Gmail’s latest anti-fraud measure promises to show you company logos

Despite years of attempts to quash phishing scams from the email ecosystem, scam messages are still painfully commonplace. Last year, Google announced support for BIMI, a standard aimed at verifying major organizations and uploading additional metadata for improved security. The rollout started with G Suite users almost a year ago as bugs were fixed in the system, but now it affects the rest of Gmail.

BIMI, short for Brand Indicators for Message Identification, is the result of a collaboration between leading messaging companies and marketers including Google, MailChimp, Verizon Media, Twilio and others. While the implementation details include a number of enhancements that help authenticate original senders and maintain security, there is one specific manifestation aimed at users: Gmail will display their logos.

It might sound a bit simplistic, but the intention is for verified senders to get their logo in the avatar image. This place has historically only shown an oversized first letter of the sender’s name, but may also display a profile picture if it’s from another Gmail account. This is intended to indicate that the sender and the message have been authenticated.

Technically, organizations will need to use Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM) to send messages and deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC) so that a recipient is able to clearly authenticate the source of a message. Once a message passes these security checks, the recipient contacts a verification authority through the BIMI protocol, in which case they can receive the organization’s logo.

While this should give recipients reassurance that incoming messages have undergone rigorous validation, it’s not entirely clear whether Google uses any methods to prevent Gmail and G Suite accounts from abusing the image of. the avatar. Either way, it always increases the stakes against fraudulent senders and improves the security of the organizations that are most often targeted.

Google says the rollout begins today, but it will take a few weeks to reach everyone. Once it’s deployed, you still might not notice much of a difference if the messages that come to you are from senders who haven’t registered with a verification authority or just don’t use them. same security measures.