
The Kita-Nippon Bank, Ltd.
- BIMI
Implementing BIMI (Brand Indicators for Message Identification) as Part of Enhanced Security
The bank managed the elevation of its DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy internally and proceeded swiftly through to the implementation of BIMI.
The Kita-Nippon Bank, Ltd. Security Measures Team
Comprehensive Implementation of Security Measures
The Kita-Nippon Bank, Ltd. implements a wide range of security measures through a specialized department. As part of these comprehensive efforts, the bank introduced BIMI. With a deep understanding of the BIMI framework, it acted quickly for the benefit of its customers.
Background of DMARC Implementation
――What triggered your initiative to address email security?
We began our efforts in response to the changes in Google’s “Email Sender Guidelines.”
Background of BIMI Implementation
――What led you to decide on implementing BIMI, and what were your objectives?
We decided to implement it as part of our overall cyber security strategy. Both the Financial Services Agency’s (FSA) Cyber Security Self-Assessment (CSSA) and its guidelines require measures for email sender domain authentication (SPF/DKIM/DMARC). Because of our high level of awareness regarding these requirements, we were able to respond early.
――What were your expectations for BIMI?
Our objective was to visually demonstrate to email recipients that we are the “authorized sender,” thereby reducing the security risks associated with phishing emails. We believe that allowing recipients to distinguish official emails from spoofed ones at a glance not only serves as an effective anti-spoofing measure but also enhances our corporate image.
Current Status of Email Distribution
――How do you currently send emails to customers and system notifications?
While we do not send a large volume of emails (such as newsletters) to individual customers, we do communicate with business partners using the email domain where BIMI has been implemented. We are also in the process of migrating email notifications from various systems and services to the BIMI-enabled domain. Some systems still send from different domains, so we intend to transition those to the BIMI-enabled domain in the future.
Challenges During Implementation
――Were there any difficulties encountered during the implementation process?
The internal department handled the DMARC settings and the policy elevation. To facilitate this, we even developed and utilized our own proprietary tool to analyze DMARC reports. In this initiative, elevating the DMARC policy required a significant amount of time and effort. In particular, identifying all the email systems managed by the bank was a major task. We spent several months verifying the status of emails sent from systems used by various departments and investigating DMARC reports to ensure that legitimate emails were not being flagged as authentication errors.
Reasons for Choosing GMO Brand Security
――What was the deciding factor in choosing our company for the implementation?
The deciding factor was the speed with which you answered our questions regarding the registered trademarks required for the application, combined with the fact that your proposal came at exactly the right time while we were considering the implementation.
Future Outlook and Message to Other Companies
――How do you plan to expand the use of BIMI in the future?
Since some email transmissions still remain on different domains, we plan to consolidate those into the BIMI-enabled domain.
――What is your outlook for future security measures?
We will continue to strengthen our security measures on an ongoing basis. As part of our overall security initiatives, we will also continue to conduct internal training for our staff.
――Do you have a message for companies considering BIMI implementation?
We believe this is an initiative that will become essential in the future, so we recommend considering early implementation. If your corporate logo is already a registered trademark, implementing BIMI is relatively straightforward. Considering the security benefits for email recipients (customers) and the improvement in reliability, we believe the costs associated with implementation represent a very effective investment.