Introduction
BIMI — Brand Indicators for Message Identification — is the standard that puts your verified brand logo next to your email in supported inboxes. Gmail, Yahoo, Apple Mail, Fastmail, and others now render BIMI logos. The catch: BIMI requires your domain to be at DMARC enforcement (p=quarantine or p=reject) before any of it renders.
This article explains what BIMI is, how it interacts with DMARC, and what to do to deploy it.
Why this topic matters
BIMI is the visible payoff of a clean DMARC rollout. After months of authentication work, your brand logo shows up in customers' inboxes as a tangible signal of legitimacy. For businesses, it's the marketing-friendly outcome that makes the authentication investment legible to non-technical stakeholders.
How BIMI works
The mechanism is straightforward:
- You publish an SVG logo at an HTTPS URL.
- You publish a BIMI record in DNS pointing to that logo.
- Supported mailbox providers fetch the logo and display it next to your messages.
A typical BIMI record:
“text v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem “
The l= tag is the logo location. The a= tag is the Verified Mark Certificate (VMC), required by Gmail and others as proof you own the trademark.
The DMARC prerequisite
BIMI requires DMARC at p=quarantine or p=reject with pct=100 (no partial enforcement). The reason: BIMI is a brand-trust signal, and providers won't put your logo on mail that might be spoofed. DMARC enforcement is what makes the logo trustworthy.
BIMI requirements: why DMARC enforcement comes first covers the policy detail.
Step-by-step approach to BIMI
- Confirm DMARC at
p=quarantineorp=rejectwithpct=100. - Prepare an SVG logo in SVG Tiny PS format (the constrained variant BIMI requires). Square, RGB, under 32KB.
- Host the SVG at HTTPS. Stable URL, not behind authentication.
- Obtain a VMC. Issued by trademark-validating CAs (DigiCert, Entrust). Requires a registered trademark.
- Publish BIMI record at
default._bimi.yourdomain.comas TXT. - Test rendering. Send a test message to a Gmail account; confirm logo display.
Best practices
- Get the SVG format exactly right. BIMI's SVG Tiny PS profile is strict; standard SVG won't work.
- Trademark the logo first. VMC requires a registered trademark.
- Use a stable HTTPS URL. Logo changes require updating the record.
- Monitor rendering. Different providers show BIMI logos in different positions.
- Don't skip DMARC enforcement. No shortcuts; BIMI without enforcement just doesn't render.
Recommended next step
If you're at DMARC p=reject pct=100, your next email-security milestone is BIMI. Start with the trademark registration (if you don't have one) — that's the long lead-time item. Logo prep and DNS publication are quick once the VMC is in hand.
FAQ
Do I need a VMC?
For Gmail, yes. For some providers (Yahoo, Fastmail), it's optional but recommended. Without a VMC, BIMI rendering is limited.
How much does a VMC cost?
Around $1,500-1,800/year as of 2026, varies by CA.
Will BIMI work with p=quarantine pct=10?
No. BIMI requires pct=100 enforcement.
How long does BIMI take to render after publishing?
DNS propagation: minutes. Provider-side caching: hours to a day.
Can I use BIMI for multiple subdomains?
Yes — publish BIMI records per subdomain. Each can point to a different logo or the same one.
Final thoughts
BIMI turns DMARC enforcement into a visible brand-trust signal. The authentication work most teams already do becomes visible in the inbox, where customers see it.
The prerequisite is real — no BIMI without DMARC enforcement. But for domains that have done the rollout, BIMI is the natural next step and the visible payoff.