
MacRumors

macrumors bot
Original poster
Apr 12, 2001


iOS 16 and macOS Ventura add support for the Brand Indicators for Message Identification (BIMI) standard in the Mail app, helping users to easily verify authenticated emails sent by brands by displaying the brand's logo alongside the email's header.

[Image: iOS-16-Digitally-Certified-Mail.jpeg]

In the Mail app, emails sent by brands with a BIMI record are marked with a "Digitally Certified" label, which is visible after tapping to expand the email's header. Next to the label, a "Learn More" link leads to the following message: "This email was verified as coming from the owner of the logo shown and the domain [example.com.]"

For a brand's logo to be displayed, the sender's domain must pass DMARC authentication checks, according to the BIMI Group website. If the email passes authentication, the Mail app queries the DNS for a corresponding BIMI record.

Based on a tweet shared by software engineer Charlie Fish, it appears that Chase Bank is an example of a brand that has implemented BIMI, with the Chase logo appearing next to an email sent by the bank in the Mail app on iOS 16. BIMI is also supported by Gmail, Yahoo Mail, and Fastmail, according to BIMI Group.


This is just one of several new features added to the Mail app on iOS 16 and macOS Ventura, with others including the ability to unsend an email up to 10 seconds after sending it, scheduled emails, notifications if you forget to include an attachment on an email, support for rich links in emails, improved search functionality, and more.

Article Link: iOS 16 and macOS Ventura Combat Email Spoofing With Support for Verified Brand Logos in Mail App
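The lookup order the article describes (the message must pass DMARC, then the client fetches the sender domain's BIMI record) as an added Python example; this is not code from the article, Apple or the BIMI Group. It assumes the standard record locations `_dmarc.<domain>` and `<selector>._bimi.<domain>`, replaces real DNS with a constructed in-memory table of `.example` records, and treats the Verified Mark Certificate (`a=` tag) as required by default, which is what posters in this thread report Apple Mail enforces.

```python
from urllib.parse import urlparse
# Constructed stand-in for DNS TXT lookups so the example runs offline; the
# records below are illustrative values for reserved .example names.
FAKE_DNS_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "default._bimi.bank.example": "v=BIMI1; l=https://bank.example/logo.svg; a=https://bank.example/vmc.pem",
    "_dmarc.shop.example": "v=DMARC1; p=reject",             # enforcing, but no VMC
    "default._bimi.shop.example": "v=BIMI1; l=https://shop.example/logo.svg;",
    "_dmarc.blog.example": "v=DMARC1; p=quarantine; pct=50",  # policy covers only half the mail
    "default._bimi.blog.example": "v=BIMI1; l=https://blog.example/logo.svg; a=https://blog.example/vmc.pem",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(domain, lookup):
    """True only if the domain publishes p=quarantine or p=reject for all of its mail."""
    record = lookup(f"_dmarc.{domain}")
    if not record:
        return False
    tags = parse_tags(record)
    return (tags.get("v", "").upper() == "DMARC1"
            and tags.get("p", "none").lower() in ("quarantine", "reject")
            and tags.get("pct", "100") == "100")

def bimi_decision(domain, dmarc_pass, lookup, require_vmc=True, selector="default"):
    """Return (show_logo, logo_url_or_reason). dmarc_pass is the receiver's own
    DMARC result for the message; the record checks follow in the article's order."""
    if not dmarc_pass:
        return False, "message failed DMARC authentication"
    if not dmarc_enforcing(domain, lookup):
        return False, "DMARC policy not enforcing (needs p=quarantine/reject, pct=100)"
    record = lookup(f"{selector}._bimi.{domain}")
    if not record:
        return False, "no BIMI record published"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        return False, "unsupported BIMI version"
    logo = tags.get("l", "")
    if urlparse(logo).scheme != "https" or not logo.lower().endswith(".svg"):
        return False, "logo must be an https URL to an SVG file"
    if require_vmc and not tags.get("a"):
        return False, "no Verified Mark Certificate (a= tag); logo withheld"
    return True, logo
```

Passing `FAKE_DNS_TXT.get` as `lookup` keeps it offline; a real client would substitute a resolver that returns the TXT record for the name, and a spoofed message that fails DMARC never reaches the record checks at all.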

aja_96

macrumors newbie
Apr 8, 2021
This sounds like a step in the right direction against phishing, but not perfect, because socially engineered hacks towards the companies could still entrap end users (as they would then correspond with end users using legitimate email addresses).

KaliYoni

macrumors 6502a
Feb 19, 2016
While I always welcome features that increase security or privacy, I don't think this will make much of a difference because inattentive or ignorant users are easily fooled by logo graphics attached by scammers to messages. Plus from a behavioral perspective, scammers rely on fear and greed emotions. The human fight-or-flight reflex means that red flags such as obviously bogus URLs, awful grammar, bizarre word choice, or a government agency asking for gift cards are all too often ignored or discounted.

DHagan4755

macrumors 68000
Jul 18, 2002
Massachusetts
This is a great idea. I get spoof emails regularly and delete them. But some people are fooled. Making them aware to seek the verified brand logo is going to help a lot in combating the spoofing problem.

mikethemartian

macrumors 65816
Jan 5, 2017
Melbourne, FL
KaliYoni said:
While I always welcome features that increase security or privacy, I don't think this will make much of a difference because inattentive or ignorant users are easily fooled by logo graphics attached by scammers to messages. Plus from a behavioral perspective, scammers rely on fear and greed emotions. The human fight-or-flight reflex means that red flags such as obviously bogus URLs, awful grammar, bizarre word choice, or a government agency asking for gift cards are all too often ignored or discounted.

Reminds me of the scene in Catch Me If You Can when Abagnale takes the Pan-Am logos off of model planes and places them on forged checks.
 

[AUT] Thomas

macrumors 6502a
Mar 13, 2016
Graz [Austria]
Not a fan of BIMI because it's once again not a solution, but just another overly complex workaround to fixing a broken system.

If all mail servers required and enforced an organization-validated server certificate for inbound connections from other servers, the amount of spoofed mail and junk would be reduced by 99+%. Unfortunately, no mail provider can do that alone...

If that was about to be required by law, there would be an instant adoption and the problem essentially solved.
 

mariusignorello

macrumors 68020
Jun 9, 2013
$1-1.5k for a checkmark?? These companies know how to cook up BS to make money on user “trust”. So glad that the certificate step is optional.
 

nwcs

macrumors 68020
Sep 21, 2009
Tennessee
What they need is not only the verified logo thing but also some kind of warning icon to show when enough evidence indicates that the email name/address doesn’t correspond to the sender.

lordofthereef

macrumors G5
Nov 29, 2011
Boston, MA
I have just made it a point NOT to click links in my email. Regardless of what the email is about, if I want to check the account it was supposedly sent from, I go to the web page manually. Takes just a few seconds of extra effort, and it buys me 100% peace of mind.
 

chr1s60

macrumors 68020
Jul 24, 2007
California
This will provide an additional tool for those who are already cautious. Unfortunately, there are still far too many out there uneducated when it comes to phishing and the various scams utilized.
 

Megagator

macrumors regular
Aug 25, 2010
USA
Unfortunately in order to support this, on top of an https domain and the required DNS records, you have to get a bespoke "verified mark certificate" that signs the logo. There are currently only two options, costing between $1000-1500 per year. Feels like a scam.

HQuest

macrumors regular
Jan 10, 2012
mariusignorello said:
$1-1.5k for a checkmark?? These companies know how to cook up BS to make money on user “trust”. So glad that the certificate step is optional.

Not exactly optional. I have had it on my personal site since its initial inception, and without the “optional” certificate my logo is not displayed at any BIMI-compatible service, Apple Mail included. Until I shelled out the $1k for the certificate, which, like any certificate, expires, and here is the cash grab that makes it stupid for an email standard.
 

PinkyMacGodess

macrumors G3
Mar 7, 2007
Midwest America.
This is great news! I have an extensive list of spam senders' domains, and they are by and large real corporate brand names. Hundreds of them, and yet if I read the headers, I can see the ORIGINAL SOURCE, and yet no email filter seems to be nearly that intelligent?

WE PUT MEN ON THE MOON, AND AN EMAIL CLIENT CAN'T SIFT THE HEADERS AND BLOCK THE REAL SOURCE?

Good grief!!!

I started blocking whole spans of IP addresses from China, and occasionally picked a subnet that actually had an IP address that a real company I used apparently was using for some part of their website. I found that really odd and majorly suspicious. Why the heck would a legitimate company be using an IP address in a, to me, known spammer/phisher domain? Many of the addresses were in honey pot registers as being spamming hives.

Are the Chinese deliberately using legitimate address schemes to help proliferate spammers and phishers? If so, that's a damn huge incriminating problem for them, and America should be enforcing edge routers to block traffic from them.

I mean, we DO have edge routers for all traffic that enters the country, right?

NoGood@Usernames

macrumors regular
Dec 3, 2020
United States
My Outlook address displays logos in the inbox list when I access it through the web (or using the Outlook iOS app, which I don’t), and if nothing else I think it looks nice and makes emails from those supported senders easy to find.

Since I use Apple’s mail app on both iOS and Mac, this will be a nice addition!
 

StellarVixen

macrumors 68030
Mar 1, 2018
Earth
Oh, it’s a cat and mouse game; I think there is a high probability scammers will adapt somehow.

And remember, email as a form of communication is insecure by design. Because it comes from some other era where people still believed that we can trust each other to be nice, honest and trustworthy. Those times are long gone and no one really believes that anymore.
 

CarAnalogy

macrumors regular
Jun 9, 2021
[AUT] Thomas said:
Not a fan of BIMI because it's once again not a solution, but just another overly complex workaround to fixing a broken system.

If all mail servers required and enforced an organization-validated server certificate for inbound connections from other servers, the amount of spoofed mail and junk would be reduced by 99+%. Unfortunately, no mail provider can do that alone...

If that was about to be required by law, there would be an instant adoption and the problem essentially solved.

Gmail basically does that now. As of recently if a sender doesn’t have a good SPF record at the very least, the email is flagged. DKIM is preferred. Unfortunately DKIM adoption seems slow even now that SPF has finally caught on.

Between Google and Microsoft that’s 90% of (business) email, which is pretty close and as good as we can get in this duopoly system.

Unfortunately it seems like e-mail is fundamentally not designed for what we’ve made it into. Hard to believe that in the year 2022 communications are still so fragmented. I do like the federated nature but it seems it’s doomed to consolidation like everything else.
 

mariusignorello

macrumors 68020
Jun 9, 2013
HQuest said:
Not exactly optional. I have had it on my personal site since its initial inception, and without the “optional” certificate my logo is not displayed at any BIMI-compatible service, Apple Mail included. Until I shelled out the $1k for the certificate, which, like any certificate, expires, and here is the cash grab that makes it stupid for an email standard.

I set it up a couple hours ago and wondered why the logo never appeared. This is definitely some corporate identity branding BS disguised as “protection”.
 

mannyvel

macrumors 65816
Mar 16, 2019
Hillsboro, OR
Apple (or the IETF) needs to replace IMAP. It was written for another age, and it's way long in the tooth.

Basically, security needs to be baked in instead of being an afterthought. Verified senders need to be a part of the infrastructure. It's OK to have unverified senders, but they should be marked as such.

These days, certs are free and processing power is cheap, so issuing everyone a cert and using them for validation shouldn't be as much of a burden as it was back in the day.
 