E-mail is complicated, sure. But I’ve had it up to here with people who give up running their own server and then go on to vastly exaggerate how infeasible it is, in order to placate their own conscience. It’s not that they’ve gotten tired of doing it, oh no; (they say,) it’s entirely the fault of Google, Microsoft, etc. who’ve made it literally impossible to run your own e-mail server. Except it’s not impossible – lots of us do it, still. And now there’s one fewer of us, so the rest of us have to work that much harder when the next monopolizing standard comes along (BIMI, anyone?). Sure, you don’t owe us anything, but thanks for nothing when making these public rants; you are scaring away people who might still be inclined to help!
There's a lot that goes into a mail server stack, but it's no more complicated than k8s or other stacks these days. My preferred setup is rspamd/postfix/dovecot/roundcube. The docs are good and the mailing lists are active & archived for easy searching.
For a pre-packaged mailserver environment, take a look at mailcow or mailinabox
There's the catch - VMCs are not a mandatory part of BIMI. Though if you want to establish trust, someone has to be willing to put their name on the line and verify everything required. If you have a better approach in mind, I'm sure a lot of people would love to know.
Trust (by way of VMC) is the whole point of BIMI; it’s what’s in all the marketing copy: The fact that nobody else can send mail with your logo. If you merely wanted to send e-mail with your icon on it, that already existed: the X-Face header has been around for decades.
Absolutely not, BIMI is a way to provide brand identity for recognition/marketing purposes. Trust or security is not the standard's goal. Being able to trust the logo is an optional extra.
You are free to read the BIMI standard's section 2.1 containing its high-level goals.
The next section also literally says "This document does not cover the different verification and reputation mechanisms available, but BIMI relies upon them to be in deployed in order to control abuse." It's not a standard meant for establishing trust, it does not mandate requiring a VMC.
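The argument above turns on what the BIMI assertion record actually carries versus what a receiver chooses to demand. The following added example (not code from any poster here, nor from the BIMI project) parses the TXT record published at `<selector>._bimi.<domain>` and then applies two different receiver policies to the same record. It works from the tag layout in the BIMI draft (`v=BIMI1; l=<logo URL>; a=<VMC URL>`, with `l` required and `a` optional); the three records at the bottom are constructed sample data, and the DMARC result is passed in as a boolean rather than evaluated, since the example only models the display decision.

```python
"""Parse a BIMI assertion record and show how receiver policy, not the
record format, decides whether a VMC is needed.

Record layout (from the BIMI draft; assumption: this matches the version
your receiver implements):
    v=BIMI1; l=<https URL of the SVG logo>; a=<https URL of the VMC PEM>
"l" is required (an empty value means the domain declines to publish a
logo); "a" is optional. The draft also requires the message to pass DMARC
under an enforcing policy before any logo is shown; that upstream check is
represented here by the dmarc_pass flag.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class BimiRecord:
    version: str
    logo_url: str               # empty string = declined to publish
    authority_url: Optional[str]  # None when no "a" tag (no VMC offered)


def parse_bimi_record(txt: str) -> BimiRecord:
    """Split a BIMI TXT record into tags and validate the required ones."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value.strip()

    if tags.get("v") != "BIMI1":
        raise ValueError("missing or unsupported v= tag")
    if "l" not in tags:
        raise ValueError("missing required l= tag")

    logo = tags["l"]
    if logo and urlparse(logo).scheme != "https":
        raise ValueError("l= must be an https URL")

    # "a" is optional: absent or empty both mean "no VMC offered".
    authority = tags.get("a") or None
    if authority and urlparse(authority).scheme != "https":
        raise ValueError("a= must be an https URL")

    return BimiRecord("BIMI1", logo, authority)


def logo_display_decision(txt: str, require_vmc: bool, dmarc_pass: bool) -> str:
    """Receiver-side decision. require_vmc is the provider's own policy;
    the record format itself never forces it."""
    if not dmarc_pass:
        return "no-logo (DMARC did not pass with an enforcing policy)"
    try:
        rec = parse_bimi_record(txt)
    except ValueError as err:
        return f"no-logo (invalid record: {err})"
    if not rec.logo_url:
        return "no-logo (domain declined to publish)"
    if require_vmc and rec.authority_url is None:
        return "no-logo (receiver policy requires a VMC)"
    return "show-logo"


# Constructed sample records (not real domains or certificates).
WITH_VMC = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem"
NO_VMC = "v=BIMI1; l=https://example.com/brand.svg"
DECLINED = "v=BIMI1; l=;"


if __name__ == "__main__":
    for name, rec in (("with VMC", WITH_VMC), ("no VMC", NO_VMC), ("declined", DECLINED)):
        spec_only = logo_display_decision(rec, require_vmc=False, dmarc_pass=True)
        big_provider = logo_display_decision(rec, require_vmc=True, dmarc_pass=True)
        print(f"{name:10s} spec-minimum: {spec_only:45s} VMC-required: {big_provider}")
```

Running it shows the same `NO_VMC` record accepted by a receiver that implements only the draft's requirements and rejected by one whose policy demands a VMC. Validating the `a=` target (fetching the PEM, checking the chain against the VMC issuers and matching the embedded logo hash) is a separate step this example does not perform.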
Just like with e-mail, it doesn’t matter what’s in the standard, what matters is what the big providers actually do. If Google (Gmail), Microsoft, etc. will simply show any BIMI logo without VMC verification (which will never happen), then I will concede that BIMI is not a monopolizing standard. It’ll just be a tracking pixel.
Showing any BIMI logo is an absolutely unreasonable thing to demand from a large-scale BIMI implementation. It does not make it "monopolizing", I don't think you even know what the word means.
When the big providers all require VMC to show BIMI, then VMC is not optional, no matter what the spec says. Claiming it is optional is then disingenuous.
As I said in the linked post, logo verification is not a problem which can be solved. Identical trademarks can legitimately be issued in different fields, and both still be valid. Let’s say you are a brick manufacturer, and have paid an arm and a leg to a VMC certificate authority (previously a HTTPS EV certificate authority) for your logo, a nice iconic square logo. Then someone else can simply come along, register a flower shop in another country, use a different VMC issuer and get an identical logo issued to them. They can now send e-mail invoices to your customers with your logo on it, legitimately obtained, and the BIMI system will have trained your customers to trust your logo.
Any fix for this you try to implement will make the system even less usable for its stated purpose, or more suited to only large players and unusable in practice for smaller operators.
> When the big providers all require VMC to show BIMI, then VMC is not optional, no matter what the spec says. Claiming it is optional is then disingenuous.
What do you mean "no matter what the spec says", it is the spec we're talking about. It is what you argued against several times.
If you had started with saying "big providers' implementations of BIMI", then it wouldn't be wrong to say it's required but it's still not "monopolizing". Requiring you to prove your claims using a third unrelated party is simply not that.
> As I said in the linked post, logo verification is not a problem which can be solved. [...] and the BIMI system will have trained your customers to trust your logo.
There are caveats to each system. It does not mean the problem is not solvable to a large extent.
Secondly, it's pretty clear who to jail for the attack described. I'd say it's even a positive side of the system if that's the type of attacks we'd get.
> Any fix for this you try to implement will make the system even less usable for its stated purpose, or more suited to only large players and unusable in practice for smaller operators.
That's simply not true. The price of a VMC is really not that high for any business that doesn't only employ one man and his dog.
Still relevant, since we were discussing email: it would not need the whole "internet community" to agree, just a handful or two of providers could impose it in practice.
Standards are useless if major providers apply a different de facto norm. That behavior has a name: it is called a cartel. And on some matters, that is punishable by law.