TL;DR
BIMI (Brand Indicators for Message Identification) is the final layer in the email authentication stack, allowing organizations to display their brand logo directly in recipients' inboxes next to authenticated messages. Built on top of DMARC enforcement, BIMI transforms email authentication from an invisible infrastructure concern into a visible brand asset. This guide covers the DNS record format, SVG Tiny PS requirements, VMC certificates, provider support, cost analysis, and the full setup procedure — including when BIMI is (and isn't) worth the investment.
📑 Table of Contents
- How BIMI Works
- DNS Record Format
- SVG Tiny PS Requirements
- VMC Certificates
- Provider Support Matrix
- DMARC Prerequisite
- Cost Analysis
- Setup Steps
- Best Practices
- Common Mistakes
- Tools
- Sources & References
1. How BIMI Works
BIMI leverages the existing email authentication stack (SPF, DKIM, DMARC) and adds a visual trust indicator. When a message passes DMARC with an enforcement policy, the receiving mail client looks up the sender's BIMI DNS record to retrieve a logo URL and (optionally) a VMC certificate that validates brand ownership.
Message arrives
The receiver performs standard SPF, DKIM, and DMARC evaluation. The message must pass DMARC with p=quarantine or p=reject.
BIMI DNS lookup
The receiver queries default._bimi.example.com for a TXT record containing the logo URL and optional VMC URL.
Logo retrieval & VMC validation
The receiver fetches the SVG logo from the l= URL. If an a= (authority) URL is present, it fetches and validates the VMC certificate against the domain and logo.
Logo display
If all checks pass, the mail client displays the brand logo as the sender's avatar. Without BIMI, a generic initial or silhouette is shown.
📖 Definition — BIMI (Brand Indicators for Message Identification) is an email specification that enables domain owners to display a verified brand logo in supporting email clients, contingent on DMARC enforcement and (for some providers) a Verified Mark Certificate (VMC).
💡 BIMI is not just cosmetic. Research from the BIMI Working Group shows that brand logos increase email open rates by 10–39% and significantly improve brand recall. It's a deliverability and marketing asset as much as a security one.
2. DNS Record Format
A BIMI record is a DNS TXT record published at default._bimi.yourdomain.com:
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
| Tag | Required | Meaning | Value |
|---|---|---|---|
| v | Yes | Version | BIMI1 |
| l | Yes | Logo URL (HTTPS) | URL to SVG Tiny PS file |
| a | No* | Authority (VMC certificate URL) | URL to PEM-encoded VMC |
*Gmail and Apple Mail require a VMC (a= tag) to display the logo. Without it, only providers like Fastmail and Yahoo display BIMI logos.
⚠️ The l= URL must use HTTPS with a valid TLS certificate. HTTP URLs are rejected. The SVG file must be served with Content-Type: image/svg+xml and appropriate CORS headers.
Selector Variants
The default selector covers all mail. You can publish additional selectors for different use cases (e.g., marketing._bimi.example.com), though receiver support for non-default selectors is limited.
```plaintext
# Default BIMI record — applies to all mail
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

# To explicitly disable BIMI for a domain:
default._bimi.example.com TXT "v=BIMI1; l=;"
```
3. SVG Tiny PS Requirements
BIMI does not accept standard SVG files. The logo must conform to SVG Tiny PS (Portable/Secure), a restricted profile designed for security and consistent rendering across mail clients.
📖 Definition — SVG Tiny PS is a constrained subset of the SVG Tiny 1.2 specification, created specifically for BIMI. It removes scripting, external references, and other features that could pose security risks in email clients.
Key Requirements
| Requirement | Detail |
|---|---|
| Profile declaration | Must include baseProfile="tiny-ps" and version="1.2" |
| Dimensions | Square aspect ratio required; viewBox must be square |
| Title element | Must contain a `<title>` element |
| No scripting | No `<script>`, event handlers, or JavaScript |
| No external references | No xlink:href to external resources, no `` elements |
| No animations | No , , or SMIL elements |
| No raster images | No embedded PNG/JPEG via data URIs or external links |
| File size | Should be under 32 KB (recommended limit) |
| Background | Should have a solid background — transparent logos render poorly on varied email client backgrounds |
Minimal Valid SVG Tiny PS Template
```plaintext
Example Corp Logo
E
```
🚫 Common SVG errors that break BIMI: Missing baseProfile="tiny-ps", non-square viewBox, embedded tags, xlink:href references, inline styles using url() for external resources, gradients referencing filters. Always validate with the BIMI Group's SVG checker.
⚡ Pro Tip: Export your logo from a vector editor (Illustrator, Figma), then manually clean the SVG: remove metadata, comments, embedded fonts, and Illustrator-specific namespaces. Add the baseProfile="tiny-ps" and version="1.2" attributes. Validate with the BIMI validator before publishing.
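A pre-publication lint for the requirements in the table above, as an added example (not code from the BIMI Group or from this guide's author). The function name, the element blocklist and both sample logos are assumptions constructed for illustration; it complements the official validator rather than replacing it.

```python
import xml.etree.ElementTree as ET
SVG = "{http://www.w3.org/2000/svg}"
# Assumed blocklist derived from the requirement table, not the official schema.
FORBIDDEN = {"script", "image", "animate", "animateTransform", "animateMotion", "set"}

def lint_svg_tiny_ps(data: bytes) -> list:
    """Return requirement violations for a logo you control (trusted input)."""
    problems = []
    if len(data) > 32 * 1024:
        problems.append("file is larger than 32 KB")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return problems + ["root is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('version is not "1.2"')
    try:
        _, _, width, height = map(float, (root.get("viewBox") or "").replace(",", " ").split())
        if width <= 0 or width != height:
            problems.append("viewBox is not square")
    except ValueError:  # wrong number of values or a non-numeric value
        problems.append("viewBox is missing or malformed")
    title = root.find(SVG + "title")
    if title is None or not (title.text or "").strip():
        problems.append("no <title> element")
    for el in root.iter():
        name = el.tag.split("}")[-1]
        if name in FORBIDDEN:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            local = attr.split("}")[-1]  # strip the namespace (covers xlink:href)
            if local.lower().startswith("on"):
                problems.append(f"event handler {local} on <{name}>")
            elif local == "href" and not value.startswith("#"):
                problems.append(f"non-local href on <{name}>")
            elif "url(" in value and "url(#" not in value:
                problems.append(f"external url() in {local} on <{name}>")
    return problems
# Constructed samples: one conforming logo, one typical vector-editor export.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
        b'viewBox="0 0 100 100"><title>Example Corp Logo</title>'
        b'<rect width="100" height="100" fill="#003366"/></svg>')
BAD = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
       b'version="1.1" viewBox="0 0 200 100"><script>void 0</script>'
       b'<image xlink:href="https://example.com/logo.png" width="200" height="100"/></svg>')
```

Because non-conforming logos fail silently at the receiver, running `lint_svg_tiny_ps` in the pipeline that publishes the logo gives the error message the mail client never will.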
4. VMC Certificates
A Verified Mark Certificate (VMC) is an X.509 certificate that cryptographically binds your brand logo to your domain. It is issued by a Certificate Authority after verifying your trademark registration and domain ownership.
VMC Issuers
| Certificate Authority | Annual Cost (approx.) | Trademark Requirement |
|---|---|---|
| DigiCert | $1,299 – $1,499/year | Registered trademark (USPTO, EUIPO, WIPO Madrid, etc.) |
| Entrust | $1,299 – $1,499/year | Registered trademark |
💡 As of 2024, DigiCert and Entrust are the only two Certificate Authorities authorized to issue VMC certificates. The BIMI Working Group requires CAs to be members and follow strict validation procedures.
VMC Validation Requirements
Registered trademark — Your logo must be a registered trademark in an accepted jurisdiction (USPTO, EUIPO, CIPO, IP Australia, WIPO Madrid Protocol, and others).
Domain ownership — You must prove ownership/control of the domain specified in the certificate.
Logo match — The SVG file referenced in your BIMI record must match the trademarked logo in the VMC.
DMARC enforcement — Your domain must have p=quarantine or p=reject.
⚠️ The VMC issuance process typically takes 3–6 weeks due to trademark verification. Plan ahead — you cannot rush this step.
5. Provider Support Matrix
| Mail Provider | BIMI Support | VMC Required? | Notes |
|---|---|---|---|
| Gmail | Yes | Yes | Full support since July 2021; requires VMC |
| Apple Mail | Yes | Yes | Supported since iOS 16 / macOS Ventura |
| Yahoo/AOL | Yes | No | Displays BIMI logos without VMC |
| Fastmail | Yes | No | Early BIMI adopter; no VMC needed |
| Microsoft Outlook | Partial | — | Uses proprietary "Brand Indicators" via Microsoft 365 admin; not standard BIMI |
| Zoho Mail | Yes | No | Supports BIMI without VMC |
| ProtonMail | No | — | No BIMI support as of 2025 |
| Thunderbird | No | — | No BIMI support |
1.8B+ mailboxes support BIMI (Gmail + Apple Mail + Yahoo)
6. DMARC Prerequisite
BIMI has a hard dependency on DMARC enforcement. Your domain must have a DMARC record with p=quarantine or p=reject for BIMI logos to be displayed.
| DMARC Policy | BIMI Effect |
|---|---|
| p=none | BIMI ignored — logo is not displayed |
| p=quarantine | BIMI active — logo displayed for passing messages |
| p=reject | BIMI active — logo displayed for passing messages |
🎯 If you haven't deployed DMARC yet, start there. Follow the phased rollout (p=none → p=quarantine → p=reject) before investing in BIMI and VMC. BIMI is the reward for achieving full email authentication maturity.
7. Cost Analysis
BIMI itself is free (it's a DNS record). The costs come from the VMC certificate and preparation:
| Item | Cost | Frequency |
|---|---|---|
| BIMI DNS record | Free | One-time setup |
| SVG Tiny PS logo creation | $0 – $500 | One-time (designer time or self-service) |
| Trademark registration (if not already registered) | $250 – $2,000+ | Initial filing + maintenance |
| VMC certificate (DigiCert or Entrust) | $1,299 – $1,499 | Annual renewal |
| DMARC enforcement (prerequisite) | $0 – varies | Ongoing monitoring & management |
💡 Without VMC: For Yahoo, Fastmail, and Zoho, you can deploy BIMI for free (just a DNS record + SVG). For Gmail and Apple Mail (the vast majority of consumer mailboxes), you need a VMC. The total first-year cost with VMC is typically $1,500 – $3,500.
When BIMI Is Worth It
High email volume
If you send millions of emails monthly, a 10–39% increase in open rates easily justifies the VMC cost.
Strong brand recognition
Recognizable logos (retail, finance, SaaS) benefit most. A logo people don't recognize adds no value.
Already have a trademark
If your logo is already registered, VMC cost is the only expense — the ROI is very favorable.
Phishing target
Financial institutions, e-commerce platforms, and government agencies that are frequently impersonated get anti-phishing benefits from visual brand verification.
⚠️ BIMI is NOT worth it if: You haven't achieved p=reject DMARC yet, you send very low volume, your brand is new/unknown, or your logo isn't trademarked and you don't plan to trademark it.
8. Setup Steps
Achieve DMARC Enforcement
Ensure your domain has p=quarantine or p=reject with 100% alignment. BIMI requires DMARC to work.
Prepare SVG Tiny PS Logo
Convert your logo to SVG Tiny PS format. Square aspect ratio, no scripts, no external references, no raster images. Set baseProfile="tiny-ps" and version="1.2".
Validate SVG
Use the BIMI Group's SVG validator or the BIMI Inspector tool to check compliance before publishing.
Obtain VMC (Optional/Required)
If targeting Gmail/Apple Mail, purchase a VMC from DigiCert or Entrust. Provide your trademark registration number and domain verification.
Host Assets
Upload the SVG and VMC PEM file to your web server over HTTPS. Ensure correct Content-Type headers and public accessibility.
Publish DNS Record
Add a TXT record at default._bimi.yourdomain.com with the v=BIMI1; l= and a= tags pointing to your hosted files.
Test & Verify
Send a test email to a Gmail account and check if the logo appears. Use BIMI Inspector to verify DNS, SVG, and VMC configuration.
```plaintext
# Complete DNS configuration example:

# 1. DMARC record (prerequisite)
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# 2. BIMI record
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
```
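The DNS side of the procedure above can be checked before the records go live. The following is an added example, not part of the original guide: `parse_tags` and `check_bimi` are hypothetical helper names, and the sample records are constructed from the page's example.com values.

```python
from urllib.parse import urlparse

def parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' TXT string into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")  # values may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi(dmarc_txt: str, bimi_txt: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a DMARC/BIMI record pair."""
    errors, warnings = [], []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)

    # BIMI is ignored unless DMARC is at enforcement.
    if dmarc.get("v") != "DMARC1":
        errors.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        errors.append("DMARC policy is not quarantine or reject")

    if bimi.get("v") != "BIMI1":
        errors.append("BIMI record lacks v=BIMI1")
    elif "l" not in bimi:
        errors.append("BIMI record lacks the required l= tag")
    elif bimi["l"] == "":
        warnings.append("empty l= tag: BIMI is explicitly disabled")
    else:
        for tag in ("l", "a"):
            value = bimi.get(tag, "")
            url = urlparse(value)
            if value and (url.scheme != "https" or not url.netloc):
                errors.append(f"{tag}= must be an https:// URL")
        if not bimi.get("a"):
            warnings.append("no a= tag: Gmail and Apple Mail will not show the logo")
    return {"errors": errors, "warnings": warnings}

# Constructed sample records (example.com values from this guide).
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI_FULL = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
             "a=https://example.com/brand/vmc.pem")
BIMI_HTTP = "v=BIMI1; l=http://example.com/brand/logo.svg"
BIMI_OFF = "v=BIMI1; l=;"
```

Feed it the TXT strings returned by your resolver for `_dmarc.<domain>` and `default._bimi.<domain>`; the check covers record syntax and policy only, not the hosted SVG or the VMC itself.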
9. Best Practices
Validate SVG rigorously
Use the official BIMI Group validator. Even minor deviations from SVG Tiny PS will cause silent failures — no logo, no error.
Use a solid background
Transparent SVG backgrounds render differently across email clients. Use a solid brand-color background for consistent appearance.
Keep SVG under 32 KB
While not a hard limit, larger files may be rejected or slow to render. Optimize paths and remove unnecessary metadata.
Monitor DMARC continuously
BIMI vanishes if your DMARC policy drops below enforcement. A single misconfiguration can remove your logo from billions of inboxes.
Plan for VMC renewal
VMC certificates expire annually. Set a calendar reminder 30 days before expiration and renew early to avoid logo disappearance.
Cache and CDN considerations
Receivers cache your SVG logo. After updating, it may take days for the new version to propagate. Use a different filename or cache-busting query parameter.
10. Common Mistakes
🚫 Using standard SVG instead of SVG Tiny PS. Regular SVG files exported from Illustrator, Figma, or Inkscape include features not allowed in Tiny PS (gradients with filters, embedded images, metadata). The logo will silently fail to display.
🚫 Deploying BIMI with p=none DMARC. BIMI requires DMARC enforcement (quarantine or reject). With p=none, receivers ignore the BIMI record entirely.
⚠️ Non-square logo. BIMI requires a square aspect ratio. Rectangular logos will be rejected or cropped unpredictably by mail clients.
⚠️ Hosting SVG over HTTP. The l= tag must point to an HTTPS URL with a valid TLS certificate. HTTP URLs are rejected by all BIMI-supporting receivers.
⚠️ Expecting instant display. After publishing a BIMI record, it can take 24–72 hours for receiver caches to populate. Gmail specifically crawls BIMI records on its own schedule.
⚠️ Forgetting the VMC for Gmail. About 30% of all email goes to Gmail. Without a VMC, your BIMI setup covers only Yahoo, Fastmail, and smaller providers — a fraction of your audience.
11. Tools
| Tool | Purpose |
|---|---|
| BIMI Record Checker | Look up BIMI DNS records, validate SVG URL, and check VMC presence |
12. Sources & References
📄 BIMI Group — Implementation Guide
📄 BIMI Group — SVG Tiny PS Specification
📄 Google Workspace — Set up BIMI
📄 Google — BIMI requirements and troubleshooting
📄 DigiCert — Verified Mark Certificates (VMC)
📄 Entrust — Verified Mark Certificates (VMC)
📄 RFC 7489 — DMARC (BIMI dependency)
📄 RFC 6376 — DKIM (authentication layer)
📄 RFC 7208 — SPF (authentication layer)
🎯 Key Takeaway: BIMI is the visible payoff of a mature email authentication stack. It requires DMARC enforcement (p=quarantine or p=reject), a logo in SVG Tiny PS format, and — for Gmail and Apple Mail — a Verified Mark Certificate (~$1,500/year). Deploy BIMI after you've achieved full DMARC enforcement, not before. For high-volume senders with recognized brands, the ROI in open rates and brand protection is substantial. For everyone else, get your DMARC house in order first — BIMI is the cherry on top.
Originally published on StarNomina ToolBox.