Back to blog
Threat Intel
Phishing Forensics

BIMI Records: A Red Teamer's Guide to OSINT Gold

A failed BIMI implementation is a powerful OSINT signal, pointing attackers to brand-conscious targets with exploitable gaps in their email security posture.

MailSleuth Research
Email Security Team
July 16, 20267 min read
An incomplete puzzle of a city, with the central logo-shaped piece lying beside it, symbolizing a failed or incomplete B

A company spending thousands on a Verified Mark Certificate (VMC) is making a statement. It signals investment, brand-consciousness, and a certain level of security maturity. But from an attacker's perspective, a company that *tries* to implement BIMI and fails is an even more interesting signal. It screams 'high-value target' and 'potential implementation gaps' in the same breath.

Brand Indicators for Message Identification, or BIMI, isn't just another email authentication checkbox. To even qualify, a domain must have a DMARC policy of `p=quarantine` or `p=reject`. This alone tells a red teamer that the target has moved beyond basic SPF and DKIM. They are playing in the big leagues.

This isn't about finding domains with no security. This is about finding domains that have invested heavily in their security and brand reputation, but left a crack in the wall. That crack is where we build a pretext. That's where the most effective phishing campaigns are born.

BIMI as an Attacker's Signal Filter

Before you send a single phishing email, you need to do your homework. Open-source intelligence (OSINT) is about separating the signal from the noise. We want targets that are valuable enough to have assets worth protecting but are potentially careless enough to have misconfigured something along the way. A BIMI record is a fantastic filter for finding exactly these targets.

Think about the prerequisites. RFC 7489 dictates that for a BIMI logo to be displayed by major mailbox providers, the domain's DMARC policy must be at enforcement (`p=quarantine` or `p=reject`). This simple fact weeds out millions of domains that are still stuck on `p=none` or have no DMARC record at all. It automatically elevates our target pool to organizations that take email authentication seriously.

Furthermore, the pursuit of a VMC—a digital certificate that proves ownership of a trademarked logo—is a financial and legal commitment. It's not something a small, insignificant company undertakes. Finding a domain with a VMC is like finding a company that just advertised, 'Our brand reputation is extremely important to us.' For a social engineer, that's a bright green light.

Scouting Technique 1: Bruteforcing 'default._bimi'

The most direct way to find BIMI adopters is to look for their public DNS records. The specification mandates a specific location: a TXT record at the subdomain `default._bimi` of the target domain.

A simple `dig` or `nslookup` command against a list of target domains is brutally effective. You're looking for a TXT record that starts with `v=BIMI1;`. A high-quality target will have a record containing both a location (`l=`) for the SVG logo file and an authority (`a=`) tag for the VMC.

default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://media.example.com/logo.svg; a=https://media.example.com/vmc.pem;"

Interpreting the Absence of a Record

An `NXDOMAIN` response isn't a dead end. It's just a data point. It means this specific domain likely hasn't deployed BIMI. This is useful for baseline analysis, but it's not where the interesting failures lie. The real value comes from records that exist but are flawed, or from cross-referencing this absence with other data, like Certificate Transparency logs.

Mass Scanning for Signals

Scaling this up is trivial. Using a list of domains from a source like the Alexa Top 1 Million or a curated list of Fortune 500 companies, a simple script can query for `default._bimi` records in parallel. The goal isn't just to get a 'yes' or 'no.' It's to categorize the responses: `NXDOMAIN`, `NOERROR` with no TXT record, or `NOERROR` with a parsable BIMI record. Each tells a different story about the target's technical journey.

Scouting Technique 2: Hunting VMCs in Certificate Transparency Logs

Relying on DNS alone is short-sighted. A company may have successfully acquired a VMC but failed to publish the corresponding DNS record. This is a five-star OSINT finding. It indicates a project that was funded, approved by legal, but fumbled by IT. To find these, we turn to Certificate Transparency (CT) logs.

VMCs are a specific type of X.509 certificate, and like all publicly trusted certificates, their issuance is logged in public CT logs. These logs are a firehose of data, but services like `crt.sh` allow us to query them effectively.

Querying for VMC Issuance

VMCs are issued by a small number of Certificate Authorities (like DigiCert or Entrust) and often contain specific identifiers in the certificate fields. You can search CT logs for certificates issued to your target domain that also match the profile of a VMC. For instance, you might look for certificates with specific OIDs (Object Identifiers) related to BIMI or with 'Verified Mark Certificate' in the description.

When you find a domain that has been issued a VMC but has no `default._bimi` DNS record, you've struck gold. This is a concrete signal of a stalled or failed implementation. The organization has spent the money and done the legal legwork, but they haven't stuck the landing. This makes them a prime candidate for a pretexting call or email. 'Hi, this is Mark from [trusted vendor]. We're tracking a compliance issue with your new email branding certificate and need to verify some DNS settings...'

Anatomy of a Failed BIMI Implementation

Finding a BIMI record is just the start. The next step is to analyze it for weaknesses. A misconfigured record is often more valuable than no record at all because it reveals specific technical oversights that can be used to build credibility in a phishing campaign.

The 'p=none' Paper Tiger

The most glaring weakness is a BIMI record on a domain with a `p=none` DMARC policy. While some providers might technically display the logo, the underlying security is a facade. The `p=none` policy tells receivers to take no action on failing messages. An attacker can spoof email from this domain, fail SPF and DKIM, and still land in the inbox.

In this scenario, the presence of the legitimate logo on real emails actually aids the attacker. It trains users to associate the logo with authenticity. When a well-crafted spoof (from a lookalike domain, for example) arrives without the logo, the user may not even notice the absence. The brand signal has been established, but the enforcement mechanism is disabled.

Broken SVGs and Hosting Gaffes

The BIMI standard is notoriously picky about the logo file. It must be an SVG Tiny P/S profile, served over HTTPS with the correct `image/svg+xml` content type, and cannot contain scripts or external links. A surprising number of organizations get this wrong. Running a quick `curl -I` on the SVG URL from the `l=` tag can reveal hosting errors, incorrect content types, or redirect loops.

This kind of mistake is a perfect pretext. An email from `support@brand-compliance-solutions.com` saying, 'We've detected your BIMI logo at [URL from DNS] is not rendering in Gmail due to a content type mismatch' is incredibly specific and believable. It demonstrates inside knowledge and offers a helpful solution, lowering the target's guard.

The Defensive Counterpart: Auditing Your Footprint

If you're on the blue team, this attacker-centric view should be a wake-up call. Every public security control is also a public statement. A misconfigured one is a statement of vulnerability. The defense against this type of reconnaissance is proactive and continuous auditing.

Don't just set and forget. Use external BIMI checker tools to validate your entire email authentication stack from an outside perspective. These tools simulate how a provider like Gmail or Apple Mail processes your record. They will check your DMARC policy for enforcement, fetch your BIMI record, download and validate your SVG, and verify your VMC chain.

This isn't a one-time check. Your SVG hosting can break. Your certificates can expire. Your DNS records can be accidentally modified during a migration. This validation needs to be part of a regular security hygiene process. An attacker is looking for the gaps that appear between the moment something breaks and the moment you notice.

The takeaway

Security protocols are not just shields; they are signals. Every TXT record you publish is OSINT. The complexity of modern standards like DMARC, ARC, and BIMI creates new opportunities for subtle misconfigurations that an attacker can easily spot and exploit. A failed BIMI roll-out tells a story of an organization with money and brand awareness, but a potential deficit in technical execution—the perfect target.

The takeaway is simple: audit your public-facing security controls as rigorously as an attacker would. Assume every DNS record is being scrutinized for weaknesses. Continuous monitoring of your entire email authentication posture, from SPF alignment to the content-type of your BIMI logo's server response, is no longer optional. Using a platform like MailSleuth.AI can automate this auditing process, but the principle is what matters: see yourself as the attacker sees you.

#bimi#osint#red-team#phishing#email-security#dns
MailSleuth Research
Email Security Team

We dissect phishing campaigns and email infrastructure so you don't have to.