iPGaze

What Is BIMI and How to Show Your Logo in Email

Learn what BIMI is, why DMARC enforcement is required first, the SVG and VMC requirements, the DNS record format, and how to verify your BIMI setup.

BIMI, short for Brand Indicators for Message Identification, is an email standard that lets your company logo appear next to your messages in the inbox. Instead of a generic avatar or the first letter of your sender name, supporting mailbox providers display the logo you publish, giving recipients an immediate, visual signal that the mail is genuinely from your brand. It is one of the few email standards that produces a benefit users can actually see.

BIMI is not a security control on its own. It does not authenticate mail or stop spoofing. Instead, it rewards domains that have already done the hard authentication work: a logo only appears when your domain passes strict authentication and meets a strict set of logo, DNS, and (for some providers) certificate requirements. This guide walks through everything you need, in the order you need it, and how to confirm each piece is correct.

DMARC enforcement is the non-negotiable prerequisite

Before BIMI can do anything, your domain must have DMARC at an enforcement policy. A DMARC record published at "_dmarc.yourdomain.com" with "p=none" is not enough; BIMI requires "p=quarantine" or "p=reject". Most providers also expect the policy to apply to all mail rather than a sample, so if you use the "pct" tag it should be set to 100 (or omitted, since 100 is the default). This is the single most common reason a correctly published logo never shows up.

DMARC in turn depends on SPF and DKIM, because a message passes DMARC only when SPF or DKIM passes in alignment with the visible From domain. So the real prerequisite chain is SPF and DKIM first, then DMARC moved up to enforcement, and only then BIMI. If you are not already at enforcement, treat that as a separate project: publish DMARC at "p=none", read the aggregate reports until every legitimate sender passes, and step up to quarantine and then reject. Confirm your policy with the DMARC Check tool, and validate the underlying SPF and DKIM records with the SPF Check and DKIM Check tools so you know enforcement will not break your own mail.

The logo file: SVG Tiny PS

BIMI does not accept ordinary PNG or JPEG logos. The logo must be an SVG, and not just any SVG: it has to conform to the "SVG Tiny Portable/Secure" profile, written as SVG Tiny PS or SVG P/S. This is a deliberately restricted subset of SVG Tiny 1.2 that strips out anything dynamic or risky, including scripts, external references, animation, and embedded raster images. The result is a file safe enough for mailbox providers to render inline at scale.

Beyond the profile, the artwork itself has rules. The logo must be square (a 1:1 aspect ratio) because providers crop it into a circle or rounded square, so any important detail near the corners will be lost. It needs a solid, non-transparent background rather than a transparent one, since transparency renders unpredictably across clients. Keep the file small and simple, include a "title" element describing the logo, and set the SVG "baseProfile" to "tiny-ps". Many design tools export plain SVG that is not compliant, so plan to run the file through a BIMI-specific converter or validator rather than assuming an export is correct.
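The structural rules above can be checked mechanically before the file is hosted. The following is an added example, not part of the original guide and not an official validator: the function name `lint_bimi_svg` and the sample files are constructed for illustration, the refusal to parse entity declarations is this example's own hardening choice, and the solid background and file size are not checked.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Element names for the content the guide lists as stripped by the profile.
FORBIDDEN = {"script", "image", "animate", "animateColor", "animateMotion",
             "animateTransform", "set"}

def local(tag):  # drop the '{namespace}' prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]

def lint_bimi_svg(svg_text):
    """Return a list of problems; an empty list means no check failed."""
    if "<!ENTITY" in svg_text:  # never hand entity declarations to the parser
        return ["entity declarations present; refusing to parse"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    if not any(local(child.tag) == "title" for child in root):
        problems.append("no <title> child describing the logo")
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        square = len(box) == 4 and float(box[2]) == float(box[3]) > 0
    except ValueError:
        square = False
    if not square:
        problems.append("viewBox missing or not 1:1")
    for el in root.iter():
        if local(el.tag) in FORBIDDEN:
            problems.append(f"forbidden element <{local(el.tag)}>")
        for attr in ("href", XLINK_HREF):
            ref = el.get(attr)
            if ref is not None and not ref.startswith("#"):
                problems.append(f"external reference in <{local(el.tag)}>")
    return problems

# Constructed samples: a compliant logo and a typical non-compliant export.
GOOD = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
        'viewBox="0 0 64 64"><title>Example Co</title><rect width="64" height="64" fill="#003366"/></svg>')
BAD = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
       'viewBox="0 0 120 64"><image xlink:href="https://example.com/logo.png"/><script>void 0</script></svg>')
```

An empty result here only means these structural checks passed; a BIMI-specific validator is still the authority on full profile conformance.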

The BIMI DNS record

BIMI is published as a DNS TXT record at a selector-based name. The default selector lives at "default._bimi.yourdomain.com". The record value starts with the version tag and then points at your logo and, optionally, your certificate. A complete record looks like "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem".

The three tags are simple. "v=BIMI1" declares the version and must come first. The "l" tag is the HTTPS URL of your SVG Tiny PS logo; it must be served over HTTPS from a valid certificate, and it can be left empty ("l=") to explicitly indicate no logo. The "a" tag is the HTTPS URL of your Verified Mark Certificate, also called the authority evidence. You can run multiple selectors (for example a product-specific logo) by publishing additional "selector._bimi" records and referencing the selector in a message header, but most organizations only ever need "default". After publishing, confirm the TXT record resolves with the DNS Lookup tool before testing anything downstream.
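The DMARC prerequisite and the BIMI tag rules described above can be checked together once both TXT values have been fetched. This is an added example, not part of the original guide: the function names are hypothetical, the records are passed in as strings so the code runs offline, and the requirement that a DMARC record begin with "v=DMARC1" comes from the DMARC specification rather than from this page.

```python
from urllib.parse import urlsplit

def parse_tags(record):
    """Split 'k=v; k=v' TXT syntax into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")  # URLs may contain later '='
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)

def dmarc_problems(record):
    """The guide's prerequisite: an enforcement policy applied to all mail."""
    pairs, problems = parse_tags(record), []
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("DMARC record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")
    if tags.get("pct", "100") != "100":  # omitted pct defaults to 100
        problems.append("pct is set to something other than 100")
    return problems

def bimi_problems(record):
    pairs, problems = parse_tags(record), []
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("BIMI record must start with v=BIMI1")
    if "l" not in tags:
        problems.append("l tag missing")
    elif tags["l"] and not is_https(tags["l"]):  # empty l= is a valid opt-out
        problems.append("l is not an HTTPS URL")
    if tags.get("a") and not is_https(tags["a"]):
        problems.append("a is not an HTTPS URL")
    return problems

def logo_eligible(dmarc_record, bimi_record):
    """True only when both records pass and a logo URL is actually published."""
    clean = not dmarc_problems(dmarc_record) and not bimi_problems(bimi_record)
    return clean and bool(dict(parse_tags(bimi_record)).get("l"))

# The guide's own example record, reused as sample input.
GUIDE_BIMI = ("v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; "
              "a=https://yourdomain.com/bimi/vmc.pem")
```

A pass here covers record syntax and policy only; it does not fetch the logo or validate the certificate the "a" tag points to.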

VMC and CMC: the verified mark certificate

A Verified Mark Certificate (VMC) is a special certificate that cryptographically proves you are entitled to use the logo, typically because it is a registered trademark. It is issued by a small number of certification authorities after they verify your organization and your right to the mark, and it is referenced by the "a" tag in your BIMI record. A VMC is not free; expect an annual cost in the hundreds of dollars, plus the time and expense of holding a registered trademark for the logo in question.

There is a second type, the Common Mark Certificate (CMC), aimed at logos that are in use but not formally trademarked, such as some government or non-profit marks. Support for CMCs is more limited than for VMCs. The practical question is whether you actually need a certificate at all, and the answer depends entirely on which mailboxes you care about, covered next.

Which mailbox providers support BIMI

Support is not uniform, and the certificate requirement is where providers diverge. Gmail displays BIMI logos but requires a valid VMC (or CMC); without the certificate referenced in the "a" tag, Gmail will not show your logo no matter how perfect the rest of your setup is. Because of Gmail's reach, the certificate requirement effectively becomes mandatory for most senders who want broad coverage.

Apple Mail supports BIMI across iOS, iPadOS, and macOS and also expects a certificate for the logo to appear in the headline position. Yahoo Mail was an early BIMI adopter and displays logos as well. Microsoft Outlook has been slower and historically more limited in its BIMI support, so do not assume it behaves like the others. The takeaway is that a logo-only record with no VMC will display in fewer places than you might hope, and for the major consumer providers you should plan on a certificate.

Step-by-step setup order

Work through the prerequisites in sequence rather than jumping straight to the logo. First, get SPF and DKIM passing in alignment for all of your legitimate mail; verify both with the SPF Check and DKIM Check tools. Second, publish DMARC, monitor its reports, and move the policy up to "p=quarantine" or "p=reject" with the policy applying to all mail; confirm enforcement with the DMARC Check tool.

Only once authentication is solid should you tackle BIMI itself. Create or convert your logo to a compliant square SVG Tiny PS file and host it over HTTPS. If you are targeting Gmail or Apple Mail, obtain a VMC from a recognized certification authority for your trademarked logo and host the certificate over HTTPS too. Then publish the TXT record at "default._bimi.yourdomain.com" with the "v", "l", and "a" tags. Finally, confirm the record resolves with the DNS Lookup tool and validate the whole chain before announcing anything internally.

How to check a BIMI record

After publishing, do not rely on sending yourself a test email and squinting at the avatar, because rendering can lag and depends on factors like sender reputation. Instead, validate the record directly. A BIMI checker fetches the TXT record at your selector, parses the "v", "l", and "a" tags, downloads the logo to confirm it is reachable over HTTPS and conforms to SVG Tiny PS, and inspects the VMC to confirm it is valid and matches your domain. Run your domain through the BIMI Check tool to see each of these results in one place.

If the logo still does not appear after the record validates cleanly, the cause is almost always one of two things: DMARC is not actually at enforcement (re-check it with the DMARC Check tool, since a record left at "p=none" silently disables BIMI), or the targeted provider requires a VMC that you have not yet obtained. Allow time for DNS and provider caches to update, keep sending well-authenticated mail to build reputation, and re-test periodically. Once everything lines up, your logo becomes a small but persistent trust signal in every inbox that supports it.
