Prepare your email server for BIMI support in Apple Mail

Apple Mail in macOS Ventura 13, iOS 16, and iPadOS 16, or later supports BIMI (Brand Indicators for Message Identification), an email specification that enables email clients to show brand-controlled logos based on information provided by the corresponding organization. Get an overview of how BIMI works and learn how to ensure eligible BIMI logos are displayed for Apple Mail clients.

Overview

BIMI is designed to ensure that logos are displayed only for messages that properly originate from a sending organization. BIMI1, 2 leverages a domain’s deployment of DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent domain impersonation. It works with VMCs (Verified Mark Certificates)3, 4 and other forms of BIMI Evidence Documents to verify the ownership and authenticity of a logo and the logo's connection to that domain.

BIMI compliance is managed by the mail provider on the server. An organization's logo appears in Apple Mail for a given email message when the mail provider has:

  • Ensured message and domain compliance according to the BIMI specification.
  • Verified a BIMI Evidence Document (for example, a VMC trusted by the mail provider).
  • Added the required headers vouching for these checks described under “Support Apple Mail clients.”

If a mail provider hasn't performed these actions for a given mail message, that message won't show an organization’s logo in Apple Mail.

Support Apple Mail clients

In addition to the requirements outlined in the BIMI specification, Apple Mail clients require that a DKIM (DomainKeys Identified Mail) signature be inserted by the mail provider. The signature must cover an Authentication-Results header (also from the mail provider) including a bimi statement. This additional requirement establishes a basis for Apple Mail clients to trust inserted BIMI headers.

A valid BIMI-compliant email contains all of the following headers (configured as described):

  • A DKIM-signature header, where the h value contains all Authentication-Results up to the ones the server inserted
    • The d value must have the same organizational domain (eTLD+1) as the recipient mail server
    • The l value must equal 0
  • An Authentication-Results header with bimi=pass and policy.authority=pass
    • The authserv-id value must have the same organizational domain as either:
      • The recipient mail server
      • The authserv-id value of the first (most recently added) Authentication-Results header
  • A BIMI-Location header that includes both l and a values
  • A BIMI-Indicator header

Example headers

All examples in this section assume the mail server is imap.example.com.

A correctly formed mail header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=foo1234; t=1645949369;
    bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
    h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
    b=tpMLTXB...kQ==
Authentication-Results: bimi.example.com;
    bimi=pass header.d=examplesender.com header.selector=default
    policy.authority=pass
    policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
    dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
    dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
    header.b=GyICAm88
Authentication-Results: spf.example.com;
    spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
    l=https://media.examplesender.com/media/logo.svg
    a=https://media.examplesender.com/media/vmc.pem

An incorrectly formed header (a wrong DKIM domain)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wrongdomain.com;
    s=foo1234; t=1645949369;
    bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
    h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
    b=tpMLTXB...kQ==
Authentication-Results: bimi.example.com;
    bimi=pass header.d=examplesender.com header.selector=default
    policy.authority=pass
    policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
    dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
    dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
    header.b=GyICAm88
Authentication-Results: spf.example.com;
    spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
    l=https://media.examplesender.com/media/logo.svg
    a=https://media.examplesender.com/media/vmc.pem

An incorrectly formed header (a wrong Authentication-Results domain)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=foo1234; t=1645949369;
    bh=bYktD+FKmAvkst9op6KYg+JHRznF/tB4agLqrbfatKo=; l=0;
    h=Authentication-Results:Authentication-Results:Authentication-Results:Authentication-Results:From;
    b=tpMLTXB...kQ==
Authentication-Results: dkim-verifier.example.com;
    dkim=pass header.d=example2.com header.i=@example2.com
    header.b=tfwjEzge
Authentication-Results: bimi.wrongdomain.com;
    bimi=pass header.d=examplesender.com header.selector=default
    policy.authority=pass
    policy.authority-uri=https://media.examplesender.com/media/vmc.pem
Authentication-Results: dmarc.example.com;
    dmarc=pass header.from=examplesender.com
Authentication-Results: dkim-verifier.example.com;
    dkim=pass (2048-bit key) header.d=examplesender.com header.i=@examplesender.com
    header.b=GyICAm88
Authentication-Results: spf.example.com;
    spf=pass smtp.mailfrom="delivery1234@send.examplesender.com"
BIMI-Indicator: eZvIB...kQ==
BIMI-Location: v=BIMI1;
    l=https://media.examplesender.com/media/logo.svg
    a=https://media.examplesender.com/media/vmc.pem