Google’s addition to Gmail of something called Verified Mark Certificates (VMCs) is a very big deal in the arcane world of online marketing.
Related: Dangers of weaponized email
This happened rather quietly as Google announced the official launch of VMCs in a blog post on July 12. Henceforth companies will be able to insert their trademarked logos in Gmail’s avatar slot; many marketers can’t wait to distribute email carrying certified logos to billions of inboxes. They view logoed email as an inexpensive way to boost brand awareness and customer engagement on a global scale.
However, there is a fascinating back story about how Google’s introduction of VMCs – to meet advertising and marketing imperatives — could ultimately foster a profound advance in email security. Over the long term, VMCs, and the underlying Brand Indicators for Message Identification (BIMI) standards, could very well give rise to a bulwark against email spoofing and phishing.
I had a chance to sit down with Dean Coclin, senior director of business development at DigiCert, to get into the weeds of this quirky, potentially profound, security development. DigiCert is a Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services.
Coclin and I worked through how a huge email security breakthrough could serendipitously arrive as a collateral benefit of VMCs. Here are the main takeaways from our discussion:
DMARC’s dead end
To qualify to distribute emails carrying an approved VMC logo a company must first meet the BIMI standards. Among other things, BIMI requires that marketers implement an email security protocol called Domain-based Message Authentication Reporting and Conformance (DMARC) in its most rigorous form.
I first wrote about DMARC shortly after it was launched, with some fanfare, back in 2012. Back then, the big tech companies behind DMARC sought to cast it as something of a silver bullet designed to blunt Business Email Compromise (BEC) attacks and phishing campaigns. It was thought that wide implementation of the DMARC standard would help dramatically reduce BECs and the rising Tsunami of phishing attacks.
Yet here we are nine years later with BEC and phishing – attacks that pivot off spoofed email – continuing to flourish. What happened was that while a good number of enterprises and agencies did implement DMARC, most did so with the policy enforcement mechanism switched off.
“There are three policy choices for each DMARC record; the first is ‘policy equals none’,” Coclin explains. “It basically means DMARC does nothing, except collect information about who is sending spoofed emails. The vast majority of DMARC records out there today have a policy of none.”
The other two DMARC policy choices, Coclin noted, are: “policy equals quarantine” and “policy equals reject.” These selections result in any spoofed message, i.e. one lacking the proper DMARC designator, getting automatically set aside for further review – or rejected outright.
“A lot of people elected not to do DMARC enforcement because they felt they might lose emails or miss emails,” Coclin says.
As DMARC was settling into irrelevance, a vendor-neutral committee of companies formed in 2015 to hammer out a new marketing standard specifically to more uniformly distribute email carrying trademarked company logos. This was the BIMI steering committee.
The BIMI committee came up with a framework that enables email inboxes to display certified company logos on rigorously authenticated messages. BIMI gives the sender, let’s say it’s an athletic shoemaker or a streaming media service, very direct control over logos that get displayed in the emails mass distributed to customers.
“Let’s be clear about this,” Coclin points out. “Verified Mark Certificates in and of themselves are not meant to be a security tool. They’re meant to be a tool that marketers can use to get their brands out there and get brand impressions.”
BIMI sets forth a two-step process. First, the sending organization must implement DMARC – with an enforcement policy switched on. And then the company must also obtain a VMC that’s associated with that DMARC implementation.
“BIMI basically standardizes how logos will be handled worldwide; it covers the format of the logo and how it should look in an email address,” Coclin says. “This gives control of the logo to the senders; now they have a way to send out verified logos carried on authenticated messages.”
Security may not be the main point of BIMI and VMC, but this entire effort results in a win-win-win scenario, nonetheless, in this sense:
•The marketers win because once they implement DMARC and qualify to obtain a VMC, they can distribute logos in trustworthy email at very low cost – and even if only a tiny fraction of these email impressions contributes to the bottom line, it’s well worth it.
•The free email service providers win — by materially reducing the volume of spoofed email suffocating their operations.
•The public wins as email security materially improves. This will happen as DMARC, with enforcement policies switched on, finally begins to take hold.
“The real carrot here is that in order to get the Verified Mark Certificate, you must have the DMARC enforcement,” Coclin points out. “Without that, your logo is not going to show.”
Breathing new life into DMARC is just half of the security story. The other half is the fact that the email providers on the BIMI committee – Google, Verizon Media and Fastmail – have set a sky-high authentication bar for the issuing of VMCs. It’s similar to the steps website publishers are required to take to obtain high-assurance SSL digital certificates, but goes much, much deeper.
The company must provide proof of its existence and also document the legitimacy of the company domain, of course. Additionally, it must supply a copy of its logo in a specific format, along with proof that the logo has been trademarked by one of eight global trademark agencies.
But that’s not all. A company representative must also participate in a webcam session with a certificate authority, such as DigiCert; the rep must show identification and converse in a video session with a CA staffer.
And, finally, a company rep must “wet” sign certain documents in the presence of a notary public. “We have to select the notary to come to your office, or to meet you somewhere, to verify certain information, and when all of that is done, then and only then, can we issue that VMC to your organization,” Coclin says.
This very extensive workflow has been vetted over the past 12 months as part of a pilot program. As of the official July 12 launch of VMCs, some 50 prominent companies already have attained VMC logo issuing capabilities, including Netflix, CNN, Groupon, Comcast, GrubHub, Open Table, KAYAK, eHarmony, CapitalOne, the Royal Bank of Canada and Major League Baseball.
Consumers who use free email provided by Gmail, AOL, Yahoo Mail and Fastmail should very soon start seeing VMC-logoed email from these 50 companies, as well as from many other organizations going forward. Word has gotten out in the marketing community about VMC logos; Coclin says DigiCert received hundreds of inquiries about VMCs during the course of the pilot program.
I can just imagine the scenarios unfolding in marketing departments with word of the availability of VMCs spreading in their circles. The marketers go to the IT department and request the capacity to distribute VMC logos in email campaigns. The IT department then has to learn all about DMARC. The IT staff is then compelled to loop in the security team to see about implementing DMARC, with enforcement switched on.
“This is going to be a huge help in getting DMARC enforcement moving up the chain of command,” Coclin says. “This really is a strong incentive for everyone to move to DMARC enforcement. When you think about it, the email providers really want to see less spam and less phishing attempts. And so having DMARC enforcement helps everybody in the ecosystem.”
Sometimes good things do happen as a collateral benefit. Marketers are chomping at the bit to permeate email with trademarked company logos. To achieve this, DMARC with enforcement teeth must come into play. Clearly, the more traction VMC email logos get, the stronger email security will become. It’s an unexpected email security barometer; I’ll keep watch and keep reporting.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-how-the-emailing-of-verified-company-logos-actually-stands-to-fortify-cybersecurity/