Introduction
BIMI — the standard that puts your brand logo in supported inboxes — has a small but strict requirements list. The headline item: DMARC at enforcement. No BIMI without it.
This article covers the full requirements set, why each exists, and how to verify you meet them.
Why this topic matters
BIMI is the visible payoff of DMARC enforcement. Teams that publish BIMI without completing the DMARC rollout discover their logo simply doesn't render — there's no error, just absence. Understanding the requirements upfront prevents the surprise.
The full requirements list
To get BIMI rendering at major providers:
- DMARC policy
p=quarantineorp=rejectwithpct=100(no partial enforcement). - Subdomain policy
sp=also at enforcement. - SVG Tiny PS logo (constrained SVG profile, square, RGB, under 32KB).
- HTTPS hosting of the SVG with stable URL.
- Verified Mark Certificate (VMC) for Gmail and most major providers.
- BIMI TXT record at
default._bimi.yourdomain.com.
Each is gating. Missing any one means BIMI doesn't render.
Why DMARC enforcement is required
BIMI is a brand-trust signal: the provider shows your logo next to your mail. They will only do this for mail they can verify is actually yours. DMARC enforcement is the mechanism that produces that verification.
If your DMARC is at p=none, attackers can still spoof your domain at major providers. Showing your logo on a spoofed message would be worse than not showing it — it would actively mislead the recipient. Providers protect against this by requiring enforcement before rendering.
The VMC explained
The Verified Mark Certificate is a digital certificate proving you own the trademark for the logo. Issued by VMC-authorized CAs (DigiCert, Entrust) after a trademark and identity verification.
Cost: ~$1,500-1,800/year. Lead time: 2-6 weeks for issuance after submission.
Some providers (Yahoo, Apple Mail, Fastmail) render BIMI without a VMC but with reduced visibility. Gmail requires it.
Step-by-step approach to meeting requirements
- Achieve DMARC
p=reject pct=100. Orp=quarantine pct=100at minimum. - Set
sp=to match. - Register the trademark for your logo (if not already).
- Prepare SVG Tiny PS file. Most agencies need guidance on the constrained format.
- Apply for VMC via a BIMI-authorized CA.
- Host SVG and VMC at HTTPS.
- Publish BIMI TXT record.
- Test rendering with a Gmail account.
Total time: 6-12 weeks depending on trademark and VMC lead times.
Best practices
- Don't rush BIMI before DMARC is solid. Publishing BIMI without enforcement just doesn't work; do it once.
- Trademark first. It's the longest lead-time component.
- Keep the SVG simple. Tiny PS is restrictive; complex logos may need simplification.
- Document the BIMI infrastructure. Logo URL, VMC location, DNS record — note for future engineers.
- Watch for VMC expiry. Annual renewal; calendar it.
Recommended next step
If you're at DMARC p=reject pct=100, start the VMC application. If you're not, BIMI is the wrong next thing — finish the DMARC rollout first.
FAQ
Will p=quarantine pct=50 work for BIMI?
No. Must be pct=100.
Can I use BIMI without a VMC?
At some providers (Yahoo, Apple Mail), yes — with reduced visibility. Gmail requires VMC.
What if my logo isn't trademarked?
Register the trademark first. Without one, you can't get a VMC.
How long does VMC issuance take?
2-6 weeks from application to issuance, depending on CA and trademark verification.
Does BIMI work on mobile?
Yes, at supported providers' mobile apps.
Final thoughts
BIMI requirements are strict but logical. Each gating item exists for a reason — DMARC enforcement so the logo can be trusted, VMC so trademark fraud isn't possible, SVG Tiny PS for rendering reliability.
Meet them all and BIMI delivers; skip any and it doesn't. There's no middle ground.