CATEGORY: NewsPublic SectorSecurity

Are your emails digitally certified? 

Are your emails digitally certified? 

Apple is set to make changes to the way email is handled on the iPhone in September with the introduction of the iOS16 update. From this point, emails from ‘digitally certified senders’ will display a verified logo in the inbox of Apple’s Mail application on iPhones and iPads.. 

Becoming a digitally certified sender involves acquiring a Verified Mark Certificate (VMC) which is part of the Brand Indicators for Message Identifiers (BIMI) standard. 

iOS16 first look 

In testing with the iOS16 public beta, we were able to see the logo and the digitally certified sender verification for several brands with an existing BIMI record. Never let it be said that you can’t mix business with pleasure as we use Domino’s Pizza as a test example here. We were fortunately already subscribed to their emails. 

Inbox view 

There are no visual differences to the Inbox view for emails with a VMC certificate in iOS16. The list view still presents unread emails with a blue dot next to them. This is in contrast to the Gmail app experience where VMC certified emails will show the logo in the inbox view. The VMC therefore does not help to reassure email recipients until they click through to the email. 

Email view 

Once looking at the email individually, the avatar space adjacent to the From field is populated with the BIMI logo file. This is the same space as avatars for contacts with a profile picture show in Mail.  

Domino's digitally certified

A new line appears under the To: field with the message “Digitally Certified” and a “Learn More” link.  

By showing both the logo and the “Digitally Certified” message, the user is offered reassurance that this is a genuine email. 

Contact record 

If the user clicks on the From name, then a contact card loads which shows an additional explanation. 

Digitally certified contact

The message on the contact card states: 

“Digitally Certified Email – This email was verified as coming from the owner of the logo shown and the domain “ – Learn More” 

A similar message is shown on a solus popup if the user clicks on the Learn More link under the To: field. 

This is a beta, so the spelling and grammatical errors in these messages are likely to change in due course. The Learn More link on the contact card also only lead to a generic Apple help page at present. 

Emails from Dominos (in the UK) come from a subdomain: 

It is on this subdomain, that you will find a valid BIMI SVG image and corresponding VMC certificate. The logo file referenced in the VMC certificate must match the SVG to achieve compliance with the BIMI standard.  

Our testing confirmed that self-certified BIMI records do not display the logo in iOS16. This is consistent with Gmail’s implementation of BIMI which also requires the VMC. 

The BIMI standard 

The BIMI standard is a relatively new email authentication standard that provides a mechanism to display a logo or brand mark in the inbox. 

Adoption of BIMI has been slow, but is gaining momentum. There are two types of BIMI record though; self-certified and VMC certified. The VMC route involved a Certificate Authority verifying the ownership of the logo used in the BIMI record. 

Until recently, a prerequisite for obtaining a VMC was the ownership of a registered trademark for the brand identity. This presented challenges to many organisations, particularly public sector organisations, as they do not possess a trademark in the conventional sense. 

New requirements for public sector organisations 

The latest version of the VMC specification includes new provisions for government organisations to obtain a VMC and to consequently publish a BIMI record that meets the standards set by Apple for display of the digitally certified sender message in iOS16. 

In the latest VMC requirements, the concept of a Government Mark has been introduced, recognising that a Mark (a logo) was granted to or claimed by a Government entity or Non-Commercial Entity (International Organisation) by way of statute, regulation, treaty, or government action. 

The full specification is available here:

DMARC pre-requisite 

Protecting your email sending domain using a VMC certificate can only be achieved when other forms of email verification are in place already. All emails sent via e-shot have these and we work with public sector senders to ensure that their emails are protected in line with the NCSC guidance. We also proactively monitor public sector customers’ domains via the NCSC Mailcheck service. 

It will likely be some time before we see any official guidance on using BIMI and VMC certificates in government, but we are working with industry partners and several existing customers to implement BIMI in a test capacity. 

We do still encounter many official organisations that do not have the proper email authentications set up to protect their emails from fraudulent activity. To learn more about protecting your existing emails via established methods, we offer a free email healthcheck to public sector organisations which includes a full report on the security of your existing domain. Find out more 

Free email marketing healthcheck - icon

Email marketing healthcheck

We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.

Get started