
Prepare your email server for BIMI support in Apple Mail
Apple Mail in macOS 13 Ventura, iOS 16, and iPadOS 16 or later supports BIMI (Brand Indicators for Message Identification), an email specification that lets email clients display brand-controlled logos based on information published by the sending organization. This page gives an overview of how BIMI works and explains what a mail provider must do so that eligible BIMI logos are displayed in Apple Mail.
Overview
BIMI is designed to ensure that logos are displayed only for messages that properly originate from a sending organization. BIMI [1, 2] leverages a domain’s deployment of DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent domain impersonation. It works with VMCs (Verified Mark Certificates) [3, 4] and other forms of BIMI Evidence Documents to verify the ownership and authenticity of a logo and the logo’s connection to that domain.
BIMI compliance is managed by the mail provider on the server. An organization’s logo appears in Apple Mail for a given email message when the mail provider has:
- Ensured message and domain compliance according to the BIMI specification.
- Verified a BIMI Evidence Document (for example, a VMC trusted by the mail provider).
- Added the required headers vouching for these checks described under “Support Apple Mail clients.”
If a mail provider hasn’t performed these actions for a given mail message, that message won’t show an organization’s logo in Apple Mail.
Support Apple Mail clients
In addition to the requirements outlined in the BIMI specification, Apple Mail clients require that the mail provider insert a DKIM (DomainKeys Identified Mail) signature. The signature must cover an Authentication-Results header (also inserted by the mail provider) that carries a bimi result. This additional requirement gives Apple Mail clients a basis for trusting the inserted BIMI headers: only the receiving provider's own signing key can produce a signature over the results it recorded.
A valid BIMI-compliant email contains all of the following headers (configured as described):
- A DKIM-Signature header, where the h value contains all Authentication-Results headers up to the ones the server inserted. Because DKIM signs repeated header fields from the bottom of the header block upward (RFC 6376, section 5.4.2), the name Authentication-Results appears in h once for each Authentication-Results header the signature is meant to cover.
  - The d value must have the same organizational domain (eTLD+1) as the recipient mail server.
  - The l value must equal 0 (the provider's signature covers the headers only, not the message body).
- An Authentication-Results header with bimi=pass and policy.authority=pass
  - The authserv-id value must have the same organizational domain as either:
    - The recipient mail server
    - The authserv-id value of the first (most recently added) Authentication-Results header
- A BIMI-Location header that includes both l and a values
- A BIMI-Indicator header
Example headers
All examples in this section assume the recipient mail server is imap.example.com, whose organizational domain is example.com. Continuation lines are folded with leading whitespace as in a real header block.
Correctly formed headers
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=foo1234; t=1645949369;
    bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
    h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
    b=tpMLTXB...kQ==
Authentication-Results: bimi.example.com;
    bimi=pass header.d=examplesender.com header.selector=default
    policy.authority=pass
    policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
    dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
    dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
    header.b=GyICAm88
Authentication-Results: spf.example.com;
    spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
    l=https://media.examplesender.com/media/logo.svg
    a=https://media.examplesender.com/media/vmc.pem
Incorrectly formed headers (wrong DKIM signing domain): the DKIM-Signature has d=wrongdomain.com, which does not share an organizational domain with imap.example.com, so Apple Mail does not show the logo.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wrongdomain.com;
    s=foo1234; t=1645949369;
    bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
    h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
    b=tpMLTXB...kQ==
Authentication-Results: bimi.example.com;
    bimi=pass header.d=examplesender.com header.selector=default
    policy.authority=pass
    policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
    dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
    dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
    header.b=GyICAm88
Authentication-Results: spf.example.com;
    spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
    l=https://media.examplesender.com/media/logo.svg
    a=https://media.examplesender.com/media/vmc.pem
Incorrectly formed headers (wrong Authentication-Results domain): the Authentication-Results header that carries bimi=pass has the authserv-id bimi.wrongdomain.com, which shares an organizational domain neither with imap.example.com nor with the first (most recently added) Authentication-Results header, dkim-verifier.example.com, so Apple Mail does not show the logo.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=foo1234; t=1645949369;
    bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
    h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
    b=tpMLTXB...kQ==
Authentication-Results: dkim-verifier.example.com;
    dkim=pass header.d=example2.com header.i=@example2.com
    header.b=tfwjEzge
Authentication-Results: bimi.wrongdomain.com;
    bimi=pass header.d=examplesender.com header.selector=default
    policy.authority=pass
    policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
    dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
    dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
    header.b=GyICAm88
Authentication-Results: spf.example.com;
    spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
    l=https://media.examplesender.com/media/logo.svg
    a=https://media.examplesender.com/media/vmc.pem
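The header rules listed under "Support Apple Mail clients" can be checked mechanically before a message leaves the provider's pipeline. The following is an added example, not code from the Apple article or from any mail provider: it parses a header block, applies each listed rule, and reports the violations it finds. Its inputs are the three example header blocks above (the correct block is embedded verbatim; the two incorrect blocks are derived from it by the single change each makes), and it assumes the recipient mail server imap.example.com from the examples. It checks structure only: it does not verify the DKIM signature cryptographically, and it approximates the organizational domain (eTLD+1) as the last two DNS labels, an assumption that a production checker must replace with a Public Suffix List lookup.

```python
# Structural checker for the Apple Mail BIMI header rules (added example, not
# code from the Apple article). It checks the listed constraints only: it does
# not verify the DKIM signature itself, and it approximates the organizational
# domain (eTLD+1) as the last two DNS labels, an assumption; use the PSL in production.
import re

MAIL_SERVER = "imap.example.com"  # recipient server used in the article's examples

# The article's correctly formed example (b= and BIMI-Indicator truncated as on the page).
GOOD = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=foo1234; t=1645949369;
 bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
 h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
 b=tpMLTXB...kQ==
Authentication-Results: bimi.example.com;
 bimi=pass header.d=examplesender.com header.selector=default
 policy.authority=pass
 policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
 dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
 dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
 header.b=GyICAm88
Authentication-Results: spf.example.com;
 spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
 l=https://media.examplesender.com/media/logo.svg
 a=https://media.examplesender.com/media/vmc.pem
"""
# The article's two incorrect examples, each derived from GOOD by its single difference.
BAD_DKIM_DOMAIN = GOOD.replace("d=example.com;", "d=wrongdomain.com;", 1)
BAD_AR_DOMAIN = ("Authentication-Results: dkim-verifier.example.com;\n"
                 " dkim=pass header.d=example2.com header.i=@example2.com\n"
                 " header.b=tfwjEzge\n"
                 + GOOD.replace("bimi.example.com;", "bimi.wrongdomain.com;", 1))

def org_domain(host):
    """Approximate eTLD+1 as the last two labels (assumption; use the PSL in production)."""
    return ".".join(host.strip().lower().rstrip(".").split(".")[-2:])

def unfold_headers(raw):
    """Parse a header block into ordered (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:  # RFC 5322 folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def authserv_id(ar_value):
    """The authserv-id is the token before the first ';' of an Authentication-Results value."""
    return ar_value.split(";", 1)[0].strip()

def check_bimi_headers(raw, mail_server=MAIL_SERVER):
    """Return the list of rule violations; an empty list means the block is acceptable."""
    headers = unfold_headers(raw)
    server_org = org_domain(mail_server)
    failures = []

    dkim = [v for n, v in headers if n == "dkim-signature"]
    if not dkim:
        failures.append("missing DKIM-Signature")
    else:
        tags = dict(p.strip().split("=", 1) for p in dkim[0].split(";") if "=" in p)
        if org_domain(tags.get("d", "")) != server_org:
            failures.append(f"DKIM d={tags.get('d')} is not in {server_org}")
        if tags.get("l") != "0":
            failures.append(f"DKIM l= must be 0, got {tags.get('l')}")
        if "authentication-results" not in tags.get("h", "").lower().split(":"):
            failures.append("DKIM h= does not cover Authentication-Results")

    ars = [v for n, v in headers if n == "authentication-results"]
    bimi_ar = [v for v in ars if re.search(r"\bbimi=pass\b", v)]
    if not bimi_ar:
        failures.append("no Authentication-Results with bimi=pass")
    else:
        ar = bimi_ar[0]
        if not re.search(r"\bpolicy\.authority=pass\b", ar):
            failures.append("bimi Authentication-Results lacks policy.authority=pass")
        # authserv-id must share its organizational domain with the recipient server
        # or with the first (most recently added) Authentication-Results header
        allowed = {server_org, org_domain(authserv_id(ars[0]))}
        if org_domain(authserv_id(ar)) not in allowed:
            failures.append(f"authserv-id {authserv_id(ar)} is outside {sorted(allowed)}")

    loc = [v for n, v in headers if n == "bimi-location"]
    if not loc:
        failures.append("missing BIMI-Location")
    else:
        present = dict(re.findall(r"\b([a-z])=([^\s;]+)", loc[0]))
        failures += [f"BIMI-Location lacks {t}=" for t in ("l", "a") if t not in present]

    if not any(n == "bimi-indicator" for n, _ in headers):
        failures.append("missing BIMI-Indicator")
    return failures
```

Calling check_bimi_headers(GOOD) returns an empty list, while check_bimi_headers(BAD_DKIM_DOMAIN) and check_bimi_headers(BAD_AR_DOMAIN) each return exactly one violation naming the offending domain. The checker reads the Authentication-Results headers in the order they appear, so the "first" header really is the most recently added one, as the rule requires; it deliberately stops at structure, because whether the provider's DKIM signature actually verifies is a question for the DKIM verifier with the provider's published key.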