DMARC + BIMI: How to Combat Email Fraud and Improve your Business Reputation

02 November 2020

By Paul Bendall


When it comes to email, one shared sentiment is often about its abundance. We all send and receive a lot of email these days, especially as employees and customers conduct more business remotely amidst the COVID-19 pandemic. However, the challenge of a full email inbox seems somewhat quaint when compared to the growing threat of business email compromise (BEC) and email fraud. According to Gartner, BEC attacks against businesses increased by nearly 100% in 2019, and a recent study from Coalition observed a 67% increase in the number of email attacks since the start of the pandemic.

As we explored last month, BEC attacks are perpetrated when attackers spoof a trusted identity to lure their targets into revealing confidential, sensitive information or reroute funds to criminal accounts. These attacks can be very difficult to detect and can have devastating effects. It’s a particularly troubling threat as email is not going away any time soon. One report even revealed a “specialised economy” that is emerging around email account takeovers. What makes email threats even more troublesome is that they’re not limited to leadership; everyone at your organisation is a target, from finance and HR units to new hires.

The good news is there are steps you can take to protect your employees and your organisation. In this post, we highlight DMARC and BIMI, two effective measures that, when combined, will help your business combat email fraud and improve your reputation. We also introduce you to our KA2 Smarter Email Authentication Assessment, a 30-day, accelerated and customised programme to assess, optimise and implement the appropriate email protocols across your business.

Be Deterministic: Domain-Based Message Authentication, or DMARC

DMARC stands for Domain-Based Message Authentication, Reporting and Conformance. It’s an email authentication protocol that mitigates email fraud attempts. Essentially, DMARC functions as a gatekeeper that allows or denies email based on the delivery policy you publish. DMARC is designed to be a powerful tool for email domain owners to protect their domain from unauthorised use, such as in phishing emails, email scams and BEC.

How it works: DMARC builds on your established email authentication standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and adds a layer of policy enforcement on top of them. DMARC acts as a signal of sorts: it uses the public Domain Name System (DNS) to tell receiving mail servers how individual emails claiming to come from your domain should be treated.

It’s effective because it’s deterministic, meaning that any sender (even those using trusted domains) that doesn’t meet the standard will be blocked by receivers under an enforced DMARC policy. The result? DMARC ensures that senders are legitimate and using trusted domains to email employees, customers and other key stakeholders, like partners and vendors.

DMARC operates at the domain level, so under an enforcing policy any message that fails authentication is blocked, whether it carries attachments, suspicious URLs or no malicious content at all. It’s no surprise that we’re seeing more and more initiatives to encourage DMARC adoption at businesses.
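The receiver-side decision described above, written out as an added example (this is not KA2's code or any mail server's implementation): it parses a DMARC TXT record, checks whether the SPF or DKIM identifier is aligned with the visible From domain, and returns the disposition the published policy asks for, following the rules in RFC 7489. The DNS lookup is replaced by a constructed in-memory table, the organisational-domain logic is a deliberate approximation, and all domains and results are made up for the example.

```python
"""DMARC disposition evaluator.

Added example (not KA2's code): implements the receiver-side decision that
the post describes, following the rules in RFC 7489. The DNS lookup is
replaced by a constructed in-memory table so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed TXT answers standing in for real _dmarc.<domain> DNS lookups.
FAKE_DNS: Dict[str, str] = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "pct=100; rua=mailto:dmarc-rua@example.com"),
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'tag=value; tag=value' into a dict; whitespace is ignored, unknown tags kept."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Approximation: the last two labels. Real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_dmarc(from_domain: str) -> Tuple[Optional[Dict[str, str]], bool]:
    """Find the policy record: exact domain first, then the organizational domain.

    Returns (tags, is_subdomain); is_subdomain=True means the 'sp' tag governs.
    """
    record = FAKE_DNS.get(f"_dmarc.{from_domain.lower()}")
    if record:
        return parse_tags(record), False
    record = FAKE_DNS.get(f"_dmarc.{organizational_domain(from_domain)}")
    if record:
        return parse_tags(record), True
    return None, False


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # raw SPF verdict for the envelope MAIL FROM domain
    spf_domain: str    # the domain SPF was evaluated against
    dkim_result: str   # raw DKIM verdict
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if unsigned)


def evaluate(msg: AuthResults, sample_roll: int = 0) -> str:
    """Return the disposition: 'none' (deliver), 'quarantine', 'reject', or 'no-policy'.

    sample_roll (0-99) stands in for the receiver's random draw used with pct<100:
    a message whose roll is at or above pct gets the next-less-severe policy.
    """
    tags, is_subdomain = lookup_dmarc(msg.from_domain)
    if tags is None or tags.get("v") != "DMARC1":
        return "no-policy"

    spf_pass = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_pass = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_pass or dkim_pass:
        return "none"  # DMARC pass: at least one aligned, authenticated identifier

    policy = tags.get("p", "none")
    if is_subdomain:
        policy = tags.get("sp", policy)
    pct = int(tags.get("pct", "100"))
    if sample_roll >= pct:  # message not selected for the full policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    spoof = AuthResults("example.com", "fail", "attacker.example", "none", "")
    print("spoofed example.com ->", evaluate(spoof))          # reject
    spoof_net = AuthResults("example.net", "fail", "attacker.example", "none", "")
    print("spoofed example.net ->", evaluate(spoof_net))      # none: p=none gives no protection
```

The last two lines of the usage section make the point the post returns to later: a failing message from a domain whose record still says p=none is delivered exactly as if DMARC were absent.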


While DMARC offers an effective layer of protection for your business email, implementing it can be a complex process, even for a well-resourced technology team. First, implementing DMARC will require a combined, organisation-wide effort. Without a clear definition and process around DMARC policy and governance, the project risks stalling.

Further, if the configuration is not accurate, the DMARC policy will remain at none (p=none), which leaves your business with no protection (and in a precarious situation if your business has the impression that DMARC is indeed properly functioning). A basic analogy might be a high-quality lock on an office building; it can prevent physical intruders, but only when the door is closed and the lock is properly engaged. DMARC can only protect your organisation’s email domains once an enforcing quarantine or reject policy is in place.

Another reason that implementing DMARC is challenging relates to email volume: DMARC reports are voluminous and often lack clarity, adding confusion and time to the process. While there are some DMARC parsing tools available to make sense of things, often the best solution is to partner with a third party. A trusted vendor with DMARC expertise can help your team identify legitimate senders and properly configure the protocol for maximum protection.
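To show what "identifying legitimate senders" from those reports involves, here is an added example (not one of the parsing tools the post mentions, nor KA2's tooling) that reads a DMARC aggregate report in the XML schema of RFC 7489 Appendix C and sorts each sending source into three buckets: sources that pass DMARC, sources that authenticate but are not aligned with the From domain (typically a legitimate third-party mailer that still needs SPF or DKIM alignment), and sources that authenticate nothing at all. The report, its IP addresses and its counts are constructed for the example.

```python
"""Summarise a DMARC aggregate (RUA) report.

Added example, not a KA2 tool: parses the XML schema from RFC 7489 Appendix C
and classifies each sending source so legitimate-but-misconfigured senders
can be told apart from unauthenticated ones. The report below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample report; real ones arrive as gzip/zip attachments to the rua= address.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1604188800</begin><end>1604275200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulkmailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>203-0-113-99.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> str:
    """Label a <record> by what its authentication results say about the source."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "dmarc-pass"               # aligned SPF or DKIM: an authorised sender
    raw_results = record.findall("auth_results/dkim") + record.findall("auth_results/spf")
    if any(r.findtext("result") == "pass" for r in raw_results):
        return "authenticated-unaligned"  # likely a legitimate third party whose alignment needs fixing
    return "unauthenticated"              # nothing passed: unknown sender or spoofing


def summarise(report_xml: str) -> Dict[str, object]:
    """Per-source breakdown plus message totals per class for one report."""
    root = ET.fromstring(report_xml)
    sources: List[Dict[str, object]] = []
    totals: Dict[str, int] = {}
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        label = classify(rec)
        totals[label] = totals.get(label, 0) + count
        sources.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "class": label,
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "totals": totals,
        "sources": sources,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    print(f"{summary['reporter']} -> {summary['domain']} (p={summary['published_policy']})")
    for s in summary["sources"]:
        print(f"  {s['source_ip']:<15} {s['count']:>5}  {s['class']}")
    print("  totals:", summary["totals"])
```

Two practical notes: reports come from untrusted parties, so a production parser should use defusedxml rather than the standard library's ElementTree directly, and the "authenticated-unaligned" bucket is the one to work through before moving from p=none to enforcement, because those are the senders that would start being quarantined or rejected.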

What is BIMI and how does it improve brand reputation?

BIMI, which stands for Brand Indicators for Message Identification, is a new standard that allows participating email clients to display your approved logo next to your messages in a recipient’s inbox. This helps show recipients that an email does indeed come from a verified sender. BIMI works alongside DMARC (and other measures) to signal to others that you are, indeed, you.


The BIMI boost: Without the BIMI standard in place, email clients will display a generic or placeholder logo. As such, recipients may struggle to recognise your brand at a glance. Displaying your brand identity next to your emails helps build user trust and prevent email fraud. It also builds brand awareness and boosts engagement rates. So, if you leverage email marketing campaigns for new or repeat business, BIMI might be an especially smart and timely addition to your cybersecurity strategy.

Combined, DMARC, BIMI and other authentication methods make for more reliable email deliverability and a better reputation overall. BIMI can also be tricky to implement due to the new standards and exacting requirements on the logo format. Furthermore, it’s intertwined with DMARC: since brand logos are displayed only for authenticated messages, you must have DMARC at quarantine and preferably reject in order to use BIMI. If you seek assistance to implement DMARC, we suggest you have the same experts set up BIMI as well.
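The DMARC prerequisite just described can be checked before any logo work starts. The following is an added example (not KA2's tooling): it parses a domain's DMARC record and its BIMI assertion record, published at default._bimi.<domain>, and lists what would still stop a BIMI-aware mailbox provider from showing the logo. The DMARC requirements encoded here (p=quarantine or p=reject, pct=100 when quarantining, and no sp=none) and the file-extension check on the logo URL are this example's reading of the BIMI draft, so treat them as assumptions; the records are constructed.

```python
"""BIMI readiness check.

Added example (not KA2's tooling): given a domain's DMARC record and its BIMI
assertion record, report what still blocks logo display. The DMARC
prerequisites encoded here and the .svg extension heuristic are this
example's reading of the BIMI draft specification, not a quote from it.
The records below are constructed.
"""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed records, as they would be published at _dmarc.example.com and
# default._bimi.example.com respectively.
READY_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
READY_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"


def parse_tags(record: str) -> Dict[str, str]:
    """'tag=value; tag=value' -> dict; DMARC and BIMI records share this shape."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_issues(dmarc_record: str) -> List[str]:
    """Reasons the DMARC policy would stop BIMI from applying (assumed requirements)."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    issues: List[str] = []
    p = tags.get("p", "none")
    if p not in ("quarantine", "reject"):
        issues.append(f"p={p}: BIMI needs p=quarantine or p=reject")
    if p == "quarantine" and tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: quarantine must apply to 100% of mail")
    if tags.get("sp") == "none":
        issues.append("sp=none: subdomain policy must not be none")
    return issues


def bimi_issues(bimi_record: str) -> List[str]:
    """Reasons the BIMI assertion record itself is unusable."""
    tags = parse_tags(bimi_record)
    if tags.get("v") != "BIMI1":
        return ["no valid BIMI record (v=BIMI1 missing)"]
    issues: List[str] = []
    logo = tags.get("l", "")
    if logo == "":
        return ["l= empty: this record declines BIMI participation"]
    parsed = urlparse(logo)
    if parsed.scheme != "https":
        issues.append("l= logo URL must use https")
    if not parsed.path.lower().endswith(".svg"):
        issues.append("l= should point at an SVG (Tiny PS profile) file")  # extension heuristic
    evidence = tags.get("a")
    if evidence is not None and evidence != "" and urlparse(evidence).scheme != "https":
        issues.append("a= certificate URL must use https")
    return issues


def bimi_ready(dmarc_record: str, bimi_record: str) -> List[str]:
    """Empty list means nothing in either record blocks logo display."""
    return dmarc_issues(dmarc_record) + bimi_issues(bimi_record)


if __name__ == "__main__":
    print("ready:", bimi_ready(READY_DMARC, READY_BIMI))
    print("p=none:", bimi_ready("v=DMARC1; p=none", READY_BIMI))
```

Note that even an empty issue list only means the DNS side is in order; mailbox providers may additionally require a Verified Mark Certificate (the a= tag) and validate the SVG itself before showing anything.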

Implementing proper email security is a critical component of your overall cybersecurity and business continuity strategy. Given the complexities of DMARC implementation, we’ve made it simple to accelerate your email security with our KA2 Smarter Email Authentication Assessment. This 30-day programme utilises the KA2 Compliance Workflow Engine for policy management as well as our experts’ domain knowledge to deliver an accelerated assessment of your existing email protocols, optimise where appropriate and implement the recommended message authentication, including DMARC and BIMI.

Please get in touch today to book your assessment and boost your email security.