What Is BIMI and Why Does It Matter?

BIMI stands for Brand Indicators for Message Identification. It is an email standard that enables mail clients to display your verified brand logo directly in the inbox — next to the sender name, before the recipient even opens the message.

The impact is tangible. When recipients see a familiar logo alongside your domain name, they instantly know the email is legitimate. Studies from the AuthIndicators Working Group have shown that BIMI-enabled emails experience measurably higher open rates and improved brand trust. In an era where phishing and spoofing attacks are widespread, a visible brand logo acts as a trust signal that no subject line alone can provide.

Beyond trust, BIMI also serves as an enforcement milestone. Because BIMI requires your domain to have a fully enforced DMARC policy, implementing it forces organizations to complete their email authentication journey — meaning every legitimate sender is covered by SPF or DKIM, and no unauthorized source can spoof your domain successfully.

Quick summary: BIMI = your logo in the inbox + better open rates + proof that your email authentication is locked down.

Prerequisites Checklist

Before you publish a BIMI record, all of the following must be in place. Skipping any of these will cause BIMI to be silently ignored by receiving mail servers.

  • DMARC policy at p=quarantine or p=reject — a p=none policy does not qualify. This is the single most common reason BIMI fails.
  • SPF record published — a valid SPF record for your sending domain.
  • DKIM signing enabled — at least one DKIM key configured for your domain and aligned with your From address.
  • An SVG logo in SVG Tiny P/S format — a specific, constrained subset of SVG designed for safe rendering across mail clients.
  • Logo hosted on a public HTTPS URL — with CORS headers that allow access from mail provider infrastructure.
  • A Verified Mark Certificate (VMC) — strictly required for Gmail; optional for Yahoo and some others.

Step 1: Verify Your DMARC Setup

Your DMARC policy must be at enforcement level — either quarantine or reject. A DMARC record set to p=none only monitors; it does not authorize BIMI display.

A qualifying DMARC record looks like this:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; adkim=s; aspf=s;

The key element is p=reject (or at minimum p=quarantine). The rua tag pointing to an aggregate report address is strongly recommended — it is how you detect authentication failures before they affect deliverability.

Use the free DMARC Checker to look up your current DMARC record and confirm it meets the enforcement requirement. The tool will show you the exact policy value and flag any syntax errors that might prevent BIMI from working.

Not at enforcement yet? Moving too quickly to p=reject without understanding all your sending sources can break legitimate mail flows. DMARCFlow's reporting dashboard shows you exactly which sources are passing and which are failing, so you can promote to enforcement with confidence.

Step 2: Prepare Your SVG Logo

BIMI does not accept any SVG file — it requires the SVG Tiny Portable/Secure (SVG Tiny P/S) profile. This is a restricted subset of SVG that eliminates scripts, external references, and features that could pose security risks when rendered by mail clients.

SVG Tiny P/S requirements

  • The file must declare the SVG Tiny 1.2 profile in the root <svg> element.
  • File size must be under 32 KB (some providers enforce this strictly).
  • The logo must be square — a 1:1 aspect ratio is required.
  • No embedded scripts, no external font references, no animations.
  • All paths, shapes, and colors must be self-contained within the file.

A minimal compliant SVG header looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.2"
     baseProfile="tiny-ps"
     viewBox="0 0 100 100">
  <title>Your Brand Name</title>
  <!-- logo content here -->
</svg>

Once the file is ready, host it on a publicly accessible HTTPS URL on your own domain or CDN. The server must return Access-Control-Allow-Origin: * in its response headers so mail providers can fetch the logo without CORS errors blocking them.

Tip: Many graphic designers export standard SVG files that do not comply with the Tiny P/S profile. Use a BIMI SVG validator before publishing your DNS record — it will save you hours of debugging.

Step 3: Obtain a VMC Certificate (Optional but Required for Gmail)

A Verified Mark Certificate (VMC) is a special type of digital certificate that cryptographically ties your logo to your domain and your registered trademark. It is issued by Certificate Authorities that are authorized by the AuthIndicators Working Group.

Currently, the two approved VMC issuers are Entrust and DigiCert. Obtaining a VMC involves:

  1. Providing proof of trademark registration for your logo (in at least one major jurisdiction).
  2. Submitting your SVG Tiny P/S logo file for inclusion in the certificate.
  3. Completing domain validation with the CA.
  4. Receiving a .pem certificate file, which you then host on HTTPS and reference in your BIMI record via the a= tag.

VMCs are not free — they typically cost several hundred dollars per year. However, for Gmail — which accounts for over 1.8 billion users — a VMC is mandatory. Without it, Gmail will not display your logo even if your BIMI DNS record is perfectly formed.

Yahoo Mail, Apple Mail (in some configurations), and Fastmail can display BIMI logos without a VMC, though support varies by implementation version.

Step 4: Create and Publish Your BIMI DNS TXT Record

A BIMI record is a DNS TXT record published at a specific subdomain of your domain. The format is:

default._bimi.yourdomain.com  IN  TXT  "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem;"

Breaking down the tags:

  • v=BIMI1 — the BIMI version identifier. This must be the first tag.
  • l= — the HTTPS URL of your SVG Tiny P/S logo file. Leave this empty (l=;) if you want to explicitly opt out of BIMI display while keeping the record.
  • a= — the HTTPS URL of your VMC .pem file. Omit this tag entirely if you are not using a VMC.

An example record without a VMC (suitable for Yahoo and others):

default._bimi.yourdomain.com  IN  TXT  "v=BIMI1; l=https://cdn.yourdomain.com/brand/logo-bimi.svg;"

An example record with a VMC (required for Gmail):

default._bimi.yourdomain.com  IN  TXT  "v=BIMI1; l=https://cdn.yourdomain.com/brand/logo-bimi.svg; a=https://cdn.yourdomain.com/brand/vmc.pem;"

You can also create selector-specific BIMI records for different mail streams by replacing default with a selector name and referencing that selector in your email headers. For most organizations, the default selector is sufficient.

Use the free BIMI Record Generator to build your DNS record with the correct syntax — no manual editing required. Just enter your logo URL and optional VMC URL, and the tool generates the exact TXT record value ready to paste into your DNS provider.

Step 5: Verify with a BIMI Checker

After publishing your DNS record, allow a few minutes for it to propagate and then run a verification check. A BIMI checker performs a DNS lookup for your default._bimi record, validates the syntax, fetches the referenced SVG to confirm it is reachable and correctly formatted, and checks DMARC compliance on your domain.

Use the free BIMI Checker to validate your setup in seconds. The tool will surface the most common problems:

  • DMARC policy not at enforcement level
  • Logo URL returning a non-200 HTTP status or missing CORS headers
  • SVG file not conforming to the Tiny P/S profile
  • Incorrect DNS record syntax or missing required tags
  • VMC certificate URL unreachable or certificate expired
All checks passing? Your BIMI setup is live. Send a test email from your domain to a Gmail or Yahoo account and look for your logo in the inbox.

Which Email Providers Support BIMI?

BIMI adoption has grown significantly since 2022. Here is the current state of support across major providers as of 2026:

Provider BIMI Supported VMC Required? Notes
Gmail Yes Yes (mandatory) Displays a blue verified checkmark badge alongside the logo
Yahoo Mail Yes No One of the earliest adopters; logo shown without VMC
Apple Mail Yes (iOS 16+, macOS Ventura+) No (recommended) Support varies by iOS/macOS version and mail account type
Fastmail Yes No Full BIMI support including logo display
Outlook / Microsoft 365 Partial N/A Microsoft uses its own brand indicators system; BIMI not natively supported as of 2026
ProtonMail In progress TBD Announced support; rollout ongoing

Even if Outlook does not display your BIMI logo, publishing a BIMI record is still worthwhile. Gmail and Yahoo alone represent billions of inboxes where your brand will be visually reinforced on every delivered email.

How Long Does BIMI Take to Propagate?

DNS propagation for a new BIMI TXT record typically completes within a few minutes to a few hours, depending on your DNS provider's TTL settings. Most modern DNS providers propagate changes globally within 15–30 minutes.

Mail provider caching is the other variable. Gmail, for example, caches BIMI lookups. After a new or updated record propagates through DNS, it may take 24–72 hours before Gmail consistently shows your logo in all inboxes. This is normal and not an indication that something is broken.

Yahoo Mail tends to pick up BIMI changes faster, often within a few hours of DNS propagation. Apple Mail logo display depends on the client-side cache of individual devices and is harder to predict precisely.

To confirm propagation without waiting, use the BIMI Checker immediately after publishing. If the DNS record resolves correctly and the logo URL is accessible, the setup is technically complete — the delay is only in when providers start displaying it.

Keep BIMI Working: Monitor Your DMARC Reports

BIMI is not a set-and-forget configuration. Because BIMI depends entirely on your DMARC policy staying at enforcement level, any drift in your email authentication setup can silently break logo display — and you might not notice until weeks later.

Common scenarios that break BIMI after initial setup:

  • A new marketing platform or transactional email provider is added without configuring SPF or DKIM for your domain.
  • A DKIM key is rotated without updating the DNS record, causing DKIM failures.
  • An IT change accidentally modifies or deletes the DMARC record.
  • A subdomain is brought into scope with a misconfigured email setup that undermines the parent domain's authentication posture.

DMARC aggregate reports (RUA) tell you exactly what is happening: which sources are sending on behalf of your domain, which are passing or failing SPF and DKIM, and what volume is being processed under your current policy. Without parsing these reports, you are flying blind.

Make sure BIMI keeps working

DMARCFlow automatically collects, parses, and visualizes your DMARC aggregate reports. Get alerted when authentication failures spike, track every sending source, and stay at enforcement so your BIMI logo never disappears from the inbox.

Start monitoring your DMARC reports free

No credit card required. Full reporting dashboard from day one.

BIMI Setup Checklist: Quick Reference

Use this checklist before and after publishing your BIMI record:

  1. DMARC enforcedp=quarantine or p=reject confirmed via DMARC Checker
  2. SPF and DKIM passing for all legitimate sending sources
  3. SVG logo in SVG Tiny P/S format, under 32 KB, square aspect ratio
  4. Logo hosted on HTTPS with Access-Control-Allow-Origin: * header
  5. VMC obtained and hosted on HTTPS (required for Gmail)
  6. BIMI DNS TXT record published at default._bimi.yourdomain.com — use the BIMI Generator to create it
  7. Record verified with the BIMI Checker
  8. DMARC reporting active — aggregate reports flowing to a monitored inbox or dashboard

BIMI is one of the most visible wins you can achieve from your email authentication investment. Get the foundations right with DMARC enforcement, prepare a compliant SVG logo, publish the DNS record, and verify everything is working. Then keep it working by monitoring your DMARC reports continuously — because authentication failures are the fastest way to lose your inbox logo.