Interview: DMARC, BIMI and Bootcamps with GCA Director of Operations Shehzad Mirza

Today we are again talking to our Director of Operations, Shehzad Mirza. In addition to hearing about our next DMARC Bootcamp we’d like to understand a little more about some ongoing initiatives and standards surrounding email security.

Hello Shehzad and welcome back to the forum!

Thank you for having me.

As we know, DMARC is an important standard for the verification of sender email addresses, which is extremely effective through mass take-up. BIMI (Brand Indicators for Message Identification) is an emerging standard related to DMARC - what is it?

BIMI allows you to add a verified image to marketing-type email that is sent out using your domain. It’s a form of brand recognition, as people relate more to your organization’s logo. It is quite a process to get a verified image in place, and you must have DMARC at an enforcement level in order to start the process.

What do you mean by verified image?

Verified image means that you need to have a verified markup certificate associated with an approved image. This is not a self-serve certificate like SSL. In order to get a verified markup certificate, you need to work with either DigiCert or Entrust Datacard. It is quite a process, and you must validate who you are via a valid government ID (passport or driver's license).

That sounds interesting - what is the status of the pilot right now and what are your thoughts on its future?

Right now, Yahoo and Google are piloting the BIMI project. So there is a select number of organizations that are allowed to participate. I am not aware of timetables as to when the pilot will end.

But, that doesn’t mean the organization can’t start getting prepared for BIMI. Start the process and get the right components in place (DMARC at quarantine/reject, a verified image, certificate and DNS record). That way when BIMI goes live you are already set. You can get more information about BIMI here: https://bimigroup.org/

Thanks for that clarification.

Are there any other developments specific to DMARC since our last forum interview?

Denmark and Canada required the implementation of DMARC for government entities earlier this year.

There are also reports that by the end of 2019 there were close to 2 million domains that have implemented DMARC, which is great. I’m sure by now, the number has probably hit 2 million or gone over. (DMARC Policies Increase 300% over 2019 – dmarc.org)

BIMI and ARC are starting to become a focus now as well. BIMI most likely will help to drive the adoption of DMARC, but time will tell.

ARC is more for those that have mailing lists and mail forwards. It is not required for everyone to use or implement to help with email authentication.

The next Defend and Deliver Bootcamp will be taking place from 15 September (register by 8th). What can you tell us about that?

Building on the success of the previous Bootcamps our next one starts on September 15th. We initially started with one session at 8am EST, but due to the number of people, locations and email requests, we opened another session at 1pm EST.

We are seeing continued growth in DMARC implementations and progress through to reject from our previous alumni, which is great - we hope to replicate this on our next bootcamp!

The Fall 2019 bootcamp - current stats (Aug 27th) show that 212 organizations implemented DMARC out of 766 that started the bootcamp with no DMARC policy - 28% implementation rate.

The Spring 2020 bootcamp (which ended Jun 5th) - current stats (Aug 27th) show that 93 organizations implemented DMARC out of 487 that started the bootcamp with no DMARC policy - 19% implementation rate.

You can find out more and register for it here: DMARC Bootcamp Fall 2020 Registration

All resources and recorded sessions will be made freely available via the forum. So if you are unable to attend in person, you can still implement DMARC and get all the support you need via the DMARC forum: DMARC - GCA Community

We are also holding a special pre-Bootcamp webinar on 1st September alongside Pablo López-Aguilar Beltrán, Head of IT & Cybersecurity at APWG.eu, entitled ‘Phishing A Global Pandemic’, where we ask What is Phishing and Why is it so prevalent. You can register by following this link: https://register.gotowebinar.com/register/813188212862680587

Thanks Shehzad. I understand Bootcamp registrations are already high and that additional sessions are being scheduled to accommodate more global time zones. If anyone has any questions they’d like to ask, please feel free to post here or, if DMARC-specific, on that section of the forum.

Thank you Rodney! Happy to be here and help anyone with the implementation of DMARC.