Put another way, BIMI is an email authentication method, part of the set that includes SPF, DKIM, and DMARC. Like the rest of them, it’s basically a TXT record that “lives” on the sender’s Domain Name System (DNS) server.
Their jobs are different, and BIMI is the only “visual” one among them:
- SPF specifies the mail servers that are allowed to send emails for your domain.
- DKIM confirms the sender’s identity using a digital signature.
- DMARC tells email providers what to do with an email depending on SPF and DKIM.
- BIMI contains the URL to a company’s logo.
Those records interact and depend on each other. Technically, you only need DMARC to have BIMI, but because DMARC has to be SPF/DKIM-aligned, you cannot have one without the others.
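
As an added illustration (not code from the original article), the sketch below parses one constructed record of each type for the placeholder domain example.com and checks the dependency chain described above. The DNS names, the selector `s1`, the HTTPS requirement for the logo URL, and the rule that the DMARC policy must be `quarantine` or `reject` come from the respective specifications, not from this article.

```python
# Constructed sample TXT records for the placeholder domain example.com
# (illustrative values, not taken from the article).
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.example.net -all",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC, BIMI) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(zone, domain, dkim_selector):
    """Return a list of problems; an empty list means the records line up."""
    problems = []
    spf = zone.get(domain, "")
    dkim = parse_tags(zone.get(f"{dkim_selector}._domainkey.{domain}", ""))
    dmarc = parse_tags(zone.get(f"_dmarc.{domain}", ""))
    bimi = parse_tags(zone.get(f"default._bimi.{domain}", ""))

    has_spf = spf.lower().startswith("v=spf1")
    has_dkim = bool(dkim.get("p"))  # an empty p= tag means the key is revoked
    if not (has_spf or has_dkim):
        problems.append("no SPF or DKIM record for DMARC to align with")
    if dmarc.get("v") != "DMARC1":
        problems.append("no DMARC record")
    elif dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")
    if bimi.get("v") != "BIMI1":
        problems.append("no BIMI record")
    elif not bimi.get("l", "").lower().startswith("https://"):
        problems.append("BIMI l= tag must be an https:// logo URL")
    return problems

if __name__ == "__main__":
    for issue in bimi_readiness(SAMPLE_ZONE, "example.com", "s1") or ["ready"]:
        print(issue)
```
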
The adoption of SPF started in the early 2010s, and BIMI is the latest installment in the “series,” which makes it an important milestone in the history of email security. All the methods exist to prevent domain owners from being impersonated. Without them, emails would look suspicious to recipients and email services and end up in spam.
The AuthIndicators Working Group leads the BIMI movement and includes companies like Google, Verizon Media, Validity, and others. The first formalized spec for BIMI was published in February 2019. Now, after a couple of years of testing and trialing, it’s a full-fledged standard ready for use by anyone.