What is BIMI? Brand logo display in the inbox, explained

BIMI — Brand Indicators for Message Identification — is a DNS-based email standard that tells participating mailbox providers which logo to display next to messages you send. When BIMI is correctly configured, your logo appears in the avatar slot in Gmail, Apple Mail, Yahoo Mail, and a growing list of other providers — only on messages that pass authentication.

It is a small visual change with a large operational story behind it. Getting BIMI working is a forcing function for getting DMARC right, which is the actual security win.

What BIMI looks like

In a Gmail inbox without BIMI, an email from Acme Corp shows a default avatar — the first letter of the sender name in a colored circle, or a generic mail icon. With BIMI, the same message shows Acme's logo in that slot. Users see it before they open the message. It is the same affordance Twitter used to give to verified accounts before that program changed — a passive trust signal embedded in the existing UI.

BIMI does not change the body of your email. It does not show on every device — Outlook, ProtonMail, and several others either don't support BIMI yet or have their own brand-display programs. It does not display on messages that fail DMARC. It does not display on messages from a domain that hasn't enrolled.

What BIMI is not

• Not authentication. BIMI relies on DMARC having already authenticated the message. If DMARC fails, BIMI cannot display. BIMI on its own provides no security.
• Not a deliverability boost. Mailbox providers have not publicly committed to inbox-placement preference for BIMI senders. Anecdotal reports vary. Plan as if BIMI will not affect whether your mail lands in spam — it might, but treat that as a bonus.
• Not a replacement for DMARC. The opposite. BIMI requires DMARC at quarantine or reject — strict mode — and is a way to get organizational stakeholders to care about completing the DMARC rollout that engineering already wants to do.

How BIMI works

Three DNS records and one image file. The key parts:

1. The BIMI DNS record

Published at default._bimi.<your-domain> as a TXT record. Example:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

Tags:

• v=BIMI1 — version, always BIMI1.
• l= — URL of the logo file.
• a= — URL of the Verified Mark Certificate (VMC). Required by Gmail and Apple Mail; Yahoo also enforces. Without a valid VMC the logo will not display in those providers.

The default record applies to every message from the domain. You can publish provider-specific records (e.g., marketing._bimi) and have your sending platform select which one applies via a BIMI-Selector header — useful if your transactional and marketing mail use different brand marks.

2. The SVG Tiny PS logo

Not any SVG. BIMI requires the SVG Tiny Portable / Secure (SVG Tiny PS) profile — a constrained subset of SVG with no script, no animations, no external references, no embedded base64 images. The mark must be a square aspect ratio. The file must be served from an HTTPS URL with no redirects.

Most logos need to be redrawn or simplified to comply. The tooling has matured; vendors offer paid services to do the conversion if your designer doesn't want to.

3. The Verified Mark Certificate (VMC)

A VMC is an X.509 certificate, like the one your TLS uses, except issued by a Certificate Authority that specifically verifies trademark ownership. Currently issued by DigiCert and Entrust. The CA confirms with a national trademark registry (USPTO, EUIPO, etc.) that the logo on file matches your registered trademark. The certificate is then bound to your domain and the logo file URL.

Cost: $1,500–$2,500 per year, valid for one year, renewable. Some CAs offer multi-year discounts.

Common Mark Certificates (CMCs) are a less-strict variant introduced by Google in 2024 that does not require a registered trademark — useful for logos that are distinctive but not legally trademarked. Support is more limited than VMCs and the cost is comparable.

4. DMARC at quarantine or reject

BIMI requires that the sending domain has DMARC at p=quarantine or p=reject, with pct=100. DMARC at p=none does not qualify. This is the rollout gate that catches most organizations — they publish the BIMI record, see the logo not display, and discover their DMARC has been at p=none for two years because nobody finished the rollout.

Why BIMI exists

The historical problem: phishing email is structurally hard to distinguish from legitimate email at the visual layer. Receivers had no way to surface "this message passed authentication" except via the small lock icon nobody looks at. BIMI is the email industry's answer — a high-visibility brand signal that can only be used by senders who have completed the authentication chain.

For brands, BIMI is the carrot that gets DMARC enforcement past the finish line. Many large enterprises moved from p=none to p=reject specifically because their marketing or brand teams wanted BIMI and that required strict DMARC.

What you need before enrolling

Working backward from the BIMI record:

1. DMARC at p=quarantine or p=reject, pct=100. This usually means a 6–12 month rollout from p=none with aggregate-report monitoring. Plan for that runway.
2. A registered trademark on the logo if you're going for a VMC (the most-supported option). National registrations are valid; the USPTO and EUIPO are the most commonly accepted.
3. The logo redrawn as SVG Tiny PS. A vector designer or one of the BIMI-specific conversion services.
4. An HTTPS URL under your domain to host the logo. Cannot redirect. Must serve Content-Type: image/svg+xml.
5. A VMC purchased and validated. DigiCert and Entrust are the two issuers as of 2026.
6. The DNS record published. TXT at default._bimi.<your-domain> with the v, l, and a tags.

Provider support

As of mid-2026, the main mailbox providers handling BIMI:

• Gmail — full BIMI support including VMC validation. The largest receiver to display BIMI logos.
• Yahoo Mail — full support.
• Apple Mail (iCloud + iOS Mail) — supports BIMI with VMC and Apple-specific behaviors around logo caching.
• AOL — same engine as Yahoo, full support.
• Fastmail — supports BIMI without requiring a VMC, displays the logo if DMARC passes.

Microsoft 365 and Outlook.com do not currently support BIMI. They have their own "Brand Send" program that overlaps in goal but uses different infrastructure.

How to test BIMI

Once your record is published:

1. Send a message from your authenticated domain to a Gmail address you control.
2. Open the message. Look at the avatar slot — your logo should appear.
3. If it doesn't, click the message details. Gmail will show "via" and authentication status. If DMARC failed for any reason, BIMI cannot display.

Common failure modes for "logo not appearing":

• DMARC is at p=none. Strengthen first.
• DMARC pct<100. Set to 100.
• VMC URL returns a 404 or wrong content type.
• SVG file has prohibited features (script, embedded images, viewBox not square). Validate at any of the public BIMI inspector tools.
• Logo is cached at the receiver. Gmail caches BIMI assets aggressively; new records can take up to 24 hours to appear.

Set up BIMI monitoring

DomainCare watches default._bimi.<your-domain> on the same cadence as your other email deliverability checks. The check verifies the record's presence, parses the l= and a= tags, fetches and validates the SVG, and checks that the VMC at the a= URL is currently valid. You get an alert if the VMC expires, the logo URL stops responding, the SVG fails validation, or the BIMI record is removed entirely.

The expiry alert matters most. VMCs are annual; if your renewal slips, the logo silently disappears from inboxes everywhere — which most senders don't notice until the brand team flags it weeks later.

Related

• SPF vs DKIM vs DMARC — the three records BIMI depends on.
• What is DMARC? — the policy gate BIMI requires.
• Email deliverability check reference — what DomainCare's email deliverability check looks at on every run.

Common questions

Do I need a VMC, or is a CMC enough? A VMC requires a registered trademark and is supported by every BIMI provider. A CMC (Common Mark Certificate, introduced by Google in 2024) does not require a registered trademark but has limited provider support — Gmail honors them, others vary. Start with a VMC if you have a registered trademark; otherwise a CMC is a reasonable interim.

Why does Gmail show no logo even though everything is configured? Three most common causes: DMARC not at quarantine/reject, VMC URL returns wrong content-type, or BIMI cache hasn't refreshed yet. Check the message details in Gmail — it surfaces the specific BIMI failure reason.

Does BIMI work for transactional mail from third-party senders (Sendgrid, Mailgun, etc.)? Yes if and only if your DMARC passes for the sending domain. Most transactional providers send from a subdomain like mail.yourbrand.com — you publish the BIMI record on that subdomain. The logo displays as long as the subdomain's DMARC is at quarantine/reject.

Is BIMI worth $1,500/year? Depends entirely on whether your customers see your email and whether visual brand recognition affects open rates. For consumer brands with high email volume, the answer tends to be yes. For B2B vendors with low-volume technical email, the answer is usually no — but the DMARC enforcement BIMI forces is worth the work regardless of whether you ever publish the BIMI record.