
Hekikai Shinkin Bank
- BIMI
As a “Social Responsibility” to Protect Customers —
A 13-Month Journey of Pioneering BIMI/VMC Implementation in the Industry
Hekikai Shinkin Bank — Administrative Supervision Department, System Operations Management Group
Hekikai Shinkin Bank is a community-based financial institution headquartered in Anjo City, Aichi Prefecture.
As fraudulent transfer damages caused by spoofing emails became a social issue, the bank made an early decision to take action as a “social responsibility to protect customers,” and was a pioneer in the industry in implementing DMARC (anti-spoofing email configuration), Brand Indicators for Message Identification (BIMI), and Verified Mark Certificates (VMC). We spoke with them about the motivation for implementation, the challenges faced, and their future outlook.
About Email Clients and Delivery Tools
──What email clients or delivery tools are you currently using?
For business emails with business partners, we use a web email service. For email newsletters sent to customers, we use an email delivery service. We also send notifications from customer-facing services using the service’s built-in functions.
──What types of emails do you primarily send?
The most common emails are email newsletters to customers (announcements, campaign information, etc.).
About DMARC Configuration
──What prompted you to start working on DMARC configuration?
As fraudulent transfer damages from “spoofing emails” disguised to look like legitimate companies became increasingly common, strengthening countermeasures against spoofing emails became a social demand. In response to the tightening of email sending requirements by major email services (such as Google), we determined that early action was essential as a “social responsibility” to protect our customers.
──What were the initial hurdles or concerns when configuring DMARC?
We were using multiple email services, and it was necessary to identify all of them and configure appropriate settings for each service. There was a risk that misconfiguration could prevent even legitimate emails from reaching our customers and business partners, so careful verification was essential.
Background and Motivation for Implementing BIMI and VMC
──What was the background or trigger for considering BIMI implementation?
By raising the DMARC policy, we can eliminate spoofing emails impersonating our domain, but from the customer’s perspective, there was still the challenge of being unable to easily identify which emails are genuine. Therefore, to protect our brand and maintain customer trust, we decided to implement BIMI to display our brand logo on emails, enabling customers who receive emails to identify legitimate ones at a glance.
──What email-related challenges were you facing before implementing BIMI?
DMARC policy was not configured, which undermined the credibility of our emails. Since DMARC policy configuration is a prerequisite for BIMI implementation, this ultimately also led to strengthened security.
Decision Factors and Implementation Process
──Why did you choose to implement VMC?
This was because obtaining a “VMC” — which passes a rigorous identity verification audit by a third-party organization — was essential to display the brand logo through BIMI. Another reason was that we wanted to demonstrate our commitment to contributing to a safe digital society by being a pioneer in BIMI/VMC implementation in our industry.
──Please tell us about the schedule and steps leading to implementation.
We first identified all email services and configured appropriate settings (SPF, DKIM) for each service. In parallel, we configured the DMARC policy (p=none) and introduced a DMARC report analysis service to enable continuous monitoring of the current situation. While monitoring that the environment was ready, we proceeded in the following order: raising the DMARC policy (p=quarantine), implementing BIMI, and raising the DMARC policy (p=reject). From the initial identification of email services to the implementation of BIMI took approximately 13 months.
──Were there any challenges or particular efforts during implementation?
Since we started with absolutely no knowledge of SPF, DKIM, or DMARC, it took time to understand them. The DMARC report analysis service was a great help.
Changes and Effects After Implementation
──What changes or effects have you noticed since implementing BIMI/VMC?
We have not yet received specific direct feedback from customers, but we believe it is effective in improving customer trust and brand recognition. We have confirmed through the DMARC report analysis service that spoofing emails using our bank’s domain are not reaching customers due to the DMARC policy (reject), and we believe we are fulfilling part of our social responsibility.
Future Outlook and Message to Other Companies
──Do you have any advice for companies considering implementing BIMI?
Since setting up SPF, DKIM, and DMARC takes time, we recommend identifying (taking stock of) your email services, setting up the environment early, and visualizing the current situation through DMARC reports.
──How do you plan to utilize and expand BIMI going forward?
Some email services do not display BIMI. We hope that it will become displayable across more email clients.