Updates on BIMI with Brian Westnedge of Redsift
Email’s Not Dead: Season 4, Episode 5
Email's Not Dead
About this episode:

This episode is an update on BIMI, and who better to have on the show than Redsift's Brian Westnedge. He updates us on what's happened with BIMI since we first spoke about it in 2019 with Matt Vernhout, how bad actors are starting to work around BIMI, and what you can do about it to prevent spoofing of your brand. Enjoy!

Resources from this episode: bimiradar.com, bimigroup.org

Email's Not Dead is a podcast about how we communicate with each other and the broader world through modern technologies. Email isn't dead, but it could be if we don't change how we think about it. Hosts Jonathan Torres and Eric Trinidad dive into the email underworld and come back out with a distinctive look at the way developers and marketers send email.
Meet your presenters
Technical Account Manager at Mailgun by Sinch
Sr. Director, Alliances & Partnerships at Redsift
Email’s Not Dead - S4, Ep. 5: Updates on BIMI with Brian Westnedge of Redsift
00:00:21 – Meet Brian Westnedge
00:02:32 – BIMI updates since 2019
00:15:25 – So who supports BIMI currently?
Eric Trinidad: Welcome to Email's Not Dead. My name is Eric and with me is Jonathan.
Jonathan Torres: Hello.
Eric Trinidad: Hello. Welcome back, friends. We're here today to talk to you about all things email as we do every week or every session. Today we're going to be talking about BIMI. We talked about it way back when. When was that?
Jonathan Torres: That was a long time ago.
Eric Trinidad: 2019. We're joined by Brian Westnedge of Redsift to talk a little bit about BIMI and where and how far we've come. You know, it's been like what, 20 years, I feel? Hey Brian, how are you?
Brian Westnedge: Hey. Good to be with you guys today.
Eric Trinidad: It's good to see you, sir. It's good to hear you as well. You know, I don't think people are going to be able to see you, but, yeah.
Brian Westnedge: I got a much better face for audio, Eric.
Eric Trinidad: You know, that's what Jonathan tells me all the time. So you're in good company.
Jonathan Torres: I say it about myself, though, too, so.
Eric Trinidad: Well, yes, sir. You are the senior director of alliances and partnerships at Redsift. Can you tell us a little bit about what that's about?
Brian Westnedge: I work with our partners in the email space, typically around implementing BIMI, and alongside BIMI there's another email authentication protocol your listeners are probably familiar with called DMARC. So I like to establish partnerships with folks like Sinch Email to kind of make their customers' experience better around email security, email authentication and BIMI, and hopefully together have that kind of better-together story. But yeah, my career has kind of been in email for the last 20 years. I just realized the other day that, number one, I'm old and number two, I love email. Your podcast title, you know, Email's Not Dead, like, you know, so many times in the last twenty years I saw those articles that said, you know, X is going to kill email. You know, is it going to be Yam, is it going to be Slack, is it going to be RSS, you know, stretching way back.
Brian Westnedge: But the great thing for all of us who love emails is email's still alive and kicking and it's not going anywhere anytime soon, I don't think.
Eric Trinidad: Yeah, I think we were talking about it the other day about saying like the last things on earth are going to be roaches and email.
Brian Westnedge: Taxes, roaches, email. There you go.
Eric Trinidad: Yeah. Well, right on. Well, you know, because it has been so long since we've talked about it. I mean, we spoke with Matt about it like in 2019. We've talked with the folks at dmarcian in the past talking about DMARC. So a lot of our frequent listeners are kind of familiar with that, you know, so kind of since, you know, in the past few years, where have you seen BIMI being implemented?
Brian Westnedge: Yeah, I think, you know, Matt Vernhout, who you guys spoke with, was on the working group. And first of all, to say kudos to the BIMI working group. You might also hear it called the auth indicators working group, but I think, you know, since you talked to Matt over three years ago, there's, I would say, been a lot of advancements in the space, both on who's supporting BIMI on the mailbox provider side and then, you know, kind of who's implementing it on the sender side. So a couple of really, I think, you know, key updates since you talked about it: number one, Google started supporting BIMI back in the summer of 2021. So they kind of piloted BIMI for like a year before that and then kind of went production in the summer of '21. So any sender now can, if they want to implement BIMI, if they want to get logo display at Google, both Google Workspace, you know, from a B2B side, and Gmail, they implement something called a Verified Mark Certificate, which basically is where a certificate authority, which is like the entities that issue SSL certificates, typically extended validation certificates, like those locks you see on a website in your browser, they also issue something called a Verified Mark Certificate. So we work with a company called Entrust, and that's basically what they do: they authenticate that you own the logo. Basically you're trying to use it in email to check to see, hey, this domain that you want to set a BIMI record for, and this VMC, they'll make sure that you own that domain, you own the logo you want to associate with that domain, and it stops a bad actor from going out, like if I registered some random, you know, eBaystores.com and I tried to use an eBay logo and send an email campaign with a logo that I don't have the rights to use. There's some checks and balances in the system now that could stop a malicious actor potentially from taking advantage of BIMI.
So I think Google, if you want to get the logo display at Google, you have to get this VMC. Not required at some other providers, most notably Yahoo, which was obviously probably the largest provider in the space back when you talked to Matt. But the Google adoption, I think, really raised a ton of interest and awareness in BIMI amongst email marketers. And then this last fall we saw Apple roll out BIMI support as well. So that kind of created another wave of interest, I think, in marketers, where now I'm seeing kind of where deliverability was, you know, maybe like ten years ago. Now I think deliverability is kind of top of mind with most marketers; most marketers are aware: hey, deliverability is something I need to care about, right? You know, I can't just push send on my campaign out of Mailgun or Mailjet. You know, I need to think about how I got my list and how I mail to it and how I send relevant content that people want to receive. You know, authentication is one part of the deliverability cocktail, but certainly not all of it. But you know, today, now with the Apple support, with the Google support, I think most marketers are like, okay, yeah, I've heard of BIMI, it's this thing, you know, maybe I want it. Maybe they aren't aware of some of the prerequisites, which is like, hey, you got to implement DMARC both on any subdomains you send mail from as well as the top level domain. You know, maybe they haven't heard about the verified marks to it. Maybe they don't know if they have a trademarked logo at their company, which is not uncommon. You know, the logo people use in email campaigns might not be actually the look of the company that is trademarked, or maybe the company's trademark is like a wordmark, they call it, which is, you know, the name of the company, but they haven't trademarked the actual graphic, you know, logo that they use in email. So there's all of these things. I think, you know, I spend a lot of time evangelizing in the marketplace.
I first met you guys last year at the Email Evolution Conference down in Arizona, where I was talking about BIMI with my friend Udeme from LinkedIn. But I think the more I talk about BIMI these days with marketers, I think the lightbulb's going on and people are like, oh yeah, I've heard of that, and maybe they just don't know the details yet. But I think the more work the working group does to kind of add more support to the standard, like folks like Google and Apple, there's a few other folks like the Post in France, a French mailbox provider, they support BIMI now. We've seen some entities kind of outside of the traditional consumer mailbox provider sphere adopt BIMI: Zone, which is kind of an Estonian web hosting provider, they support BIMI now; Fastmail down in Australia. So I guess we're seeing more global support, which is great, you know, both from a global mailbox provider perspective as well as kind of those regional mailbox providers that get on board. So yeah, a lot of excitement. I'm obviously, I'm super biased. Obviously you guys can tell I'm super passionate about the space. Today it's still in a bit of an early adopter phase, where you actually will notice in your inbox, like, hey, if I'm looking at mail on my Gmail app on my iPhone, I see that logo, you know, it's the From avatar instead of like initials or like a blank avatar, you know, that like stands out these days, which is one of the reasons why marketers should think about adopting. I think eventually it'll be more of a cost of doing business potentially than it is now, you know, kind of early adopter phase. But anyway, that was a super long stream of consciousness. I've definitely had my coffee today.
Eric Trinidad: No, you're solid and you're right. I mean, it is a differentiator out there. I know when I'm looking, you know, through my, I don't even want to show you how many unread messages I have, but it's in the thousands. And when I'm looking through there and I notice like there's a logo, that legitimizes, you know, the messages that I click on and what I'm actually going to be engaged with compared to, you know, some other things that I'm not going to look at. My city, where I get my like water bill, electric bill from, like they go to spam all the time. And I feel like I need to reach out and talk to them about it because, of course, I don't want my water to get turned off. But at the same time, what are they doing on their end that they keep getting marked as spam, you know?
Brian Westnedge: Yeah, you'd think that's wanted mail, right? Well, maybe you don't want to pay your bill, but it's important, right? Theoretically you should want to see that. Yeah.
Thomas Knierien: Don't even get me started. City of San Antonio if you're listening right now. Yeah, you need to get your deliverability together because I've been getting my water bills to spam.
Jonathan Torres: You're just going to call them out like that.
Thomas Knierien: I am going to call them out.
Brian Westnedge: I'm sure the city has some avid listeners of the podcast, so I'm sure they'll be getting right back to you shortly. I didn't even touch on this, but governments can actually take advantage of BIMI too, or government entities, I should say. So, you know, depending on what type of government entity you work in, there's something called a government mark, which is basically the equivalent of like a trademark. But the government entity, typically you don't go out to the U.S. Patent and Trademark Office and get a trademark. But they have a mark that they use in their activities. So there's no reason why government entities can't get VMCs and can't leverage BIMI. I think my guess is part of the reason you see this stuff go to spam is, you know, the prerequisite for BIMI is implementing DMARC. And theoretically, when you implement DMARC, you're going to be at least authenticating your legitimate mail correctly. Doesn't mean that you don't have other deliverability challenges outside of authentication, which I'm guessing is what the city of San Antonio is running into. But, you know, just the process of at least authenticating mail, that helps. I think one of the challenges I see with folks that are implementing BIMI is that the marketing team might drive, you know, the BIMI project they've heard of. Oh, this sounds pretty cool. I really want that for my marketing team that's using Sinch Email. It's a differentiator. They want their logo in email. Anything they can do to drive response and engagement with their email program. Hey, why not give it a shot? You know, hey, I use a subdomain, traffic comes out of Mailgun, you know, it's fully authenticated, DMARC compliant. But then the top level domain that the organization uses, especially at large organizations, probably is managed by a completely different entity or completely different group internally than the marketing team that's using, you know, Mailgun or Mailjet.
There's an IT team maybe that controls the top level domain and there are services set up on that top level domain that marketing doesn't control, like, you know, Workday or Zendesk or Salesforce or Marketo or, you know, all of the different cloud services we all use in our day to day life. You know, there's no one organization usually within the company that looks after email, you know, broadly across every single mail stream. Usually email's kind of been siloed. You guys may have encountered this with customers as well, as, you know, marketing's got their email traffic, you know, corporate email goes out of Office 365 or G Suite, and maybe that's looked after by IT, then all these other cloud services are somewhere over here. And, you know, maybe there's no like definitive owner of all of those. So when we're implementing BIMI with folks, it's like, yeah, that's great. You want BIMI, you know, BIMI is like the carrot, right? That's the carrot that Google's using, that Yahoo's using. They want people to adopt DMARC and get them to care about DMARC. DMARC makes their lives easier in terms of figuring out what mail potentially is legitimate and wanted. You know, DMARC doesn't necessarily say that a message is a good piece of email. It just says this message authenticates properly for the domain it claims to be from. But again, it is one indicator that the message is legitimate. You know, if you authenticate your mail, you're going to get the reputation you deserve. It's kind of what you hear in deliverability circles a lot of times, hey, you know, take responsibility for your own mail stream, authenticate it. Once you do that, there's a whole bunch of things that can happen. But from a DMARC perspective in particular, it's like, yeah, BIMI was conceptualized as the way to incent people to do the hard work of DMARC and to get it implemented, get to DMARC compliance as well.
That's probably another thing: a lot of folks are like, oh yeah, I'm doing DMARC, and doing DMARC you always start with the DMARC policy none. You have to start there. A DMARC policy then gives you visibility into all your mail. Once you have that visibility, you authenticate all the good stuff and then hopefully all the bad stuff gets blocked once you move to DMARC adoption. But a lot of people started DMARC projects sometimes, and they just stay with that DMARC policy of none, which means they get visibility, but they're not protected from spoofing of that domain. And then secondly, they can't take advantage of BIMI until they do get to a DMARC policy of quarantine or reject. So I'm probably getting a little in the weeds for your average marketer. But one thing they should be aware of is like, hey, if you want to adopt BIMI, get to DMARC compliance on both your subdomain you might use for marketing activities, and then also you might have to talk to your IT team about getting the top level domain into compliance. So that makes it more of a cross-functional effort. Marketing might get support from my team for implementing DMARC, or on the opposite side, if the IT team is kind of driving DMARC, they should bring in marketing and say, hey, marketing, take advantage of this work we've done to implement DMARC. You get the benefit, which is BIMI. So the most successful customers I've worked with that have implemented BIMI, to me, it's been a cross-functional effort. It hasn't been done in a silo by marketing, right? They kind of come together, you know, made it a joint effort.
Jonathan Torres: I don't think it's too far off, too crazy of a conversation to have with, you know, the marketers or the IT, or separately in that function. The reason I think of it that way is that I think it's such a good warning to both sides that it is an effort to do it. You know, I'm glad you touched on that because it is like one of those things where it's a compounding kind of thing, where you need both. You need to do both. You need to take your time and implement it. And I encourage everybody that I can to do it. But I do let them know, and I think this is fair warning even here, it's an effort. It takes effort to do it. It's one of those things where there is a lot of work to do. There's a lot of places in the company that it's going to touch. There's a lot of things that have to be adjusted. But at the end of the day, you're in a much better place and you have like so much potential, and who knows, maybe there's something else besides BIMI coming down the pipeline that DMARC can help you achieve. And, you know, there's always those things that are coming up. So thank you for bringing up that part of the conversation because yes, like, definitely everybody, take your time. Do what you need to do, like, you know, put in the effort, because like it does, you know, provide a good reward. And I mean, on that reward part of it, and I just kind of want to touch on this because I know it was a little bit of the conversation before, and I know we're kind of straying away from it just a little bit, but I want to talk about the implementation from the provider side. Right. So we know Apple's the newest addition, like there's all those worldwide that are coming through. So what does the future look like? I guess that is the big question for me. And from what you know and what you've seen, like at the rate of adoption that this is happening. I know there's still places that you don't see the rewards just yet, but I mean, it's coming. It feels like it's on the horizon. We're finally getting to that.
Brian Westnedge: If your listeners go to bimigroup.org, that's the website hosted by the authenticators working group. They've got a graphic that says, hey, here's the folks that support BIMI today, here are the folks that are considering it. And then here's the big kind of, you know, elephant that does not support it, which is Microsoft. So, you know, just for your listeners, you know, Microsoft has not supported BIMI yet. Not clear if and when they're going to. You know, my experience, kind of just being in email for so long, is Microsoft kind of tends to lag behind the standards bodies, you know, sometimes will try their own thing, like Microsoft had something called Sender ID, which was kind of like a competing protocol to SPF. So they tried this Sender ID for a while and eventually they abandoned it and started kind of fully supporting SPF. They had something in the past that was kind of BIMI-like, I think they called it Microsoft business profiles at the time. And then maybe it became like being profiles. And frankly, now I'm not really sure where it stands, but it was a way kind of for a business to kind of apply manually and say, hey, I'm Amazon, I want to use this logo with my domain in Microsoft clients, but I haven't heard much about that in a long time. And I think eventually, though, they'll get on board with kind of the BIMI, you know, standard and kind of support standards. So from a DMARC perspective, what I've seen over time is they sent DMARC reports from their consumer mail properties, they stopped that when they merged the back end of Office 365 and the consumer properties, Outlook.com and live.com and all that, and they are sending DMARC reports again for the consumer properties like Hotmail, Outlook.com, Wired.com. I've heard rumors and kind of seen that maybe this March they're going to start sending DMARC reports from Office 365 as well, which would be awesome and great kind of for the email ecosystem.
Just so listeners know, Microsoft today is kind of the, you know, largest mailbox provider that is not doing anything with BIMI today. Google and Yahoo! are the folks that are supporting it. One interesting thing I've seen is Apple, with their support of BIMI, now they've created a framework for other mailbox providers to support BIMI in Apple Mail clients. So if I'm a web hosting provider and my customers read their email for my domain, you know, on their iPhone or an Apple Mail client on their Macs and macOS Ventura, Apple now has, if you insert a couple of different headers into mail, Apple will actually pick up on that and display the logo in Apple Mail clients for that mailbox provider. So even if that mailbox provider has no built-in native support for BIMI in whatever kind of web client they have for reading email, their customers can get the benefit of logo display if they follow this Apple protocol. So Apple's kind of built on top of the BIMI spec itself and said to other mailbox providers, if you want your customers to get this benefit, you don't have to start from scratch and roll your own. You can use our framework. So that's pretty cool. And I think Cloudmark is using that protocol for domains that are protected by Cloudmark. And then I suspect we'll see that help increase adoption with maybe a longer tail of smaller regional mailbox providers in different places. Again, it can take time to, like, you know, re-engineer your mail client to support that logo display. So I think that's part of it. Comcast has been looking at BIMI for a long time. And I think, you know, kind of what I've heard at M3AAWG and other places is it's not trivial for us to make changes in our webmail client for Comcast.net email to display this logo, to do the BIMI check, to look at the headers and do all that.
So I think it's kind of been coming soon at Comcast for a while, and I would suspect that we'll see broad adoption from them eventually, but for a lot of these mailbox providers it's not necessarily trivial to make the changes in whatever web mode client they're using. So for them it might be easier to just use this Apple spec that's been published and will at least allow their customers who are reading mail in Apple Mail clients to get the BIMI logo display. So I just took a trip probably again down in the weeds, but just from like a coming soon perspective, I think Comcast is probably the most notable that I've heard about. British Telecom in the UK is another big one. And then again, I think we'll see a lot of regional mailbox providers rolling out support over the next 12 to 18 months.
Jonathan Torres: I think you hit it exactly where people are curious about it, because of like the iPhone, and because it's one of those things, if you can collect your own email, because I mean, I know I use a bunch of different mailboxes all in one spot, so I'm one of those people that uses Apple Mail to get everything in one place. You start seeing things in there by then, building that framework. That's a huge step forward, I think, in being able to see it and being able to recognize it and then being able to see a tangible benefit. I think for most people, where right now it seems like, oh, it's a thing, it can be done, sure, there's somebody that's going to see it, but I don't see it right now. So like it changes the perspective and reality of it, really.
Brian Westnedge: One thing that I'm trying to work on, especially in the email marketing ecosystem, is trying to get more case studies about BIMI to give more interest and awareness from folks. I think part of the challenge is when Google rolled out BIMI support, it was right around the time that Apple Mail Privacy Protection was rolling out too, so it became a little harder, obviously, to track open rates accurately. So in a pre-MPP world it would have been pretty straightforward to say, hey, what were your open rates, you know, before BIMI and then what were they like after BIMI. Now, you know, rather than focusing on open rates for customers, it's more like, what are your other measures of success for your program in terms of engagement? Is it click-to-open rate, is it revenue, is it however you measure success, is there a way that we can get data before implementing BIMI and after? So we did one case study with a customer who had implemented BIMI, a company called Talafi, which is in the B2B space, but they were really smart about tracking clicks. And you know, in their app, you know, how many people were clicking on things. And for them it was like, I can't remember, it was like a 25% increase in clicks after implementing BIMI. So one thing I think we do need more of is, you know, however you measure success in your email program outside of maybe opens, you know, how is BIMI, you know, contributing to that. You know, no marketer should do anything without kind of, you know, you shouldn't do something just because some talking head, you know, like myself, says to do it, right? You know, you should probably measure it, you should probably think about, does this make sense to my business, you know, what's the cost? I mean, DMARC is an open standard. Anybody can implement it. They can do it on their own. They don't need a vendor like, you know, Redsift, a product like OnDMARC, to do it.
You can do it on your own, but you know, there's always challenges with manually kind of implementing, you know, standards. You know, most folks find it to be a little easier to use a vendor to help them, you know, with DMARC. But BIMI is kind of the same thing: you know, there's no cost per se to putting a BIMI record in place. You have to have your logo in a certain type of .svg file format. You know, you have to have a trademark, which of course, you know, costs money. The Verified Mark Certificates, those are about a thousand bucks per year per domain. So it's not free even though it's open standards, I guess I should say. So no marketer should just like think about this and do it like, oh, especially they should never say, oh, if I need to be at DMARC enforcement on my domain, I'll just set my DMARC policy to reject, you know, out of the gate and then I'll be compliant. Well, that's a really bad idea, because if you haven't kind of, you know, tried to measure all your mail streams, see if they authenticate properly, if you put a reject record in place, you could have legitimate mail streams that fail DMARC out of the gate and get blocked. So you should never do that. Marketers should test, right? They should think, hey, does this make sense to my business? You know, I will say, with that said, I've seen a lot of interesting companies adopt BIMI that I wasn't expecting. Like I thought for sure BIMI would be something adopted by really large companies, especially retail, travel, hospitality, right? You know, really well known brands, and that's not to say that that hasn't happened. And we operate a site here with Entrust called bimiradar.com. So if you go to bimiradar.com, we're going to show you all the BIMI logos we picked up in BIMI records, because they're public in DNS. So we scour, you know, millions of millions of domains every day and look for BIMI records being published. And we will track, hey, here are the companies we see adopting BIMI.
And certainly it is large companies. But what we also found is like 50% of the companies that we've seen get VMCs in particular, more than 50%, have under like $25 million in revenue and under like 100 employees. So it made me kind of reset my expectations or my biases. And, you know, there's a lot of smaller companies that have implemented. We've seen adoption around the world. I think last time I looked, there were like 50 different country headquarters. There's only a certain number of jurisdictions where you can have a trademark that's accepted by Entrust, and DigiCert is the other certificate authority. You have to have a registered trademark in like 16 different jurisdictions to get the VMC. But that said, a lot of companies operate globally. So we've seen like, you know, companies with headquarters in 50 different countries adopt BIMI. It has been kind of a little more heavily weighted to the Americas first, like a little over half of the VMCs we saw were issued to companies that were headquartered in the Americas, and then closely followed by Europe and then APAC, which, you know, is kind of a trend you see across email, in that, you know, sometimes new protocol specs are adopted, you know, North America, South America first, then go to Europe, then go to Asia-Pacific. So that's kind of what we've seen with BIMI as well. We took a look at kind of verticals. Again, my bias or my expectation was it was going to be mainly retail and hospitality, but we see pretty broad-based adoption across vertical markets as well. Finance for sure, because financial services, you know, they're heavily targeted by spoofing and phishing. So they've adopted DMARC probably before a lot of other verticals. So we do see a lot of BIMI adoption in kind of FinServ. Absolutely retail and hospitality, medical sector. I mentioned kind of government entities. I've seen non-profits adopt BIMI, I've seen universities, colleges and universities too, which I wasn't necessarily expecting.
You know, smaller companies, maybe because they're more likely to be early adopters, might be moving faster into BIMI and VMC. So I think for the audience, I'd just say, like, you know, this isn't necessarily something that's only a big company initiative. You can take advantage of this as well, no matter your size, no matter whether you're B2B, B2C, you know, whatever vertical you're in, you know, if you've got an email project and done DMARC, especially if you've done DMARC and gotten to DMARC compliance, hey, you know, it's a pretty small step to actually get BIMI after that. So I'm really hopeful this year that we'll continue to see kind of vertical markets expand. You know, the companies that have adopted BIMI in different verticals, see that expand, of course, love to see big logos adopt BIMI because it validates the protocol, you know, builds momentum and interest and awareness, but still expect to see smaller companies continue to adopt it. And then hopefully what we'll see going forward as well. One of the barriers to BIMI adoption has been the requirement of a registered trademark to get the Verified Mark Certificate. Some of these, we just don't have it, or, you know, it may take a while to get a registered trademark; it can take, you know, depending on where you're trying to register the trademark, you know, it can take 12, 18, 24 months to get that. I think what we'll see, too, this year is the authorities trying to make them easier, and that maybe a registered trademark might not be required. So if you're a company, like I said, that has a trademark application in process, that might be okay and good enough to get a mark certificate of some sort. Or maybe you've registered a wordmark, but your actual graphic logo is not trademarked. That might be okay. Or maybe you're an established company and we can go back in the Wayback Machine, you know, ten years and we see, oh, you've been using this logo forever, okay?
Even if it's not a registered trademark, or you're a small company, you just haven't had the resources to get a trademark, there might be some other mechanisms to allow for logo display outside of the Verified Mark Certificates. So I think we'll see some flavors of mark certificates going forward this year as well. So I'm not sure that's imminent, like let's say in the first half of this year, but from the folks we talk to in the space, I think maybe in the second half of this year we'll hear a little more about that.
Jonathan Torres: With BIMI it can be a reward. We have seen that, you know, that brand recognition, people recognizing that, understanding that you as a sender have done a little bit extra to make sure that people know who you are, and they can see you and quickly recognize you within the email space. But then also when it comes to that extra layer of protection, because we do see that, right? We see that with DMARC: I can create a fake domain today that's very close to the actual domain, verify myself, like, I can say I'm sending legit mail, I own that domain, while trying to spoof a company that is actually doing something on there. BIMI, I think, is providing that next step of protection, that next piece. And seeing people go from one to the other I think is super helpful. Like, I know you've done a little bit on the Redsift side to see how that's working or, you know, when those issues come up. Can you talk a little bit about that particular piece?
Brian Westnedge: Yeah, DMARC's great. Love DMARC, fully believe in it. You know, I think companies should adopt it for the domains that they own and control, right? Don't let anybody else take advantage of your domain. You own your domain. You should authenticate it. And then once you get to DMARC compliance, you can stop somebody from spoofing you. Yeah, absolutely, you should do that. And if you do that, then you get the reward, which is BIMI, you know, in other words, you know, theoretically better delivery of legitimate mail once it's authenticated. But the use case that you said: I own, you know, Amazon.com, but somebody goes out and registers Amazon-stores.com. Maybe they create a BIMI record with an Amazon logo and they publish a DMARC record, and the mail, the malicious mail they send from Amazon-stores.com, passes DMARC. Yeah, that is a real issue. And we do see, once folks publish DMARC records for the domains that they own and control, we do see from time to time that, you know, malicious actors will spin up under those cousin lookalike domains. And so we've done some research into this. I shared some really preliminary findings at the M3AAWG Conference in Brooklyn. For the spring M3AAWG in San Francisco, probably in Dublin this summer, we'll have a lot more data to share, but basically we took a bunch of really well-known retail and hospitality domains, like the 250 largest retail and hospitality domains around the world, and started looking at, okay, what we do is take a real domain and then start looking for the variations on it. And we have some data scientists that do some cool stuff and apply some machine learning and try to figure out all these different permutations, like give the system Amazon.com. We'll go look for Amazon with a zero instead of an "o" or, you know, go look for those permutations with dashes or subdomains.
Sometimes we see instances where somebody might spin up, like, ama.zon.com or something like that, like try to spin up a subdomain with a top-level domain and make it all one brand, in a way, if you stitch it all together. So that's kind of interesting. So we're looking for all those different permutations, and from what we see, so we took 250 retail and hospitality domains, and I think over a period of 60 days we found like 50,000 different lookalike domains. Of those original 250, you know, some percentage of those had DMARC on them. So I think it was like 10% of them had, like, DMARC enforcement on. And I think what that means is a lot of times, if you're a big retailer, you have a really extensive portfolio of what's called defensively registered domains. So even if you don't use a domain for email or you don't use it for the web, you might have acquired a domain. And maybe it's because there was a cousin lookalike domain that you took down off the Internet and you acquired it because you own the rights to, you know, to your brand. So a lot of times we'll be working with really big retailers who have, if you're Amazon, you've probably gone out and acquired, you know, Amazonsucks.com and, you know, various, you know, derogatory or, you know, legitimate-looking domains that you just don't use for email or web. So you have, you know, maybe hundreds and hundreds of domains you registered defensively. Sometimes, you know, folks should put DMARC records on those and put them in enforcement. M3AAWG has some best practices, especially best practices for non-sending domains. And it's like, you know, put a blank SPF -all record, you know, put a DMARC record in either quarantine or reject, and a few other things. So it's quite possible that some of these lookalikes that we saw in that case are not used for email at all, maybe not used for web, not even used, but have a DMARC record of any kind on, which is totally legit. But then we also did some machine learning using logos.
So what we can do is take a real logo, like the Amazon logo, and we can train our system to go look for that logo on, you know, phishing websites, basically. So we can go out and say, okay, the Amazon logo has been used on Amazon-stores.com. Hey, that domain is registered in China. It's stood up for email. It has an MX record. It has an SPF record. We get forensic samples from different data providers that can allow us to say this mail coming from Amazon-stores.com, that's not a legitimate Amazon email. It's a phishing message; it's pointing to some other, even third-party, site. It's potentially malicious and it's something that the marketer or, a lot of times, a legal team or a big brand can get taken down off the Internet. So if I'm Amazon and I see somebody as Amazon-stores.com, I can usually legally assert a right to it, you know, and obviously it can be different for other companies that aren't Amazon. But what we see, kind of out of those 50,000 lookalike domains, there were like 800 of those domains that were using a company's real logo on a phishing website that's sending mail as well. Some of these phishing websites don't send email; it's just a website that's trying to get you to input your credentials and steal your information. Sometimes there's email coming out of those domains to send people to those websites. Sometimes malicious actors will insert themselves into, like, legitimate Twitter streams, like, you know, somebody goes to Amazon Help. I can't remember what their help handle is, but, you know, go to whatever brand help Twitter site, and somebody will insert themselves into the stream and say, hey, sorry to hear about your trouble, go to this website over here to get further assistance, and people go there and it's like a phishing website. Looks like the company, uses their logo, right? Pretty easy to copy a web page, just like when they copy an email, you know, a legitimate email these days. So we see that happen.
But yeah, anyway, out of the 50,000 domains that we're looking at, there were like 800 that looked really bad. Like, looks like a real website with a real logo, but they're actually trying to harvest credentials and do other bad things. And then we see some weird cases where somebody might leverage a brand name as the cousin domain, like Amazon-stores.com, but the content of the message itself might be for a completely different brand. And they're just trying to play on the fact that you might recognize the from domain, you know, it looks like a real brand, and then the actual content of the message has nothing to do at all with that well-known brand. And then the other thing we saw with these 250 domains that we're looking at, like real domains that were used by these really large retailers, like over half of those weren't at DMARC enforcement on the real domains that we're using as the input for the analysis. So I guess what that made me realize is DMARC is still not done, even amongst large retailers. Not all of them have gotten to DMARC enforcement. And I looked at BIMI too: out of those 250 really large domains, only eight of them had BIMI records too. So BIMI is obviously still an opportunity within that set as well. So I think for me it's like brand hijacking is kind of, you know, a real thing, and it happens: once you've locked down your own domains with DMARC, you might see abuse on other domains. So if there's a way for you to monitor abuse other than, obviously, your customer support desk, like if you have a customer service email, a lot of times consumers will forward fake emails to your helpdesk or support desk or your abuse desk, potentially. So sometimes you'll hear from your customer support department, you'll hear that people are reporting fake emails, so that can be useful, and that gives legal some ammunition to go and get these websites taken down.
But I think if you don't own the domain that's spoofing your brand, you know, you can't put DMARC on it because you don't own the domain, you don't own DNS for that domain. You can leverage DMARC, you can go to the web hosting provider or, you know, the registrar and say, hey, you know, you issued this domain to this company. It's not us. It looks like us. They're trying to trade on our name. There's companies out there that solely focus on taking malicious websites down off the Internet. We partner with one of those, OpSec Security, when our customers have websites they need taken down off the Internet. So I guess this is probably outside of the range of marketing, not really their remit, except if customers are getting fake emails from fake domains and they want their legal team to take care of it. You know, they might say, hey legal, go look at this. We're being spoofed by this completely random domain that's not ours. If you're in retail and hospitality, especially financial services, you know, technology, if you have a well-known brand, you know, you're kind of a target. And the low-hanging fruit, the thing that's completely under your control, is putting DMARC in place for your own domain, and just do that out of the gate, so people that receive emails from your own domain know it's yours. BIMI is not an email security protocol per se, but it is an indicator of visual trust. If I get an email from eBay.com and it has the eBay logo, you know, eBay.com is the legitimate domain and is using the legitimate eBay logo. I, as a consumer, know that I can trust that email. With a cousin lookalike domain, it's a little harder. You know, Gmail and Yahoo and Comcast spend a ton of time and money on their algorithms to detect malicious mail and spam and phishing, but they're not perfect. You know, some mail that is malicious does get to the inbox from time to time.
And I think if I'm a brand, you know, again, maybe not marketing, but marketing can raise a priority and say, hey, look, you know, we've done DMARC. That's great. We still don't see this abuse on cousin lookalike domains. We need to monitor this somehow. Hey, legal, you need to get involved to take this stuff down. Again, another joint effort, I think, between marketing and maybe IT, or maybe it's information security, within the brand is, like, just stay vigilant. Email's trivial to spin up. You know, the reason we're kind of in this world is because email's cheap, easy to spin up, doesn't take, in this day and age, a lot of technical skill to create a phishing campaign. I can be, you know, just a script kiddie. I can go search on the internet, you know, spoofing forms. You know, I've shown customers this before, like, did you know you can go to this website and I can spoof you, you know, from this website and create a pretty good-looking email. Of course, you guys have probably been following ChatGPT and how you can give it some inputs and it can create some nice phishing emails, you know, potentially. So there's all sorts of crazy stuff going on these days you've got to stay aware of. You know, for those of us that work with marketers, it's like, hey, I want to get my legitimate email delivered first and foremost so people can take action on that. I want to stop anybody from using my domain maliciously. And then third, I want to stop other abuse, social, you know, potentially, or other email abuse besides my own domain. And I think the tactics are always changing. You know, the reason we see email, again, email is the number one threat vector, I think, is because every company uses it still, right? No one's gotten rid of email. Your podcast title is the reality: email's the workhorse of today's business. To get into a social account or any sort of online service, you use your email address to log into those. For the audience, I would just say, you know, stay vigilant.
You've got to stay aware. The bad guys are always changing their tactics to adapt to the Googles of the world and the Yahoos and Comcasts and the Apples, who change their defensive tactics to react to whatever new thing, you know, the bots are doing. And hey, you know, somebody created a botnet that works. It's sending out a bunch of pretty good-looking spam using ChatGPT. The defenders are going to be reacting to what the offenders, if you will, are doing maliciously. So it's always an arms race, it's always escalating. Tactics are changing. But foundationally, there's always best practices that people should adhere to. If you're a legitimate marketer, and you guys know this, it is: send mail that people want, you know, authenticate your mail, stop your domain from being used without your permission. Stay aware and keep calm and carry on.
Jonathan Torres: That leads into my very forced, I feel like I'm just imposing, my theme for the podcast this season, which is, like, brand, brand recognition, brand reputation. I think overall, like, it's one of those things where it's a scary world. There's a lot of things going on out there, and email can be such a target because it is cheap. It's cheap for the companies to do, so everybody does it, but it's also cheap for people, malicious actors, all the malicious actors that are out there, for them to do as well. So it's one of those things that you've got to protect yourself, you've got to do those right things. But then when you bring it back around to that whole brand part of it, if you do all the things you can to protect that brand, and I think that's me trying to speak to marketers, like, watch out, because, like, even though this is a technical thing and this might sound like it's out of your realm, you need to protect the brand, because that's what everybody's looking out for, is creating a brand, holding a brand, you know, expanding a brand. But then if those malicious actors get a hold of your stuff or can spoof you or mimic you or anything like that, it's a bad time. So protect your brand.
Brian Westnedge: For sure. If you don't protect your brand, somebody is going to try to exploit it. I mean, it's just no question about it.
Eric Trinidad: For that protection. You know, if you're looking for examples?
Brian Westnedge: bimigroup.org is the working group site for BIMI, the AuthIndicators Working Group, and then bimiradar.com. You can just kind of go and see who's implementing BIMI, what are some of the logos and verticals and types of companies that are implementing it. And then if you just want to check, if you're just curious, like, hey, I wonder if my company is doing anything around BIMI or even DMARC, go to redsift.com/bimi and you can just put your domain in and we'll do the check and say, hey, it looks like you're using DMARC, it looks like you're using BIMI, or both. Those three sites are kind of good, you know, free resources to just kind of get a sense of what's going on as a baseline.
Eric Trinidad: Right on, right on. And if they wanted to get in contact with you, if anybody has any questions out there?
Brian Westnedge: You bet. Yeah. Brian.Westnedge@redsift.io
Eric Trinidad: Right on. Well, we're definitely looking forward to hopefully seeing you out there in real life at M3AAWG and other events that are coming up. So hopefully we'll get another conversation going soon, but I appreciate your time today. Brian, thank you so much for joining us.
Brian Westnedge: Thanks, Eric. Thanks, JT. Really enjoyed being with you.
Eric Trinidad: Yeah. And Thomas, if they want to find out any more information about us, where can they go?
Thomas Knierien: Yeah, everyone. You can find us at Mailgun.com/resources/podcast. You can find the episode where we had Matt in 2019, when we first talked about BIMI.
Eric Trinidad: Right on, thanks everyone. Have a great one.