The Simple Answer: What is BIMI?
BIMI (Brand Indicators for Message Identification) is the digital verification badge for your email inbox. Just as a verified checkmark on social media tells you an account is official, a BIMI logo tells a recipient that an email is authentically from your brand. When you send an email, participating mailbox providers check your DNS records, verify your authentication (DMARC), and if everything is correct, they pull your official logo and display it right next to your subject line. This increases open rates, builds immediate visual trust, and separates your legitimate corporate communications from the sea of anonymous spam.
Think of it as a corporate ID badge at a high-security building. To get the badge (the BIMI logo), you first have to prove who you are (SPF and DKIM) and have the building's security staff vouch for you (DMARC). If your 'ID' is valid, you get to stand out from anonymous senders and enter with your brand's colors proudly displayed. Proper sender identity and IP reputation are the foundation that the world's leading mailbox providers look for when deciding whether to render your logo.
TL;DR: Quick Summary
- The Goal: To display a verified, high-resolution brand logo in the recipient's inbox to increase recipient trust and open rates.
- The Prerequisite: You MUST have DMARC enforced at p=quarantine or p=reject. A policy of p=none will not work.
- The Certificate: Many major providers (like Google) require a Verified Mark Certificate (VMC) to prove you own the trademark for the logo.
- The Format: The logo must be an SVG Tiny PS (Portable/Secure) file, which is a specific, hardened version of SVG.
- The DNS Record: BIMI is published as a TXT record, usually at default._bimi.yourdomain.com.
- The Result: Improved brand recognition and a significant boost in email engagement metrics.
How BIMI Works: The Technical Engine
BIMI does not exist in a vacuum; it is the final layer of a 'stack' of email authentication protocols. When an email enters a mailbox provider like Gmail or Yahoo, a specific sequence of logic occurs before that logo is ever rendered. First, the provider checks SPF (Sender Policy Framework) to see if the sending IP is authorized. Next, it checks DKIM (DomainKeys Identified Mail) to ensure the message wasn't tampered with in transit. Finally, it checks DMARC (Domain-based Message Authentication, Reporting, and Conformance) to see how it should handle the mail if SPF or DKIM fail.
If the DMARC check passes and the policy is enforced (meaning the domain is protected), the mailbox provider looks for a BIMI DNS record. This record provides a URL to the brand's logo. The provider fetches the logo, validates that it meets the SVG Tiny PS security standards, and—if a VMC is required—validates the certificate. Only after this series of security checks is the logo displayed. This complexity exists for a reason; it ensures that logos are only displayed for domains that have undergone rigorous identity verification. Auditing your authentication stack is the first step in ensuring your domain is BIMI-ready.
BIMI DNS Record Format
A BIMI record is a standard DNS TXT record. It is typically published under a selector, with default being the most common. The record follows a specific syntax that tells the mailbox provider where the assets live. BIMI selectors work similarly to DKIM selectors, allowing you to use different logos for different email streams within the same domain.
Example BIMI Record
default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

In some cases, if a brand does not use a Verified Mark Certificate (VMC), which is common for implementations targeting providers like Yahoo, the authority tag can be left blank:

default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/logo.svg; a="

Let's break down the tags used in these records:
- v=BIMI1: This is the version tag. It must be present and set to BIMI1 for the record to be valid. Much like other DNS-based protocols, the receiving mail system parses this tag to identify the record as a BIMI instruction.
- l= (Location): This tag provides the absolute URL to your brand's SVG logo. This file must be hosted on a secure (HTTPS) server to prevent man-in-the-middle attacks.
- a= (Authority): This tag points to the Verified Mark Certificate (VMC) destination. This PEM file is a base64-encoded certificate file containing the proof of your trademark ownership and the public key of the Certificate Authority.
The DMARC Requirement: The Foundation of Trust
BIMI is built on top of DMARC enforcement. You cannot have a BIMI logo if your domain is vulnerable to spoofing. Mailbox providers will only display a logo if the domain owner has explicitly stated that unauthenticated mail should be Quarantined or Rejected. This ensures that an attacker cannot spoof your domain and exploit your brand's visual identity.
A properly enforced DMARC setup is non-negotiable. If your policy is set to p=none, providers will ignore your BIMI record entirely. To qualify, you must move to p=quarantine or p=reject. Most mailbox providers expect the policy to apply to 100% of mail. This transition requires careful monitoring of your mail streams to ensure that legitimate third-party senders (like your CRM or billing platform) are correctly authenticated with SPF and DKIM alignment. While DMARC supports relaxed alignment, achieving strict alignment (aspf=s and adkim=s) is a best practice for brands with high-security requirements.
SPF and DKIM Alignment
For DMARC to pass, and thus for BIMI to work, you must have alignment. This means the domain used in the SPF check or the DKIM signature must match the domain found in the 'From' header of the email. If you send mail from marketing.example.com but your BIMI record is only on example.com, the logo may not appear unless you have properly configured your organizational domain settings. Subdomain inheritance for BIMI is complex, and many experts recommend publishing a specific BIMI record for each major sending subdomain to ensure consistent logo rendering across different mailbox environments.
What is a VMC (Verified Mark Certificate)?
A Verified Mark Certificate (VMC) is a digital certificate issued by a trusted Certificate Authority (such as DigiCert or Entrust). It serves as cryptographic proof that your brand owns the trademark for the logo you are using. While Yahoo and some smaller providers may display logos without a VMC for high-reputation senders, Google (Gmail) requires a VMC for the logo to appear. To obtain a VMC, your logo must be a registered trademark in an approved national or regional intellectual property office.
Why is a VMC required? It prevents brand impersonation. Without a VMC, anyone could implement DMARC and then claim the 'Nike' logo in their DNS record. The VMC ensures that only the legal owners of the trademark can use the visual representation of that brand in the inbox. Depending on mailbox provider requirements, this can be the most expensive and time-consuming part of the BIMI implementation process. The issuance process involves verifying the trademark status, domain ownership, and identity of the requesting organization.
SVG Logo Requirements: The 'Tiny PS' Standard
You cannot simply use any SVG file for BIMI. The standard requires the SVG Tiny Portable/Secure (SVG Tiny PS) specification. This is a subset of SVG that removes potentially dangerous elements like JavaScript, external references, and animations. If your SVG file contains even a single prohibited tag, the mailbox provider will reject it as a security risk.
Key SVG Tiny PS Rules:
- The SVG Tiny PS file should generally remain below 32KB for broad compatibility and fast loading.
- The logo should be centered and square-proportioned for the best fit in round or square inbox avatars.
- The background should be a solid color, as many inboxes use Dark Mode which can make transparent backgrounds look poor.
- The file must be validated using a BIMI-specific SVG conversion tool to ensure all non-compliant code is stripped away.
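The rules above can be turned into a pre-flight lint that runs before a logo is published. The following is an added example, not code from the original page or from any BIMI tool; the function name `lint_tiny_ps`, the sample files and the `baseProfile` check (taken from the SVG Tiny PS draft rather than this page) are assumptions of the example, and it does not replace a full validator.

```python
import xml.etree.ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"
MAX_BYTES = 32 * 1024  # size guidance from the rules above
BANNED = {"script", "animate", "animateColor", "animateMotion",
          "animateTransform", "set"}  # scripting and animation elements

def lint_tiny_ps(data: bytes) -> list[str]:
    """Return findings for one SVG file; an empty list means nothing was flagged."""
    findings = []
    if len(data) > MAX_BYTES:
        findings.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    # This example's own precaution: never hand a DTD to the XML parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return findings + ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_ROOT:
        return findings + ["root is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":  # marker from the Tiny PS draft
        findings.append('root lacks baseProfile="tiny-ps"')
    try:
        _, _, w, h = (float(v) for v in root.get("viewBox", "").replace(",", " ").split())
    except ValueError:
        w, h = 0.0, 1.0  # missing or malformed viewBox
    if w != h:
        findings.append("viewBox missing or not square")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name in BANNED:
            findings.append(f"prohibited element <{name}>")
        for attr, value in el.attrib.items():
            key = attr.rsplit("}", 1)[-1].lower()
            if key.startswith("on"):  # inline event handlers carry script
                findings.append(f"event handler {key} on <{name}>")
            if key == "href" and not value.startswith("#"):
                findings.append(f"external reference on <{name}>: {value}")
    return findings

# Constructed sample files, not real brand assets.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps"'
        b' viewBox="0 0 100 100"><title>Example</title>'
        b'<rect width="100" height="100" fill="#036"/></svg>')
BAD = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 100">'
       b'<script>x()</script><rect width="200" height="100" onclick="x()"/>'
       b'<use href="https://cdn.example/shape.svg#a"/>'
       b'<animate attributeName="x" dur="1s"/></svg>')
```

Calling `lint_tiny_ps(BAD)` reports the missing profile marker, the non-square viewBox, the script and animation elements, the inline handler and the external reference, while `lint_tiny_ps(GOOD)` returns an empty list.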
Comparison Table: BIMI Requirements
| Requirement | Needed for BIMI | Notes |
|---|---|---|
| DMARC policy | Yes | Targeting p=quarantine or p=reject |
| SPF | Yes | Must align with DMARC |
| DKIM | Yes | Must align with DMARC |
| SVG logo | Yes | Must follow BIMI Tiny PS format |
| VMC | Sometimes | Always required by Google/Gmail |
| Reputation | Yes | BIMI does not override poor reputation |
Supported Mailbox Providers
Adoption of BIMI is a moving target. As of 2026, the landscape of supported mailbox providers is broad but has distinct rules. BIMI helps recognizable brands present a more trustworthy appearance in the inbox across a variety of platforms:
- Google (Gmail): Full support, generally requires a VMC. Eligible senders may also receive a blue verified checkmark.
- Yahoo: Full support, often does not require VMC for very high-reputation senders, but it is recommended.
- Apple (iCloud Mail): Supports BIMI in the Mail app on iOS 16+ and macOS Ventura+, requiring VMC for display.
- Fastmail: Early adopter with full support.
- Microsoft (Outlook): Currently does not natively support the BIMI standard for external senders, though they have their own internal 'Business Profile' system.
Common BIMI Setup Mistakes
Even with the right intentions, technical errors can prevent your logo from showing up. Here are the most frequent hurdles encountered by IT teams:
- Incorrect DMARC Percentage: A policy like `p=quarantine; pct=50` will disqualify you. Most mailbox providers expect the policy to apply to 100% of mail.
- Missing 'v=BIMI1' Tag: Like SPF, if the version tag is missing or mistyped, the entire record is ignored.
- Unsecured Logo URL: Using an HTTP link instead of HTTPS will trigger a security rejection.
- Caching Issues: Mailbox providers cache BIMI records aggressively. If you update your logo, it might take weeks to refresh unless you change the Selector in your DNS.
- Self-Signed VMC: You cannot generate your own VMC; it must be purchased from an authorized issuer.
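The first three mistakes above, together with the record tags and the DMARC enforcement rule described earlier, can be checked mechanically from the two TXT records. This is an added example, not code from the original page; the function names and the sample records are assumptions of the example, and it works on TXT strings you have already looked up rather than querying DNS itself.

```python
from urllib.parse import urlsplit

def parse_tags(txt: str) -> list[tuple[str, str]]:
    """Split a 'tag=value; tag=value' TXT payload into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt: str) -> list[str]:
    pairs = parse_tags(txt)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["FAIL: DMARC record does not start with v=DMARC1"]
    tags, out = dict(pairs), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        out.append(f"FAIL: p={policy or '?'} is not an enforced policy")
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
        out.append(f"FAIL: pct={tags['pct']} leaves part of the mail unenforced")
    return out

def check_bimi(txt: str) -> list[str]:
    pairs = parse_tags(txt)
    if not pairs or pairs[0] != ("v", "BIMI1"):
        return ["FAIL: BIMI record does not start with v=BIMI1"]
    tags, out = dict(pairs), []
    for tag in ("l", "a"):
        url = tags.get(tag, "")
        if not url:
            # Blank a= is valid syntax, but VMC-requiring providers will show no logo.
            out.append("FAIL: l= has no logo URL" if tag == "l"
                       else "WARN: a= is blank, so no VMC is offered")
        elif urlsplit(url).scheme.lower() != "https" or not urlsplit(url).hostname:
            out.append(f"FAIL: {tag}= is not an absolute HTTPS URL: {url}")
    return out

def bimi_readiness(dmarc_txt: str, bimi_txt: str) -> list[str]:
    """Findings for one domain; an empty list means both records look eligible."""
    return check_dmarc(dmarc_txt) + check_bimi(bimi_txt)

# Constructed sample records (example.com values follow the page's own examples).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
HALF_DMARC = "v=DMARC1; p=quarantine; pct=50"
GOOD_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
HTTP_BIMI = "v=BIMI1; l=http://example.com/logo.svg; a="
```

A WARN finding does not block every provider, since a blank `a=` is accepted where a VMC is not required, while a FAIL finding matches a condition the page describes as disqualifying.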
BIMI Troubleshooting Guide
If your logo is not appearing, follow this diagnostic checklist:
- Check DMARC alignment: Verify that your SPF and DKIM domains exactly match the header domain.
- Validate the SVG: Run your logo through an SVG Tiny PS validator to check for hidden paths or scripts.
- Verify DNS Selector: Ensure you are using the 'default' selector unless you have specifically configured your mail headers to use a custom one.
- Check Reputation: If you are on a blacklist or have a high spam complaint rate, providers may temporarily disable your logo display even if your technical setup is perfect. Regularly auditing sender reputation is part of a healthy mail flow.
- Monitor the VMC: Check the expiration date and ensure the PEM file is publicly accessible from mailbox provider infrastructure.
Final Thoughts on Visual Trust
BIMI is the natural evolution of email security. It moves authentication out of the backend (where only IT people see it) and into the frontend (where customers see it). By implementing BIMI, you aren't just checking a compliance box; you are actively defending your brand's reputation and honoring your customers' need for security. While the technical requirements—especially the VMC and DMARC enforcement—are high, the reward is a more recognizable, trusted, and professional presence in today's crowded inboxes. It helps recognizable brands present a more trustworthy appearance in the inbox and sets the stage for a safer, verified internet.