BIMI: An Analysis of the Top 1 Million Domains

After developing an RFC-compliant validator for BIMI (Brand Indicators for Message Identification), I conducted a comprehensive analysis of the top 1 million domains to evaluate their BIMI setup. The findings highlight significant insights and common errors in BIMI implementations across these domains.

Summary of Findings

Out of the top 1 million domains analyzed:

  • 7,562 domains (0.76%) have a BIMI DNS record.
  • 3,161 domains with BIMI records had one or more issues (43.5%)
  • 8 domains explicitly refuse to participate in BIMI on the default assertion record.

Error Analysis

The following percentages are based on the total number of domains that serve a BIMI record:

  • Non-compliant SVG files with SVG Tiny Portable/Secure standards: 2,150 (28.4%)
  • DMARC policy p=/sp= set to 'none': 1137 (15.04%)
  • Unretrievable indicator location: 826 (10.92%)
  • SVG files exceeding 32 KB: 362 (4.79%)
  • DMARC policy of quarantine with PCT < 100: 146 (1.93%)
  • Unknown keys specified: 37 (0.49%)
  • Missing mandatory location tag in BIMI policies: 34 (0.45%)
  • Incorrect BIMI indicator location value: 18 (0.24%)
  • BIMI indicator file served via HTTP instead of HTTPS: 6 (0.07%)
  • Incorrect 'v' tag value: 5 (0.07%)

Authority Evidence Location Issues

Out of 2,075 domains that specified an Authority Evidence Location:

  • Incorrect authority evidence location: 218 (10.51%)
  • Invalid Verified Mark Certificates (VMC): 204 (9.83%)
  • Expired certificates: 156 (7.52%)
  • Certificates not matching the SVG in the indicator location: 54 (2.6%)
  • Certificates not matching the correct domain name: 16 (0.77%)
  • Revoked certificates: 6 (0.29%)
  • Served over HTTP instead of HTTPS: 1 (0.05%)

Conclusion

The analysis reveals that while a small fraction of domains have adopted BIMI, many implementations contain errors. The most common issues include non-compliance with SVG Tiny Portable/Secure standards and incorrect or expired certificates for authority evidence. These findings underscore the need for improved adherence to BIMI specifications to ensure robust and secure email authentication and brand recognition.

By addressing these errors, domain owners can leverage BIMI's full potential for brand visibility in email clients.

To validate a domain's BIMI configuration, you can use the free validator available at URIports.