Email Security and Branding Impact Combined: Why DMARC and BIMI are Essential for Companies
Implementing DMARC and BIMI is crucial for enhancing email security and branding, as highlighted by Jochen Schönweiß from Nameshield regarding a study on Germany’s e-commerce sector.
The implementation of DMARC (Domain-based Message Authentication, Reporting and Conformance) and BIMI (Brand Indicators for Message Identification) is crucial for companies across all industries to enhance their IT security and strengthen their branding through email communication. Our study shows that the e-commerce industry in Germany is particularly active in this area, but that there is still considerable room for improvement. The full report outlines the latest findings and offers recommendations for action.
The importance of DMARC for IT security
Email security is crucial in today’s business world. Phishing and email spoofing are still among the most common attack methods used by cybercriminals. At the same time, emails are an essential part of corporate communication: every day, millions of emails are exchanged between companies and their customers, partners, and suppliers. This creates the opportunity for attacks in which the sender’s address is spoofed in order to gain the recipient’s trust.
DMARC was developed to address precisely this problem. It builds on the two email authentication protocols SPF and DKIM and lets domain owners specify how unauthenticated emails should be handled, for instance by rejecting them or by quarantining them, which typically means delivery to the spam folder. Another key feature of DMARC is the ability to regularly receive reports on the state of email traffic and potential abuse attempts.
In addition to the benefits for IT security and marketing, there are external factors driving the adoption of DMARC and BIMI. Since February 2024, major email providers like Gmail and Yahoo have required incoming emails to comply with DMARC; otherwise, there is a risk that emails will end up in the spam folder or even get bounced. Companies, especially those in the e-commerce sector, are obligated to ensure their emails meet the requirements to guarantee deliverability. Standards such as the Payment Card Industry Data Security Standard (PCI DSS) 4.0 or the Technical Guideline TR-03182 of the German Federal Office for Information Security (BSI) also recommend the implementation of DMARC to secure email communication.
Our study, focusing on the 100 largest e-commerce companies in Germany, revealed that 45% of companies do not have a sufficiently strict DMARC implementation. This makes them vulnerable to spoofing attacks. What is particularly concerning is that 23% of companies do not receive reports on potential attacks. This means they cannot even perceive potential threats.
The relevance of DMARC extends beyond e-commerce
While our study focuses on e-commerce companies, DMARC is also of great importance for other industries. Organizations that rely on email communication – whether in finance, healthcare, manufacturing, or education – can benefit from implementing this protocol. Phishing attacks do not only affect e-commerce, but also banks, the healthcare industry, and government institutions.
BIMI: More than just IT security – a marketing tool
While DMARC primarily serves to prevent cybercrime, BIMI provides an additional layer that strengthens both a company’s security and marketing. BIMI utilizes the authentication of DMARC to provide the recipient with a visual confirmation that an email actually originates from the stated sender. The company’s brand logo is then displayed directly in the email preview in the inbox.
Our study found that 25% of the analyzed e-commerce companies have already implemented BIMI. This has enabled them to improve their security measures and enhance their brand awareness. For e-commerce companies that rely on online marketing and customer interaction, the increased brand visibility in the inbox is a crucial advantage.
Beyond the e-commerce sector, BIMI can also provide significant added value. The visual confirmation via a logo can help to build trust in the authenticity of emails and prevent important information from ending up in the spam folder.
The challenges and opportunities in implementation
Despite the numerous benefits, many companies face difficulties in implementing DMARC and BIMI correctly. Our study showed that 31% of e-commerce companies are using a “none” policy. This means that, although reports can be generated for suspicious emails, no active measures are taken against them. This approach does not provide sufficient protection against attacks, as unauthenticated emails can still be delivered.
For companies wishing to start with the implementation, there are some essential steps to bear in mind:
- SPF and DKIM check: Ensure that all outgoing servers are correctly configured with SPF and DKIM to provide a foundational layer of security.
- Setting the DMARC policy: We recommend that you first implement a “quarantine” policy and then gradually move to a “reject” policy to ensure comprehensive protection.
- BIMI implementation: Using BIMI requires a DMARC policy of “quarantine” or “reject”. In addition, a Verified Mark Certificate (VMC) is required to verify the brand logo.
- Regular reports and analyses: Utilize the DMARC reports to identify potential vulnerabilities and continuously optimize your security measures.
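The checks behind these steps can be automated. The following is an added example, not code from the study or from Nameshield: it classifies a DMARC TXT record by policy, reporting and the BIMI policy prerequisite. The sample records and example domains are constructed, and the handling of the pct tag goes beyond what the article covers.

```python
# Added example: audit DMARC TXT records for the gaps the article describes.
# The sample records and *.example domains are constructed, not study data.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit(txt):
    """Classify one record: policy, enforcement, reporting, BIMI prerequisite."""
    tags = parse_dmarc(txt or "")
    if tags is None:
        return {"policy": "missing", "enforced": False,
                "reports": False, "bimi_policy_ok": False}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0  # unparsable pct: treat as not enforced
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {
        "policy": policy,
        "enforced": enforced,
        # Without rua= no aggregate reports arrive, so abuse goes unseen.
        "reports": bool(tags.get("rua")),
        # The article's BIMI prerequisite; conservative: partial enforcement
        # (pct below 100) is treated as not meeting it. A VMC is still needed.
        "bimi_policy_ok": enforced,
    }

SAMPLES = {  # constructed records
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "store.example": "v=DMARC1; p=quarantine; pct=25",
    "brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
    "nodmarc.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, audit(record))
```

In practice the record string would come from a TXT lookup on _dmarc.<domain>; it is embedded here so the example runs offline.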
Results of our study on DMARC and BIMI implementation among the 100 largest e-commerce companies in Germany:
While there has been progress, many companies still lag behind current standards. Only 35% of companies have implemented a “reject” policy for DMARC, and just 25% use BIMI to enhance their brand presence.
The full German-language study on DMARC and BIMI implementation in e-commerce in Germany is available for download here: https://www.nameshield.com/de/e-mail-sicherheit-und-zustellbarkeit-im-e-commerce-sektor-in-deutschland/
Nameshield as the ideal partner for implementing DMARC and BIMI
Our team specializes in providing solutions for the implementation of DMARC and BIMI for companies of all sizes. Our long-standing expertise enables us to understand the specific requirements and challenges that companies face when introducing these technologies. Our range of services includes the setup of SPF and DKIM, the implementation of a robust DMARC policy, and the introduction of BIMI. With the help of our comprehensive reporting tools and personal consulting, we help companies to optimize their email security while also enhancing the efficiency of their marketing efforts. Many leading European companies already rely on our expertise.
Jochen Schönweiß is Head of Business Development Germany at Nameshield GmbH and is responsible for supporting customers who want to secure their domains and DNS systems. Mr. Schönweiß has over eight years of experience in the IT security sector, around five of them in customer service. This makes him very familiar with current market developments and customer needs. As DMARC is an important component for IT security and marketing, Jochen Schönweiß also deals with this topic extensively.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.