
What is BIMI? Brand Indicators for Message Identification Explained

BIMI lets your verified brand logo appear next to authenticated emails in Gmail, Apple Mail, Yahoo, and Fastmail. It is one of the few visible wins that email authentication offers to end users, and it gives marketing teams a reason to care about DMARC enforcement. This guide explains how BIMI works, what a Verified Mark Certificate actually costs, and walks through setup from start to finish.

April 2026 · 9 min read

What BIMI actually does

Brand Indicators for Message Identification (BIMI) is a standard that lets mailbox providers display your verified company logo next to emails you send. When a recipient opens their inbox and sees a message from your domain, the avatar next to the sender name is your official logo instead of a placeholder initial or a generic icon. It is a small visual change, but it has an outsized effect on trust, open rates, and brand recall.

BIMI was published as a working draft by the AuthIndicators Working Group in 2019 and is now supported by Gmail, Apple Mail (iOS 16 and macOS Ventura onwards), Yahoo Mail, Fastmail, and La Poste. Outlook and Microsoft 365 do not yet display BIMI logos, though Microsoft has indicated that support is on the roadmap.

Critically, BIMI is not a new authentication protocol. It is a publishing and display layer that sits on top of DMARC. Without enforced DMARC, BIMI will not work at all.

The three prerequisites

Before you can publish a BIMI record, three things must be true about your domain:

  1. DMARC at enforcement. Your DMARC policy must be p=quarantine or p=reject, and the percentage tag must be 100 (or omitted, which defaults to 100). A policy of p=none or a reduced pct= value will cause Gmail to silently skip your logo.
  2. An SVG Tiny PS logo. BIMI requires a very specific SVG profile called SVG Portable/Secure (SVG Tiny 1.2 PS). This is a stripped-down subset of SVG with no scripts, no external references, and no animation. Most existing SVG logos will fail validation and need to be reworked.
  3. A Verified Mark Certificate (VMC). Gmail, Apple Mail, and Yahoo all require a VMC before they will display your logo. A VMC is a specialised certificate issued only after a certificate authority has verified that your organisation legally owns the trademark for the logo you are publishing.

If your domain is not yet at DMARC enforcement, that is the first thing to fix. Our guide on SPF and DMARC policies and the path to a strong Security Grade both walk through the enforcement journey in detail.

How much does a VMC cost?

This is the question that stops most BIMI projects in their tracks. A VMC is not a free certificate like a Let's Encrypt SSL cert. Only two certificate authorities currently issue VMCs: DigiCert and Entrust. Pricing varies but is typically in the range of £800 to £1,200 per year, with some resellers offering multi-year discounts.

The reason is that VMC issuance is not a domain validation check. The CA has to confirm that the logo in your SVG matches a trademark you legally own, which means your logo must be registered with a recognised trademark office such as the UK Intellectual Property Office, the USPTO, or the EUIPO. If your logo is not trademarked, you cannot get a VMC, and BIMI will not work with Gmail.

There is also a cheaper alternative called a Common Mark Certificate (CMC), which accepts logos that have been in continuous public use for at least twelve months even without a registered trademark. Support for CMCs is still rolling out and not all mailbox providers honour them yet.

Preparing your SVG Tiny PS logo

The logo file is where most teams get stuck. SVG Tiny PS is a conservative profile designed to be safe, small, and renderable without any scripting engine. The rules are strict:

  • The root element must declare baseProfile="tiny-ps" and version="1.2".
  • A <title> element is required and must contain the brand name.
  • The viewBox must be square, for example 0 0 100 100. Rectangular logos will be rejected or cropped into a circle on display.
  • No <script>, <foreignObject>, raster images, external fonts, or animation elements.
  • Total file size should be under 32 KB. Smaller is better.

A minimal compliant file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     version="1.2"
     baseProfile="tiny-ps"
     viewBox="0 0 100 100">
  <title>Your Brand Name</title>
  <rect width="100" height="100" fill="#0a2540"/>
  <path d="M20 50 L50 20 L80 50 L50 80 Z" fill="#ffffff"/>
</svg>

The BIMI group maintains a free validator at bimigroup.org/bimi-generator that will flag violations and help you get a clean file.
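
A local pre-check for the rules listed above can catch the obvious failures before you upload anything. This is an added example, not code from this guide or from the BIMI group: `lint_tiny_ps`, `FORBIDDEN` and the `EXPORTED` sample are hypothetical names, the list of animation elements is an assumption about what "animation elements" covers, and external fonts are not checked.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
# Disallowed per the guide: scripts, foreignObject, raster images, animation.
FORBIDDEN = {"script", "foreignObject", "image", "animate", "animateColor",
             "animateMotion", "animateTransform", "set"}
MAX_BYTES = 32 * 1024  # the guide's "under 32 KB" ceiling


def lint_tiny_ps(data: bytes) -> list[str]:
    """Return rule violations for a logo file; an empty list means it passed."""
    problems = []
    if len(data) >= MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root must declare baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('root must declare version="1.2"')
    title = root.find(SVG + "title")
    if title is None or not (title.text or "").strip():
        problems.append("missing or empty <title>")
    try:
        # viewBox is "min-x min-y width height"; only width and height matter here.
        _, _, w, h = (float(n) for n in root.get("viewBox", "").replace(",", " ").split())
        if w != h or w <= 0:
            problems.append("viewBox is not square")
    except ValueError:
        problems.append("viewBox missing or malformed")
    for el in root.iter():
        name = el.tag.split("}")[-1]  # strip the namespace prefix
        if name in FORBIDDEN:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            # Anything other than a same-document "#id" reference is external.
            if attr.split("}")[-1] == "href" and not value.startswith("#"):
                problems.append(f"external reference on <{name}>: {value}")
    return problems


# Constructed sample: a typical design-tool export (SVG 1.1, wide viewBox, raster image).
EXPORTED = b"""<svg xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 200 100">
  <image href="logo.png" width="200" height="100"/>
</svg>"""
if __name__ == "__main__":
    print("\n".join(lint_tiny_ps(EXPORTED)))
```

Passing this check does not replace the official validator; it only covers the rules spelled out in this section.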

Publishing the BIMI DNS record

Once you have a clean SVG and a VMC, the BIMI DNS record itself is straightforward. It is a TXT record at a predictable subdomain, pointing at the publicly hosted logo and certificate:

default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem"

The three tags are:

  • v=BIMI1 declares this as a BIMI version 1 record and must come first.
  • l= is the HTTPS URL where your SVG logo is hosted. It must be publicly reachable without redirects.
  • a= is the HTTPS URL of your VMC in PEM format. This is the tag that Gmail, Apple Mail, and Yahoo actually read before displaying your logo.

The default selector works for most organisations. You can publish multiple selectors and reference them from DKIM headers, but this adds complexity and is rarely useful outside of large brands with distinct sub-brands.
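
The DMARC prerequisite from earlier in this guide and the three BIMI tags above can both be checked from the TXT strings before you publish. This is an added example, not ShieldMarc's code: the function names are hypothetical, it takes record text as input and performs no DNS lookups, and it treats a missing `a=` as a failure because the major inboxes require a VMC.

```python
from urllib.parse import urlparse


def parse_tags(txt: str) -> list[tuple[str, str]]:
    """Split a 'k=v; k=v' TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def dmarc_blocks_bimi(dmarc_txt: str) -> list[str]:
    """Reasons a DMARC record fails the enforcement prerequisite (empty = OK)."""
    pairs = parse_tags(dmarc_txt)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record (v=DMARC1 must come first)"]
    tags = dict(pairs)
    reasons = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        reasons.append(f"p={tags.get('p', '')} is not quarantine or reject")
    if tags.get("pct", "100") != "100":  # an omitted pct defaults to 100
        reasons.append(f"pct={tags['pct']} is not 100")
    return reasons


def bimi_record_problems(bimi_txt: str) -> list[str]:
    """Problems with a BIMI TXT record's v=, l= and a= tags (empty = OK)."""
    pairs = parse_tags(bimi_txt)
    if not pairs or pairs[0] != ("v", "BIMI1"):
        return ["v=BIMI1 must be the first tag"]
    tags = dict(pairs)
    problems = []
    for tag, what in (("l", "logo"), ("a", "certificate")):
        url = urlparse(tags.get(tag, ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{tag}= must be an HTTPS URL for the {what}")
    return problems


# The BIMI record shown in this guide, plus a constructed DMARC record still at p=none.
GUIDE_BIMI = ("v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; "
              "a=https://yourdomain.com/bimi/vmc.pem")
MONITORING_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
if __name__ == "__main__":
    print(bimi_record_problems(GUIDE_BIMI), dmarc_blocks_bimi(MONITORING_DMARC))
```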

Common BIMI mistakes

  • Publishing BIMI while still at p=none. Gmail will simply ignore your record. No error, no warning, no logo. Reach enforcement first, then publish BIMI.
  • Using an SVG that is not Tiny PS. Exporting from Illustrator or Figma produces standard SVG 1.1 by default, which BIMI will reject. The file must be hand-edited or passed through a Tiny PS converter.
  • Serving the logo from a subdomain with a weak certificate. The HTTPS connection that fetches your SVG and VMC must present a valid, publicly trusted certificate. Self-signed or expired certs will break BIMI.
  • Publishing without a VMC. Technically BIMI works without a VMC on a small number of providers, but the major inboxes (Gmail, Apple, Yahoo) all require one. Without it, you will invest in setup and see no logos.
  • Forgetting subdomains. BIMI is published per organisational domain, but if you send marketing mail from mail.yourdomain.com, you may need a separate BIMI record at default._bimi.mail.yourdomain.com depending on how DMARC alignment resolves.

Is BIMI worth it?

BIMI is a marketing win rather than a security win. The underlying security benefit comes from being at DMARC enforcement, which you should be doing regardless. BIMI just rewards that work with a visible badge in the inbox.

For B2C brands with heavy transactional or marketing email volume, BIMI tends to produce a measurable lift in open rates and a reduction in phishing complaints that reference your brand. Valimail, Red Sift and others have published case studies showing open rate improvements of 10 to 20 percent after BIMI adoption.

For smaller organisations, internal B2B senders, or public sector bodies, the £800 to £1,200 per year VMC cost is harder to justify. The good news is that DMARC enforcement, not BIMI, is what actually protects your users from impersonation. You get 95 percent of the value without paying a cent for a certificate.

Where BIMI fits in your email security stack

Think of BIMI as the capstone on a complete email authentication deployment. The full stack looks like this:

  • SPF authorises sending IPs.
  • DKIM cryptographically signs outbound messages.
  • DMARC aligns SPF and DKIM with your organisational domain and enforces policy.
  • MTA-STS and TLS-RPT protect the message in transit.
  • BIMI displays your verified logo to end users once all of the above are in place.

You can check exactly where your domain sits across these layers with a free Security Grade check. The scan covers DMARC, SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, CAA and more, and tells you exactly what needs to change before BIMI will work.

Next steps

  • Confirm DMARC enforcement with our DMARC Checker. If you are still on p=none, start there.
  • Read our guide on understanding DMARC reports to learn how to read the data you will need before moving to enforcement.
  • Trademark your logo with your national IP office if you have not already. This is the gating item for a VMC.
  • Convert your logo to SVG Tiny PS and validate it at bimigroup.org.
  • Purchase a VMC from DigiCert or Entrust and publish the DNS record.

Get to DMARC enforcement first

BIMI is a reward for reaching DMARC enforcement, not a shortcut. Start by running a free Security Grade check to see where your domain currently stands, then create a free ShieldMarc account to start collecting DMARC reports and move to enforcement in weeks rather than months.