---
title: "How to Set Up BIMI (and Why 28% of Records Break)"
description: "BIMI puts your logo in the inbox — but 28% of records break. Here's how to set up BIMI: the DNS TXT record, SVG Tiny PS logo, and VMC vs CMC. Check yours free."
publishedAt: 2026-07-06
lastUpdatedAt: 2026-07-06
tags: ["bimi", "bimi-record", "vmc", "setup", "email-authentication", "dns"]
faq:
  - question: "Is BIMI free?"
    answer: "Publishing the DNS record is free, and a self-asserted record — a logo with no certificate — displays in Yahoo Mail, AOL, and Fastmail at no cost. The expense comes from the certificate Gmail and Apple Mail require: a Verified Mark Certificate lists at $1,416.00 per year from DigiCert."
  - question: "Does Gmail use BIMI?"
    answer: "Yes. Gmail shows BIMI logos in the web client and the mobile apps, but it requires a mark certificate — either a VMC or a CMC. A logo-only self-asserted record is not enough for Gmail. The blue verified checkmark appears only for VMC holders; a CMC shows the logo without the checkmark."
  - question: "Does Apple Mail use BIMI?"
    answer: "Yes, on iOS 16+, iPadOS 16+, macOS Ventura 13+, and iCloud.com — but Apple Mail requires a VMC and does not accept a CMC. A verified logo is labelled digitally certified rather than getting a checkmark. Apple's separate Branded Mail program is not BIMI and needs no certificate."
  - question: "Does Outlook support BIMI?"
    answer: "No. Microsoft — Outlook.com, Hotmail, Exchange Online, and Microsoft 365 — does not display BIMI logos for inbound mail, even with a valid record, enforced DMARC, and a VMC. Microsoft supports BIMI only as a sender and has announced no date for receiver-side display."
  - question: "Why is my BIMI record not showing or not found?"
    answer: "The usual causes are a non-compliant SVG that is not Tiny PS 1.2, DMARC that is not at enforcement, an unreachable logo URL from an HTTP redirect or wrong MIME type, or a syntax slip such as I= instead of l=. Providers also cache logos and may delay display by up to about 48 hours."
  - question: "Do I need a VMC for BIMI?"
    answer: "Only for Gmail's blue checkmark and for Apple Mail display. Yahoo and Fastmail need no certificate, and Gmail also accepts a CMC, which needs no trademark — only 12 months of provable prior logo use. A VMC requires a registered trademark and lists at about $1,416 per year."
---
# How to Set Up a BIMI Record: DNS, Logo, and Certificate

BIMI is the protocol that puts your brand's logo next to your name in the inbox.
Almost nobody runs it, and of the few that do, more than a quarter have it
broken. A BIMI (Brand Indicators for Message Identification) record is a DNS TXT
record, published at `default._bimi.yourdomain.com`, that tells supporting
mailbox providers where to find your logo — and, optionally, the certificate
that proves you own it. This guide on how to set up BIMI is written for the IT
admin or founder-operator who already runs DMARC and wants the logo payoff.

The catch is that a BIMI record is unforgiving of small mistakes, and most
failures are silent: the mail sends fine, the logo just never appears. By the
end you will have the exact DNS record, how to prepare a logo that actually
renders, whether you need a Verified Mark Certificate (VMC) or a Common Mark
Certificate (CMC), and how to fix a record that won't show. BIMI rides on top of
DMARC ([RFC 9989](https://datatracker.ietf.org/doc/html/rfc9989)), so an
enforced DMARC policy is a hard prerequisite — more on that below.

## What a BIMI record actually is (the 60-second version)

A BIMI record is a single DNS TXT record at the host `default._bimi` whose value
names your logo's URL (`l=`) and, optionally, a mark certificate (`a=`). It does
not authenticate mail itself — it rides on top of an enforced DMARC policy, and
receivers only look at it once DMARC passes.

Three core tags do all the work:

- `v=BIMI1` — the version, and it must be the first tag.
- `l=` — the HTTPS URL of your SVG logo.
- `a=` — the HTTPS URL of your VMC or CMC `.pem` file. Leave it empty for a
  self-asserted record (a logo with no certificate).

That is the whole anatomy. BIMI is an _indicator_ layer, not an authentication
layer, which is why the heavy lifting happens in DMARC. For the protocol-level
explainer — how the pieces fit and why the standard works this way — see
[what a BIMI record is](/learn/bimi/). The rest of this guide stays on the
procedural lane: getting a record published that renders, and keeping it from
breaking.

## Which email clients show BIMI logos in 2026?

As of 2026, four major providers render BIMI logos — Gmail, Apple Mail, Yahoo
Mail (and AOL), and Fastmail. Microsoft (Outlook.com and Microsoft 365) does
**not** display BIMI logos for inbound mail and has announced no date to. Where
your logo will actually show determines whether the rest of the project —
especially a four-figure certificate — is worth it, so settle this first.

<DataTable caption="BIMI display and certificate requirements by provider (verified 2026-06-26)">

| Provider                         | Shows BIMI logo? | Certificate required  | Notes                                                                                                             |
| -------------------------------- | ---------------- | --------------------- | ----------------------------------------------------------------------------------------------------------------- |
| Gmail (web + apps)               | Yes              | **VMC or CMC**        | Blue verified checkmark = VMC only; a CMC shows the logo without the checkmark. A logo-only record is not enough. |
| Apple Mail (iOS 16+ / macOS 13+) | Yes              | **VMC only** (no CMC) | No checkmark; a verified logo is labelled "digitally certified." Verified server-side by the provider.            |
| Yahoo Mail / AOL                 | Yes              | **None**              | Renders self-asserted records (valid SVG + DMARC at enforcement + reputation). Bulk mail only, not personal.      |
| Fastmail                         | Yes              | **None**              | Renders authenticated domains with a valid SVG; VMC optional. Caches the logo at its MX servers.                  |
| Microsoft 365 / Outlook.com      | **No**           | n/a                   | Supports BIMI only as a _sender_ (via Dynamics 365), not as a receiver. No rollout date announced.                |

</DataTable>

These rules are sourced, not asserted: Gmail's VMC-or-CMC behaviour is in
[Google Workspace Admin Help](https://support.google.com/a/answer/10911320)
(updated 2026-06-18); Apple's VMC-only rule and the "digitally certified" label
are in [Apple Support article 108340](https://support.apple.com/en-us/108340);
Yahoo's no-certificate, bulk-only display is documented on the
[Yahoo Sender Hub](https://senders.yahooinc.com/bimi/); and Microsoft's
sender-only stance was confirmed on Microsoft Q&A (2025-09-29, reaffirmed
2026-05-21).

<Callout type="info" title="Apple's Branded Mail is not BIMI">

Apple "Branded Mail," which shipped with iOS 18.2 through Apple Business Connect,
lets verified businesses show an uploaded bitmap logo (PNG/JPEG) with DMARC at
enforcement — no VMC, no CMC, and no SVG. It is a separate Apple program, not
BIMI, so don't conflate the two when you scope the project.

</Callout>

## BIMI setup requirements: what you need before you start

Before a BIMI record can render, you need three things: DMARC at enforcement
(`p=quarantine` or `p=reject`), a square SVG Tiny PS logo hosted
over HTTPS, and — for Gmail or Apple Mail — a VMC or CMC certificate. Skip any
one of these and the logo silently fails to appear.

The first requirement is non-negotiable and built into the standard. The BIMI
specification (`draft-brand-indicators-for-message-identification-12`) states in
its DMARC prerequisite that the From domain MUST publish a DMARC policy of
`p=quarantine` or `p=reject`, with at least one of SPF or DKIM passing in
alignment. A domain still at `p=none` is the second-most-common reason a record
never renders, which is why the requirement — not just "add a record" — leads
this guide. A policy at enforcement applies to all of your mail, so there is no
partial rollout to configure. If you are not yet at enforcement, get there
first: DMARC is now governed by DMARCbis
(RFC 9989), and the staged `p=none → quarantine → reject` rollout to
[DMARC at enforcement](/learn/dmarc/) is the prerequisite here, not an
afterthought.

The other two requirements — a compliant SVG and a certificate — are covered in
the steps and the certificate section below.

<KeyStat
  stat="0.4% / 28.2%"
  label="of 5.5M domains publish a BIMI record — and 28.2% of those published records are broken (the logo returns a 404 or fails SVG validation)."
  source="DMARCguard State of Email Authentication 2026 — 5,499,028 Tranco domains scanned 2026-02-27"
  sourceHref="/research/email-authentication/"
/>

That broken rate is the whole reason this guide leans on failure modes as much
as setup steps. Publishing a record is the start; publishing one that renders is
the actual job.

## How to set up a BIMI record, step by step

To set up a BIMI record: (1) get DMARC to enforcement (`p=quarantine` or
`p=reject`); (2) prepare a square SVG Tiny PS logo on HTTPS; (3) decide whether you
need a VMC or CMC; (4) publish a `default._bimi` TXT record with
`v=BIMI1; l=…; a=…`; (5) add a BIMI-Selector header if you use a non-default
selector; (6) verify it. The detail for each step follows.

### Step 1 — Get DMARC to enforcement

Publish a DMARC policy of `p=quarantine` or `p=reject`. Under DMARCbis an
enforcement policy applies to all of your mail by default, so there is nothing
else to set. A record published while the domain is at
`p=none` will not render anywhere — receivers only evaluate BIMI after DMARC
passes at enforcement. If you are still ramping, finish the move to enforcement
before you touch BIMI.

### Step 2 — Prepare a compliant SVG Tiny PS logo (the #1 failure point)

This is the single biggest real-world trap. The logo must conform to the SVG
Tiny PS (Portable/Secure) 1.2 profile, a restricted subset of SVG that exists to
keep scripts and external content out of inboxes. The BIMI specification's logo
requirements are strict: square aspect ratio, served over HTTPS, no larger than
32 KB, and no animation, scripting, external references, or embedded raster
images. A base64-encoded PNG wrapped in an SVG is the most common mistake, and
Illustrator or Figma exports almost always carry forbidden elements and stray
`x=`/`y=` attributes.

<StepList title="Convert a logo to compliant SVG Tiny PS">

1. Start from a vector source and export it as plain SVG with a **square**
   `viewBox` (a 1:1 ratio) and no `x=`/`y=` attributes on the root element.

2. Add `baseProfile="tiny-ps"` to the `<svg>` root — its absence is a hard
   validation failure.

3. Strip every forbidden element: embedded raster/PNG images, `<text>` and font
   references, `<script>`, animation tags, gradients, and external CSS.

4. Minify the file and confirm it is under **32 KB** (32,768 bytes); larger files
   are rejected with an `SVG_FETCH_ERROR`.

5. Host it over HTTPS and confirm the server returns `Content-Type:
image/svg+xml` — a `text/plain` MIME type or an HTTP→HTTPS 301 redirect causes
   a silent rejection.

</StepList>

The BIMI Group's
[Solving SVG Issues](https://bimigroup.org/solving-svg-issues/) guide is the
authoritative reference if a validator rejects your file with "Invalid profile"
or "CSS styles not allowed."

### Step 3 — Decide on a certificate (VMC, CMC, or none)

Your certificate need depends entirely on the provider matrix above: none for
Yahoo and Fastmail, a CMC or VMC for Gmail, and a VMC for Apple Mail. This is the
decision most people get wrong, so it gets its own section below. Pick the path
that matches where your audience reads mail, then come back to publish the
record.

### Step 4 — Create the BIMI DNS TXT record

Add a TXT record with the host set to `default._bimi` — the prefix only, never
the fully-qualified name, because DNS hosts auto-append the zone. The value
depends on whether you bought a certificate.

For a self-asserted record (Yahoo and Fastmail):

<CodeBlock
  lang="dns"
  filename="default._bimi.yourdomain.com (self-asserted)"
  code={bimiSelfAsserted}
/>

For a record with a certificate (Gmail and Apple Mail):

<CodeBlock
  lang="dns"
  filename="default._bimi.yourdomain.com (with certificate)"
  code={bimiWithCert}
/>

The most-missed detail is the logo tag: it is a lowercase **`l=`**, not a capital
**`I`** or the digit **`1`** — Google warns that the three look near-identical in
a record. Missing `v=BIMI1`, missing semicolons, and publishing on the wrong
domain are the other syntax killers. If you would rather not hand-assemble the
string,
[the DMARCguard BIMI record generator](/tools/bimi-generator/) builds a valid
record from your inputs and explains each tag as you go.
([Google Workspace — Add a BIMI TXT record](https://support.google.com/a/answer/10911321)
documents the same Host/Type/Value fields.)

### Step 5 — Publish, and add a BIMI-Selector header if needed

Save the record at your DNS host. The default selector (`default._bimi`) needs no
header. If you use a non-default selector, outbound mail must carry a
`BIMI-Selector: v=BIMI1; s=<selector>` header, and the lookup is performed
against the visible From domain. One subtlety teams miss: subdomains do **not**
inherit the parent domain's record, so publish one per sending domain.

### Step 6 — Verify your BIMI record

Look the record up after DNS propagation to confirm it parses and the logo
fetches over HTTPS without redirects. Then be patient: inbox display can lag by
up to about 48 hours even once the record is valid, because providers cache
results. A BIMI record checker reads the live record, validates the SVG against
the Tiny PS profile, and flags syntax problems before you wait on a logo that was
never going to show.

## Do you need a VMC? VMC vs CMC vs no certificate

Whether you need a certificate depends on where your audience reads mail. Yahoo
and Fastmail need none; Gmail accepts a VMC or a CMC; Apple Mail requires a VMC.
A VMC needs a registered trademark; a CMC accepts a logo you have used publicly
for at least 12 months.

<VerdictTable
  caption="VMC vs CMC vs no certificate — what each path unlocks and costs"
  columns={["Option", "What it unlocks", "What it costs", "Who it's for"]}
  recommendedColumn={1}
  rows={[
    [
      "No certificate (self-asserted)",
      "Yahoo/AOL + Fastmail logos",
      "Free (DNS only)",
      "Start here to capture Yahoo and Fastmail at no cost while you decide.",
    ],
    [
      "CMC (Common Mark Certificate)",
      "Gmail logo (no blue checkmark) + Yahoo/Fastmail",
      "Paid; no trademark — needs ≥12 months provable public logo use",
      "You lack a registered trademark but want the Gmail logo.",
    ],
    [
      "VMC (Verified Mark Certificate)",
      "Gmail logo + blue checkmark + Apple Mail",
      "Paid; requires a registered trademark; DigiCert lists $1,416.00/yr",
      "You hold a registered trademark and want full Gmail and Apple display.",
    ],
  ]}
  verdict="Publish a self-asserted record first to capture Yahoo and Fastmail for free. Add a CMC for the Gmail logo if you have no trademark, or a VMC if you hold one and want Apple Mail plus Gmail's blue checkmark."
/>

A few hard numbers, all verified live on 2026-06-26. DigiCert's VMC lists at
**$1,416.00/yr**, sold as a 12-month auto-renewing subscription with a 397-day
maximum validity (the page notes prices are subject to change). There are only
**three** currently listed Mark Verifying Authorities — DigiCert, GlobalSign, and
SSL.com. Entrust exited VMC issuance on 2025-05-12, so do not start a new VMC
there; Apple also distrusts Entrust-rooted VMCs issued after 2024-11-15. The CMC
path's "Prior Use Mark" eligibility means provable public use of the logo for at
least 12 months — Wayback Machine evidence, for instance — with no trademark
required. DigiCert does not publish a standalone CMC list price, so treat any CMC
figure as a reseller quote rather than a fixed list price.

So, is BIMI free? The record and a self-asserted setup are free; the certificate
that Gmail and Apple Mail require is the cost. The BIMI Group's
[Understanding BIMI Certificate Types](https://bimigroup.org/understanding-bimi-certificate-types/)
is the primary reference for the VMC/CMC distinction.

## Why 28% of BIMI records break (and how to fix yours)

The two dominant reasons a BIMI record breaks are a non-compliant SVG logo and a
DMARC policy that isn't at enforcement. Most failures are silent — the mail sends
fine, the logo just never appears — so you need to know the symptom-to-cause
mapping to diagnose one.

<DataTable caption="BIMI symptom → cause → fix (error-type frequencies: URIports top-1M scan, 2024)">

| Symptom                                | Likely cause                                                                   | Fix                                                                                                   |
| -------------------------------------- | ------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- |
| Logo never renders; `bimi=pass` absent | Non-compliant SVG, not Tiny PS 1.2 — 28.4% of BIMI-enabled domains             | Re-export as SVG Tiny PS: square viewBox, `baseProfile="tiny-ps"`, no raster/text/scripts/gradients.  |
| Gmail silently ignores the record      | DMARC not at enforcement (`p=none`) — 15.0% of domains                         | Move DMARC to `p=quarantine` or `p=reject`.                                                           |
| "Could not fetch SVG" / unretrievable  | Logo URL unreachable — 10.9% of domains: HTTP→HTTPS 301, wrong MIME, TLS error | Serve over HTTPS, `Content-Type: image/svg+xml`, no redirect, valid chain.                            |
| `SVG_FETCH_ERROR: size exceeds…`       | SVG over 32 KB — 4.8% of domains                                               | Optimize and minify the SVG under 32,768 bytes.                                                       |
| Shows in Yahoo but not Gmail/Apple     | VMC/CMC missing, expired, mismatched, or incomplete PEM chain                  | Verify cert status with the CA; append entity + intermediate + root in order; re-match after renewal. |
| Record-not-found / invalid             | Syntax: `I=` instead of `l=`, missing `v=BIMI1`, wrong domain                  | Re-check the record string and the `default._bimi` host; fix the `l`/`I`/`1` mix-up.                  |
| Root works, subdomain doesn't          | Selector/subdomain mismatch — subdomains don't inherit                         | Publish per sending domain; add a `BIMI-Selector` header for non-default selectors.                   |

</DataTable>

Those per-error-type percentages come from URIports' validator run across the top
1 million domains in 2024. As independent third-party corroboration of how
widespread breakage is, URIports also found that **53.6% of BIMI-serving domains
had at least one error in January 2025** (up from 41.8% a year earlier) — a
separate measurement on a different sample than our first-party 28.2%, so the two
are reported side by side and never averaged.

<Callout type="info" title="A valid record can still skip the logo">

Even a flawless record may not render. Mailbox providers make the final display
decision based on sender reputation, sending volume, and complaint rates, and
they cache results for days. Before you treat a missing logo as a config bug,
rule out a reputation or caching delay — especially in the first 48 hours after
publishing.

</Callout>

## Frequently asked questions

### Is BIMI free?

Publishing the DNS record is free, and a self-asserted record — a logo with no
certificate — displays in Yahoo Mail, AOL, and Fastmail at no cost. The expense
comes from the certificate Gmail and Apple Mail require: a Verified Mark
Certificate lists at $1,416.00 per year from DigiCert.

### Does Gmail use BIMI?

Yes. Gmail shows BIMI logos in the web client and the mobile apps, but it
requires a mark certificate — either a VMC or a CMC. A logo-only self-asserted
record is not enough for Gmail. The blue verified checkmark appears only for VMC
holders; a CMC shows the logo without the checkmark.

### Does Apple Mail use BIMI?

Yes, on iOS 16+, iPadOS 16+, macOS Ventura 13+, and iCloud.com — but Apple Mail
requires a VMC and does not accept a CMC. A verified logo is labelled digitally
certified rather than getting a checkmark. Apple's separate Branded Mail program
is not BIMI and needs no certificate.

### Does Outlook support BIMI?

No. Microsoft — Outlook.com, Hotmail, Exchange Online, and Microsoft 365 — does
not display BIMI logos for inbound mail, even with a valid record, enforced
DMARC, and a VMC. Microsoft supports BIMI only as a sender and has announced no
date for receiver-side display.

### Why is my BIMI record not showing or not found?

The usual causes are a non-compliant SVG that is not Tiny PS 1.2, DMARC that is
not at enforcement, an unreachable logo URL from an HTTP redirect or wrong MIME
type, or a syntax slip such as `I=` instead of `l=`. Providers also cache logos
and may delay display by up to about 48 hours.

### Do I need a VMC for BIMI?

Only for Gmail's blue checkmark and for Apple Mail display. Yahoo and Fastmail
need no certificate, and Gmail also accepts a CMC, which needs no trademark —
only 12 months of provable prior logo use. A VMC requires a registered trademark
and lists at about $1,416 per year.

## The short version

- BIMI rides on an enforced DMARC policy — `p=quarantine` or `p=reject` — so get
  there before anything else.
- The SVG Tiny PS logo is the #1 break point: square, under 32 KB, no raster,
  text, scripts, or animation, served over HTTPS.
- Certificate need depends on the provider — none for Yahoo and Fastmail, a CMC
  or VMC for Gmail, a VMC for Apple Mail.
- Publish at `default._bimi`, mind the `l`/`I`/`1` trap, and remember subdomains
  don't inherit the parent record.
- Verify the record, then expect provider discretion and caching to delay display
  by up to about 48 hours.

Done well, setting up BIMI is a sequence, not a single switch — and the records
are unforgiving of typos. That's also why so many sit broken.

{/* TODO 2026-07-09: link /blog/dkim-setup-guide/ here as the DKIM companion in the auth-fundamentals pair — it publishes AFTER this post (2026-07-06), so do NOT live-link until then. */}

<CTA
  title="Check your BIMI record — free, no signup required."
  description="The DMARCguard BIMI checker reads your live record, validates the SVG against the Tiny PS profile, and tells you exactly what to fix."
  href="/tools/bimi-checker/"
  label="Open the BIMI checker"
/>