---
title: "Problems with BIMI"
date: 2023-06-09T22:15:51-07:00
syndicatedCopies:
- title: 'The Fediverse'
url: 'https://pleroma.envs.net/notice/AWXQqaIGDQl0Jf0JOq'
---
Everything about [Brand Indicators for Message Identification](https://bimigroup.org/) (BIMI) feels so half-baked.
Lukewarm take: BIMI should mandate DMARC with DKIM and just ignore SPF. It could also require supporting TLS 1.3+. After all, one of the stated goals of BIMI was to increase adoption of better email standards like DMARC. This could have [entirely prevented recent spoofing issues](https://infosec.exchange/@titanous/110481616735600044).
Putting the HTTPS URL of an SVG icon in a new DNS TXT record to associate a whole domain with a logo makes no sense. _Several_ better standards exist for associating a `user@domain` with an image, allowing different logos for different emails at the same domain. [Webfinger](https://webfinger.net/) and [Libravatar](https://www.libravatar.org/) come to mind.
Hell, even its special SVG Tiny Portable/Secure standard could be simplified further. [usvg](https://github.com/RazrFalcon/resvg/tree/6be2f2d396e539ddfcf022dc67f304d307c1211a/crates/usvg) can convert nearly any SVG to a tiny subset of the SVG Tiny P/S standard while preserving their appearance.
Of course, none of this is too relevant to the BIMI group. The real purpose of BIMI was always to give certificate authorities a new source of income after their losses from Let's Encrypt's (lack of) pricing, the rise of ACME-based automation, and browsers' deprecation of EV features.