BIMI: Display Your Brand Logo in Email Inboxes and Prove Domain Authenticity
BIMI lets your brand logo appear next to emails in supporting inboxes. Learn how to set up BIMI, the DMARC prerequisite, and whether a VMC certificate is needed.
What is BIMI?
Brand Indicators for Message Identification (BIMI) is an email standard that displays your organisation's logo next to authenticated emails in supporting inboxes. When a recipient sees your email in Gmail, Apple Mail, or Yahoo Mail, your verified brand logo appears instead of a generic avatar or initial.
BIMI is not just about branding -- it is the visual payoff for investing in email authentication. To display a logo via BIMI, your domain must have strong email authentication already in place, which means BIMI indirectly encourages organisations to deploy DMARC at enforcement level.
How BIMI works
The process is:
- Your domain has a DMARC policy of
p=quarantineorp=reject(enforcement level) - You publish a BIMI DNS record pointing to your logo (an SVG file)
- Optionally, you obtain a Verified Mark Certificate (VMC) that proves you own the trademark for the logo
- When a receiving mail server delivers an authenticated email from your domain, it looks up the BIMI record
- If the email passes DMARC and the BIMI record is valid, the inbox displays your logo
Sender sends email
→ Receiving server checks SPF/DKIM/DMARC
→ DMARC passes with p=quarantine or p=reject
→ Server looks up BIMI record
→ Fetches SVG logo (and validates VMC if present)
→ Inbox displays logo next to the email
Prerequisites
DMARC at enforcement level
This is the hard prerequisite. Your domain must have a published DMARC record with either:
_dmarc.yourcompany.com. IN TXT "v=DMARC1; p=quarantine; ..."
or
_dmarc.yourcompany.com. IN TXT "v=DMARC1; p=reject; ..."
A policy of p=none (monitoring only) is not sufficient. If you have not yet reached enforcement level, see our DMARC policy guide and DMARC aggregate reports guide for the rollout path.
SPF and DKIM properly configured
DMARC relies on SPF and DKIM alignment. Both should be correctly configured and passing for all legitimate email sources before deploying BIMI.
SVG logo in the correct format
BIMI requires a specific SVG format called SVG Tiny Portable/Secure (SVG P/S). This is a restricted subset of SVG:
- Must be SVG Tiny 1.2 profile
- No scripts, no external references, no animations
- Square aspect ratio (the inbox will display it in a circle or rounded square)
- Should look good at small sizes (as small as 16x16 pixels)
- File must be served over HTTPS
<?xml version="1.0" encoding="UTF-8"?>
<svg version="1.2" baseProfile="tiny-ps"
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 100 100">
<!-- Your logo here -->
<circle cx="50" cy="50" r="45" fill="#0066CC"/>
<text x="50" y="60" text-anchor="middle"
font-size="40" fill="white" font-family="sans-serif">YC</text>
</svg>
Most designers will need to convert an existing logo. Tools like the BIMI SVG converter can help validate the format.
Setting up BIMI
Step 1: Verify your DMARC enforcement
dig TXT _dmarc.yourcompany.com +short
Confirm the output shows p=quarantine or p=reject.
Step 2: Prepare your SVG logo
Create an SVG P/S file and host it at a publicly accessible HTTPS URL:
https://yourcompany.com/.well-known/bimi/logo.svg
The .well-known/bimi/ path is conventional but not required.
Step 3: Publish the BIMI DNS record
default._bimi.yourcompany.com. IN TXT "v=BIMI1; l=https://yourcompany.com/.well-known/bimi/logo.svg"
If you have a VMC certificate:
default._bimi.yourcompany.com. IN TXT "v=BIMI1; l=https://yourcompany.com/.well-known/bimi/logo.svg; a=https://yourcompany.com/.well-known/bimi/certificate.pem"
Step 4: Validate
# Check the DNS record
dig TXT default._bimi.yourcompany.com +short
# Verify the SVG is accessible
curl -sI https://yourcompany.com/.well-known/bimi/logo.svg
Use the BIMI Inspector to validate your complete setup.
Do you need a VMC certificate?
A Verified Mark Certificate (VMC) is a certificate issued by a CA (currently DigiCert and Entrust) that proves your organisation owns the trademark associated with the logo. VMCs cost approximately $1,000--1,500 per year and require a registered trademark.
Gmail requires a VMC
Google requires a VMC for BIMI logos to appear in Gmail. Without a VMC, Gmail will not display your logo even if your BIMI record is correctly configured.
Apple Mail does not require a VMC
Apple Mail displays BIMI logos without a VMC, checking only that DMARC passes and the BIMI record is valid.
Yahoo/AOL does not require a VMC
Yahoo displays BIMI logos without a VMC for domains with strong DMARC records.
Summary
| Provider | VMC required | BIMI supported |
|---|---|---|
| Gmail | Yes | Yes |
| Apple Mail | No | Yes |
| Yahoo/AOL | No | Yes |
| Microsoft Outlook | No (preview) | Limited/rolling out |
If Gmail is important to your audience (it usually is), plan for a VMC. If you want quick wins while waiting for the VMC, Apple Mail and Yahoo users will see your logo immediately.
Obtaining a VMC
Requirements:
- Registered trademark -- your logo must be a registered trademark in an accepted trademark office (USPTO, EUIPO, UKIPO, CIPO, JPIPO, and others)
- DMARC enforcement --
p=quarantineorp=reject - SVG P/S logo matching the registered trademark
Process:
- Apply with DigiCert or Entrust
- Provide trademark registration details
- The CA validates your trademark and domain ownership
- You receive a PEM certificate file to host alongside your logo
The validation process typically takes 2--4 weeks depending on how quickly trademark verification completes.
Common BIMI mistakes
Logo does not display in Gmail
Most common cause: no VMC. Gmail strictly requires a VMC certificate.
SVG format rejected
The SVG must be SVG Tiny PS, not standard SVG. Common issues include embedded fonts, external references, JavaScript, or CSS animations. Strip everything down to basic shapes and inline styles.
DMARC policy too weak
p=none does not qualify. Even p=quarantine; pct=50 may cause inconsistent logo display because only quarantined messages trigger BIMI. For reliable BIMI, use p=reject or p=quarantine with pct=100 (the default).
Logo looks bad at small sizes
Your logo will be displayed as small as 16x16 pixels. Detailed logos with thin lines or small text become unrecognisable. Use a simplified version -- an icon or logomark rather than a full wordmark.
BIMI record on subdomain
If you send email from marketing.yourcompany.com, you need a BIMI record for that subdomain specifically:
default._bimi.marketing.yourcompany.com. IN TXT "v=BIMI1; l=..."
BIMI as the capstone of email authentication
BIMI sits at the top of the email authentication stack:
- SPF -- authorises sending IPs
- DKIM -- cryptographically signs messages
- DMARC -- enforces alignment and sets policy
- BIMI -- rewards all of the above with visible brand presence
Each layer builds on the one below. You cannot deploy BIMI without DMARC enforcement, and DMARC is ineffective without properly configured SPF and DKIM. For the full picture, see our email spoofing prevention guide.
How SurfaceScan helps
SurfaceScan checks your BIMI configuration alongside the rest of your email authentication stack. It validates that your DMARC policy meets BIMI requirements, that your BIMI DNS record is correctly formatted, that the SVG logo URL is accessible and returns a valid SVG P/S file, and that your VMC certificate (if present) is valid and matches the logo. The Email Security dashboard shows your BIMI readiness and what steps remain before your logo can appear in inboxes.
Related articles
DMARC Policy: From None to Quarantine to Reject
DMARC ties SPF and DKIM together. Learn the three policy levels (none, quarantine, reject) and how to implement DMARC safely without breaking email.
Email Spoofing Prevention: The Complete SPF, DKIM, and DMARC Guide
Prevent email spoofing with SPF, DKIM, and DMARC working together. Step-by-step implementation guide for IT admins to fully protect their domain from impersonation.
How to Set Up DKIM for Your Domain
DKIM prevents email spoofing by adding a cryptographic signature to outgoing emails. Step-by-step setup guide for common email providers.