schedule 6-min read

BIMI (Brand Indicators for Message Identification)

Display your verified brand logo in the inbox. The complete BIMI implementation guide — SVG requirements, VMC certificates, DNS record syntax, and email client support.

01

tips_and_updates
Key Takeaways

01

BIMI displays a verified brand logo next to a sender’s name in the inbox, but only on messages that already pass DMARC.

02

BIMI requires a DMARC policy of p=quarantine or p=reject at pct=100 — observation mode is not enough.

03

Logos must be in SVG Tiny PS (Portable Secure) format. Standard SVG exports from design tools won’t pass validation.

04

A Verified Mark Certificate (VMC) — and increasingly a Common Mark Certificate (CMC) — is required by Gmail and Apple Mail for logo display.

02

What is BIMI?

Brand Indicators for Message Identification (BIMI) is the standard that lets a verified brand logo appear in the inbox beside authenticated messages. BIMI is not, on its own, an authentication protocol — it is a visual reward layered on top of a strong DMARC deployment. When a receiving mail provider sees a passing DMARC message from a BIMI-enabled domain, it fetches the brand’s logo from a DNS-published URL and renders it as the avatar in the inbox view.

BIMI was developed by the AuthIndicators Working Group and is in active use by Gmail, Yahoo Mail, Apple Mail (iOS 16+ and macOS 13+), Fastmail, and several smaller providers. Microsoft 365 has been piloting BIMI display since 2023; rollout is still partial.

03

BIMI prerequisites

Before you publish a BIMI record, every one of the following must be true:

  • A passing DMARC policy. Your domain must publish p=quarantine or p=reject at pct=100. Observation mode (p=none) disqualifies you, and so does a fractional rollout.
  • Trademark ownership. The logo you publish must be a registered trademark in a jurisdiction recognized by the certificate authorities (USPTO, EUIPO, JPO, and a handful more).
  • An SVG Tiny PS file. The logo must be in the BIMI-specific Portable Secure SVG profile — a stripped-down subset of SVG 1.2 Tiny.
  • HTTPS hosting. The logo file must be served over HTTPS from a stable URL. Most teams host it on a dedicated subdomain (e.g. brand.example.com/logo.svg).
  • A Verified Mark Certificate. Gmail and Apple Mail will only display logos that come with a valid VMC (or, since late 2024, a CMC) chained to a recognized CA.
04

Publishing a BIMI DNS record

A BIMI record is a DNS TXT record at default._bimi.{your-domain}. The default selector covers all mail from the domain; in advanced setups you can publish per-selector records that match the DKIM selector used to sign each message.

BIMI record example

v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/cert.pem;

05

BIMI record tags reference

vVersion (required)
Currently always BIMI1. Future versions will keep this slot.

lLogo location
HTTPS URL of the SVG Tiny PS logo. Required unless you intend the record to act as a “no logo for this selector” override (in which case l= is left empty).

aAuthority evidence (VMC / CMC)
HTTPS URL of the PEM-formatted certificate file. Optional under the spec, but required in practice — Gmail and Apple Mail will not display a logo without it.

06

Logo file requirements

  • Format: SVG Tiny Portable Secure. Not standard SVG. The file must declare the baseProfile="tiny-ps" attribute on the root <svg> element.
  • Aspect ratio: 1:1. The viewport must be square. Most receivers crop to a circle, so keep the meaningful artwork inside an inscribed circle.
  • File size: under 32 KB. Optimize aggressively. Anything larger and many receivers refuse to fetch it.
  • No scripts, links, or external references. The SVG file must be fully self-contained. No <script>, no <a>, no xlink:href to remote resources.
  • Solid background. Transparency is technically allowed but discouraged — the rendered avatar can sit on either a light or dark UI surface depending on the recipient’s theme.
  • Trademark match. The artwork must match the mark on file with the VMC issuer. Even minor revisions invalidate the certificate.
07

Verified Mark Certificates (VMC) and Common Mark Certificates (CMC)

A Verified Mark Certificate (VMC) is a specialized X.509 certificate that binds your registered trademark to your domain. It is issued by a certificate authority accredited by the CA/Browser Forum’s Mark Certificate Working Group — currently DigiCert and Entrust. Issuance involves a trademark verification step that can take several weeks.

Common Mark Certificates (CMC), introduced in 2024, lower the bar by accepting marks established through prior use rather than formal registration. CMCs are accepted by Gmail but not yet universally honored elsewhere.

  • Annual cost. $1,000–$1,500 for a VMC; $500–$900 for a CMC. Prices vary by issuer and validity period.
  • Validity period. Typically 12 months. Renewal restarts the trademark verification process.
  • Eligible jurisdictions. USPTO, EUIPO, UK IPO, IP Australia, JPO, KIPO, IPI (Switzerland), DPMA (Germany), CIPO (Canada), and INPI (Brazil). Other registries are added periodically.
  • What it isn’t. A VMC is not a TLS certificate. Don’t install it on your web server — host the .pem file at the URL referenced in your a= tag and nothing else.
08

Implementing BIMI end-to-end

  1. Confirm your DMARC policy is at p=quarantine or p=reject with pct=100. The DMARC analyzer will verify in one click.
  2. Prepare your logo: convert your SVG to SVG Tiny PS, validate it against the BIMI Group’s test tool, and host it at a stable HTTPS URL.
  3. Apply for a VMC (or CMC) through DigiCert or Entrust. Have your trademark registration documents ready — the verification step typically takes two to four weeks.
  4. Host the issued .pem certificate file alongside your logo, on the same HTTPS origin.
  5. Publish the BIMI DNS record at default._bimi.{your-domain} with v=BIMI1;, the l= URL, and the a= URL.
  6. Send a test message to a Gmail or Yahoo account that already has your sender history. Logo display can take up to 48 hours to appear as receivers cache the BIMI lookup.
09

Email client BIMI support

Display behavior varies between providers. The grid below summarizes the current state of BIMI rendering across major inbox clients.

  • Gmail (web & mobile)Displays logos for VMC- and CMC-backed domains. Logos appear in the sender avatar slot in the inbox list and conversation view.
  • Apple Mail (iOS 16+ / macOS 13+)Renders logos for VMC-backed domains. The logo appears in the conversation header.
  • Yahoo MailWas the first major BIMI adopter. Displays logos with or without a VMC, though VMC remains recommended.
  • FastmailFull BIMI support including VMC display.
  • Microsoft 365 / Outlook.comBIMI rollout has been announced and piloted but is not consistently visible across tenants as of mid-2026.
  • Outlook (desktop)The classic Outlook desktop client does not display BIMI logos. The new Outlook (Monarch) shares the Outlook.com pilot status.
  • ProtonMailNo BIMI display today. The team has indicated interest but no roadmap.
10

Next steps

BIMI is the visible payoff for a fully deployed email-authentication stack. If you have not yet completed the underlying layers, walk back through SPF, DKIM, and DMARC first — BIMI cannot rescue a domain that isn’t already authenticating properly.

Ready to Implement?

Get authenticated mail moving in minutes — start free, book a guided demo, or talk to the team about your stack.

Start free arrow_forward event Book demo mail Contact us