The draft is long enough, but effectively states:
"verify SPF, DKIM and DMARC, if all okay..... and the important bit: if the local policy thinks the site is trustworthy..... then one can fetch and maybe show the logo.
Thus "local policy" is the real differentiator for deciding if a logo is shown.
The actual BIMI portion does not add much as that DNS record is untrusted (unless DNSSEC is checked, which is not specified/required anywhere).
As a spammer/phisher I could just:
setup a domain with valid SPF, DKIM and DMARC; note that this happens all the time.
add a BIMI-Selector and default._bimi.example.com CNAME default._bimi.bigcompany.com.
And voila! They don't even have to copy the _bimi TXT record of the target domain, as the resources get loaded from the remote site, nicely served and all. Even if the remote site did something magic, they only need to know the selector once and either manually steal the images and host them myself.
The above, in better wording, should be described in an adversarial section of the document.
Still, local policy is what hinders this. Who defines local policy? What makes something become a 'reputed domain', does this mean only large company get an advantage, or domains older than X days? What about startups or other legit businesses?
The draft is long enough, but effectively states: "verify SPF, DKIM and DMARC, if all okay..... and the important bit: if the local policy thinks the site is trustworthy..... then one can fetch and maybe show the logo.
Thus "local policy" is the real differentiator for deciding if a logo is shown.
The actual BIMI portion does not add much as that DNS record is untrusted (unless DNSSEC is checked, which is not specified/required anywhere).
As a spammer/phisher I could just:
And voila! They don't even have to copy the _bimi TXT record of the target domain, as the resources get loaded from the remote site, nicely served and all. Even if the remote site did something magic, they only need to know the selector once and either manually steal the images and host them myself.
The above, in better wording, should be described in an adversarial section of the document.
Still, local policy is what hinders this. Who defines local policy? What makes something become a 'reputed domain', does this mean only large company get an advantage, or domains older than X days? What about startups or other legit businesses?