BIMI: Brand Indicators for Message Identification

Display your logo next to emails in supporting clients using BIMI DNS records and Verified Mark Certificates.

What Is BIMI?

BIMI (Brand Indicators for Message Identification) is an email specification that lets organisations display their official brand logo directly inside a recipient's inbox — right next to the sender name — before the email is even opened.

When you receive email from a bank or well-known brand and see a colourful company logo instead of a generic initial avatar, that is BIMI at work. It turns an otherwise anonymous-looking email into an instantly recognisable communication that recipients trust at a glance.

BIMI is built on top of DMARC. A domain that passes DMARC alignment can publish a BIMI DNS record pointing to an SVG logo file, and supporting mail clients will fetch and display that logo.

Why BIMI Matters for Senders

  • Brand recognition — Recipients see your logo before opening, increasing open rates
  • Trust signals — A displayed logo signals the message passed authentication checks
  • Anti-phishing — Impersonators spoofing your domain cannot display your logo because their mail cannot pass DMARC
  • Inbox real estate — Logos stand out in crowded inboxes far more than text alone

Prerequisites: What You Need Before BIMI

BIMI is the final layer on top of a complete email authentication stack. You cannot publish a working BIMI record without the following already in place.

1. SPF Must Pass

Your domain needs a valid SPF record that covers all sending IP addresses.

v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.com -all

2. DKIM Must Pass

Every outbound message must carry a valid DKIM signature from a key published in your DNS.

3. DMARC Must Be in Enforcement Mode

This is the critical gate. BIMI requires your DMARC policy to be p=quarantine or p=reject. A p=none policy is not sufficient because it means you are still monitoring — not enforcing authentication.

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

Mail clients validate DMARC before fetching the BIMI logo. A policy of none tells them you do not yet trust your own authentication posture.
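The enforcement gate described above can be checked mechanically before any BIMI work starts. The following is an added example, not code from the original article: the function names and sample records are constructed, and the handling of the DMARC `sp=` subdomain tag goes slightly beyond the `p=` and `pct=` checks the text names.

```python
# Added example: BIMI pre-flight check on a DMARC TXT value.
ENFORCING = {"quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_blockers(dmarc_record, for_subdomain=False):
    """Return reasons this DMARC record fails the BIMI gate (empty list = OK)."""
    if not dmarc_record.strip().startswith("v=DMARC1"):
        return ["not a DMARC record: value must start with v=DMARC1"]
    tags = parse_tags(dmarc_record)
    blockers = []
    # Subdomain senders inherit p= unless the record carries an sp= override.
    tag = "sp" if for_subdomain and "sp" in tags else "p"
    policy = tags.get(tag, "").lower()
    if policy not in ENFORCING:
        blockers.append(f"{tag}={policy or '(missing)'} is not quarantine or reject")
    pct = tags.get("pct", "100")  # DMARC treats a missing pct as 100
    if pct != "100":
        blockers.append(f"pct={pct}: enforcement must apply to 100% of mail")
    return blockers

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "enforced":   "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":    "v=DMARC1; p=reject; pct=25",
    "sp_gap":     "v=DMARC1; p=reject; sp=none",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, bimi_blockers(record) or "OK")
    print("sp_gap (subdomain)", bimi_blockers(SAMPLES["sp_gap"], for_subdomain=True))
```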


SVG Logo Requirements

BIMI uses a very specific SVG profile called Tiny PS (SVG Tiny Portable/Secure). A standard SVG exported from Figma or Illustrator will almost certainly not work without modification.

SVG Tiny PS Rules

| Requirement | Detail |
|---|---|
| File format | SVG Tiny 1.2 or SVG Tiny PS |
| Viewbox | Must be a square aspect ratio (e.g., 0 0 100 100) |
| Background | Must be filled — transparent backgrounds are rejected |
| External references | No external fonts, images, or scripts |
| Maximum file size | 32 KB (some validators allow up to 500 KB, but keep it small) |
| No animations | Static logos only |
| No raster images embedded | Pure vector only |

Validating Your SVG

Use the free BIMI Group validator at https://bimigroup.org/bimi-generator/ or the Entrust BIMI Inspector to check your SVG file before publishing the DNS record.

A minimal compliant SVG looks like:

<?xml version="1.0" encoding="UTF-8"?>
<svg version="1.2" baseProfile="tiny-ps"
     xmlns="http://www.w3.org/2000/svg"
     viewBox="0 0 100 100">
  <title>Acme Corp Logo</title>
  <circle cx="50" cy="50" r="50" fill="#0055AA"/>
  <!-- your logo paths here -->
</svg>
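A local pre-check for the machine-checkable rules in the table above, useful before uploading to an online validator. This is an added example, not code from the original article or from the BIMI Group. The function name, the forbidden-element list and both sample files are constructed for illustration, and the background-fill rule is left to the validators.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024  # size limit from the rules table
# Scripts, raster images and animation elements are all disallowed.
FORBIDDEN = {"script", "image", "foreignObject", "animate", "animateColor",
             "animateMotion", "animateTransform", "set"}

def check_tiny_ps(svg_bytes):
    """Return violations of the rules listed above (empty list = no findings)."""
    problems = []
    if len(svg_bytes) > MAX_BYTES:
        problems.append(f"file is {len(svg_bytes)} bytes (limit {MAX_BYTES})")
    try:
        root = ET.fromstring(svg_bytes)  # run on your own logo, not untrusted XML
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("version") != "1.2" or root.get("baseProfile") != "tiny-ps":
        problems.append('root needs version="1.2" and baseProfile="tiny-ps"')
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        _x, _y, width, height = map(float, box)
        if width != height or width <= 0:
            problems.append(f"viewBox {width:g}x{height:g} is not square")
    except ValueError:
        problems.append("viewBox is missing or malformed")
    for el in root.iter():
        name = el.tag.split("}")[-1]
        if name in FORBIDDEN:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            # href / xlink:href may only point inside the file (#fragment)
            if attr.split("}")[-1] == "href" and not value.startswith("#"):
                problems.append(f"external reference on <{name}>: {value}")
    return problems

# Constructed inputs: the minimal logo shown above and a raw design-tool export.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg version="1.2" baseProfile="tiny-ps" xmlns="http://www.w3.org/2000/svg"
     viewBox="0 0 100 100"><title>Acme Corp Logo</title>
  <circle cx="50" cy="50" r="50" fill="#0055AA"/></svg>"""
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 100"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://cdn.example.com/logo.png" width="200" height="100"/>
  <script>void 0</script></svg>"""
```

Calling `check_tiny_ps(BAD_SVG)` reports the missing profile attributes, the non-square viewBox, the embedded raster image with its external URL, and the script element.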

Your BIMI SVG must be hosted on an HTTPS URL. The following hosting rules apply:

  1. HTTPS is required — HTTP URLs are rejected
  2. No redirects — The logo URL must resolve directly without 301/302 redirects
  3. Correct Content-Type — Serve the file with Content-Type: image/svg+xml
  4. Publicly accessible — No authentication, no Cloudflare challenges, no IP restrictions

A good URL pattern is: https://brand.yourdomain.com/bimi/logo.svg

Verify the file is accessible:

curl -I https://brand.yourdomain.com/bimi/logo.svg
# Expect: HTTP/2 200 and Content-Type: image/svg+xml

The BIMI DNS Record

The BIMI record is a TXT record published under the _bimi subdomain:

default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://brand.yourdomain.com/bimi/logo.svg; a=;"

Record Fields

| Tag | Required | Description |
|---|---|---|
| v=BIMI1 | Yes | Version indicator, must be first |
| l= | Yes | URL to the SVG logo (HTTPS, no redirects) |
| a= | Conditional | URL to the Verified Mark Certificate (VMC); required by Gmail |

The a= tag points to a PEM-encoded VMC certificate file, not the SVG:

a=https://brand.yourdomain.com/bimi/vmc.pem

If you are testing without a VMC (e.g., for Apple Mail which does not require one), leave the tag empty:

"v=BIMI1; l=https://brand.yourdomain.com/bimi/logo.svg; a=;"

Verified Mark Certificates (VMC)

A Verified Mark Certificate (VMC) is a digital certificate issued by an approved Certificate Authority that ties your registered trademark to your BIMI logo. Gmail and several other large providers require a VMC to display logos.

VMC Issuers

Currently approved VMC Certificate Authorities include:

  • Entrust — entrust.com
  • DigiCert — digicert.com

What You Need to Obtain a VMC

  1. Registered trademark — The logo must be registered with a recognised trademark office (USPTO, EUIPO, UK IPO, etc.)
  2. Trademark certificate — Proof of registration
  3. Compliant SVG — The same SVG Tiny PS file you will publish
  4. Domain verification — Proof you control the sending domain

VMC issuance typically takes 1–4 weeks and costs roughly $1,000–$1,500 per year per domain.

VMC Chain of Trust

Root CA Certificate
  └── Intermediate CA Certificate
        └── VMC (your domain + trademark + SVG hash embedded)

The VMC contains a hash of your approved SVG. If you change the SVG after issuance, you must obtain a new certificate.


Mail Client Support Matrix

Not all mail clients support BIMI equally:

| Client | BIMI Support | VMC Required | Notes |
|---|---|---|---|
| Gmail (web + mobile) | Yes | Yes | Enforces VMC strictly |
| Apple Mail (iOS 16+, macOS Ventura+) | Yes | No | Only requires valid DMARC |
| Yahoo Mail | Yes | No | Uses self-asserted logos |
| Fastmail | Yes | No | |
| Outlook | Partial | N/A | Uses Microsoft's own BIMI system |
| Thunderbird | No | | |

Step-by-Step Implementation Checklist

Follow this sequence to avoid wasted effort:

  1. Audit authentication — Run dmarcian or MXToolbox to confirm SPF, DKIM, DMARC are all passing at 100%
  2. Enforce DMARC — Move to p=quarantine or p=reject with pct=100
  3. Prepare SVG — Convert your logo to SVG Tiny PS; validate with BIMI Group checker
  4. Host SVG — Upload to an HTTPS endpoint; verify with curl -I
  5. Publish BIMI record — Add the TXT record under _bimi.yourdomain.com
  6. Test without VMC — Send from your domain to an Apple Mail address; check if logo appears
  7. Obtain VMC (for Gmail) — Apply with Entrust or DigiCert; wait for issuance
  8. Host VMC — Upload .pem file; add a= tag to BIMI record
  9. Test with Gmail — Send a test email to a Gmail address and verify the logo appears
  10. Monitor — Use Google Postmaster Tools to track BIMI status

Troubleshooting Common BIMI Issues

Logo Not Appearing in Gmail

  • Verify p=quarantine or p=reject in DMARC (not p=none)
  • Confirm the a= tag points to a valid, reachable VMC .pem file
  • Check that DMARC alignment is passing — not just DMARC policy existing
  • Use Google Postmaster Tools → Authentication section

Logo Not Appearing in Apple Mail

  • Confirm DMARC is enforced
  • Validate the SVG with the BIMI Group checker
  • Ensure the SVG URL returns Content-Type: image/svg+xml
  • Apple Mail caches logos; force-quit and reopen the app after changes

BIMI Record Syntax Errors

# Query your BIMI record (published under the "default" selector)
dig TXT default._bimi.yourdomain.com

# Verify it starts with v=BIMI1

Common syntax mistakes: spaces inside the URL, missing semicolons between tags, or v=bimi1 (must be uppercase).
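A small linter for the TXT value catches these mistakes before the record is published. This is an added example, not code from the original article: the function name and sample records are constructed, and the rules it enforces are the ones in the field table and the list of common mistakes on this page.

```python
from urllib.parse import urlsplit

def lint_bimi(record):
    """Return syntax problems in a BIMI TXT value (empty list = OK)."""
    problems = []
    parts = [p.strip() for p in record.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0] != "v=BIMI1":
        problems.append("first tag must be exactly v=BIMI1 (uppercase)")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            problems.append(f"'{part}' is not tag=value")
            continue
        tags[key.strip()] = value.strip()
    for tag in ("l", "a"):
        url = tags.get(tag, "")
        if not url:
            if tag == "l":  # a= may be empty when no VMC is published
                problems.append("l= (logo URL) is required")
            continue
        if any(ch.isspace() for ch in url):
            problems.append(f"{tag}= contains whitespace: space in the URL "
                            "or a missing semicolon before the next tag")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{tag}= must be an https:// URL")
    return problems

# Constructed sample values, using the article's placeholder host name.
BASE = "https://brand.yourdomain.com/bimi"
SAMPLES = {
    "ok_no_vmc":   f'"v=BIMI1; l={BASE}/logo.svg; a=;"',
    "ok_with_vmc": f"v=BIMI1; l={BASE}/logo.svg; a={BASE}/vmc.pem",
    "lowercase_v": f"v=bimi1; l={BASE}/logo.svg; a=;",
    "http_logo":   "v=BIMI1; l=http://brand.yourdomain.com/bimi/logo.svg; a=;",
    "space_url":   f"v=BIMI1; l={BASE}/my logo.svg; a=;",
    "no_semi":     f"v=BIMI1; l={BASE}/logo.svg a={BASE}/vmc.pem",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: {lint_bimi(value) or 'OK'}")
```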


BIMI and Subdomain Senders

BIMI applies per domain. If you send from marketing.yourdomain.com, you need:

  1. A DMARC record at _dmarc.yourdomain.com with p=quarantine or p=reject (the organisational domain policy covers subdomains unless overridden)
  2. A BIMI record at _bimi.marketing.yourdomain.com — or the parent _bimi.yourdomain.com if no subdomain-specific record exists

Summary

BIMI is the visible reward for getting your full email authentication stack right. It requires discipline — you must enforce DMARC before it does anything — but the payoff is a logo that appears in the inbox and instantly signals to recipients that the email is genuinely from your brand.

For most organisations the path is: fix SPF → fix DKIM → enforce DMARC → prepare SVG → publish BIMI record → optionally obtain VMC for Gmail support. Each step builds on the last, and skipping any foundation layer will prevent BIMI from working.
