Why Your BIMI Record Fails Validation (And How to Fix It)
Your DMARC record looks correct. Your logo is uploaded. But your BIMI record still isn't passing validation, and no tool is telling you exactly why.
BIMI failure is a chain with three links.
How BIMI Validation Works - The Three-Part Chain
BIMI depends on three things passing in sequence:
- DMARC passes - Your domain must authenticate with DKIM or SPF (or both), and the alignment must match.
- You have a valid VMC - A Verified Mark Certificate, issued by a Certificate Authority approved by the BIMI working group.
- Your logo DNS record resolves - A BIMI DNS record that points to where your logo file lives.
Most tutorials skip the VMC entirely. That's where a lot of failures come from.
Common Reason #1 - Logo File Format Issues
BIMI logos are picky. If your logo was exported from Figma, Illustrator, or a design tool, re-export it with these constraints in mind. Design tools often output 24-bit PNG with alpha transparency by default - neither of which BIMI accepts.
A common mistake: using a logo file that looks fine in a browser but fails because it was saved with color profile metadata that parsers reject.
How to test: Download the logo, open it in a basic image viewer, and check the file size and format properties directly. If you're unsure, re-export.
Common Reason #2 - VMC Certificate Problems
A Verified Mark Certificate is what proves you own the logo. It can't be a self-signed certificate; it has to be issued by a supported Certificate Authority.
The most common VMC problems:
- Expired VMC. Certificates expire. Most last one year. If yours has lapsed, BIMI validation fails.
- Wrong domain in the VMC. The certificate must be issued to exactly the domain sending the email, not a parent domain, not a subdomain.
- Untrusted CA. Not all CAs are approved. The BIMI spec maintains a list of supported issuers.
VMCs are not free: they cost money and require validation. If you're testing BIMI without a VMC, you won't get full validation in most clients. Some early adopter clients show logos without a VMC, but most major email providers require it.
How to test: Check the certificate's expiration date and domain binding. If you don't have access to the VMC details, contact whoever issued it.
Common Reason #3 - DNS Configuration Errors
Common mistakes:
- Wrong subdomain. The BIMI record must be on default._bimi.yourdomain.com, not bimi.yourdomain.com or mail._bimi.yourdomain.com.
- Typo in the URL. The l= value must point to the exact logo URL - no redirects, no 404s.
- HTTPS-only URL. Some validators require the logo URL to use HTTPS. If your server doesn't support TLS, the logo won't load.
- Logo URL not reachable. Test this separately. Copy the URL from your BIMI record and paste it into a browser. Does it load?
How to test: Use a DNS lookup tool to confirm the BIMI record exists and resolves. Then test the logo URL independently.
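The DNS mistakes listed above can be caught offline once you have the record name and TXT value from your lookup tool. The linter below is an added example, not code from DMARCFlow or any BIMI validator; the function names and the example.com records are constructed for illustration, and the a= tag (where the VMC is published) is taken from the BIMI specification, not from this article.

```python
from urllib.parse import urlparse

def parse_tags(txt_value):
    """Split 'v=BIMI1; l=...; a=...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt_value.split(";"):
        key, sep, value = part.partition("=")  # first '=' only, URLs may contain more
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_url(tag, url, problems):
    """Flag URLs a validator cannot fetch over TLS. Reachability, redirects
    and 404s still need a live request and are not checked here."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"{tag}= URL is not HTTPS: {url!r}")
    elif not parsed.hostname:
        problems.append(f"{tag}= URL has no host: {url!r}")

def lint_bimi_record(owner_name, txt_value, sending_domain):
    """Return a list of problems; an empty list means the record looks well-formed."""
    problems = []
    expected = f"default._bimi.{sending_domain}".lower().rstrip(".")
    if owner_name.lower().rstrip(".") != expected:
        problems.append(f"record is on {owner_name}, expected {expected}")
    tags = parse_tags(txt_value)
    if tags.get("v") != "BIMI1":
        problems.append("v= tag missing or not BIMI1")
    for tag, label in (("l", "logo URL"), ("a", "VMC URL")):
        if not tags.get(tag):
            problems.append(f"{tag}= tag ({label}) missing or empty")
        else:
            check_url(tag, tags[tag], problems)
    return problems

# Constructed sample records (not real deployments)
GOOD = ("default._bimi.example.com",
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem")
BAD = ("bimi.example.com", "v=BIMI1; l=http://example.com/logo.svg")

if __name__ == "__main__":
    for name, value in (GOOD, BAD):
        print(name, "->", lint_bimi_record(name, value, "example.com") or "OK")
```

A clean result only means the record is well-formed; the logo URL and the VMC still have to be tested as described in the other sections.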
How to Test Each Step in Isolation
When BIMI fails, check in this order:
- Test DMARC first. If DMARC fails, BIMI won't work - no exceptions. Run a full DMARC check before touching anything else.
- Check your VMC. Expiration date, domain match, issuing CA.
- Check your BIMI DNS record. TXT record present and pointing to the right URL.
This order matters. If you fix the logo but DMARC is still failing, BIMI still won't work.
How DMARCFlow Catches BIMI Failures
BIMI troubleshooting often involves checking several systems independently: SPF, DKIM, DMARC alignment, DNS records, certificate validity, and logo hosting.
DMARCFlow runs authentication checks across DKIM, SPF, and DMARC, then highlights BIMI-related issues in the reports. That makes it easier to identify whether the problem is related to alignment, DNS configuration, certificate validation, or logo hosting.
They also offer free 15-minute consultation calls, including for non-customers who are troubleshooting BIMI setup or validation problems.
If you're troubleshooting a BIMI failure, start there.
BIMI Troubleshooting FAQ
What's the minimum DMARC policy for BIMI? p=quarantine or p=reject. p=none doesn't break BIMI (validation still passes), but it also means you're not actually protected against spoofing. BIMI doesn't require a strict policy, but if you're using it, you probably care about authentication.
Can I use a self-signed certificate for BIMI? No. BIMI requires a VMC from a supported Certificate Authority. Self-signed certificates are not accepted by any major email provider that supports BIMI.
Does BIMI work without a VMC? Partially. Some early adopter clients (like some Nokia and Fastmail clients) have shown BIMI logos without a VMC. But Gmail, Apple Mail, and most enterprise clients require the VMC. If you want real display rates, you need a VMC.
My logo shows in some clients but not others - why? BIMI support varies by email client. Clients that support BIMI will show the logo if the chain passes. Clients that don't support BIMI simply ignore it. If it's showing in some but not all, check which clients you're testing; different clients have different implementation levels.
How long does it take for BIMI changes to propagate? DNS changes for BIMI typically take effect within a few hours, but some email providers cache records longer. If you've fixed an issue, wait 24 to 48 hours before retesting.