Set up BIMI for emails coming from VA

[miabecker]

Value Statement

As Veteran or non-Veteran Beneficiary I want to see the Department of Veterans Affairs Logo (BIMI) on emails are coming from the Department of Veteran's affairs in my inbox So that I have confidence my information is safe

Acceptance Criteria

GIVEN an email from the Department of Veterans Affairs WHEN it is sent from messages.va.gov and notifications.va.gov THEN the end-user will see a BIMI in their inbox on the same row as the email

Checklist

• [ ] Implement for both domains: messages.va.gov and notifications.va.gov

Assumptions

• This will require an ESEC request to modify the DNS Record
• Will store the image / svg file in the va.gov public s3 bucket

Additional Info/Resources

• BIMI SVG -
• What is BIMI?: BIMI is a way to verify your brand and sender information, similar to other email authentication standards you’ve probably heard of like DMARC, DKIM, and SPF. And, just like those others, BIMI is essentially just a text record that lives on your servers. Email clients that support BIMI will check for that record to confirm that your emails are legit.The feature that distinguishes BIMI, though, is that during the verification process, email clients will pull in your brand logo to display alongside your message. 

https://www.litmus.com/blog/how-to-set-up-bimi/

Out of Scope

-

Open Questions

-

[miabecker]

Is it possible for Granicus?

[miabecker]

@toddstanich to add svg file here

[toddstanich]

BIMI added above.

[ffafara-tw]

https://github.com/department-of-veterans-affairs/vets-website/pull/17162

[ffafara-tw]

Submitted in scope change to RFC-005219 ESECC request.

[ffafara-tw]

https://bimigroup.org/bimi-generator/ claims the SVG has some issues:

SVG Issues You Need To Fix
 Attribute "Data-Name" Not Allowed Here, At Line Number: 1:170
More Details [+]
 Element "Svg" Missing Required Attributes "BaseProfile" And "Version", At Line Number: 1:170
More Details [+]
 Element "Defs" Not Allowed Yet, At Line Number: 1:176
More Details [+]
 Element "Style" Not Allowed Anywhere, At Line Number: 1:183
More Details [+]
 Element "ClipPath" Not Allowed Anywhere, At Line Number: 1:436
More Details [+]
 Element "ClipPath" Not Allowed Anywhere, At Line Number: 1:515
More Details [+]

@toddstanich can you take a look?

[toddstanich]

@ffafara-tw ran it through a conversion tool. How can we verify it meets the requirements?

Attached in this zip folder, github won't let me upload the SVG directly. bimi.zip

[ffafara-tw]

I think we will need to upload it to S3 bucket and use https://bimigroup.org/bimi-generator/ to verify.

[ffafara-tw]

PR to udpate SVG: https://github.com/department-of-veterans-affairs/vets-website/pull/17317

[ffafara-tw]

We might need to add some more DNS entries (SPF, MX) for notifications.va.gov domain.

[ffafara-tw]

BIMI verification passes for messages.va.gov however it's not showing up on gmail. We might need to to obtain a verified mark certificate (VMC)

[ffafara-tw]

We should also test it with Verizon Media (Yahoo)

[miabecker]

1. Test sending to yahoo email with both domains

@TWs-DevenS

[ffafara-tw]

If it doesn't work for either domain - we have to review what is missing according to https://bimigroup.org/. If it does not work for notifications.va.gov we will need to:

• add SPF DNS record
• add MX DNS record via ESECC in scope change request.

To add MX DNS record we will need to talk to VA Email (Exchange?) group to get their approval for pointing the domain at VA mail servers.

[ffafara-tw]

The BIMI logos are not showing up in yahoo. It's possible that we are not sending enough emails, as yahoo is only showing BIMI Logo for bulk senders: https://easydmarc.com/blog/how-to-configure-bimi-record/

[TWs-DevenS]

Test Plan for testing BIMi logo https://docs.google.com/document/d/1n4UvmiAESUSySw0GdwtqbLxNWIsBzUCQRDY4BL-D-Fc/edit

[miabecker]

Inputted a ticked to Yahoo support today.

[miabecker]

Creating a bug card for yahoo issue.