What Is BIMI and Why It Matters
Brand Indicators for Message Identification (BIMI) is an email specification that lets a sending domain publish a logo in DNS; mailbox providers that support it display that logo next to messages from the domain once they pass authentication. It is a display signal layered on top of existing authentication: it does not change whether a message is delivered, only how it appears in the inbox.
The practical benefit: a recognizable logo gives recipients a visual cue that the email is more likely to be legitimate, before they even read the subject line. BIMI only appears when the sending domain has strong email authentication in place, so the logo itself becomes a trust signal derived from authentication passing.
BIMI has been in active deployment since 2022. As of May 2025, BIMI is supported by Gmail, Apple Mail (iCloud, macOS), Yahoo, Fastmail, La Poste, Onet, and several other providers. Microsoft 365 and Outlook.com do not yet support display, though they may be considering it.
Sources: BIMI Group Senders FAQ | BIMI Group Implementation Guide | BIMI Support Infographic (May 2025)
How BIMI Validation Works / The Three-Part Chain
BIMI validation is a chain of three checks, evaluated in order. If any one link breaks, no logo is displayed, so the order also tells you where to look when diagnosing a failure.
The three links in order:
1. DMARC passes - Your domain must authenticate with DKIM or SPF (or both), and alignment must match the visible From domain.
2. You have a valid VMC or CMC - A Mark Certificate, issued by a Certificate Authority approved by the AuthIndicators Working Group, proving you have rights to the logo.
3. Your logo DNS record resolves - A BIMI TXT record pointing to an HTTPS URL where your logo file is hosted.
The critical point most tutorials skip: VMC/CMC is required by Gmail, Apple Mail, and most enterprise clients. Yahoo currently accepts self-asserted BIMI records (no certificate) under some conditions, but this is the exception, not the rule.
Source: BIMI Group Implementation Guide, Step 3
Step 1 - Get Your DMARC Policy Right First
BIMI requires DMARC at enforcement. A p=none policy is not enough: the BIMI specification and the providers that display logos treat p=none as a failed prerequisite, and in any case a monitoring-only policy offers no protection against spoofing. You need p=quarantine or p=reject.
The DMARC policy is evaluated for the organizational domain (apex), and if you publish a subdomain policy with sp= it must also be quarantine or reject. (BIMI selectors, covered in Step 4, let you publish different logo records for different sending streams; they do not relax the DMARC requirement.)
Minimum for BIMI display at most supporting providers:
• p=quarantine or p=reject on the apex domain
• DKIM aligned to the From domain (preferred) or SPF aligned to the From domain
• pct=100, or omit pct entirely (it defaults to 100); a percentage-limited quarantine policy is not treated as enforcement for BIMI
If DMARC is not passing, BIMI will not work. Fix DMARC first.
Source: BIMI Group Implementation Guide, Step 1
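The checks in Step 1 can be encoded as a small pre-flight test over the DMARC record text. The script below is an added example written for this page, not DMARCFlow code or part of the BIMI specification: it applies the rules the BIMI draft places on the DMARC record (p= must be quarantine or reject, pct= if present must be 100, sp= if present must not be none). The sample records at the bottom are constructed and use example.com as a placeholder domain.

```python
"""Does a DMARC record meet BIMI's enforcement requirements?

Added example for this page; it is not DMARCFlow code. It encodes the rules
the BIMI draft applies to the DMARC record: p= must be quarantine or reject,
pct= (if present) must be 100, and sp= (if present) must not be none. The
sample records at the bottom are constructed, not pulled from real domains.
"""
from __future__ import annotations

ENFORCING = ("quarantine", "reject")


def parse_tags(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_problems_for_bimi(record: str) -> list[str]:
    """Return the reasons a DMARC record would fail BIMI; an empty list means it passes."""
    tags = parse_tags(record)
    problems: list[str] = []

    if tags.get("v") != "DMARC1":
        problems.append("record must carry v=DMARC1")

    policy = tags.get("p")
    if policy not in ENFORCING:
        problems.append(f"p={policy} is not enforcement; BIMI needs quarantine or reject")

    # pct defaults to 100 when absent; anything lower is a partial policy.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        problems.append(f"pct={pct} is not 100; partial policies do not count as enforcement")

    # sp= overrides p= for subdomains; sp=none would leave subdomains unprotected.
    sp = tags.get("sp")
    if sp is not None and sp not in ENFORCING:
        problems.append(f"sp={sp} weakens the policy for subdomains")

    return problems


if __name__ == "__main__":
    # Constructed sample records for illustration (example.com is a placeholder).
    samples = {
        "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "weak subdomains": "v=DMARC1; p=reject; sp=none",
    }
    for label, rec in samples.items():
        print(f"{label:16} -> {dmarc_problems_for_bimi(rec) or 'OK for BIMI'}")
```

Feed it the output of `dig TXT _dmarc.yourdomain.com +short` (with the quotes stripped). Note that it only inspects the published policy; whether your actual mail passes DKIM or SPF alignment still has to be confirmed from a DMARC aggregate report or a test message.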
Step 2 - Acquire a Mark Certificate (VMC or CMC)
A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) is what proves to the mailbox provider that you have rights to display the logo. It is not a self-signed certificate. It is issued by an approved Mark Verifying Authority (MVA) after validating your organization and your rights to the mark.
VMC vs CMC:
• VMC - Requires a registered trademark. More rigorous validation. Accepted by all supporting providers.
• CMC - For organizations without a registered trademark, based instead on documented prior use of the mark (at least 12 months). Allows more flexibility (e.g., seasonal color variations, stacked wordmarks). Acceptance varies by provider.
Key VMC facts:
• Maximum validity: 398 days (roughly one year), per AuthIndicators Working Group Mark Certificate Requirements v1.7 (January 22, 2025)
• Cannot be shortened by TLS certificate policy changes - BIMI Mark Certificates are governed under a separate PKI from web TLS certificates
• Must list the domain the BIMI record is published for (a certificate can carry several domains). Receivers compare the certificate's domain with the domain whose BIMI record they used, so a parent-domain certificate does not cover a subdomain's own record, or vice versa
• DigiCert and Entrust are among the approved issuers
Common VMC problems:
• Expired VMC - Certificates last about one year. If lapsed, logo display fails silently at most providers. This is the most common cause of BIMI failure at large organizations.
• Wrong domain - The domain in the certificate does not match the domain whose BIMI record the receiver looked up.
• Untrusted CA - Not all Certificate Authorities are approved. Use an MVA from the approved list.
Source: AuthIndicators Working Group Mark Certificate Requirements (2025) | BIMI Group VMC Issuers
Step 3 - Create a BIMI-Ready Logo
File Format
BIMI requires SVG, and a specific profile of it: SVG Tiny 1.2 Portable/Secure (SVG Tiny PS), defined by the BIMI Group. Raster formats (PNG, JPEG, WebP, GIF) are not accepted, and a general-purpose SVG 1.1 export from a design tool will usually fail validation until it is converted to the profile. If your brand assets exist only as PNG, trace or redraw them as vector paths first.
SVG Tiny PS requirements:
• Root <svg> element in the SVG namespace declaring version="1.2" and baseProfile="tiny-ps"
• A <title> element (normally the brand name) as a child of the root
• No scripts, event-handler attributes, external references, or animation
• No embedded rasters (<image>) and no <foreignObject>
• No x or y attributes on the root <svg> element
• Square viewBox (e.g., 0 0 256 256)
• Keep the file under 32KB
• Server must serve it with Content-Type: image/svg+xml
• Simple paths; avoid complex filters and effects
Logo design guidelines:
• Square format, high contrast, minimal detail
• Bold simple shapes that remain recognizable at 20–24px (think favicon-like)
• Avoid text-heavy marks - they don't render well at small sizes
• Many providers render a circle or squircle mask around the logo - design for that
• If you need a background color, bake it into the SVG (don't rely on transparency working across all clients)
Tools: DMARCFlow offers a BIMI Generator that helps set everything up.
Source: BIMI Group Senders FAQ — What file format should I use?
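Most of the SVG Tiny PS rules above are structural and can be checked offline before you upload anything. The script below is an added example written for this page; it is not DMARCFlow's generator or the BIMI Group's validator. It checks the profile declaration, the <title> element, the ban on scripts, event handlers, external references, rasters and animation, the root x/y rule, a square viewBox and the 32KB limit. The forbidden-element list is the subset of the profile the checks are certain of, and the two SVG documents at the bottom are constructed test inputs (a compliant logo and a typical design-tool export that breaks several rules).

```python
"""Static checks for a BIMI logo against the SVG Tiny PS profile.

Added example for this page; not DMARCFlow code or the BIMI Group's
validator. Checks structure only, not how the logo renders. The two SVGs
at the bottom are constructed test inputs.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024
# Elements the profile forbids (scripting, rasters, foreign content, animation).
FORBIDDEN_ELEMENTS = {
    "script", "image", "foreignObject",
    "animate", "animateTransform", "animateMotion", "animateColor", "set",
}


def local_name(qualified: str) -> str:
    """'{ns}tag' -> 'tag'; also works for namespaced attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_tiny_ps_problems(svg_bytes: bytes) -> list[str]:
    """Return profile violations found; an empty list means the logo passed these checks."""
    problems: list[str] = []
    if len(svg_bytes) > MAX_BYTES:
        problems.append(f"file is {len(svg_bytes)} bytes; keep it under 32KB")

    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SVG_NS}}}svg":
        return problems + ["root element is not <svg> in the SVG namespace"]

    if root.get("version") != "1.2" or root.get("baseProfile") != "tiny-ps":
        problems.append('root must declare version="1.2" baseProfile="tiny-ps"')
    if "x" in root.attrib or "y" in root.attrib:
        problems.append("root <svg> must not carry x or y attributes")
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing required <title> element under the root")

    view_box = root.get("viewBox")
    if view_box is None:
        problems.append("missing viewBox")
    else:
        parts = view_box.replace(",", " ").split()
        if len(parts) != 4 or parts[2] != parts[3]:
            problems.append(f"viewBox {view_box!r} is not square")

    for element in root.iter():
        name = local_name(element.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"<{name}> is not allowed in SVG Tiny PS")
        for attr, value in element.attrib.items():
            attr_name = local_name(attr)
            if attr_name.startswith("on"):
                problems.append(f"event handler {attr_name} on <{name}>")
            # href / xlink:href may only point inside the document (#id), never outward.
            if attr_name == "href" and not value.startswith("#"):
                problems.append(f"external reference {value!r} on <{name}>")
    return problems


# Constructed sample: a compliant logo.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps"
     viewBox="0 0 256 256">
  <title>Example Brand</title>
  <rect width="256" height="256" fill="#0b3d91"/>
  <circle cx="128" cy="128" r="72" fill="#ffffff"/>
</svg>
"""

# Constructed sample: a design-tool export with the wrong profile, no title,
# a rectangular canvas, an embedded raster pulled from a CDN, and a script.
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" viewBox="0 0 300 200">
  <image xlink:href="https://cdn.example.net/logo.png" width="300" height="200"/>
  <script>alert(1)</script>
</svg>
"""

if __name__ == "__main__":
    for label, data in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        print(label, svg_tiny_ps_problems(data) or "passes SVG Tiny PS checks")
```

Run it over the file you intend to publish, not the one in the design tool: exporters often add metadata or a `<style>` block at save time, and what matters is the bytes the server will serve.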
Step 4 - Publish Your BIMI DNS Record
The BIMI TXT record is published at default._bimi.yourdomain.com. If you need different logos for different mail streams, publish additional records at <selector>._bimi.yourdomain.com and name the selector in a BIMI-Selector header on the message.
Format:
default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/path/logo.svg; a=https://example.com/path/vmc.pem"
Attributes:
• v=BIMI1 - Required, and must be the first tag.
• l= - Required. HTTPS URL to your SVG Tiny PS logo. An empty value (l=;) declines BIMI for the domain.
• a= - Optional in the specification but needed for display at Gmail and Apple Mail. HTTPS URL to your VMC/CMC PEM file (the Authority Evidence Document).
• avp= - Optional, defined in newer drafts of the specification. Avatar preference: bimi (default) or personal.
Common DNS mistakes:
• Wrong name - must be default._bimi.yourdomain.com (or <selector>._bimi.yourdomain.com), not bimi.yourdomain.com or _bimi.yourdomain.com
• Typo in the logo URL - the l= value must exactly match the URL where the logo is hosted
• Redirects in the logo URL - some validators reject logos behind 301/302 redirects; serve the file directly
• HTTP instead of HTTPS - the specification and all major validators require HTTPS
• Logo URL returns the wrong MIME type - must be image/svg+xml
Test the logo URL independently before publishing. Copy the URL from your BIMI record and paste it into a browser. Does it load? Does it show the image directly, not a download?
Source: BIMI Group Implementation Guide, Step 4
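The record syntax in Step 4 is small enough to validate before it goes into DNS. The script below is an added example written for this page, not DMARCFlow code: it builds the lookup name for a domain and selector, then applies the record rules from the BIMI draft (v=BIMI1 first, l= required with an empty value meaning "declined", absolute https URLs for l= and a=, and the optional avp= values). The sample records are constructed and use example.com as a placeholder.

```python
"""Parse and sanity-check a BIMI DNS record before publishing it.

Added example for this page, not DMARCFlow code. Applies the record rules
from the BIMI draft: v=BIMI1 must be the first tag, l= is required (an
empty l= declines BIMI for the domain), and logo/evidence URLs must be
absolute https. Sample records are constructed; example.com is a placeholder.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def bimi_record_name(domain: str, selector: str = "default") -> str:
    """Where receivers look for the record: <selector>._bimi.<domain>."""
    return f"{selector}._bimi.{domain.rstrip('.')}"


def parse_tags(record: str) -> list[tuple[str, str]]:
    """Split 'tag=value; tag=value' into ordered pairs; tag names are lower-cased."""
    pairs: list[tuple[str, str]] = []
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def _https_problem(tag: str, url: str) -> str | None:
    """Both l= and a= must be absolute https URLs; anything else is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return f"{tag}= must be an absolute https URL, got {url!r}"
    return None


def check_bimi_record(record: str) -> dict:
    """Return status ('ok', 'declined' or 'invalid'), the URLs found, and any problems."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    problems: list[str] = []

    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("record must begin with v=BIMI1")
    if "l" not in tags:
        problems.append("l= is required (publish l=; to decline BIMI)")

    logo = tags.get("l", "")
    evidence = tags.get("a", "")

    # Declined record: l= present but empty. a= must then be empty as well.
    if "l" in tags and logo == "":
        if evidence:
            problems.append("a= is set but l= is empty; a declined record leaves both empty")
        status = "declined" if not problems else "invalid"
        return {"status": status, "logo": None, "evidence": None, "problems": problems}

    for tag, url in (("l", logo), ("a", evidence)):
        if url:
            issue = _https_problem(tag, url)
            if issue:
                problems.append(issue)

    # Optional avatar-preference tag from newer drafts of the spec.
    avp = tags.get("avp")
    if avp is not None and avp not in ("bimi", "personal"):
        problems.append(f"avp={avp} is not one of bimi, personal")

    return {
        "status": "ok" if not problems else "invalid",
        "logo": logo or None,
        "evidence": evidence or None,
        "problems": problems,
    }


if __name__ == "__main__":
    print(bimi_record_name("example.com"))
    for rec in (
        "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem",
        "v=BIMI1; l=;",
        "v=BIMI1; l=http://example.com/bimi/logo.svg",
        "l=https://example.com/bimi/logo.svg; v=BIMI1",
    ):
        print(check_bimi_record(rec))
```

A record that comes back "ok" with evidence set to None is syntactically valid but self-asserted; as the rest of this page notes, Gmail and Apple Mail will not display a logo for it.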
How to Test Each Step in Isolation
When BIMI fails, check in this order - each step depends on the previous:
Test 1: DMARC
Run a full DMARC check. Verify:
• A valid DMARC record exists at _dmarc.yourdomain.com
• Policy is p=quarantine or p=reject (and pct is 100 or absent)
• DKIM or SPF alignment passes for your test message
If DMARC fails, BIMI won't work - no exceptions.
Test 2: VMC Certificate
If DMARC passes, check the certificate:
• Does the certificate exist at the URL in your a= attribute, and is it served over HTTPS?
• Is it a valid PEM file? Download it and inspect it with openssl x509 rather than relying on the HTTP Content-Type header
• Has it expired? (Check the notAfter date; Mark Certificates last at most 398 days)
• Does the certificate list the domain whose BIMI record you published?
If you don't have direct access to the VMC details, contact the issuer.
Test 3: Logo File
Can you load the logo URL in a browser directly? Does it:
• Load without redirects?
• Return image/svg+xml as its content type?
• Meet the SVG Tiny PS requirements?
• Stay under 32KB?
Test 4: BIMI DNS Record
Use a DNS lookup to confirm:
• The TXT record exists at default._bimi.yourdomain.com (or under the selector you use)
• The semicolons and attributes are correct
• The logo and certificate URLs are spelled exactly right
Verification command:
dig TXT default._bimi.yourdomain.com +short
Or use DMARCFlow's BIMI Checker to run the full chain in one view.
BIMI Troubleshooting FAQ
What's the minimum DMARC policy for BIMI?
p=quarantine or p=reject. BIMI validation fails on p=none: the specification requires an enforcing policy, and a monitoring-only policy would leave the domain open to spoofing, which defeats the purpose of showing a logo. A quarantine policy must also apply to all mail (pct=100, or no pct tag).
Can I use a self-signed certificate for BIMI?
No. BIMI requires a VMC or CMC from an approved Mark Verifying Authority. Self-signed certificates are not accepted by any major email provider that supports BIMI.
Does BIMI work without a VMC?
Partially. Some early adopter clients (Yahoo, some Fastmail and Nokia clients) have shown BIMI logos without a VMC. But Gmail, Apple Mail, and most enterprise clients require the VMC. If you want reliable display across major providers, you need a VMC.
My logo shows in some clients but not others - why?
BIMI support varies by email client. Clients that support BIMI show the logo if the chain passes. Clients that don't support BIMI simply ignore it. If it's showing in some but not all, check which clients you're testing - different clients have different implementation levels. See the full BIMI support infographic for per-provider status.
Why did my logo stop showing?
If BIMI was working and stopped, the most common causes are:
1. VMC expired (check expiration date - they last about one year)
2. Logo URL became unreachable (server downtime, CDN change, MIME type changed)
3. DMARC policy or alignment changed
4. Provider updated their display requirements
BIMI shows my logo but I don't have a VMC - why?
Yahoo and a few other providers accept self-asserted BIMI (no certificate). This is provider-specific and not the general case. Gmail and Apple Mail require a VMC.
Does the TLS 47-day certificate lifetime apply to BIMI certificates?
No. The move toward shorter TLS certificate lifetimes applies to web PKI certificates in browsers. BIMI Mark Certificates are governed under a separate PKI and are not subject to CA/Browser Forum TLS Baseline Requirements. VMC/CMC validity remains at a maximum of 398 days.
Can I host my logo on a different domain?
Yes, cross-hosted SVGs are fine as long as the URL is publicly accessible over HTTPS with the correct MIME type, no geo-fencing, no IP allowlisting, and proper caching headers. The logo domain does not need to match the sending domain.
Can I exclude a subdomain from BIMI?
Yes, but not by leaving the subdomain without a record: when a receiver finds no BIMI record at the From domain it falls back to the organizational domain's record, so the apex logo would still be used. Instead, publish a declined record for that subdomain with an empty logo tag (v=BIMI1; l=;), which tells receivers the subdomain opts out. Providers still make the final display decision.
Source: BIMI Group Senders FAQ | BIMI Group Implementation Guide
Why VMC Expiry Is the Most Common Failure Point at Large Organizations
A pattern seen repeatedly: large organizations with expired VMC certificates (Bank of America being one visible example). The reason is almost always organizational, not technical.
DNS team owns DNS. Brand team owns the logo. Marketing owns the email program. Nobody owns the certificate renewal calendar. The VMC lives in a shared inbox or a ticketing system that nobody checks. By the time anyone notices the logo has disappeared from Gmail, the certificate expired months ago.
The fix is operational: put VMC expiry in a calendar reminder 60 days before the certificate lapses, owned by a role rather than a person. Most MVAs send expiry notifications, but they go to whoever originally purchased the certificate, which may be a former employee. DMARCFlow's BIMI monitoring can surface configuration gaps, but the certificate renewal itself is a CA relationship and calendar management problem.
Sources
• BIMI Group — Senders FAQ
• BIMI Group — Implementation Guide
• BIMI Group — BIMI Support Infographic (May 2025)
• AuthIndicators Working Group — Mark Certificate Requirements v1.7 (January 2025)
• BIMI Group — VMC/CMC Issuers