JINUSHI Financial Advisors Inc.


“Email Spoofing is Not Someone Else’s Problem.” The Behind-the-Scenes Story of Implementing Brand Indicators for Message Identification (BIMI) to Balance Brand Visibility and Security.

In recent years, as email spoofing and phishing attacks have surged, JINUSHI Financial Advisors Inc. took decisive action with a strong sense of urgency, recognizing that these threats are a direct concern for every organization. Inspired by case studies from other companies, they focused on “BIMI (Brand Indicators for Message Identification)” as a solution to simultaneously enhance security measures and visualize their brand identity.

In this interview, we spoke with the project lead, who spearheaded this initiative and even went as far as obtaining a security certification specifically for this project.

Current Usage of Email Clients and Delivery Tools

──What kind of email delivery environments do you currently use?

We use multiple environments depending on the purpose. For internal communication and business correspondence with partners, we use Microsoft Outlook (Microsoft 365). For customer announcements, we utilize a dedicated email delivery system.
In particular, for customer-facing emails, we use a different domain from the one used internally. From the perspective of protecting our brand value, enhancing the reliability of this customer-facing domain had become a critical priority for us.

──Microsoft Outlook currently does not support BIMI logo display. Did you face any challenges with internal approvals or stakeholder explanations when deciding to implement it?

We explained that since a large majority of our individual customers use Gmail, implementing BIMI would have a significant impact on our primary target audience. Furthermore, because the importance of information security was already well-understood within the company, we were able to move from planning to execution very smoothly.

Regarding Emails Sent to Customers

──What types of emails do you mainly send?

We send out information about our services and important announcements to our customers. Because we frequently send emails to a large number of people, our top priority is ensuring that recipients recognize our emails as legitimate and feel comfortable opening them.

Regarding DMARC Configuration

──What prompted you to implement DMARC configuration?

With Google’s changes to its “Email Sender Guidelines” and the increase in phishing scams, strengthening the security of outgoing emails became an urgent necessity. Furthermore, the actual observation of phishing emails impersonating legitimate parties created a strong sense of urgency, making us realize that this was “not someone else’s problem.” This was the direct trigger. At this time, we decided to fully implement DMARC.

──Were there any hurdles or concerns when proceeding with the setup?

Although I had a basic understanding of SPF/DKIM/DMARC, I was very cautious about things like “Am I actually setting it up correctly?”, “Is there a risk that legitimate emails will stop being delivered?”, and “Have I identified all the sending paths?” Therefore, instead of immediately setting the policy to “reject,” I adopted a strategy of gradually strengthening it through monitoring.

Background and Motivation for Considering BIMI and VMC

──What led you to consider implementing BIMI?

The primary catalyst was our research into ways to further enhance email reliability after completing our DMARC implementation. While DMARC is a robust technical foundation, the security measures it provides are not directly visible to our customers.
When we came across case studies of other companies using BIMI, we were immediately struck by its dual benefits: it not only reinforces our security posture but also serves as a powerful branding tool by displaying our logo directly in the inbox. This ability to ‘visualize’ our commitment to security was a significant factor for us.

──Prior to implementing BIMI, what specific challenges were you facing regarding your email communications?

Our main challenge was that it was difficult to communicate to our customers that we were actively taking measures against email spoofing. Even with DMARC in place, several issues remained:
・It was not immediately obvious to recipients that the email was legitimate.
・We couldn’t fully eliminate customer anxiety regarding potential phishing attempts.
・There was a lack of visual presence and recognizability within a crowded inbox.
We felt that technical back-end security alone wasn’t enough to provide the peace of mind our customers deserve.

──Why did you choose to implement the Verified Mark Certificate (VMC)?

Obtaining a Verified Mark Certificate (VMC) was an essential requirement to ensure that our logo displays reliably across major email platforms like Gmail. By displaying our officially trademarked logo, our goal was to solidify both our brand protection and the overall trustworthiness of our communications.

Challenges and Solutions During Implementation

──Were there any particular challenges you faced or specific strategies you employed during the implementation process?

Initially, we faced a hurdle because our specific service logo had not yet completed its trademark registration. To overcome this, we developed a two-phase plan: first, we obtained the VMC using our group company’s already trademarked logo to get the system up and running.
Simultaneously, we proceeded with the trademark application for our service logo. This approach allowed us to start reaping the benefits of BIMI at an early stage. We plan to switch to the official service logo during the next certificate renewal.

Realizing the Impact and Benefits After Implementation

──Now that you have implemented BIMI, what specific changes or benefits have you noticed?

The most significant change is the increased reliability of our emails, which has effectively reduced concerns regarding spoofing. We also conducted an internal demonstration to show exactly how our logo appears in the inbox, and the feedback from within the company was overwhelmingly positive.

──What are your thoughts on the security benefits and the sense of safety this provides?

By elevating our DMARC policy to ‘reject’ and making that security layer visible through BIMI, we have been able to externally demonstrate that we are a company that takes security measures seriously.

We feel that this has evolved beyond a mere internal ‘defensive’ measure; it has become a proactive initiative that ‘broadcasts our trustworthiness’ to the world.

Future Outlook and Messages to Other Companies

──How do you plan to utilize or expand the use of BIMI in the future?

We will continue to balance brand enhancement with strengthened security through email, which remains a vital touchpoint with our customers. Furthermore, we intend to advocate for the implementation of BIMI across our group companies, striving to maintain and elevate the security standards of the entire group.

──What advice would you give to companies that are currently considering BIMI?

The most important first step is to gain a clear understanding of DMARC and conduct a thorough inventory of your email delivery paths as early as possible.

I believe the key to a safe and successful implementation is to avoid jumping straight to a strict policy. Instead, follow a phased approach: start with monitoring (p=none) and gradually strengthen the policy. This process ensures that you can transition securely and reliably without disrupting your legitimate email flow.
