Deploying BIMI images, the logo you see in your inbox queue, is far more work, far more expensive, and much slower than most people would expect based on online guides and videos. This optional branding boosts email open rates, and in turn click and conversion rates. I deployed an implementation this year, and am sharing important details and potential delays I wish I knew about ahead of time. This article intends to share the unexpected tasks, costs and timelines associated with implementing BIMI. Here’s a realistic, real-world scenario of what deploying BIMI can be like.
The other value in this article is how to configure domains for cold outreach. Information on this setup is hard to come by because:
- agencies charge a lot of money for their technical expertise on this, and
- this is the same technology and setup used by people on the far end of the email spectrum: spammers and scammers. Reputable guides will never be published for this reason.
By all means, read other guides on how to do BIMI, like these ones from DMARC Report and Litmus, but also read this article for the real-world things those articles miss, like using subdomains or multiple domains, a well-kept secret change needed for those who may change domains, and extra tasks you won’t be told about in advance that you may want to do earlier.
The unique needs of a company that does PR outreach
For context, I am the Email Marketing Operations Manager at a 5 year old tech startup.
We run a main .com domain used by both corporate staff and our platform’s communication with existing customers.
We run a handful of secondary domains used for PR outreach to send press releases and other cold email outreach to promote our clients to journalists who may be interested. This practice of sending press releases and highly targeted emails reaching out to journalists who cover stories on topics our clients are experts on is a practice native to PR from before digitisation, and an expected part of journalism. We use the same best practices used by PR firms and spammers alike to get through spam filters. Spammers run dozens or hundreds of domains, and they do not pay for trademarks or a VMC, not that they would pass the verification tests legitimate businesses need to pass to get either.
Subdomains – Some reasons to use them.
I do not use subdomains (with one exception). Instead I use multiple domains. However, they can be incredibly useful. Here’s why:
- Differentiation: We use @[domain].com for messages from our platform, but also run the subdomain @messages.[domain].com to route messages between users to our users' email. You may notice this form of “fencing off” different types of emails (sales, marketing, billing, transactional) for many services you receive emails from.
- Reputation: One of our platforms, Apollo, suggests using subdomains to separate email reputation from main reputation.
- Monitoring statistics. Your platform may give a different spam block rate statistic per subdomain. Apollo does. I suggest against this, as Google Postmaster Tools is your most useful place to see such stats, and it groups all subdomains into the main domain. See Section 2, Measurement below.
- Users see just 1 domain in use that they know and trust.
- Subdomains are cheaper than new domains. But domains are cheap.
If you do set up subdomains, remember to set up authentication (SPF, DKIM, DMARC) and BIMI on your subdomains as well!
Separate domains are better than subdomains:
1. Fallback domains.
Subdomains only partially isolate your reputation from other subdomains and the main domain. If a domain gets burned or blacklisted, switch to another domain. Using subdomains for this purpose won’t help you if your domain gets totally burned, only (and I am making up a word here) lightly singed.
NB: switching to backup domains:
Don’t just switch by moving all email sends to one domain that was sitting in standby. Massive jumps in email sending from a domain, or switching to a newly bought domain also may result in getting blocked and burned. Anyone familiar with email warmup will tell you that going from zero to heavy use will result in instant blocking. A better practice is to not so much switch domains once one is having issues, but transfer the load to another domain (or multiple domains) currently in heavy use. All the more reason to have multiple domains in use, or if you’re a believer in email warmup services, keep paying to keep some domains ready to go. Either way, keep the engine running, and smooth jumps in sending volume as best you can.
Why would a legit company have deliverability issues?
Even in large and reputable companies, your reputation may drop. This is visible as IP and Domain reputation drops in Google Postmaster Tools and Microsoft SNDS, blacklists your domain or IP address(es) appear on (I like the MXToolbox blacklist checker), or your deliverability drops and you only notice via increased Spam Blocked Bounces, Policy Bounces, or a drop in click rate.
At several companies I have worked at previously, other well-meaning staff or entire departments had accidentally impacted email reputation by running their own unauthorized email campaigns or using poorly configured software. My own boss at Amazon prohibited me using mail merge within Outlook to automate my job after one such incident at some point in the conglomerate’s history.
When I worked at an IT company specializing in private medical clinics in the early 2010s (when companies, even small ones, often ran their own mail servers, before SaaS solutions like Google Workspace and Office 365 took over), it was common for new clients to come on board because malware had infected their server. One common issue was that malware would send spam, tanking their IP and/or domain reputation, and/or getting them placed on blacklists.
Yes, there are processes to get off blacklists pretty quickly, but a trashed reputation takes time (months) to heal. Burned domains are no laughing matter.
At my current company our previous email agency ran our cold email campaigns through email domains they had “burned” through poor practices. They had “bad” reputations as seen in Google Postmaster Tools. Implementing best practices on currently used domains AND establishing backups was important to me.
2. Measurement
Google Postmaster Tools doesn’t provide a breakdown.
By running each campaign through its own domain, I can see the spam report rate for every single domain separately. Each domain is 100% siloed from the others, and I can have different teams or staff members using them for different purposes or campaigns. I measure spam reports for each campaign individually. Or to put it another way, this way I can measure each campaign’s effect on reputation. And no, your email platform’s Spam Report data is woefully inaccurate, to the point of being useless. In this era of diminishing email performance data, who wouldn’t love an extra, but most importantly, accurate metric!
Domains are cheap. The labor involved in setting up extra ones does cost a bit and, to be fair, VMC certificates for extra domains are expensive. See below.
Step 1: Implement DMARC for your domain(s). Reject or Quarantine?
DMARC requires SPF and DKIM to be set up first. These technical tasks are usually done by your domain administrator or IT support team. Follow other guides on how to do this. However, one variable that took a lot of research was whether to set the DMARC policy to Reject or Quarantine. In our experience, and in line with industry guidelines, we got better deliverability for our primary domain with a Quarantine policy. What took a lot of research to find out was that for domains with reputation issues, a stricter Reject policy is best.
You can check whether you’re BIMI-ready by using the Valimail DMARC checker. It’s the DMARC checker that is recommended by Digicert, one of the only two VMC providers.
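A DMARC record only supports BIMI when its policy is at enforcement, and a subdomain without its own record can inherit a weaker policy than the main domain. The check below is an added example, not from the original article or from Valimail; the example.com zone and all function names are constructed, and the pct=100 and sp= rules come from the published BIMI and Gmail requirements rather than from this page.

```python
def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def dmarc_tags(name, records):
    """Return the parsed DMARC record published at `name`, or None."""
    txt = records.get(name, "")
    return parse_tags(txt) if txt.strip().lower().startswith("v=dmarc1") else None

def effective_policy(domain, org_domain, records):
    """Return (policy, pct) that DMARC applies to mail from `domain`.

    A domain's own _dmarc record wins. Without one, a subdomain inherits
    the organizational record's sp= tag, or its p= tag when sp= is absent.
    """
    tags = dmarc_tags(f"_dmarc.{domain}", records)
    if tags is not None:
        policy = tags.get("p", "none")
    else:
        tags = dmarc_tags(f"_dmarc.{org_domain}", records)
        if tags is None:
            return None, None
        policy = tags.get("sp", tags.get("p", "none"))
    return policy.lower(), int(tags.get("pct", "100"))

def bimi_ready(domain, org_domain, records):
    """Return a list of problems; an empty list means the policy is at enforcement."""
    policy, pct = effective_policy(domain, org_domain, records)
    if policy is None:
        return ["no DMARC record found"]
    problems = []
    if policy not in ("quarantine", "reject"):
        problems.append(f"policy is '{policy}', needs quarantine or reject")
    if pct != 100:
        problems.append(f"pct={pct}, needs 100")
    return problems

# Constructed sample zone: TXT records keyed by DNS name (example.com is a placeholder).
SAMPLE = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.messages.example.com": "v=DMARC1; p=reject; pct=50",
}
```

In the sample zone the main domain passes, a subdomain with no record of its own fails because it inherits sp=none, and messages.example.com fails on pct=50 despite p=reject.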
Step 2: Use a trademarked logo
Is your logo trademarked?
At the time my company formed, only the company name was trademarked. Unfortunately this meant that when applying for a VMC (see below), only the trademarked company name was allowed to be in the BIMI image. Our logo was not trademarked, and thus our colorful logo was not allowed. Effectively, we had a “wordmark”, but no logo.
I proceeded with getting the VMC using just the wordmark rendered plainly for our BIMI, while our CFO worked with our lawyers to file a logo trademark with the US Patent and Trademark Office. It takes 9+ months after filing to get the trademark approved, and cost us $1500 in legal and filing fees. Our lawyers wrote the following:
“$1500 will get the application filed; the USPTO will issue its objections in 9 months to the extent it has any. We then will have an opportunity to address any objections raised by the USPTO. The cost to address such objections (and the likelihood of success) will depend on the nature and extent of any objections. I can estimate those fees once I see the objections, but I want to be transparent that the $1500 is to prepare and file the application and there may be additional fees before we secure registration.”
A list of trademark offices approved for VMCs, including the USPTO, UK Intellectual Property Office, and IP Australia is available here.
To be fair, even if we had registered the logo when the company had formed, we went through a rebrand since, and the new logo was not trademarked then either. This is common, as this optional expense is hard to justify during a company’s founding or rebranding.
If filing a trademark, beware of scams
Our lawyers also sent the entire leadership team and anyone else involved the following text, in red color, highlighted yellow.
“Please be aware of unsolicited letters/invoices from third parties appearing to relate to this application. Any you receive will almost certainly be of a bogus or scam nature. Communications regarding these applications should only be received from us. We have seen recent incidents of applicants receiving unsolicited calls from individuals holding themselves out as representatives of the USPTO and requesting the payment of filing fees; please be assured that [law firm] pays all filing fees at the time of filing. Applicants should not be receiving communication directly from the USPTO, and should not provide payment information to anyone representing to be from the USPTO.”
And sure enough a bill came in the mail which our staff almost paid!
Advise your leadership team, staff handling postal and email communication, your accounts payable department and any other relevant staff that all communication regarding your trademark should go through you and you alone for this very reason.
Step 3: Format your logo
Export a “Tiny 1.2” SVG from Adobe Illustrator. Remember to keep the file below 32 KB. Using a non-transparent background is best. Nobody wants an email from an executive using their device in dark mode complaining about something not looking right.
Then the code needs to be slightly edited. Directly edit the code in Notepad++. Use this guide by Digicert, one of the two VMC providers. It has a better description, the screenshots are better, and it includes a very important final step (“Line endings must be LF”) that is missing from the official guide from the BIMI group.
Alternatively, a file conversion tool and Illustrator script is available from the BIMI group, however the tool needs to be installed locally, which may not be allowed by your employer’s IT policies.
You won’t be able to check your BIMI is compliant until you submit it to Digicert or Entrust. The former used to allow you to upload it before paying and it would give an error message if you are not compliant, however they now put that after the payment stage.
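Because the providers only validate the file after payment, a local pre-flight can catch the usual export problems first. The script below is an added example, not from the original article or from Digicert, Entrust or the BIMI Group; the size and LF checks come from this page, the baseProfile, version, title, x/y and no-external-content checks follow the BIMI Group's SVG Tiny PS requirements, and both sample files are constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_BYTES = 32 * 1024  # the file must stay below 32 KB
BANNED = ("script", "image", "foreignObject", "animate")

def preflight(svg_bytes):
    """Return a list of problems found in a BIMI logo file; empty means it passed."""
    problems = []
    if len(svg_bytes) >= MAX_BYTES:
        problems.append(f"file is {len(svg_bytes)} bytes, must be below {MAX_BYTES}")
    if b"\r" in svg_bytes:
        problems.append("CR found: line endings must be LF")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile must be "tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('version must be "1.2"')
    if "x" in root.attrib or "y" in root.attrib:
        problems.append("root <svg> must not carry x= or y=")
    title = root.find(f"{{{SVG_NS}}}title")
    if title is None or not (title.text or "").strip():
        problems.append("missing non-empty <title>")
    for el in root.iter():
        name = el.tag.split("}")[-1]  # strip the namespace prefix
        if name in BANNED:
            problems.append(f"<{name}> is not allowed")
        href = el.get(XLINK_HREF) or el.get("href") or ""
        if href and not href.startswith("#"):
            problems.append(f"external reference in <{name}>: {href}")
    return problems

# Constructed sample: an unedited export with CRLF endings and a linked bitmap.
RAW_EXPORT = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.2" '
              b'baseProfile="tiny" x="0px" y="0px" viewBox="0 0 100 100">\r\n'
              b'<image xlink:href="https://example.com/logo.png"/>\r\n</svg>\r\n')
# Constructed sample: the same logo after the manual edits.
EDITED = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
          b'baseProfile="tiny-ps" viewBox="0 0 100 100">\n<title>Example Co</title>\n'
          b'<rect width="100" height="100" fill="#ffffff"/>\n</svg>\n')
```

A clean result here does not guarantee the certificate provider accepts the file; it only rules out the defects listed.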
Step 4: Purchase your VMC
Some mailbox clients, most notably Gmail, with a global market share of ~35% (Litmus) require a Verified Mark Certificate, or VMC. (Note that Gmail’s US market share is much higher than the global number.)
There are only two authorized providers of VMCs, Digicert and Entrust, though a Google search will reveal many resellers.
I went with Entrust because:
- It was impossible to get hold of Digicert. Their phone number went to a full voicemail mailbox the many times I called, and their online chat person was unable to give me an answer to my question about the cost of additional domains or put me through to someone who could. In contrast, I was able to get through to Entrust and get quick answers from the right people.
- Though they are very roughly the same price for 1 domain, multiple domains are MUCH cheaper at Entrust.
  - Digicert: $1,608 per domain.
  - Entrust: $1,299 for first domain, $499 for each domain for the same company using the same logo thereafter.
The process of getting a VMC from Entrust was time consuming, frustrating, and involved a lot of waiting. Getting a formal quote took a week. I was informed that this was because all Entrust customers, no matter what product or price point, took a week for the quotation team to process. I made a change to my quote a couple days into the process and had to jump to the back of the line!
Will you change domains? Tell them! I discussed the chance of switching around which domains have a BIMI due to upcoming changes to our domains, and the risk of burning a domain, and my salesperson was glad I spoke up. This requires a difference in how my purchase is made on the back end. This is NOT something you can choose when making a purchase online, or covered in any online documentation. I did indeed end up disusing a domain and buying another within the first year, and the process of revoking and reissuing the domain was quick and easy.
Getting verified was hard. Luckily the company name was trademarked at our formation, but our logo was not. See Step 2: Use a trademarked logo. In short, it cost us $1500 and took 9 months to get the logo trademarked.
Our company changed its name since founding, from [Name] LLC in New York to [Name] Inc registered in Delaware. Unfortunately this required:
- Updating our trademark for our company name with USPTO (our lawyer charged $650 and it took USPTO 2 weeks to process).
- Updating our listing on Dun & Bradstreet (dnb.com). This was self-service through the DnB website, but required an executive to authorize their ID etc.
Step 5: Get your VMC
Once you’ve got your company and trademarks verified, your VMC will be approved and your annual fee starts.
Step 6: Validate your domains
Entrust require proof that you have control over the domains before they’ll allow you to issue your VMC. Again, this would have been nice to know ahead of time so I could make changes in advance and save time.
Your choices are to:
- Put a snippet in your DNS record for the domain
- Put a snippet on your web server
- Send a verification to
  - admin@[domain].com
  - administrator@[domain].com
  - webmaster@[domain].com
  - hostmaster@[domain].com
  - postmaster@[domain].com
In my case, the easiest and simplest thing to do was to have postmaster@[domain].com set up as an alias for my own mailbox.
Step 7: Generate the VMC
Do this within Entrust or Digicert.
Step 8: Update your DNS Records
Do this on the platform you purchased and configure your domains on. This is typically handled by your IT Department. This can be a bottleneck, so be sure to let them know ahead of time.
Step 9: Test
Check the BIMI is working and looks good.
The BIMI Group’s BIMI checker is best, providing detailed error messages if there is an issue, however the third party BIMI checker from Valimail is also good.
Step 10: Celebrate your win!
In your company-wide Slack channel, at your company-wide internal email address, and in your next all-hands meeting, celebrate the fact that your company logo is now showing in all mail clients that support it and Gmail now includes a fancy verified checkmark in a starburst next to names. Thank everyone who contributed to the expensive and large amount of work to get this image that many of your competitors are behind on, including your graphic designer, legal team, and the support of management.
Anything to add?
Did you get a VMC and deploy a BIMI and encounter different issues? Please let me know either in the comments or by emailing me and I would love to add your experiences.
About the author:
David Frank is a Seattle-based senior email marketing operations and senior email marketing manager. He has over 15 years of experience working for small, medium and enterprise clients and employers across a variety of industries, primarily in tech. Having lived and worked in 5 countries across 4 continents, he specializes in global compliance and best practice. He has an MSc in Marketing from Edinburgh Napier University in the UK.
For more information, you can visit his LinkedIn profile or thedavidfrank.com.