion Record in a subdomain under it. In doing so, Domain Owners make specific requests of MUAs regarding the preferred set of Indicators to be displayed with messages that are confirmed to be authorized to appear from the Domain Owner's domain.¶
The use of BIMI is opt-in. Receivers default to performing no BIMI-specific message handling until they choose to do so, and then only if a BIMI record for the sender's domain is found.¶
BIMI's use of the DNS is driven in part by BIMI's use of domain names as the basis of sender identity and message authentication. Use of the DNS as the policy publication service also has the benefit of reusing an extremely well-established operations, administration, and management infrastructure, rather than creating a new one.¶
BIMI's policy payload is intentionally only published via a DNS record and not via one or more email headers. This serves three purposes:¶
Per DNS [RFC1035], a TXT record can comprise several "character-string" objects. BIMI TXT records with multiple strings must be treated in an identical manner to SPF Section 3.3.¶
MUAs implementing the BIMI mechanism SHOULD make a best-effort attempt to adhere to the Domain Owner's published BIMI policy. However, MUAs have final control over the user interface published to their end users, and MAY use alternate Indicators than those specified in the BIMI assertion record or no Indicator at all.¶
All Domain Owner BIMI preferences are expressed in DNS TXT records published in subdomains named "_bimi". Multiple sets of preferences can be associated with a single RFC5322.From domain. To distinguish between these different preferences, BIMI defines and uses [selectors]{#selectors}. Senders declare which selector to use for a given message by specifying the selector in an optional BIMI-Selector header.¶
For example, the Domain Owner of "example.com" would post BIMI policy in a TXT record at "default.bimi.example.com". Similarly, a Mail Receiver wishing to query for BIMI policy regarding mail with an RFC5322.From Author Domain of "example.com" and a selector "default" (the default) would query the TXT record located at the subdomain of "default.bimi.example.com". The DNS-based BIMI policy record is referred to as the "BIMI Assertion Record" or "Assertion Record".¶
BIMI Assertion Records follow the extensible "tag-value" syntax for DNS-based key records as defined in DKIM [RFC6376].¶
Assertion Records are defined precisely. Mail receivers MUST NOT attempt to fix syntactical or capitalization errors. If a required tag is missing, or its value not well-formed, it is an error.¶
This section creates a registry for known BIMI tags and registers the initial set defined in this document. Only tags defined in this document or in later extensions, and thus added to the registry, are to be processed; unknown tags MUST be ignored.¶
The following tags are introduced as the initial valid BIMI tags:¶
v= Version (plain-text; REQUIRED). Identifies the record retrieved as a BIMI record. It MUST have the value of "BIMI1" for implementations compliant with this version of BIMI. The value of this tag MUST match precisely; if it does not match or it is absent, the entire retrieved record MUST be ignored. It MUST be the first tag in the list.¶
ABNF: bimi-version = "v" *WSP "=" *WSP "BIMI1"¶
a= Authority Evidence Location (plain-text; URI; OPTIONAL). If present, this tag MUST have an empty value or its value MUST be a single URI. An empty value for the tag is interpreted to mean the Domain Owner does not wish to publish or does not have authority evidence to disclose. The URI, if present, MUST contain a fully qualified domain name (FQDN) and MUST specify HTTPS as the URI scheme ("https"). The URI SHOULD specify the location of a publicly retrievable BIMI Evidence Document. The format for evidence documents is defined in a separate document.¶
If the a= tag is not present, it is assumed to have an empty value.¶
ABNF: bimi-evidence-location = "a" *WSP "=" *WSP [bimi-uri] bimi-uri = \[FWS\] URI \[FWS\] ; "URI" is imported from [URI] ; HTTPS only ; commas within a URI (ASCII ; 0x2C) MUST be encoded¶
l= location (URI; REQUIRED). The value of this tag is either empty indicating declination to publish, or a single URI representing the location of a Brand Indicator file. The only supported transport is HTTPS.¶
ABNF: bimi-location = "l" *WSP "=" *WSP [bimi-uri]¶
Therefore, the formal definition of the BIMI Assertion Record, using ABNF [RFC5234], is as follows:¶
bimi-sep = *WSP ";" *WSP bimi-record = bimi-version (bimi-sep bimi-location) [(bimi-sep bimi-evidence-location)] [bimi-sep] ; components other than bimi-version may appear in any order¶
If both the "l=" and "a=" tags are empty, it is an explicit refusal to participate in BIMI. This is distinct from not publishing a BIMI record. For example, an empty BIMI record enables a Domain Owner to decline BIMI participation for a subdomain when its organizational domain has default Indicators available. Furthermore, messages sent using a selector that has declined to publish will not show an Indicator while messages with other selectors would display normally.¶
An explicit declination to publish looks like:¶
v=BIMI1; l=; a=;¶
Any format in the BIMI-formats IANA registry are acceptable targets for the l= tag. If an l= tag URI ends with any other image format suffix, or if the document retrievable from the location(s) in the l= tag are of any other format, the evaluation of the record MUST be treated as a permanent error.¶
As of the publishing of this document, only SVG and SVGZ, as defined in RFC6170 section 5.2 is acceptable in the l= tag. Further restrictions apply to the SVG; these are documented elsewhere.¶
To support publishing and display of more than one distinct Brand Indicator per domain, the brand Indicator namespace is subdivided for publishing of multiple Assertion Records using "selectors". Selectors allow the Domain Owner to choose the brand Indicator, for example, by type of recipient, by message source, or by other considerations like seasonal branding. BIMI selectors are modeled after DKIM selectors.¶
The selector "default" is the default Assertion Record. Domain Owners can specify which other selector to use on a per-message basis by utilizing the BIMI-Selector Header.¶
Periods are allowed in selectors and are component separators. When BIMI Assertion Records are retrieved from the DNS, periods in selectors define DNS label boundaries in a manner similar to the conventional use in domain names. In a DNS implementation, this can be used to allow delegation of a portion of the selector namespace.¶
ABNF: selector = sub-domain *( "." sub-domain ) ; from [SMTP] Domain, ; excluding address-literal¶
The number of selectors for each domain is determined by the Domain Owner. Many Domain Owners will be satisfied with just one selector, whereas organizations with more complex branding requirements can choose to manage disparate selectors. BIMI sets no maximum limit on the number of selectors.¶
Once BIMI policies are published in DNS via Assertion Records, Domain Owners can provide additional guidance to Mail Receivers, and Mail Receivers to their MUAs through the use of BIMI header fields.¶
BIMI header fields are case insensitive. If a required tag is missing, it is an error.¶
BIMI DNS records are placed in <selector>.bimi.<domain>, and by default they are placed in default.bimi.<domain>. That is, for example.com, the default Assertion Record is located in the DNS at default._bimi.example.com. However, a Domain Owner may override the use of the default selector and specify the use of an alternative using the RFC5322-compliant header 'BIMI-Selector'. The BIMI-Selector header consists of key value pairs:¶
v= Version (plain-text; REQUIRED). The version of BIMI. It MUST have the value of "BIMI1" for implementations compliant with this version of BIMI. The value of this tag MUST match precisely; if it does not or it is absent, the entire retrieved record MUST be ignored. It MUST be the first tag in the list.¶
ABNF: bimi-header-version = "v" *WSP "=" *WSP "BIMI" 1DIGIT¶
s= Selector (plain-text; REQUIRED). The location of the BIMI DNS record, when combined with the RFC5322.From domain.¶
ABNF: bimi-selector = "s" *WSP "=" *WSP selector¶
And the formal definition of the BIMI Selector Header, using ABNF, is as follows:¶
bimi-selector-header = bimi-header-version bimi-sep bimi-selector \[bimi-sep\]¶
BIMI-Location is the header a Mail Receiver inserts that tells the MUA where to get the BIMI Indicator from.¶
The syntax of the header is as follows:¶
v= Version (plain-text; REQUIRED). The version of BIMI. It MUST have the value of "BIMI1" for implementations compliant with this version of BIMI. The value of this tag MUST match precisely; if it does not or it is absent, he entire header MUST be ignored. It MUST be the first tag in the list.¶
The ABNF for bimi-header-version is imported exactly from the [BIMI Selector Header](#bimi-selector).¶
l: location of the BIMI Indicator (URI; OPTIONAL if a bimi-evidence-location-header-uri is specified, otherwise REQUIRED.). Inserted by the MTA after performing the required checks and obtaining the applicable domain's published Assertion Record. The value of this tag is a URI representing the location of the Brand Indicator file. HTTPS is the only supported transport.¶
ABNF: bimi-location-header-uri = "l" *WSP "=" bimi-uri¶
a: location of the BIMI Evidence Document (URI; REQUIRED if the BIMI Evidence Document was verified). Inserted by the MTA after performing the required checks and obtaining the applicable domain's published Assertion Record. The value of this tag is a URI representing the location of the BIMI Evidence Document. HTTPS is the only supported transport.¶
ABNF: bimi-evidence-location-header-uri = "a" *WSP "=" bimi-uri¶
And the formal definition of the BIMI Location Header, using ABNF, is as follows:¶
bimi-location-header-location-only = bimi-location-header-uri bimi-location-header-evidence-only = bimi-evidence-location-header-uri bimi-location-header-both = bimi-location-header-uri bimi-evidence-location-header-uri bimi-location-options = bimi-location-header-location-only / bimi-location-header-evidence-only / bimi-location-header-both bimi-location-header = bimi-header-version bimi-sep bimi-location-options \[bimi-sep\]¶
BIMI-Indicator is the header a Mail Receiver inserts to pass a verified Indicator to the MUA.¶
The header contains the SVG of the Indicator encoded as base64, and is inserted by the MTA after performing the required checks and obtaining the applicable domain's published Assertion Record. The contents of this tag MUST match the SVG Indicator content retrieved from the URI specified in the BIMI-Location header. If he Indicator was supplied as a gzipped SVGZ file then the MTA MUST uncompress the file before base64 encoding.¶
base64string = ALPHADIGITPS *([FWS] ALPHADIGITPS) [ [FWS] "=" [ [FWS] "=" ] ]¶
And the formal definition of the BIMI Indicator Header, using ABNF, is as follows:¶
bimi-indicator-header = bimi-sep base64string \[bimi-sep\]¶
If present, the BIMI-Selector header SHOULD be included in the DMARC-aligned DKIM signature used to confirm authenticity of the message. If it is not included in the DMARC-compliant DKIM signature, the header SHOULD be ignored.¶
Receivers MAY choose to apply additional methods to validate the BIMI-Selector header, for example by evaluating a trusted [ARC] chain. In this case the Receiver MAY choose to treat the message as if the BIMI-Selector header was signed.¶
The BIMI-Location and BIMI-Indicator headers MUST NOT be DKIM signed. This header is untrusted by definition, and is only for use between an MTA and its MUAs, after DKIM has been validated by the MTA. Therefore, signing this header is meaningless, and any messages with it signed are either coming from malicious or misconfigured third parties.¶
This section includes a walk through of the actions a Domain Owner takes when setting up Assertion Records and sending email messages.¶
Domain Owners should consider which Indicator file formats to choose when setting up their BIMI Assertion Records. For a Sender, BIMI provides control over which Indicators are eligible and can be chosen for display, but not the ultimate manner in which the MUA will display the Indicator.¶
For each set of Indicators and domains, publish the appropriate Assertion Record as either "default" or a named selector as a DNS TXT record within the appropriate "_bimi" namespace.¶
For Domain Owners with multiple domains that wish to share the same set of Indicators within a trust boundary and only manage those Indicators from a single DNS location, it is RECOMMENDED to use DNS CNAMEs.¶
Using a CNAME here is functionally similar to the SPF redirect modifier. Since BIMI does not require l= tags to be aligned to the Author Domain, CNAMEs present a cleaner solution than extending the protocol.¶
Once a default Assertion Record has been published for an Author Domain, all emails from this domain should display the appropriate Indicator in participating MUAs.¶
If a non-default Indicator is desired, the BIMI-Selector header should be set appropriately. If for some reason this selector cannot be accessed by the Protocol Client, the fallback is the default Assertion Record on the Organization domain.¶
The BIMI-Location header MUST NOT be set by email senders, and Protocol Clients MUST ignore it.¶
This section includes a walk through of the actions a Protocol Client takes when evaluating an email message for BIMI Assertion.¶
Before applying BIMI processing for a message, a receiver MUST verify that the message passed the following BIMI authentication requirements:¶
Through the BIMI Assertion Record, Domain Owners use DNS TXT records to advertise their preferences. Preference discovery is accomplished via a method similar to the method used for DMARC [RFC7489] records. This method, and the important differences between BIMI and DMARC [RFC7489] mechanisms, are discussed below.¶
Assertion Record Discovery MUST NOT be attempted if the message authentication fails per Receiver policy.¶
To balance the conflicting requirements of supporting wildcarding, allowing subdomain policy overrides, and limiting DNS query load, Protocol Clients MUST employ the following lookup scheme for the appropriate BIMI record for the message:¶
Individual types of BIMI Evidence Document MAY specify extra discovery and validation steps. These will be defined in separate documents.¶
If an Assertion Record is found, and it has empty bimi-location and bimi-evidence-location then this is a Declination to Publish record. BIMI processing MUST not occur on this message and the MTA SHOULD reflect this in the Authentication-Results header by adding a bimi=declined entry.¶
If an Assertion Record is found, and has an empty or missing bimi-evidence-location entry then no evidence has is presented, and the Indicator MUST be retrieved from the URI specified in the bimi-location entry using the following algorithm:¶
Upon completion of Assertion Record Discovery, Indicator Discovery, and Indicator Validation, an MTA SHOULD affix the result in the Authentication-Results header using the following syntax, with the following key=value pairs:¶
bimi: Result of the bimi lookup (plain-text; REQUIRED). Range of values are 'pass' (BIMI successfully validated), 'none' (no BIMI record present), 'fail' (syntax error in the BIMI record, failure in Discovery or Validation steps, or some other error), 'temperror' (DNS lookup problem), 'declined' (The domain owner published an explicit declination record), or 'skipped' (BIMI check was not performed, possibly because the message did not comply with the minimum requirements such as passing DMARC, or the MTA does not trust the sending domain). The MTA MAY put comments in parentheses after bimi result, e.g., "bimi=fail (Invalid SVG)", "bimi=skipped (sender not trusted)" or "bimi=skipped (message failed DMARC)".¶
header.d: Domain of the BIMI Assertion Record which was evaluated (plain-text; REQUIRED if bimi=pass). For example, this will be the organizational domain if the BIMI lookup used the fallback record, otherwise it will be the RFC5322.From domain.¶
header.selector: Selector of the BIMI Assertion Record which was evaluated (plain-text; REQUIRED if bimi=pass). For example, if a BIMI-Selector Header was present and used to discover a BIMI Assertion Record then this will be the Selector used, otherwise this will be 'default'.¶
policy.authority: Authority verification status of the Brand Identifier (plain-text; REQUIRED if the BIMI Evidence Document was checked). If the Authority Evidence presented in the BIMI Assertion Record was checked and found to be valid then this MUST be set to pass. If the validation failed then this MUST be set to fail. If no Authority Evidence was presented, or the MTA did not check the Authority Evidence then this SHOULD be set to none.¶
policy.authority-uri: The URI of the BIMI Evidence Document checked, as found in the a= tag of the BIMI Assertion Record (plain-text; OPTIONAL).¶
Regardless of success of the BIMI lookup, if a BIMI-Location or a BIMI-Indicator header is already present in a message it MUST be either removed or renamed. This is because the MTA performing BIMI-related processing immediately prior to a Mail Delivery Agent (or within the same administrative realm) is the only entity allowed to specify the BIMI-Location or BIMI-Indicator headers (e.g. not the sending MTA, and not an intermediate MTA). Allowing one or more existing headers through to a MUA is a security risk.¶
If the original email message had a DKIM signature, it has already been evaluated. Removing the BIMI-Location header at this point should not invalidate the signature since it should not be included within it per this spec.¶
This header MUST NOT be added if Discovery or Validation steps failed.¶
The URI used to retrieve the validated SVG Indicator. If the receiver extracted the Indicator from the BIMI Evidence Document then this SHOULD be the bimi-evidence-location added with a a= tag, otherwise it SHOULD be the bimi-location added with a l= tag. If both a= and l= tags are included then the MTA MUST perform checks to ensure that the SVG Indicator referenced by the bimi-location is identical to the SVG Indicator extracted from the BIMI Evidence Document.¶
This header MUST NOT be added if Discovery or Validation steps failed.¶
Encode the SVG Indicator retrieved and validated during the Indicator Discovery and Indicator Validation steps as base64 encoded data. If the Indicator was compressed with gzip when retrieved then the data MUST be uncompressed before being base64 encoded.¶
The MTA MUST fold the header to be within the line length limits of SMTP [RFC5321].¶
The consistent use of Brand Indicators is valuable for Domain Owners, Mail Receivers, and End Users. However, the routine display of brand Indicators represents an attractive target for abuse, especially for determined malicious actors. Great care is warranted. The discussion following as an incomplete list of considerations.¶
If a mail store ingests a message from another mail store through some other means, the message may or may not have BIMI headers added already. If the receiving store trusts the other mail store, it may simply use existing headers. Or, it may re-evaluate BIMI policy and requirements, and create or replace the BIMI-Location header.¶
Publishing BIMI records is not sufficient for an MTA to signal to the MUA to load the BIMI Indicator. For example, the Domain Owner may also need to have a sufficiently strong reputation with the MTA. The receiver may use a manually maintained list of large brands, it may import a list from a third party of acceptable domains, or it may apply its own reputation heuristics before deciding whether or not to load the BIMI Indicator. BIMI does not specify what MTAs may bring to bear as additional factors.¶
The MTA or MUA should perform some basic analysis and avoid loading Indicators that are too large or too small. The Receiver may choose to maintain a manual list and do the inspection of its list offline so it doesn't have to do it at time-of-scan.¶
All email Receivers already have to query for DNS records, and all of them have built-in timeouts when performing DNS queries. Furthermore, the use of caching when loading Indicators can help cut down on load time. Virtually all email clients have some sort of image-downloading built-in and make decisions when to load or not load Indicators.¶
There is no guarantee that a group responsible for managing Brand Indicators will have access to put these Indicators directly in any specific location of a domain, and requiring that Indicators live on the asserted domain is too high a bar. Additionally, letting a brand have Indicator locations outside its domain may be desirable so that someone sending legitimate authenticated email on the Domain Owner's behalf can manage and set selectors as an authorized third party without requiring access to the Domain Owner's DNS or web services.¶
If a Domain Owner relies on SPF but not DKIM for email authentication, then adding a requirement of DKIM may create too high of a bar for that sender. On the other hand, Receivers doing BIMI assertion may factor in the lack of DKIM signing when deciding whether to add a BIMI-Location header.¶
MTAs and MVAs should aggressively police Indicators to ensure they are the Indicators they claim to be, are within appropriate size limits, and pass other sanity checks. Additionally, MTAs might cache good Indicators and serve them directly to their MUAs, which would in practice bypass any malicious dynamic payload set to trigger against an end user but not an MTA.¶
Domain Owners should be careful to strip any metadata out of published Indicators that they don't want to expose or which might bloat file size. MTAs and MVAs might wish to inspect and remove such data from Indicators before exposing them to end users.¶
IANA will need to reserve three new entries for the "Permanent Message Header Field Names" registry and create a registry for support file formats for BIMI.¶
Header field name: BIMI-Selector¶
Applicable protocol: mail¶
Status: standard¶
Author/Change controller: IETF¶
Specification document: This one¶
Header field name: BIMI-Location¶
Applicable protocol: mail¶
Status: standard¶
Author/Change controller: IETF¶
Specification document: This one¶
Header field name: BIMI-Indicator¶
Applicable protocol: mail¶
Status: standard¶
Author/Change controller: IETF¶
Specification document: This one¶
Names of support file types supported by BIMI must be registered by IANA.¶
New entries are assigned only for values that have been documented in a published RFC that has had IETF Review, per [IANA-CONSIDERATIONS]. Each method must register a name, the file extension, the specification that defines it, and a description.¶
NOTE: Items currently being discussed¶
o Can the MUA validate BIMI directly? What hints are needed? How can it be validated with some semblance of trust?¶
This section shows several examples of how a receiving MTA should determine which Assertion Record to use depending on the BIMI-Selector header.¶
The domain example.com does not send with a BIMI-Selector header.¶
From: sender@example.com¶
The MTA would lookup default._bimi.example.com for the BIMI DNS record.¶
The domain example.com sends with a BIMI-Selector header:¶
From: sender@example.com BIMI-Selector: v=BIMI1; s=selector;¶
The MTA would lookup selector._bimi.example.com.¶
The domain foo.example.com sends without a BIMI-Selector header:¶
From: sender@foo.example.com¶
The MTA would lookup default.bimi.foo.example.com for the BIMI DNS record. If it did not exist, it would lookup default.bimi.example.com.¶
The domain foo.example.com sends without a BIMI-Selector header:¶
From: sender@foo.example.com BIMI-Selector: v=BIMI1; s=myselector;¶
The MTA would lookup myselector.bimi.foo.example.com for the BIMI DNS record. If it did not exist, it would fall back to the lookup myselector.bimi.example.com.¶
The domain example.com sends with a BIMI-Selector header, but does not include the required field 'v=':¶
From: sender@example.com BIMI-Selector: s=myselector;¶
The MTA would ignore this header, and lookup default._bimi.example.com.¶
This section shows example Authentication-Results stamps based on different BIMI lookup statuses.¶
From: sender@example.com BIMI-Selector: v=BIMI1; s=myselector; Authentication-Results: bimi=pass header.d=example.com header.selector=myselector;¶
From: sender@sub.example.com Authentication-Results: bimi=none;¶
In this example, sub.example.com does not have a BIMI record at default.bimi.sub.example.com, nor does default.bimi.example.com¶
From: sender@example.com Authentication-Results: bimi=declined;¶
In this example the record found at default._bimi.example.com was "v=BIMI1; l=; a=;", indicating a Declination to Publish a BIMI Assertion Record, and so indicating that BIMI processing should not occur on this message.¶
From: sender@sub.example.com Authentication-Results: bimi=pass header.d=example.com header.selector=default;¶
domain has a default¶
From: sender@sub.example.com BIMI-Selector: v=BIMI1; s=myselector; Authentication-Results: bimi=none;¶
In this example, the sender specified a DNS record at myselector.bimi.sub.example.com but it did not exist. The fallback is to use myselector.bimi.example.com, which also does not exist. The assertion record does exist for the default selector at the organizational domain default._bimi.example.com, however this is not used as the sender specified a selector of myselector.¶
From: sender@sub.example.com BIMI-Selector: v=BIMI1; s=myselector; Authentication-Results: bimi=pass header.d=example.com header.selector=myselector;¶
In this example, the sender specified a DNS record at myselector.bimi.sub.example.com but it did not exist. The fallback is to use myselector.bimi.example.com.¶
This section shows how an example MTA might evaluate an incoming email for BIMI participation, and how it could share that determination with its MUA(s).¶
The MTA receives the following DKIM signed message:¶
DKIM-Signature: v=1; s=myExample; d=example.com; h=From;BIMI-Selector;Date;bh=...;b=... From: sender@example.com BIMI-Selector: v=BIMI1; s=brand; BIMI-Location: image.example.com/bimi/logo/example-bimi.svg Subject: Hi, this is a message from the good folks at Example Learning¶
The receiving MTA receives the message and performs an SPF verification (which fails), a DKIM verification (which passes), and a DMARC verification (which passes). The domain is verified and has good reputation. The Receiver proceeds to perform a BIMI lookup.¶
The MTA sees that the message has a BIMI-Selector header, and it is covered by the DKIM-Signature, and the DKIM-Signature that passed DKIM is the one that covers the BIMI-Selector header. The MTA sees the header validates and contains 'v=BIMI1', and 's=brand'. It performs a DNS query for brand._bimi.example.com and retrieves:¶
brand._bimi.example.com IN TXT "v=BIMI1; l=https://image.example.com/bimi/logo/"¶
The MTA verifies the syntax of the BIMI DNS record, and it, too passes.¶
The MTA knows it has previously retrieved the Indicator referenced by the BIMI DNS record, and had already successfully checked this Indicator against the published SVG profile. The MTA retrieves the Indicator from the cache.¶
The MTA computes and affixes the results of the BIMI to the Authentication-Results header:¶
Authentication-Results: spf=fail smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com; dmarc=pass header.from=example.com; bimi=pass header.d=example.com header.selector=brand;¶
The MTA base64 encodes the retrieved Indicator and constructs a new BIMI-Indicator header.¶
The MTA constructs a BIMI-Location header with a version tag, and an l tag indicating the URL from which the Indicator was retrieved.¶
Finally, the MTA removes any existing BIMI-Location and BIMI-Indicator headers, and stamps the new ones:¶
BIMI-Location: v=BIMI1; l=https://image.example.com/bimi/logo/ BIMI-Indicator: PD94bW...8L3N2Zz4K¶
That the original sender signed a BIMI-Location header against this spec is irrelevant. It was used for DKIM validation and then thrown out by the MTA.¶
The mail is opened from the mail store in an MUA. The MUA performs locally defined checks to make sure that it can trust the BIMI-Indicator header. Finally, the MUA extracts the Indicator from the BIMI-Indicator header and displays it to the user.¶
Many people have contributed to the development of BIMI. Along with thanks to members of the current AuthIndicators Working Group, the editors wish to acknowledge the efforts of Sri Somanchi, Don Cardinal, Steve Jones, and John Levine.¶