BIMI Record Setup & Validation [2026]

What Is BIMI (Brand Indicators for Message Identification)?

BIMI (Brand Indicators for Message Identification) is an email protocol that lets you display your brand’s logo next to your emails in the recipient’s inbox. Instead of seeing a generic avatar, initials, or blank space, recipients see your verified brand logo.

BIMI email builds trust and brand recognition. When a recipient sees your logo consistently appear in their inbox, they can quickly identify legitimate emails from your organization and differentiate them from phishing attempts.

BIMI works by publishing a DNS record that points email providers to your logo. When a supporting email client receives mail from your domain, it checks your BIMI record, retrieves the logo, and displays it alongside the email.

The protocol is standardized and maintained by the AuthIndicators Working Group, an industry coalition of email providers, certificate authorities, and email security vendors.

What Is a BIMI Record?

A BIMI record is a DNS TXT record published at default._bimi.yourdomain.com that tells email providers where to find your brand logo and optional Verified Mark Certificate.

The record contains three key tags:

• v=BIMI1 — the version tag (currently BIMI1)
• l= — the URL where your logo is hosted (must be HTTPS)
• a= — the URL to your Verified Mark Certificate (optional but required by Gmail)

Unlike SPF or DKIM records, the BIMI record does not perform authentication. It is purely informational. Email providers only display your logo if your domain passes DMARC authentication first.

How BIMI Works in Email

BIMI follows a strict prerequisite chain. Here is how the process works step by step:

1. Your domain must pass DMARC authentication with p=quarantine or p=reject (not p=none)
2. The receiving email provider checks your BIMI DNS record at default._bimi.yourdomain.com
3. If found, the provider retrieves the logo file from the URL in the l= tag
4. The provider validates the logo format (must be SVG Tiny 1.2 Portable/Secure profile)
5. If a VMC is required, the provider validates the certificate from the a= tag
6. If all checks pass, the email client displays your logo in the inbox

If any step fails, the logo will not display. The email still delivers normally; BIMI only affects visual presentation.

BIMI does not work without DMARC enforcement. You cannot skip to p=quarantine or p=reject just for BIMI. Your domain must genuinely enforce DMARC policies to protect recipients from spoofing.

What Is a Verified Mark Certificate (VMC)?

A Verified Mark Certificate (VMC) is a digital certificate that proves you own the trademark for your logo. It is issued by certificate authorities — currently DigiCert and Entrust are the only two CAs offering VMCs.

VMCs cost between $1,000 and $1,500 per year. They require:

• A registered trademark for your logo (filed with a national trademark office)
• Proof of domain control
• DMARC enforcement at p=quarantine or p=reject
• A valid SVG logo that meets BIMI specifications

While the BIMI specification makes VMCs optional, major email providers like Gmail and Apple Mail require them. Without a VMC, these providers will not display your logo even if your BIMI record is perfectly configured.

Yahoo Mail and Fastmail support BIMI without requiring a VMC. If your primary recipients use these providers, you can display your logo without purchasing a certificate.

For most organizations, especially those with many Gmail or Apple Mail users, a VMC is effectively mandatory for BIMI to function.

BIMI DNS Record Format

A BIMI DNS record follows this format:

v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem

The record is published as a TXT record at default._bimi.yourdomain.com. The subdomain selector default is the standard, though the BIMI spec technically allows custom selectors.

Tag Breakdown

DNS Record Details

• Record type: TXT
• Hostname: default._bimi.yourdomain.com
• TTL: 3600 (1 hour) is standard, though you can use shorter TTLs during testing
• Value: The full BIMI record string

If you send email from subdomains (e.g., news.yourdomain.com), you need separate BIMI records for each subdomain. BIMI does not inherit from the organizational domain like DMARC does.

How to Set Up BIMI

Setting up BIMI requires completing prerequisites before publishing your DNS record.

Step 1: Enforce DMARC

You must have DMARC configured at p=quarantine or p=reject. BIMI will not work with p=none.

This means your domain must also have working SPF and DKIM records, since DMARC relies on both.

If you are currently at p=none, you need to monitor your DMARC reports, identify legitimate sending sources, and ensure they pass SPF or DKIM alignment before moving to enforcement.

Step 2: Prepare Your Logo

Your logo must be in SVG Tiny 1.2 Portable/Secure (PS) profile format. This is not standard SVG. Most logo files need to be converted and simplified.

Requirements:

• Format: SVG Tiny 1.2 PS (not SVG 1.1 or SVG 2.0)
• Aspect ratio: Square (1:1)
• Background: Solid color (transparency is not allowed)
• File size: Under 32 KB recommended
• No embedded images, JavaScript, or external references

The SVG Tiny PS profile is highly restrictive. It disallows filters, gradients, animations, and many advanced SVG features. Most logos require significant rework to meet the spec.

Step 3: Obtain a Verified Mark Certificate (if needed)

If your recipients primarily use Gmail or Apple Mail, you need a VMC.

The VMC application process:

1. Register your logo as a trademark (US, EU, or other recognized jurisdiction)
2. Contact DigiCert or Entrust to start the VMC application
3. Provide proof of trademark registration and domain ownership
4. Submit your SVG logo for validation
5. Wait for certificate issuance (typically 2-4 weeks)
6. Download the PEM-encoded certificate file

VMCs are valid for one year. You must renew annually and maintain your trademark registration.

Step 4: Host Your Logo and VMC

Upload your SVG logo and VMC certificate to a publicly accessible HTTPS URL. The server must:

• Support HTTPS (TLS 1.2 or higher)
• Respond with correct MIME types (image/svg+xml for logo, application/x-pem-file for VMC)
• Allow access from email provider IP ranges (do not block user agents)

Common hosting locations:

• https://yourdomain.com/bimi/logo.svg
• https://yourdomain.com/bimi/vmc.pem

Some organizations use CDNs for logo hosting. Ensure the CDN does not add caching headers that interfere with email provider retrieval.

Step 5: Publish Your BIMI DNS Record

Add a TXT record at default._bimi.yourdomain.com with your BIMI record:

v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem

Wait for DNS propagation (typically 15 minutes to 1 hour depending on your TTL).

Step 6: Test and Validate

Send test emails to Gmail, Apple Mail, Yahoo, and other supporting providers. Check if your logo appears.

Use a BIMI checker to verify your record for syntax errors, logo format issues, and VMC problems.

Note that it can take 24-48 hours for email providers to cache your logo after first publication. Be patient during initial testing.

How to Generate a BIMI Record

A BIMI record generator tool simplifies the process of creating a correctly formatted DNS record.

To generate your record:

1. Enter your domain name
2. Provide the HTTPS URL to your SVG logo
3. Optionally provide the HTTPS URL to your VMC (if you have one)
4. The tool outputs a formatted BIMI DNS record

Use the BIMI record generator to create a correctly formatted record for your domain.

Generators validate the format but cannot check if your logo meets SVG Tiny PS requirements or if your VMC is valid. You still need to test those separately.

BIMI Record Examples

Here are real-world BIMI record examples for different configurations.

Example 1: BIMI with VMC (Gmail-compatible)

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"

This record points to both a logo and a Verified Mark Certificate. It will work with Gmail, Apple Mail, Yahoo, and Fastmail.

Example 2: BIMI without VMC (Yahoo/Fastmail only)

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg"

This record omits the a= tag. It will work with Yahoo and Fastmail but not Gmail or Apple Mail.

Example 3: BIMI for subdomain

default._bimi.news.example.com. IN TXT "v=BIMI1; l=https://news.example.com/bimi/logo.svg; a=https://news.example.com/bimi/vmc.pem"

Subdomains need separate BIMI records. BIMI does not inherit from parent domains.

Example 4: Using a CDN for logo hosting

default._bimi.example.com. IN TXT "v=BIMI1; l=https://cdn.example.com/assets/bimi-logo.svg; a=https://cdn.example.com/assets/vmc.pem"

You can host your logo on a CDN as long as the URL is HTTPS and publicly accessible.

BIMI and DMARC

BIMI only works if your domain passes DMARC authentication at enforcement policy. This is the most common reason BIMI fails.

DMARC Prerequisites

Your DMARC record must specify:

v=DMARC1; p=quarantine; rua=mailto:[email protected]

or

v=DMARC1; p=reject; rua=mailto:[email protected]

The policy (p=) must be quarantine or reject. BIMI will not work with p=none, even if your BIMI record is perfect.

Why This Requirement Exists

BIMI is designed to reward domains that enforce strong email authentication. Email providers do not want to display logos for domains that allow spoofing.

If your domain is at p=none, you need to:

1. Review your DMARC aggregate reports to identify all legitimate email sources
2. Ensure those sources pass SPF or DKIM alignment
3. Move to p=quarantine for a monitoring period (30-90 days)
4. Finally move to p=reject once you are confident in your configuration

Only after reaching enforcement can you implement BIMI. There is no shortcut.

Which Email Clients Support BIMI?

BIMI adoption is growing but not universal. Here is the current support matrix.

Gmail BIMI Support

Gmail is the largest email provider supporting BIMI. It displays logos for both personal Gmail accounts and Google Workspace users.

Gmail requires a VMC and DMARC enforcement. Logo display typically takes 24-48 hours after initial BIMI record publication while Gmail caches your logo.

Apple Mail BIMI Support

Apple Mail added BIMI support in iOS 16 and macOS Ventura. Like Gmail, it requires a VMC and DMARC enforcement.

Logo display appears in the Mail app on iPhone, iPad, and Mac. It does not currently appear in iCloud Mail web interface.

Yahoo and AOL BIMI Support

Yahoo Mail (including Yahoo-hosted domains) and AOL Mail support BIMI without requiring a VMC. This makes them the easiest platforms for BIMI testing.

If you have not yet obtained a VMC, you can still display your logo to Yahoo and AOL users by publishing a BIMI record with just the l= tag.

Microsoft Outlook and Exchange Online

Microsoft ran a limited BIMI pilot but has not announced broad support. As of 2026, BIMI does not work in Outlook.com, Outlook desktop clients, or Microsoft 365 mailboxes.

BIMI Logo Requirements

BIMI logos have strict technical requirements. Most standard logos do not meet the spec and need conversion.

Format: SVG Tiny 1.2 Portable/Secure Profile

Your logo must be SVG Tiny 1.2 PS (Portable/Secure) profile. This is a restrictive subset of SVG designed for email security.

Allowed elements:

• Basic shapes: <rect>, <circle>, <ellipse>, <line>, <polyline>, <polygon>, <path>
• Text: <text>, <tspan>
• Grouping: <g>, <defs>, <use>
• Basic styling: fill, stroke, stroke-width, opacity

Disallowed elements:

• Embedded images (<image>)
• External references (linked CSS, fonts, images)
• Animations (<animate>, <animateTransform>)
• Filters, gradients (limited support)
• JavaScript or event handlers
• Foreign objects

Most logo files need significant simplification to meet this spec. Hire a designer familiar with SVG Tiny PS or use conversion tools that understand the profile restrictions.

Aspect Ratio: Square

Your logo must be square (1:1 aspect ratio). Non-square logos will be rejected or cropped by email providers.

The viewBox attribute should be something like viewBox="0 0 100 100" with equal width and height.

If your logo is naturally rectangular, you need to add padding or redesign it to fit a square canvas.

Background: Solid Color

BIMI logos cannot have transparent backgrounds. You must fill the background with a solid color.

Most brands choose white or their primary brand color. The background color should ensure good contrast with the logo foreground.

File Size

While there is no hard file size limit in the spec, email providers may reject large files. Keep your SVG under 32 KB.

SVG Tiny PS files are typically small since they exclude complex features. If your file exceeds 32 KB, simplify paths or reduce the number of elements.

Validation

Use SVG Tiny PS validators to check your logo before publishing. Common validators include:

• BIMI Group’s official validator
• DigiCert’s BIMI logo inspector
• Third-party BIMI validation tools

These tools catch common issues like embedded images, external references, non-square aspect ratios, and transparency.

How Much Does BIMI Cost?

BIMI itself is free. Publishing a BIMI DNS record costs nothing beyond your standard DNS hosting.

However, Verified Mark Certificates (VMCs) are not free.

VMC Costs

VMCs cost $1,000 to $1,500 per year depending on the certificate authority.

• DigiCert VMC: ~$1,500/year
• Entrust VMC: ~$1,200/year

These are the only two CAs currently issuing VMCs. Pricing may change as more CAs enter the market.

VMCs are valid for one year. You must renew annually to continue displaying your logo in Gmail and Apple Mail.

Trademark Costs

To obtain a VMC, you need a registered trademark for your logo.

Trademark filing fees vary by jurisdiction:

• US trademark (USPTO): $250-$350 per class
• EU trademark (EUIPO): €850 per trademark
• UK trademark (UKIPO): £170 per class

Trademark registration typically takes 6-12 months. Budget for legal fees if you use a trademark attorney to file.

Logo Design and Conversion

If your existing logo does not meet SVG Tiny PS requirements, you may need to hire a designer to create a BIMI-compliant version.

Expect to pay $500-$2,000 for professional logo conversion depending on complexity.

Total First-Year Cost

For a typical organization deploying BIMI with a VMC:

• Trademark filing: $250-$850
• VMC certificate: $1,200-$1,500
• Logo design/conversion: $500-$2,000

Total: $2,000-$4,500 in the first year. Subsequent years cost $1,200-$1,500 for VMC renewal only.

Free BIMI (Without VMC)

If your recipients primarily use Yahoo or Fastmail, you can implement BIMI without a VMC at zero cost. This option works for organizations that do not need Gmail or Apple Mail logo display.

Troubleshooting: BIMI Record Not Found

If your BIMI logo is not displaying, the most common issue is a missing or incorrectly formatted DNS record.

Check DNS Propagation

Use a DNS lookup tool to query default._bimi.yourdomain.com TXT record. Verify the record exists and matches your intended format.

Common DNS issues:

• Record published at wrong subdomain (e.g., _bimi.yourdomain.com instead of default._bimi.yourdomain.com)
• Typo in record value (missing semicolon, incorrect tag name)
• DNS not propagated yet (wait 1 hour after publication)

Verify DMARC Enforcement

BIMI requires DMARC p=quarantine or p=reject. Check your DMARC record at _dmarc.yourdomain.com and confirm the policy is not p=none.

If your DMARC record shows p=none, BIMI will not work even if everything else is correct.

Validate Logo Format

Use a BIMI validator to check your SVG logo. Common logo issues:

• Not SVG Tiny 1.2 PS profile
• Non-square aspect ratio
• Transparent background (must be solid color)
• Embedded images or external references
• File size exceeds email provider limits

Check VMC Certificate

If you have a VMC, verify the PEM file is accessible at the URL in your a= tag. The certificate must:

• Be issued by DigiCert or Entrust
• Match the logo in the l= tag
• Not be expired
• Be served over HTTPS with correct MIME type

Wait for Cache

Email providers cache BIMI logos. After making changes, it can take 24-48 hours for updates to appear in recipient inboxes.

During testing, send emails to multiple accounts and check each provider separately. Gmail, Apple Mail, Yahoo, and Fastmail may have different cache timings.

Common Error: “BIMI record not found or configured without default selector”

This error means the email provider found a BIMI record at a non-default selector or could not find a record at the default selector.

Fix: Ensure your record is published at default._bimi.yourdomain.com, not at _bimi.yourdomain.com or a custom selector.

Frequently Asked Questions

What is a BIMI record?

A BIMI record is a DNS TXT record at default._bimi.yourdomain.com that tells email providers where to find your brand logo. It contains version (v=BIMI1), logo URL (l=), and optionally a Verified Mark Certificate URL (a=).

How do I generate a BIMI record?

Generate a BIMI record by creating a DNS TXT record with the format v=BIMI1; l=https://yourdomain.com/logo.svg. Your logo must be SVG Tiny 1.2 Portable/Secure profile. Use a BIMI record generator tool to validate the format before publishing.

What does a BIMI record look like?

A BIMI record looks like: v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem. The v= tag specifies version, l= points to your logo, and a= points to your Verified Mark Certificate (optional but required for Gmail).

Does Gmail use BIMI?

Yes, Gmail supports BIMI but requires a Verified Mark Certificate (VMC) to display logos. You must also have DMARC enforcement at p=quarantine or p=reject. Without a VMC, Gmail will not show your logo even if your BIMI record is correct.

Is BIMI free?

BIMI itself is free to implement. You can publish a BIMI record at no cost. However, Verified Mark Certificates (VMCs) cost $1,000-$1,500 per year and are required by Gmail and Apple Mail to display logos.

Does Apple Mail use BIMI?

Yes, Apple Mail supports BIMI and requires a Verified Mark Certificate (VMC) to display logos. Like Gmail, you must have DMARC enforcement (p=quarantine or p=reject) as a prerequisite.

What is a Verified Mark Certificate (VMC)?

A VMC is a digital certificate that proves you own the trademark for your logo. It is issued by certificate authorities like DigiCert and Entrust. Gmail and Apple Mail require VMCs to display BIMI logos; Yahoo and Fastmail do not.

Related Protocols

• DMARC — BIMI requires DMARC enforcement at p=quarantine or p=reject as a mandatory prerequisite
• SPF — Must pass for DMARC alignment, which BIMI depends on
• DKIM — Must pass for DMARC alignment, which BIMI depends on