Unless a particular incident affects us personally, we seldom take any precautionary measure against it. With email spoofing attacks, that habit can cost you more than you think! Every year email spoofing attacks cost businesses billions and leave a long-term impact on their brand’s reputation and credibility. It all starts with domain owners living in constant denial of impending cyber threats until they finally fall prey to the next attack. Today, we are bidding adieu to negligence by taking you through 3 easy and beginner-friendly steps that can help you stop email spoofing once and for all. Here is what they are:

Step 1: Configure DMARC

If you haven’t already heard about it, DMARC can prove to be a holy grail for you if you are looking to stop constant impersonation attempts on your domain. While no protocol out there is a silver bullet, you can leverage DMARC to unleash its full potential and minimize email spoofing drastically.

To implement DMARC at your organization:

  • Create your custom DMARC record with a single click using our DMARC record generator
  • Copy and paste the record in your DNS
  • Allow your DNS 72 hours to configure the protocol

Step 2: Enforce Your DMARC Policy

When you are at the beginner stage of your email authentication journey, it is safe to set your DMARC policy at none. This allows you to familiarize yourself with the nuts and bolts of your email channels through monitoring, while not impacting the deliverability of your emails. However, a none policy doesn’t prevent email spoofing.  

To gain protection against domain abuse and impersonation, you need to move your policy to enforcement, i.e., DMARC quarantine or reject. This means that whenever an email sent from your domain fails authentication, i.e., it is sent from a non-compliant source, the fraudulent email is either lodged in the receiver’s spam folder or blocked outright.

To do this, you can simply change the “p” tag in your existing DMARC record from p=none to p=reject.

Step 3: Monitor Your Domains

The third and final step that binds together the entire process of DMARC adoption is monitoring. Monitoring all the domains for which you have deployed email authentication is a MUST to ensure the consistent deliverability of your business and marketing emails. This is why DMARC sends you domain-specific email authentication results in the form of DMARC aggregate and forensic reports.

Since XML reports are hard to read and appear disorganized, a DMARC report analyzer is an excellent platform that assembles your reports under a single roof, in an organized and comprehensive manner. You get to view and monitor your domains, modify your policies, and survey spoofing attempts easily, all across a single pane of glass.

With these steps in place, you can minimize direct-domain spoofing and enjoy safe email once again at your organization!

The BIMI email specification lets a brand determine what logo should appear alongside the sender for outgoing emails. This allows the brand to create a wholesome user experience not just through its products but also through its customer touchpoints. Instead of the generic logo that is displayed by default by your mailbox provider, BIMI helps brands provide a more professional look and feel to their business and marketing emails. This can be useful if a brand wishes to keep the same main brand and/or use different logos for different contexts.

What are Key Requirements for BIMI?

Domain owners should note that they need to meet certain key requirements before configuring BIMI for their domains. They are as follows:

  • For BIMI to function, DMARC enforcement is a mandatory requirement. Make sure that you configure a DMARC analyzer for your domain and shift to a policy of p=reject/quarantine
  • The next step is to have your BIMI-compliant brand logo in place. According to the BIMI logo specifications, the correct SVG file format is SVG Tiny 1.2
  • The display of your BIMI logo is ultimately in the hands of your mailbox provider, so make sure BIMI is supported by your participating mailbox providers
  • Finally, implement BIMI for your domain by publishing your BIMI DNS record

How to Create a BIMI DNS Record? 

To create and publish your BIMI record, start by identifying your root domain. This is the domain that would appear as the sender of your emails. Assuming your domain name is domain.com, the next step is to create your BIMI selector. Similar in function to DKIM selectors, a BIMI selector is used by receiving servers to locate your BIMI record during a DNS lookup.

Note: It is not mandatory to define a selector name, as you can go with the default selector. However, if you operate several brands located on subdomains and want to render a different BIMI logo for each of them, then you need to manually configure a BIMI-selector header to make that possible.

BIMI Record Examples

 

BIMI record without VMC:

BIMI record with VMC:

 

Note: If you have not created your BIMI selector name, the name will be kept as “default”, in which case the value for your “host” field will be “default._bimi.domain.com”. 
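As an added example (not from the original article), the Python below builds the “host” name for a selector and checks a BIMI TXT record's v, l and a tags. The sample records, their URLs and the function names are constructed; a is the tag that carries the VMC location.

```python
from urllib.parse import urlparse


def bimi_host(domain, selector="default"):
    """DNS name (the "host" field) under which the BIMI TXT record is published."""
    return f"{selector}._bimi.{domain}"


def check_bimi_record(record):
    """Return a list of problems found in a BIMI TXT record (empty list = valid)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = dict((k.strip().lower(), v.strip())
                for k, v in (p.split("=", 1) for p in parts if "=" in p))
    problems = []
    # The version tag must come first and must be exactly BIMI1.
    if not parts or parts[0].replace(" ", "") != "v=BIMI1":
        problems.append("record must start with v=BIMI1")
    # The logo must be fetched over HTTPS and be an SVG (SVG Tiny 1.2) file.
    logo = urlparse(tags.get("l", ""))
    if logo.scheme != "https":
        problems.append("l= must be an https URL for the logo")
    elif not logo.path.lower().endswith(".svg"):
        problems.append("l= should point to an SVG (SVG Tiny 1.2) file")
    # The VMC location is optional, but when present it must also use HTTPS.
    if tags.get("a") and urlparse(tags["a"]).scheme != "https":
        problems.append("a= (VMC certificate) must be an https URL")
    return problems


# Constructed sample records for domain.com; the URLs are placeholders.
WITHOUT_VMC = "v=BIMI1; l=https://domain.com/logo.svg;"
WITH_VMC = "v=BIMI1; l=https://domain.com/logo.svg; a=https://domain.com/vmc.pem;"
BROKEN = "v=BIMI1; l=http://domain.com/logo.png;"
```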

I Have Published My BIMI Record, What Next? 

Simply publishing your BIMI record is not enough to rest assured. You still need to ensure that your BIMI record is valid.

Gaining visibility on your sending sources when you are on p=reject for DMARC is crucial to maintaining a consistent flow of information and a steady email deliverability rate. DMARC reports parsed and displayed on a human-readable dashboard save your time while organizing your domain’s data efficiently. Configuring a DMARC report analyzer helps you manage and monitor your domains and hosted services with ease, allowing you to modify your record configurations in real-time with the click of a button.

 

PowerDMARC, a global provider of email security and authentication solutions based in Delaware, U.S.A, has signed a distribution agreement with Complete Solution Finder, a leading regional value-added distributor specializing in information security solutions. Under this agreement, PowerDMARC will now be distributing advanced email authentication services and solutions in Singapore, Malaysia, and Indonesia.

Extending Email Authentication Services in Singapore, Malaysia, and Indonesia

PowerDMARC is an email authentication platform that helps organizations combat domain spoofing, secure their email channel, and enhance their brand’s reputation. Their platform leverages protocols such as DMARC, MTA-STS, TLS-RPT, and BIMI to protect email messages across multiple domains in real-time. It also offers an easy-to-read dashboard that displays an organization’s DMARC statistics. They help entities that leverage their embedded features gain greater protection against phishing attacks and ransomware, improved delivery rates, and enhanced visibility on sending sources.

“We are excited about this opportunity,” said Faisal Al Farsi, CEO of PowerDMARC. “We’re looking forward to unearthing new, unexplored avenues with businesses in Southeast Asia. It is our pleasure to do business with Complete Solution Finder, an organization with over 30 years of unmatched expertise in this domain. With this invaluable partnership, we are hoping to strengthen the email security infrastructure of organizations in Singapore, Malaysia, and Indonesia.”

Complete Solution Finder is a pioneer in the regional distribution of data security solutions. Together with PowerDMARC, they’ll play a significant role in boosting DMARC compliance rates across countries in Southeast Asia, a region that has seen relatively low rates of DMARC adoption.

“We are thrilled to get on board with this new venture,” said Lawrence Woo, Managing Director of Complete Solution Finder. “Singapore, Malaysia, and Indonesia have been noticeably falling behind in their DMARC adoption rates, which makes this opportunity a significant one. PowerDMARC’s platform is convenient, coherent, and organized, which is everything we’re looking for in a partner’s product. We’re looking forward to great things to come.”

Brand Indicators for Message Identification (BIMI) is more than just an additional layer in your email security posture; it is also an effective marketing tool. BIMI allows organizations whose recipients use mailboxes that support it to attach brand logos to their emails. This helps visually affirm that the received email is legitimate, and increases the chances of your potential customer opening it. Today we are here to discuss BIMI selectors, their uses, and when you should consider configuring them. This is especially beneficial for enterprises that make use of more complicated branding techniques.

What are BIMI Selectors?

Much like the different DKIM selectors configured on different subdomains that you use to conduct business, BIMI selectors also work in a somewhat similar way. A BIMI-Selector header is a critical element that is completely in the hands of the user to configure if they wish to attach contrasting logos for a number of brands or companies operated via subdomains. While you must still adhere to the core requirements as described in the BIMI logo specifications, this is an additional feature that provides you with more liberty pertaining to the display of more than one logo.

Note that it is not compulsory to configure a BIMI-selector header manually since a default header is assigned to your BIMI DNS record and “From” header during implementation. However, it is an important step that you can’t dismiss if you want to display multiple BIMI logos for a particular From domain.

You can configure BIMI for your domain by publishing a record in your DNS created with the help of a BIMI record generator. After you are done publishing your BIMI record, you can now define different BIMI-selector headers for configuring contrasting logos to represent your brand. Thereafter when you send an email from your domain, the receiving server queries the sender’s DNS for the BIMI record. While performing the DNS lookup, in case the BIMI-selector header is missing, the server looks up the “From” header using a default selector. Otherwise, the receiver’s server queries your DNS using the selector configured by you in the added header.

What are the BIMI-Selector Header Tags?

In order to configure a BIMI-selector header, there are certain key constituents or tags that form the syntax of the header. They are the following:

  • Header name: the name of your BIMI-selector header, which by default is always BIMI-Selector. This field is compulsory.
  • v: the version of BIMI configured (BIMI1). This field is compulsory.
  • s: Also a compulsory field, this tag defines the name of the BIMI selector you want to configure. The name of your selector can be an alphanumeric value.

Note that whatever you decide to name your selector, the value should be consistent with the selector name displayed in both the BIMI header as well as the BIMI record that you have published in your domain’s DNS.

What is the Correct Syntax for a BIMI-Selector Header?

By default, the BIMI DNS record for a domain (e.g., domain.com) points to default._bimi.domain.com. However, a domain owner can define an additional selector header based on a subdomain if they want to display a different brand logo while sending a particular email.

Similar to publishing a BIMI DNS record, you need to make an entry for an additional BIMI-selector header in your DNS in the form of a text (TXT) record, to configure it. Let’s take a look at the correct syntax for a BIMI-selector header.

BIMI-selector header example: 

 BIMI-Selector: v=BIMI1; s=bimi2021;

Note: if you configure the selector header for a subdomain you are using to send your email, the receiver’s server will look up the BIMI record based on bimi2021._bimi.sub.domain.com. If the server finds no existing BIMI record in the DNS, it falls back to looking up the “From” header using the default BIMI selector for the main domain (default._bimi.domain.com).
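The lookup order in the note above can be traced with this added example (not from the original article). It assumes the organizational domain is passed in by the caller, stands in for DNS with a constructed dictionary of TXT records, and treats a malformed header as absent; all names in it are illustrative.

```python
import re

# Constructed zone data standing in for DNS TXT lookups (assumption: only
# these two BIMI records are published; the logo URLs are placeholders).
ZONE = {
    "default._bimi.domain.com": "v=BIMI1; l=https://domain.com/logo.svg;",
    "bimi2021._bimi.sub.domain.com": "v=BIMI1; l=https://domain.com/sub-logo.svg;",
}


def selector_from_header(header_value):
    """Return the selector named by a BIMI-Selector header value, or 'default'."""
    if not header_value:
        return "default"
    tags = dict((k.strip().lower(), v.strip())
                for k, v in (p.split("=", 1) for p in header_value.split(";") if "=" in p))
    selector = tags.get("s", "")
    # v=BIMI1 and an alphanumeric s tag are both compulsory in the header;
    # this example falls back to the default selector when either is wrong.
    if tags.get("v") != "BIMI1" or not re.fullmatch(r"[A-Za-z0-9]+", selector):
        return "default"
    return selector


def lookup_order(from_domain, org_domain, header_value=None):
    """DNS names to query, in the order described in the note above."""
    names = [f"{selector_from_header(header_value)}._bimi.{from_domain}",
             f"default._bimi.{org_domain}"]
    return list(dict.fromkeys(names))  # drop the duplicate when both coincide


def resolve_bimi(from_domain, org_domain, header_value=None, zone=ZONE):
    """Return (name, record) for the first published record, or None."""
    for name in lookup_order(from_domain, org_domain, header_value):
        if name in zone:
            return name, zone[name]
    return None
```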

Frequently Asked Questions

Does the BIMI selector get inherited by subdomains?

Yes. Ideally, your organization needs to publish a single BIMI DNS record based on the organizational domain to define a BIMI policy for all the subdomains. Therefore, the selector defined in the BIMI record published for the main domain gets inherited by the subdomains. You need to manually configure the BIMI-selector header based on subdomains to display multiple logos.

 

Is there a limit to the number of BIMI selectors one can configure? 

According to BIMI specifications, domain owners can configure multiple selectors for a domain without any defined limit.

 

Which of the mailbox providers support BIMI selectors? 

The display of your BIMI logo is ultimately determined by the participating mailbox providers. Currently, all supporting providers such as Gmail, Yahoo!, AOL, and Fastmail support BIMI selectors.