Revisiting the eMail BIMI verification thing

Gotta tip my hat to post #127232 for starting the conversation.

Bear in mind that it appears most freemail companies’ web interfaces and installed mail clients have no facility to display the BIMI. I have proof of concept through a Thunderbird plugin.

The view from my old Yahoo! Mail; a lightning rod for spam.


So I sent tests over a couple of days, and once I got things right, all the old failed test messages had the image appear.

That logo was drawn with LibreOffice Draw about 10 years ago by using the text tool and right-clicking the image to select Convert To Curve. That gets you a Bézier curve ready for most vector graphic devices like die cutters, lasers, and goo-printers. LibreOffice also has an export feature to save the selected graphic as a SVG file. I think people with actual art skills would draw it in Inkscape. While testing I may have needed to convert that image into a Tiny SVG, or to have fixed the typos in my BIMI DNS record earlier. Probably the prior.
Side Note: my original SVG is 8.6 KB, and the converted one mentioned below is 8.2 KB.

A long, long time ago, when I first heard about this, I wanted one. :star_struck:

Because I struggled to migrate this second top-level virtual server and its sub-servers, where the eMails didn’t seem to work as expected, I was led to Cloudflare and its settings to help get things working. Mail seems to be working pretty well right now, but last night I got my own second-class-citizen BIMI graphic to work at the cost of $0.00 USD. (I’m still worried that free means I’m the product. :grimacing: :flushed_face:)

The Cloudflare portion was pretty much just copying & pasting records from Virtualmin DNS, but the BIMI was one extra record.


I did also put a copy of that BIMI DNS record in that Virtualmin’s virtual server’s DNS records. I’m not sure if Cloudflare tells people’s mail clients where to get it from, or if Webmin is doing it via BIND.

So here’s the thing I did that’s probably a bad security hole. On the bright side, it got to the proof of concept that Virtualmin might not have a “hard-lift” to add this feature in the future as the standard solidifies.
I went to this website and uploaded my SVG: https://verifybimi.com/

It’s a really simple converter where people should insert a fake logo they won’t use to get the output and reverse engineer what it did. They give you two outputs after you upload a graphic; a modified SVG, and a TXT output of the vector instructions to make that graphic.

So if my privately created non-PEM image is supposed to be a way of showing my authenticity with eMail, why did I hand that image to a stranger who made the version I will host on my Virtualmin server? Their website could have a copy of my production BIMI file to sell off if I started doing something successful, or use it to spoof my mail identity for malicious ideological reasons.

Thoughts anybody? :grinning_face:

I added BIMI to one of my domains in the past but I found that nobody really displays it if you dont have an expensive cert for it:

I guess it would be cool if there was some kind of letsencrypt for it available but I guess it is that expensive as a “safety” feature so only larger companies can afford it for it to appear more “official”

But if there was adoption even without certs then it would be great.

I think it could be implemented in the virtualmin GUI but I doubt it is all that high as a priority.

IMO mail stack in virtualmin has more pressing issues, for example DMARC is only implemented as DNS records, but not actually enforced locally, only opendkim is installed opendmarc is not installed by default.

and spamassassin does not enforce it either.

I think future mail stack might use rspamd which seems more complete.

I forgot to mention this thingie at Cloudflare in the DNS → Settings

That is the part where I thought it would be benificial to run the DNS mail entries at both Cloudflare and Virtualmin.

Did I do anything wrong? :grimacing: :grimacing: :grimacing: :grimacing: