Google might never be able to stop phishing scams altogether, but it can certainly make them easier to spot. In a blog post last week, Google revealed that support for a new security feature is finally rolling out for Gmail. Brand Indicators for Message Identification (BIMI) is an industry standard that attempts to bring stronger sender authentication to the email ecosystem. Google first announced a pilot program last July, but now BIMI appears to be ready for prime time.
As Google explains, BIMI gives both email recipients and security systems increased confidence in the source of an email. Bank of America is one company that plans to take advantage of BIMI:
“Bank of America has a wide range of security measures in place to support our customers, and we constantly evolve our program to deliver best in class protection. Part of this effort is our partnership with Google on BIMI, which provides an easy way to validate if correspondence is from us.” – Bank of America
How does the new Gmail security feature work?
With Google’s BIMI, organizations are able to authenticate their emails using Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC allows security systems to filter more effectively, separating legitimate emails from spoofed ones. Organizations that use DMARC will have validated logos display on authenticated emails from their domains and subdomains.
According to Google, these organizations can provide validated trademarked logos to Google via a Verified Mark Certificate (VMC). BIMI then verifies logo ownership and provides proof of verification. Recipients will then see the verified logos in the existing avatar slot. If you see the verified logo of the organization, you can be certain it’s a legitimate message.
Google says that this is just the beginning for its new Gmail security feature BIMI. In the future, BIMI will support more logo types and validators. Gmail users do not have to do anything to activate BIMI. Messages that support the feature will automatically take advantage of it. As for organizations, they need to adopt DMARC and validate their logos with a VMC.