Closed (websecnl closed this issue 7 months ago)
You're not the first to propose BIMI, but thanks for making the issue, because it was not yet created.
The first thing is that BIMI is still in draft state, see draft-brand-indicators-for-message-identification. That's why I put it in the :ice_cube: icebox for now.
The second thing is that the 'Verified Mark Certificate (VMC)' with registered brands is not really an 'open standard', just an expensive certificate. It might be questionable whether it really improves security; see this earlier sample with a UPS spoof where Google incorrectly showed BIMI ☑️ verified because it wrongly trusted Microsoft.
Also see the SIDN article Add a verified logo to your business mail (2023-02-21) (also available in :netherlands: Dutch: Je zakelijke mail voorzien van een geverifieerd logo).
It would be nice to have a check that triggers for people who have an invalid BIMI record, or a BIMI record with a wrong, invalid, or expired certificate.
What do you think?
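As an added illustration of the DNS-level half of the check requested above (this is example code, not part of the issue thread or of the project being discussed): a small offline validator for the syntax of a BIMI assertion record. It assumes the record shape from the BIMI draft, a TXT record at `default._bimi.<domain>` whose first tag is `v=BIMI1`, followed by `l=` (an HTTPS URL of the SVG logo, or empty to decline participation) and an optional `a=` (an HTTPS URL of the VMC). The sample records and domain names are constructed; no DNS lookups are made, and fetching the logo or checking the VMC chain and expiry is a separate step not covered here.

```python
"""Offline syntax checker for BIMI assertion records (added example).

Assumed record shape, per the BIMI draft: 'v=BIMI1; l=<https logo URL>; a=<https VMC URL>'.
The rule that a non-empty a= is inconsistent with an empty l= is this checker's
own choice for flagging half-configured records.
"""
from urllib.parse import urlparse

# Constructed sample records keyed by a made-up domain; nothing is resolved.
SAMPLE_RECORDS = {
    "good.example": "v=BIMI1; l=https://good.example/brand.svg; a=https://good.example/vmc.pem",
    "declined.example": "v=BIMI1; l=; a=;",
    "http-logo.example": "v=BIMI1; l=http://bad.example/brand.svg",
    "no-version.example": "l=https://bad.example/brand.svg; v=BIMI1",
    "junk.example": "v=BIMI1; l=https://bad.example/brand.svg; foo",
    "dup.example": "v=BIMI1; l=https://a.example/x.svg; l=https://b.example/y.svg",
    "half.example": "v=BIMI1; l=; a=https://half.example/vmc.pem",
}

VALID_TAGS = ("v", "l", "a")


def parse_bimi_record(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs.

    Tags are lower-cased; values keep their case. A fragment without '='
    raises ValueError, since it cannot be a tag/value pair.
    """
    pairs = []
    for fragment in txt.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue  # tolerate a trailing ';' or empty segment
        if "=" not in fragment:
            raise ValueError(f"malformed tag: {fragment!r}")
        tag, value = fragment.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def _url_problem(tag, value):
    """Return a problem string unless value is an absolute https URL."""
    u = urlparse(value)
    if u.scheme != "https" or not u.netloc:
        return f"{tag}= must be an absolute https URL, got {value!r}"
    return None


def validate_bimi_record(txt):
    """Return a list of problems found in a BIMI record; an empty list means OK."""
    try:
        pairs = parse_bimi_record(txt)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("first tag must be v=BIMI1")

    tags = [t for t, _ in pairs]
    for t in sorted(set(tags)):
        if tags.count(t) > 1:
            problems.append(f"duplicate tag {t}=")
        if t not in VALID_TAGS:
            problems.append(f"unknown tag {t}=")

    values = dict(pairs)  # last occurrence wins; duplicates are already flagged
    if "l" not in values:
        problems.append("missing l= tag")
        return problems

    logo, authority = values["l"], values.get("a", "")
    if logo == "":
        # Empty l= means the domain declines to publish a logo.
        if authority != "":
            problems.append("a= must be empty when l= is empty")
    else:
        problem = _url_problem("l", logo)
        if problem:
            problems.append(problem)
        if authority:
            problem = _url_problem("a", authority)
            if problem:
                problems.append(problem)
    return problems


def check_all(records=SAMPLE_RECORDS):
    """Validate every sample record; maps domain -> list of problems."""
    return {domain: validate_bimi_record(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, problems in check_all().items():
        print(domain, "OK" if not problems else problems)
```

Running the block prints one line per sample domain; `good.example` and `declined.example` pass, and each of the others reports exactly the defect it was built to show. A real check in a domain scanner would first resolve `default._bimi.<domain>` TXT, then feed each string to `validate_bimi_record`, and only then fetch the `l=` and `a=` URLs to inspect the SVG and the certificate's validity period.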