Re: [Bimi] Independent BIMI-capable Email Client

"Brotman, Alex" <Alex_Brotman@comcast.com> Thu, 29 July 2021 19:45 UTC


I do have that app, but I haven’t yet pointed it at a platform utilizing BIMI.  I’ll make a note to give it a try.

From below:


  *   They aren't entirely clear on how (or why) to evaluate a logo referenced by the BIMI record and the one retrieved from a VMC.

What about the BIMI-Location header instance, if present? (assuming you want to trust that header, etc).  After that, I’d probably use the VMC if present.  Should we add an evaluation path to the core document?


  *   It's also not all that clear where to retrieve the BIMI logo when the email is sent from a subdomain, and match that up with the DMARC results.

I’m not sure I follow the issue here.  Is there some example that shows the questionable path?


  *   There's also the question about whether or not an independent client can/should trust the authentication results performed by the mailbox provider when deciding to display the BIMI logo.

If you go back to -00 of the core spec, there was an IMAP flag that was meant to be set (Section 8.6).  That was removed in -01.  I don’t recall the justification, but may have had to do with MUA workload.  Seems like the IMAP flag could be reintroduced (POP3 would be an issue though).  Or perhaps something akin to a DKIM signature signed by the inbound MTA that could be verified by the MUA.  The latter could potentially be reused though?


  *   There is a non-zero addition of processing required by the client to handle BIMI, leading to the question about what impact this may have on a client... and what efficiencies can be introduced with local caching (if any).

I’d think at least equivalent to the TTL of the BIMI DNS record, perhaps even up to the expiration of the VMC (though I could understand where a domain holder could refresh their VMC and change logos, etc).  I’m sure there’s a better answer somewhere in between.


--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
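The evaluation path and the trust-the-provider question discussed in the reply above, as an added Python example; it is not code from either message or from FairEmail. It assumes the BIMI TXT record lives at default._bimi.<domain> with l= (logo) and a= (VMC) tags, that a subdomain without its own record falls back to the organizational domain, and that the mailbox provider's MTA reports bimi=pass in an Authentication-Results header under its own authserv-id (RFC 8601); the DNS answers and message headers are constructed.

```python
import re

# Constructed DNS answers: owner name -> (TXT rdata, TTL seconds). The From:
# subdomain deliberately has no record so the organizational-domain fallback runs.
DNS = {
    "default._bimi.example.com": (
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem", 3600),
}

def bimi_lookup(from_domain, org_domain):
    """Try default._bimi.<From: domain>, then the organizational domain.
    Returns (domain_used, tag dict, ttl) or (None, {}, 0)."""
    for d in (from_domain, org_domain):
        rec = DNS.get(f"default._bimi.{d}")
        if rec and rec[0].startswith("v=BIMI1"):
            tags = dict(kv.strip().split("=", 1) for kv in rec[0].split(";") if "=" in kv)
            return d, tags, rec[1]
    return None, {}, 0

def trusted_bimi_pass(headers, trusted_authserv):
    """Believe bimi=pass only when the authserv-id (the text before the first ';',
    RFC 8601) names the provider this mailbox is fetched from; any other
    Authentication-Results header could have been added upstream and is ignored."""
    for ar in headers.get("Authentication-Results", []):
        if ar.split(";", 1)[0].strip() in trusted_authserv and re.search(r"\bbimi=pass\b", ar):
            return True
    return False

def choose_logo_source(headers, from_domain, org_domain, trusted_authserv, vmc_seconds_left):
    """Evaluation path from the reply: BIMI-Location set by a trusted MTA, else the
    VMC (a= tag), else the bare l= logo. The cache lifetime is the DNS TTL, capped
    by the VMC's remaining validity when the record carries one."""
    if not trusted_bimi_pass(headers, trusted_authserv):
        return {"display": False, "reason": "no bimi=pass from a trusted authserv-id"}
    used, tags, ttl = bimi_lookup(from_domain, org_domain)
    if used is None:
        return {"display": False, "reason": "no BIMI record for From: or org domain"}
    cache = min(ttl, max(0, vmc_seconds_left)) if tags.get("a") else ttl
    if headers.get("BIMI-Location"):
        src, url = "BIMI-Location", headers["BIMI-Location"][0]
    elif tags.get("a"):
        src, url = "VMC", tags["a"]
    elif tags.get("l"):
        src, url = "l=", tags["l"]
    else:
        return {"display": False, "reason": "record has neither a= nor l="}
    return {"display": True, "source": src, "url": url, "record_domain": used, "cache_seconds": cache}
```

The authserv-id check is what separates "results the provider produced" from "results anyone could have stamped on the message", which is the trust question the thread raises for an independent client.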

From: bimi <bimi-bounces@ietf.org> On Behalf Of Trent Adams
Sent: Friday, July 23, 2021 5:36 PM
To: bimi@ietf.org
Subject: [Bimi] Independent BIMI-capable Email Client


Since Gmail's announcement, more companies are starting to play around with BIMI (no surprise there).  And, as expected, the increased attention is helping to put more eyeballs on the experiment.

And while some of the major mailbox providers are adding BIMI support to their own mobile clients, I ran into a FOSS project run by a developer in the Netherlands who has already added BIMI to their independent mobile mail client.

If you get a chance, I'd suggest taking a look at their FairEmail implementation as they made some interesting choices:

https://email.faircode.eu/

The current Android client package can be downloaded from their GitHub repository:

https://github.com/M66B/FairEmail/releases


So far, they've already found some useful results from their experiment.  And now we're finally at a point where we can test the architecture (and pressure-test the specifications) beyond the handful of usual suspects.

For example, here're a few issues this work has already surfaced when interpreting the specifications [1] [2] [3]:


  *   They aren't entirely clear on how (or why) to evaluate a logo referenced by the BIMI record and the one retrieved from a VMC.
  *   It's also not all that clear where to retrieve the BIMI logo when the email is sent from a subdomain, and match that up with the DMARC results.
  *   There's also the question about whether or not an independent client can/should trust the authentication results performed by the mailbox provider when deciding to display the BIMI logo.
  *   There is a non-zero addition of processing required by the client to handle BIMI, leading to the question about what impact this may have on a client... and what efficiencies can be introduced with local caching (if any).

What I found most interesting was how the specifications assume a tight coupling between the client and the mailbox provider.  It definitely opens the question of whether it's possible (or recommended) for an independent client to support BIMI even for email received by mailbox providers that don't support it.  It's real-world interop testing like this that I hope will highlight issues that need to be discussed as the experiment continues.

Also, if anyone would be willing to test the FairEmail client, I'd be keen to hear if you think that the way it leverages BIMI matches your expectations.  Also, are there any others out there that might contribute their learnings to the conversation?

Anyway, thanks for any feedback you may have.  It'll be useful to hash out ideas for improvements and next steps on the list.

Cheers,
Trent

[1] https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi-02
[2] https://datatracker.ietf.org/doc/html/draft-fetch-validation-vmc-wchuang-00
[3] https://datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance-03


--
J. Trent Adams
Director, Ecosystem Security
Proofpoint

tadams@proofpoint.com