BIMI — Brand Indicators for Message Identification — is a standard that lets a verified brand logo appear beside your messages in a supporting mailbox. Instead of a grey placeholder or an auto-generated initial, recipients see your actual logo in the message list and, in some clients, on the open message. It is a small change with an outsized effect: a recognisable mark is one of the clearest signals that an email is genuinely from you.
The important thing to understand up front is that BIMI is a reward for authenticated mail, not a security control in its own right. A logo only appears once a domain has already proven that its mail is genuine. That is what makes the logo trustworthy — it cannot simply be attached by anyone. BIMI sits on top of the email authentication your domain already publishes, and most of the work of adopting it is getting that authentication right.
How BIMI works
BIMI is published as a single DNS TXT record. For the default configuration it lives
at default._bimi.yourdomain.com, and it looks like this:
default._bimi.example.com. TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem" v=BIMI1— the BIMI version. There is currently one version.-
l=— the HTTPS URL of your logo, published as an SVG file in the restricted SVG Tiny PS profile. -
a=— the HTTPS URL of a certificate that attests the logo is yours. This is a VMC or CMC certificate. It is optional in the standard, but the largest mailbox providers require it before they will show a logo.
When a message arrives, a supporting receiver first checks that the message is authenticated and
aligned under DMARC. If it is, the receiver looks up the BIMI record for the sending domain,
fetches the logo (and, where required, verifies the certificate), and displays the mark. The
_bimi label can also carry named selectors, so a domain can serve different logos
for different mail streams — but most senders only ever need default.
What your domain needs
Three things have to be in place, and they are worth tackling in this order:
- DMARC at enforcement. Your domain must publish a DMARC policy of
quarantineorreject— notnone— built on aligned SPF and DKIM. This is the non-negotiable prerequisite, and it is where most of the effort goes. The full chain is covered in BIMI and DMARC. - A compliant SVG logo. The logo must be a square SVG in the SVG Tiny PS profile, served over HTTPS. The exact rules — and the common reasons a logo is rejected — are set out in BIMI SVG logo requirements. Our SVG converter can produce a compliant file from a PNG, JPG or GIF.
- A certificate, for the providers that require one. Gmail and several other inboxes only display a logo when the record references a valid VMC or, where supported, a CMC. These are issued by a small number of certificate authorities and, for a VMC, require a registered trademark — see VMC and CMC certificates.
Only once DMARC is enforcing do the logo and certificate become worth publishing. Adding a BIMI
record while your DMARC policy is still p=none will not produce a logo anywhere.
Where the logo appears
Support has grown steadily, but it is not universal, and each provider treats BIMI slightly differently. As a general picture, BIMI logos are shown by mailboxes including Gmail, Apple Mail (on recent iOS and macOS releases), Yahoo Mail, AOL, Fastmail and La Poste, among others. Treatment varies: some providers require a VMC and display a verification tick alongside the logo; others accept a CMC or show the logo without a tick; and a few display a logo from the record without demanding a certificate at all. Because the rules change as the standard matures, it is worth confirming the current requirements of the specific inboxes your audience uses rather than assuming one behaviour everywhere.
It also follows that you cannot fully control where or how your logo renders. BIMI gives receivers the ingredients; each decides how to use them. What you can control is publishing a clean record, a valid logo and — where needed — a current certificate, on top of solid authentication.
What BIMI is not
A logo is a trust signal, not a deliverability lever. BIMI does not, on its own, improve whether your mail reaches the inbox or the spam folder — that is decided by your sending reputation and authentication. What BIMI does is make already-authenticated mail more recognisable, and it gives you one more reason to get DMARC to enforcement, which genuinely does protect your domain from being spoofed. Think of the logo as the visible reward for work that is worth doing regardless.
Nor is BIMI a guarantee that a message is safe. It confirms the mail is authenticated for the domain that sent it; it does not vouch for the contents. It is a strong signal of origin, used alongside the recipient's own judgement — not a replacement for it.
Check your configuration
The quickest way to see where you stand is to run your domain through the BIMI checker. It reports whether a BIMI record exists, whether your DMARC policy is at enforcement, whether the SVG logo validates, and whether the referenced certificate is trusted — then previews how the logo would appear. If any prerequisite is missing, the result tells you which one, so you know exactly what to fix next.
Related guides
- BIMI and DMARC — the enforcement prerequisite, and the safe path to it.
- BIMI SVG logo requirements — the SVG Tiny PS rules in full.
- VMC and CMC certificates — who issues them, and which you need.
- DKIM Studio — check the email signing keys BIMI relies on.
- DNS Studio email validator — check MX, SPF and DMARC records.