BIMI Radar

An apex domain is a registered domain that does not contain a subdomain. E.g. example.com is an apex domain, email.example.com is not. You may also see this referred to as organizational domain, company domain or base domain.

We ingest and clean up a number of publicly available feeds to build a picture of active domains on the internet. This is augmented with domains we discover via our own research. Our goal is to cover all domains that are currently sending email though naturally, this is a continuously moving target. Our domain list grows every day as we observe new activity. If you have data you wish to contribute to our effort, please contact us on research@redsift.com.

It does. We characterize our growing list as the ‘useful internet’ and we test it continuously to ensure we are surveying all significant senders on the internet.

We exclude subdomains from the survey as their volume will distort the statistics significantly and make them hard to interpret. As a result, domains are only classified by signals we can observe on the apex domain. For example, if we encounter a domain where a mail sending subdomain is in DMARC policy=reject while the parent domain is DMARC policy=none, it will be classified as having a policy=none.

We check the domains SPF policy to verify if some form of email authentication is currently being used.

The Large Public Company lists are composed of the largest publicly quoted companies in some of the largest economies in the world. When a company is dual-listed on multiple exchanges, it appears only once under the country where it has most operations.

As per the working group, to qualify for BIMI a domain must advertise a DMARC policy of quarantine 100% or a policy of reject. We apply the same criteria to establish if a domain is ready for BIMI.

Domains are DMARC ready for BIMI if they are BIMI Ready or above. i.e. domains that have a VMC or BIMI record published are counted as being DMARC ready for BIMI. The BIMI Ready state does not count any domains that have actually deployed BIMI in some form.

While the BIMI specification allows for an SVG file to be published on the BIMI TXT record, most receivers do not currently utilize this value and the receivers that do, may not render it to end users without manual review. To ensure BIMI is not open to abuse, the VMC is the only supported mechanism by Google for example.

BIMI Readiness relies on domains achieving a DMARC policy of quarantine 100% or higher. Deploying a strong email security control such as this DMARC policy is a complex task and in the real world, administrators occasionally need to drop their authentication posture for a number of reasons such as critical newly discovered services or significant changes to their outbound email architecture. This is observed by us as a domain that is no longer able to qualify for BIMI.

When we analyze domains for their BIMI deployment status, we check that the VMC we have discovered is valid at the current point in time. VMCs that have expired and have not been updated in a manner we can detect are not counted in our survey. We also require the apex domain to advertize a BIMI compliant DMARC policy as per the "lowest common denominator" approach in the current BIMI implementation guidance.

We consider a domain BIMI with VMC on the date the DMARC posture of the domain advertizes a suitable policy as per the BIMI specification and has been issued a certificate that is valid at that moment in time.

Domains must also have a compatible DMARC policy to be considered BIMI Aware. For example as of March 2021, there are thousands of domains publishing a BIMI record where the domain is publishing a DMARC policy of p=none or worse. These will not be classified BIMI Aware as these domains are not aware they need to do DMARC first.

All DNS based technologies take time to propagate changes based on the TTLs specified and the state of various caches. In addition, while we monitor changes very regularly internally, we update the public facing data for this site slightly more slowly. At worst, it could take a day for data to appear hear. You can monitor the advertized "Last updated on" date/time we publish above our charts to establish the freshness of the data.

Not necessarily. The VMC may not be advertized on their DNS or officially accepted by receivers who may have instituted manual checks for a time. We do not verify that these specific logos are showing up in supported email clients.

A number of reasons could hide the VMC from view on this page.
1 - The VMC was issued some time ago. We only show the latest N entries on this page to keep things manageable and it may have aged out.
2 - The VMC was issued for a subdomain only and is not advertized on the apex domain. As per our other FAQ entries, we only track apex domains in this survey.
3 - The VMC was only advertized on a non ‘default’ BIMI selector. This is possible but not commonly observed.

We are always happy to contribute to causes that accelerate BIMI adoption, drop us a note with your request at research@redsift.com and we'll get back to you. Just don't forget the attribution.

We are a cybersecurity platform that focuses on email security and brand protection. We build cloud based, data driven solutions for our customers including SaaS that help brands deploy and maintain modern standards such as DMARC and BIMI. These technologies help make the Internet a safer place for all of us and we hope sharing data and raising awareness will increase the rate of adoption of these widely supported standards. We built BIMI Radar to share our survey findings with our industry partners and the broader email ecosystem.