Skip to main content
(Updated July 6, 2026 ) by Meysam Azad
16 min read

How to Set Up a BIMI Record: DNS, Logo, and Certificate

BIMI is the protocol that puts your brand’s logo next to your name in the inbox. Almost nobody runs it, and of the few that do, more than a quarter have it broken. A BIMI (Brand Indicators for Message Identification) record is a DNS TXT record, published at default._bimi.yourdomain.com, that tells supporting mailbox providers where to find your logo — and, optionally, the certificate that proves you own it. This guide on how to set up BIMI is written for the IT admin or founder-operator who already runs DMARC and wants the logo payoff.

The catch is that a BIMI record is unforgiving of small mistakes, and most failures are silent: the mail sends fine, the logo just never appears. By the end you will have the exact DNS record, how to prepare a logo that actually renders, whether you need a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC), and how to fix a record that won’t show. BIMI rides on top of DMARC (RFC 9989), so an enforced DMARC policy is a hard prerequisite — more on that below.

What a BIMI record actually is (the 60-second version)

A BIMI record is a single DNS TXT record at the host default._bimi whose value names your logo’s URL (l=) and, optionally, a mark certificate (a=). It does not authenticate mail itself — it rides on top of an enforced DMARC policy, and receivers only look at it once DMARC passes.

Three core tags do all the work:

  • v=BIMI1 — the version, and it must be the first tag.
  • l= — the HTTPS URL of your SVG logo.
  • a= — the HTTPS URL of your VMC or CMC .pem file. Leave it empty for a self-asserted record (a logo with no certificate).

That is the whole anatomy. BIMI is an indicator layer, not an authentication layer, which is why the heavy lifting happens in DMARC. For the protocol-level explainer — how the pieces fit and why the standard works this way — see what a BIMI record is. The rest of this guide stays on the procedural lane: getting a record published that renders, and keeping it from breaking.

Which email clients show BIMI logos in 2026?

As of 2026, four major providers render BIMI logos — Gmail, Apple Mail, Yahoo Mail (and AOL), and Fastmail. Microsoft (Outlook.com and Microsoft 365) does not display BIMI logos for inbound mail and has announced no date to. Where your logo will actually show determines whether the rest of the project — especially a four-figure certificate — is worth it, so settle this first.

ProviderShows BIMI logo?Certificate requiredNotes
Gmail (web + apps)YesVMC or CMCBlue verified checkmark = VMC only; a CMC shows the logo without the checkmark. A logo-only record is not enough.
Apple Mail (iOS 16+ / macOS 13+)YesVMC only (no CMC)No checkmark; a verified logo is labelled “digitally certified.” Verified server-side by the provider.
Yahoo Mail / AOLYesNoneRenders self-asserted records (valid SVG + DMARC at enforcement + reputation). Bulk mail only, not personal.
FastmailYesNoneRenders authenticated domains with a valid SVG; VMC optional. Caches the logo at its MX servers.
Microsoft 365 / Outlook.comNon/aSupports BIMI only as a sender (via Dynamics 365), not as a receiver. No rollout date announced.
BIMI display and certificate requirements by provider (verified 2026-06-26)

These rules are sourced, not asserted: Gmail’s VMC-or-CMC behaviour is in Google Workspace Admin Help (updated 2026-06-18); Apple’s VMC-only rule and the “digitally certified” label are in Apple Support article 108340; Yahoo’s no-certificate, bulk-only display is documented on the Yahoo Sender Hub; and Microsoft’s sender-only stance was confirmed on Microsoft Q&A (2025-09-29, reaffirmed 2026-05-21).

BIMI setup requirements: what you need before you start

Before a BIMI record can render, you need three things: DMARC at enforcement (p=quarantine or p=reject), a square SVG Tiny PS logo hosted over HTTPS, and — for Gmail or Apple Mail — a VMC or CMC certificate. Skip any one of these and the logo silently fails to appear.

The first requirement is non-negotiable and built into the standard. The BIMI specification (draft-brand-indicators-for-message-identification-12) states in its DMARC prerequisite that the From domain MUST publish a DMARC policy of p=quarantine or p=reject, with at least one of SPF or DKIM passing in alignment. A domain still at p=none is the second-most-common reason a record never renders, which is why the requirement — not just “add a record” — leads this guide. A policy at enforcement applies to all of your mail, so there is no partial rollout to configure. If you are not yet at enforcement, get there first: DMARC is now governed by DMARCbis (RFC 9989), and the staged p=none → quarantine → reject rollout to DMARC at enforcement is the prerequisite here, not an afterthought.

The other two requirements — a compliant SVG and a certificate — are covered in the steps and the certificate section below.

Key finding

0.4% / 28.2% of 5.5M domains publish a BIMI record — and 28.2% of those published records are broken (the logo returns a 404 or fails SVG validation).

Source: DMARCguard State of Email Authentication 2026 — 5,499,028 Tranco domains scanned 2026-02-27

That broken rate is the whole reason this guide leans on failure modes as much as setup steps. Publishing a record is the start; publishing one that renders is the actual job.

How to set up a BIMI record, step by step

To set up a BIMI record: (1) get DMARC to enforcement (p=quarantine or p=reject); (2) prepare a square SVG Tiny PS logo on HTTPS; (3) decide whether you need a VMC or CMC; (4) publish a default._bimi TXT record with v=BIMI1; l=…; a=…; (5) add a BIMI-Selector header if you use a non-default selector; (6) verify it. The detail for each step follows.

Step 1 — Get DMARC to enforcement

Publish a DMARC policy of p=quarantine or p=reject. Under DMARCbis an enforcement policy applies to all of your mail by default, so there is nothing else to set. A record published while the domain is at p=none will not render anywhere — receivers only evaluate BIMI after DMARC passes at enforcement. If you are still ramping, finish the move to enforcement before you touch BIMI.

Step 2 — Prepare a compliant SVG Tiny PS logo (the #1 failure point)

This is the single biggest real-world trap. The logo must conform to the SVG Tiny PS (Portable/Secure) 1.2 profile, a restricted subset of SVG that exists to keep scripts and external content out of inboxes. The BIMI specification’s logo requirements are strict: square aspect ratio, served over HTTPS, no larger than 32 KB, and no animation, scripting, external references, or embedded raster images. A base64-encoded PNG wrapped in an SVG is the most common mistake, and Illustrator or Figma exports almost always carry forbidden elements and stray x=/y= attributes.

Convert a logo to compliant SVG Tiny PS

  1. Start from a vector source and export it as plain SVG with a square viewBox (a 1:1 ratio) and no x=/y= attributes on the root element.

  2. Add baseProfile="tiny-ps" to the <svg> root — its absence is a hard validation failure.

  3. Strip every forbidden element: embedded raster/PNG images, <text> and font references, <script>, animation tags, gradients, and external CSS.

  4. Minify the file and confirm it is under 32 KB (32,768 bytes); larger files are rejected with an SVG_FETCH_ERROR.

  5. Host it over HTTPS and confirm the server returns Content-Type: image/svg+xml — a text/plain MIME type or an HTTP→HTTPS 301 redirect causes a silent rejection.

The BIMI Group’s Solving SVG Issues guide is the authoritative reference if a validator rejects your file with “Invalid profile” or “CSS styles not allowed.”

Step 3 — Decide on a certificate (VMC, CMC, or none)

Your certificate need depends entirely on the provider matrix above: none for Yahoo and Fastmail, a CMC or VMC for Gmail, and a VMC for Apple Mail. This is the decision most people get wrong, so it gets its own section below. Pick the path that matches where your audience reads mail, then come back to publish the record.

Step 4 — Create the BIMI DNS TXT record

Add a TXT record with the host set to default._bimi — the prefix only, never the fully-qualified name, because DNS hosts auto-append the zone. The value depends on whether you bought a certificate.

For a self-asserted record (Yahoo and Fastmail):

default._bimi.yourdomain.com (self-asserted) dns
v=BIMI1; l=https://yourdomain.com/bimi/logo.svg;

For a record with a certificate (Gmail and Apple Mail):

default._bimi.yourdomain.com (with certificate) dns
v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem;

The most-missed detail is the logo tag: it is a lowercase l=, not a capital I or the digit 1 — Google warns that the three look near-identical in a record. Missing v=BIMI1, missing semicolons, and publishing on the wrong domain are the other syntax killers. If you would rather not hand-assemble the string, the DMARCguard BIMI record generator builds a valid record from your inputs and explains each tag as you go. (Google Workspace — Add a BIMI TXT record documents the same Host/Type/Value fields.)

Step 5 — Publish, and add a BIMI-Selector header if needed

Save the record at your DNS host. The default selector (default._bimi) needs no header. If you use a non-default selector, outbound mail must carry a BIMI-Selector: v=BIMI1; s=<selector> header, and the lookup is performed against the visible From domain. One subtlety teams miss: subdomains do not inherit the parent domain’s record, so publish one per sending domain.

Step 6 — Verify your BIMI record

Look the record up after DNS propagation to confirm it parses and the logo fetches over HTTPS without redirects. Then be patient: inbox display can lag by up to about 48 hours even once the record is valid, because providers cache results. A BIMI record checker reads the live record, validates the SVG against the Tiny PS profile, and flags syntax problems before you wait on a logo that was never going to show.

Do you need a VMC? VMC vs CMC vs no certificate

Whether you need a certificate depends on where your audience reads mail. Yahoo and Fastmail need none; Gmail accepts a VMC or a CMC; Apple Mail requires a VMC. A VMC needs a registered trademark; a CMC accepts a logo you have used publicly for at least 12 months.

Verdict
VMC vs CMC vs no certificate — what each path unlocks and costs
Option What it unlocks What it costs Who it's for
No certificate (self-asserted) Yahoo/AOL + Fastmail logos Free (DNS only) Start here to capture Yahoo and Fastmail at no cost while you decide.
CMC (Common Mark Certificate) Gmail logo (no blue checkmark) + Yahoo/Fastmail Paid; no trademark — needs ≥12 months provable public logo use You lack a registered trademark but want the Gmail logo.
VMC (Verified Mark Certificate) Gmail logo + blue checkmark + Apple Mail Paid; requires a registered trademark; DigiCert lists $1,416.00/yr You hold a registered trademark and want full Gmail and Apple display.
Verdict Publish a self-asserted record first to capture Yahoo and Fastmail for free. Add a CMC for the Gmail logo if you have no trademark, or a VMC if you hold one and want Apple Mail plus Gmail's blue checkmark.

A few hard numbers, all verified live on 2026-06-26. DigiCert’s VMC lists at $1,416.00/yr, sold as a 12-month auto-renewing subscription with a 397-day maximum validity (the page notes prices are subject to change). There are only three currently listed Mark Verifying Authorities — DigiCert, GlobalSign, and SSL.com. Entrust exited VMC issuance on 2025-05-12, so do not start a new VMC there; Apple also distrusts Entrust-rooted VMCs issued after 2024-11-15. The CMC path’s “Prior Use Mark” eligibility means provable public use of the logo for at least 12 months — Wayback Machine evidence, for instance — with no trademark required. DigiCert does not publish a standalone CMC list price, so treat any CMC figure as a reseller quote rather than a fixed list price.

So, is BIMI free? The record and a self-asserted setup are free; the certificate that Gmail and Apple Mail require is the cost. The BIMI Group’s Understanding BIMI Certificate Types is the primary reference for the VMC/CMC distinction.

Why 28% of BIMI records break (and how to fix yours)

The two dominant reasons a BIMI record breaks are a non-compliant SVG logo and a DMARC policy that isn’t at enforcement. Most failures are silent — the mail sends fine, the logo just never appears — so you need to know the symptom-to-cause mapping to diagnose one.

SymptomLikely causeFix
Logo never renders; bimi=pass absentNon-compliant SVG, not Tiny PS 1.2 — 28.4% of BIMI-enabled domainsRe-export as SVG Tiny PS: square viewBox, baseProfile="tiny-ps", no raster/text/scripts/gradients.
Gmail silently ignores the recordDMARC not at enforcement (p=none) — 15.0% of domainsMove DMARC to p=quarantine or p=reject.
”Could not fetch SVG” / unretrievableLogo URL unreachable — 10.9% of domains: HTTP→HTTPS 301, wrong MIME, TLS errorServe over HTTPS, Content-Type: image/svg+xml, no redirect, valid chain.
SVG_FETCH_ERROR: size exceeds…SVG over 32 KB — 4.8% of domainsOptimize and minify the SVG under 32,768 bytes.
Shows in Yahoo but not Gmail/AppleVMC/CMC missing, expired, mismatched, or incomplete PEM chainVerify cert status with the CA; append entity + intermediate + root in order; re-match after renewal.
Record-not-found / invalidSyntax: I= instead of l=, missing v=BIMI1, wrong domainRe-check the record string and the default._bimi host; fix the l/I/1 mix-up.
Root works, subdomain doesn’tSelector/subdomain mismatch — subdomains don’t inheritPublish per sending domain; add a BIMI-Selector header for non-default selectors.
BIMI symptom → cause → fix (error-type frequencies: URIports top-1M scan, 2024)

Those per-error-type percentages come from URIports’ validator run across the top 1 million domains in 2024. As independent third-party corroboration of how widespread breakage is, URIports also found that 53.6% of BIMI-serving domains had at least one error in January 2025 (up from 41.8% a year earlier) — a separate measurement on a different sample than our first-party 28.2%, so the two are reported side by side and never averaged.

Frequently asked questions

Is BIMI free?

Publishing the DNS record is free, and a self-asserted record — a logo with no certificate — displays in Yahoo Mail, AOL, and Fastmail at no cost. The expense comes from the certificate Gmail and Apple Mail require: a Verified Mark Certificate lists at $1,416.00 per year from DigiCert.

Does Gmail use BIMI?

Yes. Gmail shows BIMI logos in the web client and the mobile apps, but it requires a mark certificate — either a VMC or a CMC. A logo-only self-asserted record is not enough for Gmail. The blue verified checkmark appears only for VMC holders; a CMC shows the logo without the checkmark.

Does Apple Mail use BIMI?

Yes, on iOS 16+, iPadOS 16+, macOS Ventura 13+, and iCloud.com — but Apple Mail requires a VMC and does not accept a CMC. A verified logo is labelled digitally certified rather than getting a checkmark. Apple’s separate Branded Mail program is not BIMI and needs no certificate.

Does Outlook support BIMI?

No. Microsoft — Outlook.com, Hotmail, Exchange Online, and Microsoft 365 — does not display BIMI logos for inbound mail, even with a valid record, enforced DMARC, and a VMC. Microsoft supports BIMI only as a sender and has announced no date for receiver-side display.

Why is my BIMI record not showing or not found?

The usual causes are a non-compliant SVG that is not Tiny PS 1.2, DMARC that is not at enforcement, an unreachable logo URL from an HTTP redirect or wrong MIME type, or a syntax slip such as I= instead of l=. Providers also cache logos and may delay display by up to about 48 hours.

Do I need a VMC for BIMI?

Only for Gmail’s blue checkmark and for Apple Mail display. Yahoo and Fastmail need no certificate, and Gmail also accepts a CMC, which needs no trademark — only 12 months of provable prior logo use. A VMC requires a registered trademark and lists at about $1,416 per year.

The short version

  • BIMI rides on an enforced DMARC policy — p=quarantine or p=reject — so get there before anything else.
  • The SVG Tiny PS logo is the #1 break point: square, under 32 KB, no raster, text, scripts, or animation, served over HTTPS.
  • Certificate need depends on the provider — none for Yahoo and Fastmail, a CMC or VMC for Gmail, a VMC for Apple Mail.
  • Publish at default._bimi, mind the l/I/1 trap, and remember subdomains don’t inherit the parent record.
  • Verify the record, then expect provider discretion and caching to delay display by up to about 48 hours.

Done well, setting up BIMI is a sequence, not a single switch — and the records are unforgiving of typos. That’s also why so many sit broken.