/
draft-brand-indicators-for-message-identification-latest.txt
1454 lines (1066 loc) · 58.6 KB
/
draft-brand-indicators-for-message-identification-latest.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group S. Blank
Internet-Draft P. Goldstein
Intended status: Experimental Valimail
Expires: 1 February 2021 T. Loder, Ed.
Skye Logicworks, LLC
T. Zink, Ed.
Zink Magical Contraptions
M. Bradshaw, Ed.
Fastmail
31 July 2020
Brand Indicators for Message Identification (BIMI)
draft-blank-ietf-bimi-01
Abstract
Brand Indicators for Message Identification (BIMI) permits Domain
Owners to coordinate with Mail User Agents (MUAs) to display brand-
specific Indicators next to properly authenticated messages. There
are two aspects of BIMI coordination: a scalable mechanism for Domain
Owners to publish their desired Indicators, and a mechanism for Mail
Transfer Agents (MTAs) to verify the authenticity of the Indicator.
This document specifies how Domain Owners communicate their desired
Indicators through the BIMI Assertion Record in DNS and how that
record is to be interpreted by MTAs and MUAs. MUAs and mail-
receiving organizations are free to define their own policies for
making use of BIMI data and for Indicator display as they see fit.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 February 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (http://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Overview
3. Requirements
3.1. High-Level Goals
3.2. Security
3.3. Out of Scope
4. Terminology and Definitions
4.1. BIMI Assertion
4.2. Indicator
4.3. Mark Verifying Authority (MVA)
4.4. BIMI Evidence Document
4.5. Verified Mark Certificate (VMC)
4.6. Protocol Client
4.7. Verifying Protocol Client
5. BIMI DNS Records
5.1. MUA Obligations
5.2. Assertion Record
5.2.1. Declination to Publish
5.2.2. Supported Image Formats for l= tag
5.3. Selectors
6. BIMI Header Fields
6.1. BIMI-Selector Header
6.2. BIMI-Location Header
6.3. BIMI-Indicator Header
6.4. Header Signing
7. Domain Owner Actions
7.1. Determine and Publish Indicator(s) for Use
7.2. Publish Assertion Records
7.3. Manage multiple uses of the same Indicator(s) within
a trust boundary
7.4. Set the headers on outgoing email as appropriate
8. Receiver Actions
8.1. Authentication Requirements
8.2. Assertion Record Discovery
8.3. Indicator Discovery.
8.4. Indicator Discovery With Evidence.
8.5. Indicator Discovery Without Evidence.
8.6. Indicator Validation
8.7. Affix BIMI Status to Authentication Results Header
Field
8.8. Handle Existing BIMI-Location and BIMI-Indicator
Headers
8.9. Construct BIMI-Location URI
8.10. Construct BIMI-Indicator header
9. Security Considerations
9.1. Indirect Mail Flows
9.2. Lookalike Domains and Copycat Indicators
9.3. Large files and buffer overflows
9.4. Slow DNS queries
9.5. Unaligned Indicators and asserting domains
9.6. Unsigned BIMI-Selector Header
9.7. CGI scripts in Indicator payload
9.8. Metadata in Indicators
10. IANA Considerations
10.1. Permanent Header Field Updates
10.2. Registry for Supported BIMI Formats
10.3. Other IANA needs
11. References
11.1. Normative References
11.2. Informative References
Appendix A. Example Selector Discovery (INFORMATIVE)
A.1. No BIMI-Selector Header
A.2. With BIMI-Selector Header
A.3. Without BIMI-Selector Header on a subdomain
A.4. With BIMI-Selector Header on a subdomain
A.5. Invalid BIMI-Selector Header
Appendix B. Example Authentication-Results entry (INFORMATIONAL)
B.1. Successful BIMI lookup
B.2. No BIMI record
B.3. Declination to Publish
B.4. Subdomain has no default record, but organizational
domain does
B.5. Subdomain and orgznizational domain have no record
for selector, but organization domain has a default
B.6. Subdomain has no record for selector, but
organization domain does
Appendix C. Example BIMI Headers Construction (INFORMATIONAL)
C.1. MTA Receives an email
C.2. MTA does its authentication checks
C.3. MTA performs BIMI Assertion
C.4. MTA appends to Authentication-Results
C.5. MTA Constructs BIMI-Location and BIMI-Indicator
headers
C.6. The MUA displays the Indicator
Appendix D. Acknowledgements
Authors' Addresses
1. Introduction
This document defines Brand Indicators for Message Identification
(BIMI), which enables Domain Owners to coordinate with Mail Box
Providers (MBPs), Mail Transfer Agents (MTAs), and Mail User Agents
(MUAs) in the display of brand-specific Indicators next to properly
authenticated messages.
BIMI is designed to be open and to work at Internet scale. BIMI is
intended to drive adoption of email authentication best practices by
leveraging existing [DMARC] policies, the supporting authentication
methods [DKIM] and [SPF], and other associated standards such as
[ARC].
The approach taken by BIMI is heavily influenced by the approach
taken in [DKIM], in that BIMI:
* has no dependency on the deployment of any new Internet protocols
or services for Indicator registration or revocation;
* makes no attempt to include encryption as part of the mechanism;
* is compatible with the existing email infrastructure and
transparent to the fullest extent possible;
* requires minimal new infrastructure;
* can be implemented independently of clients in order to reduce
deployment time;
* can be deployed incrementally; and
* allows delegation of Indicator hosting to third parties.
To participate in BIMI, Domain Owners MUST have a strong [DMARC]
policy (quarantine or reject) on both the Organizational Domain, and
the RFC5322.From Domain of the message. Quarantine policies MUST NOT
have a pct less than pct=100.
This document defines how Domain Owners specify their desired
Indicators through the BIMI Assertion Record in DNS and how that
record is to be interpreted by MTAs and MUAs. This document does not
cover how domains or Indicators are verified, how MUAs should display
the Indicators, or how other protocols (i.e. IMAP, JMAP) can be
extended to work with BIMI. Other documents may cover these topics.
MUAs and Mail Box Providers (MBPs) are free to define their own
policies for making use of BIMI data and for Indicator display as
they see fit.
2. Overview
The Sender Policy Framework ([SPF]), DomainKeys Identified Mail
([DKIM]), Domain-based Message Authentication, Reporting, and
Conformance ([DMARC]), and Authenticated Received Chain ([ARC])
provide mechanisms for domain-level authentication of email messages.
They enable cooperating email senders and receivers to distinguish
messages that are authorized to use the domain name from those that
are not. BIMI relies on these authentication protocols, but is not a
new authentication protocol itself.
MUAs are increasingly incorporating graphical Indicators to indicate
the identity of the sender of a message. While a discussion of the
merits of doing this is beyond the scope of this document, at present
there are no open standards for publishing and aiding discovery of
preferred Indicators or for tying display of them to authentic
messages only.
Because of the desire to have brand-specific Indicators available,
some mail-receiving organizations have developed closed systems for
obtaining and displaying Brand Indicators for select domains. While
this has enabled these mail-receiving organizations to display brand
Indicators for a limited subset of messages, this closed approach has
a number of downsides:
* It puts a significant burden on each mail-receiving organization,
because they must identify and manage a large database of Brand
Indicators.
* Scalability is challenging for closed systems that attempt to
capture and maintain complete sets of data across the whole of the
Internet.
* A lack of uniformity across different mail-receiving organizations
- each organization will have its own Indicator set, which may or
may not agree with those maintained by other organizations for any
given domain.
* Domain Owners have limited ability to influence the Brand
Indicator for the domain(s) they own, and any ability they do have
is likely to be dependent upon direct coordination with each of
many mail-receiving organizations.
* Many Domain Owners have no ability to participate whatsoever as
they do not have the appropriate relationships to coordinate with
mail-receiving organizations.
* MUAs that are not associated with a particular mail-receiving
organization are likely to be disadvantaged, because they are
unlikely to receive Indicators in a standardized manner or
optimized for their user interfaces.
This shows the need for a standardized mechanism by which Domain
Owners interested in ensuring that their Indicators are displayed
correctly and appropriately can publish and distribute Brand
Indicators for use by any participating MUA.
BIMI removes the substantial burden of curating and maintaining an
Indicator database from MUAs and MBPs, and allows each domain owner
to manage their own Indicators. As an additional benefit, mail-
originating organizations are incentivized to authenticate their
email as doing so will enable them to influence how email and
Indicators from the organization are displayed.
The structure of BIMI is as follows:
* Domain Owners: Publish their preferred Brand Indicators via the
[DNS].
* Senders: Ensure mail is properly authenticated, and has a
sufficiently strict [DMARC] policy.
* MTA:
- Confirm authenticity of the message using [DMARC] and whatever
other authentication mechanisms they wish to apply.
- Check for a corresponding BIMI record, obtaining references to
the Indicator media and optional substantiation of Indicator
ownership rights
- If both the message is authentic and the Indicator is deemed
acceptable, the receiver adds a header to the message which can
be used by the MUA to obtain the Domain Owner's preferred Brand
Indicator.
* MUA: retrieves and displays the Brand Indicator as appropriate
based on its policy and user interface.
The purpose of this structure is to reduce operational complexity at
each step. It is also to consolidate validation and Indicator
selection operations into the MTA, so that Domain Owners need only
publish a few simple records and MUAs only need simple display logic.
It is expected that MBPs implementing BIMI will do so in both their
MTAs and MUAs.
3. Requirements
Specification of BIMI in this document is guided by the following
high-level goals, security dependencies, detailed requirements, and
items that are documented as out of scope.
An overview of the security challenges and design decisions is
documented at [BIMI-OVERVIEW].
3.1. High-Level Goals
BIMI has the following high-level goals:
* Allow Domain Owners to suggest appropriate Indicators for display
with authenticated messages originating from their domains.
* Enable the authors of MUAs to display meaningful Indicators
associated with the Domain Owner to recipients of authenticated
email.
* Provide mechanisms to prevent attempts by malicious Domain Owners
to fraudulently represent messages from their domains as
originating with other entities.
* Work at Internet Scale.
* Encourage the adoption of Email Authentication Best Practices.
3.2. Security
Brand Indicators are a potential vector for abuse. BIMI creates a
relationship between sending organization and Mail Receiver so that
the receiver can display appropriately designated Indicators if the
sending domain is verified and has meaningful reputation with the
receiver. Without verification and reputation, there is no way to
prevent a bad actor exxample.com from using example.com's Brand
Indicators and behaving maliciously. This document does not cover
the different verification and reputation mechanisms available, but
BIMI relies upon them to be in deployed in order to control abuse.
3.3. Out of Scope
Several topics and issues are specifically out of scope for the
initial version of this work. These include the following:
* Publishing policy other than via the DNS.
* Specific requirements for Indicator display on MUAs.
* The explicit mechanisms used by Verifying Protocol Clients - this
will be deferred to a later document.
4. Terminology and Definitions
This section defines terms used in the rest of the document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].
Readers are encouraged to be familiar with the contents of [EMAIL-
ARCH]. In particular, that document defines various roles in the
messaging infrastructure that can appear the same or separate in
various contexts. For example, a Domain Owner could, via the
messaging mechanisms on which BIMI is based, delegate reponsibility
for providing preferred Brand Indicators to a third party with
another role. This document does not address the distinctions among
such roles; the reader is encouraged to become familiar with that
material before continuing.
Syntax descriptions use Augmented BNF [ABNF].
"Author Domain", "Domain Owner", "Organizational Domain", and "Mail
Receiver" are imported from [DMARC] Section 3.
4.1. BIMI Assertion
The mechanism through which a Protocol Client verifies the BIMI
Assertion Record and constructs the URI(s) to the requested
Indicator(s) to be placed in the BIMI-Location header.
4.2. Indicator
The icon, logo, image, mark, or other graphical representation of the
brand. The Indicator is defined in a common image format with
restrictions detailed in the Assertion Record definition
(Section 5.2).
4.3. Mark Verifying Authority (MVA)
An entity or organization that can provide evidence of verification
of Indicators asserted by a Domain Owner to Verifying Protocol
Clients. The MVA may choose to uphold and confirm the meeting of
certain Indicator standards (ie. size, trademark, content, etc).
4.4. BIMI Evidence Document
A document published by a Mark Verifying Authority to assert evicence
of verification. These are defined in a separate document.
4.5. Verified Mark Certificate (VMC)
A certificate issued by a Certificate Authority in accordance with
the Verified Mark Certificate Guidelines. These guidelines are
defined in a separate document.
A Verified Mark Certificate is one example of a BIMI Evidence
Document.
4.6. Protocol Client
An entity designed to obtain and correctly interpret the records
defined in this specification for the purpose of discovering and
fetching published Indicators.
4.7. Verifying Protocol Client
A Protocol Client that uses optional capabilities to obtain and
evaluate evidence concerning the Domain Owner's rights to use the
published Indicators.
5. BIMI DNS Records
Domain owners publish BIMI policies by adding BIMI Assertion Records
in the DNS as TXT records.
Published policies are interpreted and applied by Protocol Clients.
A Domain Owner signals intended BIMI participation for one or more of
its domains by publishing an Assertion Record in a subdomain under
it. In doing so, Domain Owners make specific requests of MUAs
regarding the preferred set of Indicators to be displayed with
messages that are confirmed to be authorized to appear from the
Domain Owner's domain.
The use of BIMI is opt-in. Receivers default to performing no BIMI-
specific message handling until they choose to do so, and then only
if a BIMI record for the sender's domain is found.
BIMI's use of the DNS is driven in part by BIMI's use of domain names
as the basis of sender identity and message authentication. Use of
the DNS as the policy publication service also has the benefit of
reusing an extremely well-established operations, administration, and
management infrastructure, rather than creating a new one.
BIMI's policy payload is intentionally only published via a DNS
record and not via one or more email headers. This serves three
purposes:
* There is one and only one mechanism for both simple and complex
policies to be published.
* Operational complexity is reduced. MTAs only need to check a
single record in a consistent manner to discover and enforce
policy.
* Indicators SHOULD be verified and cached in advance, so that
malicious headers cannot be used as an attack vector.
Per [DNS], a TXT record can comprise several "character-string"
objects. BIMI TXT records with multiple strings must be treated in
an identical manner to SPF Section 3.3 (https://tools.ietf.org/html/
rfc7208#section-3.3).
5.1. MUA Obligations
MUAs implementing the BIMI mechanism SHOULD make a best-effort
attempt to adhere to the Domain Owner's published BIMI policy.
However, MUAs have final control over the user interface published to
their end users, and MAY use alternate Indicators than those
specified in the BIMI assertion record or no Indicator at all.
5.2. Assertion Record
All Domain Owner BIMI preferences are expressed in DNS TXT records
published in subdomains named "_bimi". Multiple sets of preferences
can be associated with a single RFC5322.From domain. To distinguish
between these different preferences, BIMI defines and uses selectors.
Senders declare which selector to use for a given message by
specifying the selector in an optional BIMI-Selector header
(Section 6.1).
For example, the Domain Owner of "example.com" would post BIMI policy
in a TXT record at "default._bimi.example.com". Similarly, a Mail
Receiver wishing to query for BIMI policy regarding mail with an
RFC5322.From Author Domain of "example.com" and a selector "default"
(the default) would query the TXT record located at the subdomain of
"default._bimi.example.com". The DNS-based BIMI policy record is
referred to as the "BIMI Assertion Record" or "Assertion Record".
BIMI Assertion Records follow the extensible "tag-value" syntax for
DNS-based key records as defined in [DKIM].
Assertion Records are defined precisely. Mail receivers MUST NOT
attempt to fix syntactical or capitalization errors. If a required
tag is missing, or its value not well-formed, it is an error.
This section creates a registry for known BIMI tags and registers the
initial set defined in this document. Only tags defined in this
document or in later extensions, and thus added to the registry, are
to be processed; unknown tags MUST be ignored.
The following tags are introduced as the initial valid BIMI tags:
v= Version (plain-text; REQUIRED). Identifies the record retrieved
as a BIMI record. It MUST have the value of "BIMI1" for
implementations compliant with this version of BIMI. The value of
this tag MUST match precisely; if it does not match or it is absent,
the entire retrieved record MUST be ignored. It MUST be the first
tag in the list.
ABNF:
bimi-version = %x76 *WSP "=" *WSP %x42.49.4d.49 1DIGIT
a= Authority Evidence Location (plain-text; URI; OPTIONAL). If
present, this tag MUST have an empty value or its value MUST be a
single URI. An empty value for the tag is interpreted to mean the
Domain Owner does not wish to publish or does not have authority
evidence to disclose. The URI, if present, MUST contain a fully
qualified domain name (FQDN) and MUST specify HTTPS as the URI scheme
("https"). The URI SHOULD specify the location of a publicly
retrievable BIMI Evidence Document. The format for evidence
documents is defined in a separate document.
If the a= tag is not present, it is assumed to have an empty value.
ABNF:
bimi-evidence-location = %x61 *WSP "=" bimi-uri
bimi-uri = \[FWS\] URI \[FWS\]
; "URI" is imported from [URI]
; HTTPS only
; commas within a URI (ASCII ; 0x2C) MUST be encoded
l= location (URI; REQUIRED). The value of this tag is either empty
indicating declination to publish, or a single URI representing the
location of a Brand Indicator file. The only supported transport is
HTTPS.
ABNF:
bimi-location = %x6c *WSP "=" bimi-uri
Therefore, the formal definition of the BIMI Assertion Record, using
[ABNF], is as follows:
bimi-sep = *WSP %x3b *WSP
bimi-record = bimi-version (bimi-sep bimi-location) (bimi-sep bimi-evidence-location) \[bimi-sep\]
; components other than bimi-version may appear in any order
5.2.1. Declination to Publish
If both the "l=" and "a=" tags are empty, it is an explicit refusal
to participate in BIMI. This is distinct from not publishing a BIMI
record. For example, an empty BIMI record enables a Domain Owner to
decline BIMI participation for a subdomain when its organizational
domain has default Indicators available. Furthermore, messages sent
using a selector that has declined to publish will not show an
Indicator while messages with other selectors would display normally.
An explicit declination to publish looks like:
v=BIMI1; l=; a=;
5.2.2. Supported Image Formats for l= tag
Any format in the BIMI-formats IANA registry are acceptable targets
for the l= tag. If an l= tag URI ends with any other image format
suffix, or if the document retrievable from the location(s) in the l=
tag are of any other format, the evaluation of the record MUST be
treated as a permanent error.
As of the publishing of this document, only SVG and SVGZ, as defined
in RFC6170 section 5.2 (https://tools.ietf.org/html/rfc6170#section-
5.2) is acceptable in the l= tag. Further restrictions apply to the
SVG; these are documented elsewhere.
5.3. Selectors
To support publishing and display of more than one distinct Brand
Indicator per domain, the brand Indicator namespace is subdivided for
publishing of multiple Assertion Records using "selectors".
Selectors allow the Domain Owner to choose the brand Indicator, for
example, by type of recipient, by message source, or by other
considerations like seasonal branding. BIMI selectors are modeled
after DKIM selectors (https://tools.ietf.org/html/rfc6376#section-
3.1).
The selector "default" is the default Assertion Record. Domain
Owners can specify which other selector to use on a per-message basis
by utilizing the BIMI-Selector Header (Section 6.1).
Periods are allowed in selectors and are component separators. When
BIMI Assertion Records are retrieved from the DNS, periods in
selectors define DNS label boundaries in a manner similar to the
conventional use in domain names. In a DNS implementation, this can
be used to allow delegation of a portion of the selector namespace.
ABNF:
selector = sub-domain *( "." sub-domain )
; from [SMTP] Domain,
; excluding address-literal
The number of selectors for each domain is determined by the Domain
Owner. Many Domain Owners will be satisfied with just one selector,
whereas organizations with more complex branding requirements can
choose to manage disparate selectors. BIMI sets no maximum limit on
the number of selectors.
6. BIMI Header Fields
Once BIMI policies are published in DNS via Assertion Records, Domain
Owners can provide additional guidance to Mail Receivers, and Mail
Receivers to their MUAs through the use of BIMI header fields.
BIMI header fields are case insensitive. If a required tag is
missing, it is an error.
6.1. BIMI-Selector Header
BIMI DNS records are placed in <selector>._bimi.<domain>, and by
default they are placed in default._bimi.<domain>. That is, for
example.com, the default Assertion Record is located in the DNS at
default._bimi.example.com. However, a Domain Owner may override the
use of the default selector and specify the use of an alternative
using the RFC5322-compliant header 'BIMI-Selector'. The BIMI-
Selector header consists of key value pairs:
v= Version (plain-text; REQUIRED). The version of BIMI. It MUST
have the value of "BIMI1" for implementations compliant with this
version of BIMI. The value of this tag MUST match precisely; if it
does not or it is absent, the entire retrieved record MUST be
ignored. It MUST be the first tag in the list.
ABNF:
bimi-header-version = "v" *WSP "=" *WSP "BIMI" 1DIGIT
s= Selector (plain-text; REQUIRED). The location of the BIMI DNS
record, when combined with the RFC5322.From domain.
ABNF:
bimi-selector = "s" *WSP "=" *WSP selector
And the formal definition of the BIMI Selector Header, using ABNF, is
as follows:
bimi-selector-header = bimi-header-version bimi-sep bimi-selector \[bimi-sep\]
6.2. BIMI-Location Header
BIMI-Location is the header a Mail Receiver inserts that tells the
MUA where to get the BIMI Indicator from.
The syntax of the header is as follows:
v= Version (plain-text; REQUIRED). The version of BIMI. It MUST
have the value of "BIMI1" for implementations compliant with this
version of BIMI. The value of this tag MUST match precisely; if it
does not or it is absent, the entire header MUST be ignored. It MUST
be the first tag in the list.
The ABNF for bimi-header-version is imported exactly from the [BIMI Selector Header](#bimi-selector).
l: location of the BIMI Indicator (URI; OPTIONAL if a bimi-evidence-
location-header-uri is specified, otherwise REQUIRED.). Inserted by
the MTA after performing the required checks and obtaining the
applicable domain's published Assertion Record. The value of this
tag is a URI representing the location of the Brand Indicator file.
HTTPS is the only supported transport.
ABNF:
bimi-location-header-uri = "l" *WSP "=" bimi-uri
a: location of the BIMI Evidence Document (URI; REQUIRED if the BIMI
Evidence Document was verified). Inserted by the MTA after
performing the required checks and obtaining the applicable domain's
published Assertion Record. The value of this tag is a URI
representing the location of the BIMI Evidence Document. HTTPS is
the only supported transport.
ABNF:
bimi-evidenced-location-header-uri = "a" *WSP "=" bimi-uri
And the formal definition of the BIMI Location Header, using ABNF, is
as follows:
bimi-location-header-location-only = bimi-location-header-uri
bimi-location-header-evidence-only = bimi-evidence-location-header-uri
bimi-location-header-both = bimi-location-header-uri bimi-evidence-location-header-uri
bimi-location-options = bimi-location-header-location-only / bimi-location-header-evidence-only / bimi-location-header-both
bimi-location-header = bimi-header-version bimi-sep bimi-location-options \[bimi-sep\]
6.3. BIMI-Indicator Header
BIMI-Indicator is the header a Mail Receiver inserts to pass a
verified Indicator to the MUA.
The header contains the SVG of the Indicator encoded as base64, and
is inserted by the MTA after performing the required checks and
obtaining the applicable domain's published Assertion Record. The
contents of this tag MUST match the SVG Indicator content retrieved
from the URI specified in the BIMI-Location header. If he Indicator
was supplied as a gzipped SVGZ file then the MTA MUST uncompress the
file before base64 encoding.
base64string = ALPHADIGITPS *([FWS] ALPHADIGITPS)
[ [FWS] "=" [ [FWS] "=" ] ]
And the formal definition of the BIMI Indicator Header, using ABNF,
is as follows:
bimi-indicator-header = bimi-sep base64string \[bimi-sep\]
6.4. Header Signing
If present, the BIMI-Selector header SHOULD be included in the DMARC-
aligned DKIM signature used to confirm authenticity of the message.
If it is not included in the DMARC-compliant DKIM signature, the
header SHOULD be ignored.
Receivers MAY choose to apply additional methods to validate the
BIMI-Selector header, for example by evaluating a trusted [ARC]
chain. In this case the Receiver MAY choose to treat the message as
if the BIMI-Selector header was signed.
The BIMI-Location and BIMI-Indicator headers MUST NOT be DKIM signed.
This header is untrusted by definition, and is only for use between
an MTA and its MUAs, after DKIM has been validated by the MTA.
Therefore, signing this header is meaningless, and any messages with
it signed are either coming from malicious or misconfigured third
parties.
7. Domain Owner Actions
This section includes a walk through of the actions a Domain Owner
takes when setting up Assertion Records and sending email messages.
7.1. Determine and Publish Indicator(s) for Use
Domain Owners should consider which Indicator file formats to choose
when setting up their BIMI Assertion Records. For a Sender, BIMI
provides control over which Indicators are eligible and can be chosen
for display, but not the ultimate manner in which the MUA will
display the Indicator.
7.2. Publish Assertion Records
For each set of Indicators and domains, publish the appropriate
Assertion Record as either "default" or a named selector as a DNS TXT
record within the appropriate "_bimi" namespace.
7.3. Manage multiple uses of the same Indicator(s) within a trust boundary
For Domain Owners with multiple domains that wish to share the same
set of Indicators within a trust boundary and only manage those
Indicators from a single DNS location, it is RECOMMENDED to use DNS
CNAMEs.
Using a CNAME here is functionally similar to the SPF redirect
modifier. Since BIMI does not require l= tags to be aligned to the
Author Domain, CNAMEs present a cleaner solution than extending the
protocol.
7.4. Set the headers on outgoing email as appropriate
Once a default Assertion Record has been published for an Author
Domain, all emails from this domain should display the appropriate
Indicator in participating MUAs.
If a non-default Indicator is desired, the BIMI-Selector header
should be set appropriately. If for some reason this selector cannot
be accessed by the Protocol Client, the fallback is the default
Assertion Record on the Organization domain.
The BIMI-Location header MUST NOT be set by email senders, and
Protocol Clients MUST ignore it.
8. Receiver Actions
This section includes a walk through of the actions a Protocol Client
takes when evaluating an email message for BIMI Assertion.
8.1. Authentication Requirements
Before applying BIMI processing for a message, a receiver MUST verify
that the message passed the following BIMI authentication
requirements:
1. If more than 1 RFC5322.From header is present in the message, or
any RFC5322.From header contains more than 1 email address then
BIMI processing MUST NOT be performed for this message.
2. Start with the DNS domain found in the RFC5322.From header in the
message. Define this DNS domain as the Author Domain.
3. Find the Organizational Domain for the Author Domain. Define
this DNS domain as the Author Organizational Domain. If the
Author Domain is an Organizational Domain then this will be
identical to the Author Domain.
4. Evaluate the [DMARC] result for the Author Domain. Define the
result as the BIMI DMARC Result.
5. If the BIMI DMARC result is not 'pass', then the receiver MAY
choose to apply additional authentication methods, for example by
evaluating a trusted [ARC] chain, a list of trusted forwarders,
or by applying a local policy. In this case the Receiver MAY
choose to treat the message as if the BIMI DMARC Result was
'pass'.
6. If the [DMARC] result for the Author Domain is not 'pass', and
the message could not be authenticated by any additional
authentication method, then BIMI processing MUST NOT be performed
for this message.
7. If the [DMARC] policy for the Author Domain or Author
Organizational Domain is p=none then BIMI processing MUST NOT be
performed for this message.
8. IF the [DMARC] record for the Author Domain or Author
Organizational Domain includes a subdomain policy, and that
subdomain policy is sp=none then BIMI processing MUST NOT be
performed for this message.
9. If the [DMARC] policy for the Author Domain or Author
Organizational Domain is p=quarantine, and the [DMARC] record
defines a percentage tag, then that tag MUST be pct=100,
otherwise BIMI processing MUST NOT be performed for this message.
8.2. Assertion Record Discovery
Through the BIMI Assertion Record (Section 5.2), Domain Owners use
DNS TXT records to advertise their preferences. Preference discovery
is accomplished via a method similar to the method used for [DMARC]
records. This method, and the important differences between BIMI and
[DMARC] mechanisms, are discussed below.
Assertion Record Discovery MUST NOT be attempted if the message
authentication fails per Receiver policy.
To balance the conflicting requirements of supporting wildcarding,
allowing subdomain policy overrides, and limiting DNS query load,
Protocol Clients MUST employ the following lookup scheme for the
appropriate BIMI record for the message:
1. Start with the DNS domain found in the RFC5322.From header in the
message. Define this DNS domain as the Author Domain.
2. If the message for which the Indicator is being determined
specifies a selector value in the BIMI Selector Header
(Section 6.1), use this value for the selector. Otherwise the
value 'default' MUST be used for the selector.
3. Clients MUST query the DNS for a BIMI TXT record at the DNS
domain constructed by concatenating the selector, the string
'_bimi', and the Author Domain. A possibly empty set of records
is returned.
4. Records that do not start with a "v=" tag that identifies the
current version of BIMI MUST be discarded.
5. If the set is now empty, the Client MUST query the DNS for a BIMI
TXT record at the DNS domain constructed by concatenating the
selector, the string '_bimi', and the Organizational Domain (as
defined in [DMARC]) corresponding to the Author Domain. A custom
selector that does not exist falls back to
<selector>._bimi.<organizationalDomain>. A possibly empty set of
records is returned.
6. Records that do not start with a "v=" tag that identifies the
current version of BIMI MUST be discarded.
7. If the remaining set contains multiple records or no records,
Assertion Record Discovery terminates and BIMI processing MUST
NOT be performed for this message.
8. If the remaining set contains only a single record, this record
is used for BIMI Assertion.
8.3. Indicator Discovery.
1. If the retrieved Assertion Record does not include a valid bimi-
location in the l= tag, then Indicator Discovery has failed, and
the Indicator MUST NOT be displayed. The bimi-location entry
MUST be a URI with a HTTPS transport.
2. If the retrieved Assertion Record includes a bimi-evidence-
location entry in the a= tag, and the receiver supports BIMI
Evidence Document validation, then proceed to the Indicator
Discovery With Evidence (Section 8.4) step.
3. If the receiver does not support BIMI Evidence Document
validation, or the retrieved Assertion Record does not include a
bimi-evidence-location entry, then proceed to the Indicator
Discovery Without Evidence (Section 8.5) step.
8.4. Indicator Discovery With Evidence.
Individual types of BIMI Evidence Document MAY specify extra
discovery and validation steps. These will be defined in separate
documents.
8.5. Indicator Discovery Without Evidence.
If an Assertion Record is found, and it has empty bimi-location and
bimi-evidence-location then this is a Declination to Publish record.
BIMI processing MUST not occur on this message and the MTA SHOULD
reflect this in the Authentication-Results header by adding a
bimi=declined entry.
If an Assertion Record is found, and has an empty or missing bimi-
evidence-location entry then no evidence has is presented, and the
Indicator MUST be retrieved from the URI specified in the bimi-
location entry using the following algorithm:
1. Retrieve the SVG Indicator from the URI specified in the l= tag.
This MUST be a URI with a HTTPS transport.
2. If the TLS server identity certificate presented during the TLS
session setup does not chain-up to a root certificate the Client
trusts then Indicator validation has failed and the Indicator
MUST NOT be displayed.
3. Proceed to the Indicator Validation (Section 8.6) step.
8.6. Indicator Validation
1. Check the file size of the retrieved Indicator against
recommended maximum sizes as defined in this document, and in the
BIMI SVG document. A receiver MAY choose to implement their own
file size restrictions. If the Indicator is larger than the
maximum size the the receiver MAY choose not to display the
Indicator. A receiver MAY choose to implement the size limit as
a retrieval limit rather than retrieving the entire document and
then checking the size.
2. If the SVG Indicator is missing, or is not a valid SVG or SVGZ
document then validation has failed and the Indicator MUST NOT be
displayed.
3. Check the retrieved Indicator against the SVG validation steps
specified in this document, and in the BIMI SVG document. (Note
to WG, do we want to specify the SVG_1.2_PS profile here or leave
that to the other document?)
4. If Indicator verification has passed, and the Indicator is from a
trusted source, then the Indicator MAY be displayed per receiver
policy.
(Note to WG, add link to BIMI SVG document)
8.7. Affix BIMI Status to Authentication Results Header Field
Upon completion of Assertion Record Discovery, Indicator Discovery,
and Indicator Validation, an MTA SHOULD affix the result in the
Authentication-Results header using the following syntax, with the
following key=value pairs:
bimi: Result of the bimi lookup (plain-text; REQUIRED). Range of
values are 'pass' (BIMI successfully validated), 'none' (no BIMI
record present), 'fail' (syntax error in the BIMI record, failure in
Discovery or Validation steps, or some other error), 'temperror' (DNS
lookup problem), 'declined' (The domain owner published an explicit
declination record), or 'skipped' (BIMI check was not performed,
possibly because the message did not comply with the minimum
requirements such as passing DMARC, or the MTA does not trust the
sending domain). The MTA MAY put comments in parentheses after bimi
result, e.g., "bimi=fail (Invalid SVG)", "bimi=skipped (sender not
trusted)" or "bimi=skipped (message failed DMARC)".
header.d: Domain of the BIMI Assertion Record which was evaluated
(plain-text; REQUIRED if bimi=pass). For example, this will be the
organizational domain if the BIMI lookup used the fallback record,
otherwise it will be the RFC5322.From domain.
header.selector: Selector of the BIMI Assertion Record which was
evaluated (plain-text; REQUIRED if bimi=pass). For example, if a
BIMI-Selector Header was present and used to discover a BIMI
Assertion Record then this will be the Selector used, otherwise this
will be 'default'.
policy.authority: Authority verification status of the Brand
Identifier (plain-text; REQUIRED if the BIMI Evidence Document was
checked). If the Authority Evidence presented in the BIMI Assertion
Record was checked and found to be valid then this MUST be set to
pass. If the validation failed then this MUST be set to fail. If no