BIMI Record Guide — Brand Logos in Email Inboxes

BIMI — Brand Indicators for Message Identification — is the protocol that puts your verified brand logo next to your messages in inbox clients that support it. It's a marketing signal that's also a security signal: BIMI only works for domains that have proven they care about email authentication, because the prerequisites are strict.

This guide covers what BIMI does, what it requires, how to format the logo, where the DNS record goes, and how to verify everything end-to-end.

For the broader email-authentication context, see Email security: SPF, DKIM, DMARC. BIMI depends on enforced DMARC, plus working SPF and DKIM.

What BIMI Does

In a supporting mail client, an email from your verified domain shows your brand logo (typically a circular avatar) instead of the default initials-on-a-coloured-background. For brands, this:

• Increases inbox brand recognition and trust signal
• Reduces the visual indistinguishability between your legitimate mail and lookalike phishing
• Provides a tangible payoff for the work of getting DMARC to enforcement

For mailbox providers, BIMI is a way to surface brand-authenticated mail visually, raising the cost of impersonation. They only display the logo for domains that meet the prerequisites, so showing a BIMI logo is itself a credibility signal.

For users, the on-screen difference is small but consistent: real DHL email shows the DHL logo; phishing email pretending to be DHL doesn't.

Prerequisites

BIMI is a layer on top of working email authentication. You need:

1. DMARC at enforcement

Your DMARC record must be at p=quarantine or p=reject with pct=100 (or pct missing, which defaults to 100). The sp= (subdomain policy) tag must also be at quarantine or reject. Domains stuck at p=none will not get BIMI display.

You can verify your DMARC record:

dig TXT _dmarc.yourdomain.example

Expected output:

"v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@yourdomain.example; ruf=mailto:dmarc-failure@yourdomain.example; sp=reject"

If your DMARC is at p=none, BIMI work is premature — focus on getting authentication right first. See DMARC explained for the policy ramp-up path.

2. SVG Tiny PS logo

BIMI requires a specific SVG profile: SVG Tiny Portable/Secure (Tiny PS). Key constraints:

• Square aspect ratio (1:1)
• viewBox attribute set
• baseProfile="tiny-ps" attribute on the root <svg> element
• xmlns="http://www.w3.org/2000/svg" declared
• No external references (no <image> linking to external URLs, no external fonts)
• No JavaScript (no <script>)
• No CSS animations (limited static styling only)
• Limited element set (paths, basic shapes; no filters, no foreign objects)

A minimal compliant SVG Tiny PS:

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     baseProfile="tiny-ps"
     version="1.2"
     viewBox="0 0 64 64">
  <title>Your Brand</title>
  <circle cx="32" cy="32" r="30" fill="#ff0000"/>
  <text x="32" y="40" font-family="sans-serif" font-size="32" fill="white" text-anchor="middle">B</text>
</svg>

Most marketing-team SVG exports won't comply. The BIMI Group SVG converter and BIMI SVG validator are the de-facto tools to check and adjust.

The SVG must be hosted at an HTTPS URL with a stable, publicly fetchable path (e.g., https://yourdomain.example/bimi/logo.svg). HTTP-only or authentication-gated URLs won't work.

3. VMC or CMC certificate

For Gmail and Apple Mail to display your logo, you need a Verified Mark Certificate (VMC) or, for Gmail only, a Common Mark Certificate (CMC):

If your brand has a registered trademark, get a VMC — it's the broadest support. If you don't, a CMC unlocks Gmail but not Apple Mail. Without either, only Yahoo and a few smaller providers will display your logo.

The VMC/CMC is published at an HTTPS URL alongside the SVG. The certificate's CN must match your domain.

The BIMI DNS Record

Once you have the SVG and (optionally) certificate hosted, you publish a TXT record at the BIMI selector. The default selector is simply default:

default._bimi.yourdomain.example.    3600    IN    TXT    "v=BIMI1; l=https://yourdomain.example/bimi/logo.svg; a=https://yourdomain.example/bimi/vmc.pem"

Tags:

To use a non-default selector for a specific mail stream (e.g., transactional vs marketing), add a BIMI-Selector header to those messages and publish the corresponding selector._bimi.yourdomain record:

BIMI-Selector: v=BIMI1; s=marketing

marketing._bimi.yourdomain.example.    3600    IN    TXT    "v=BIMI1; l=https://yourdomain.example/bimi/marketing-logo.svg; a=https://yourdomain.example/bimi/marketing-vmc.pem"

Most deployments use only the default selector.

Step-by-Step Deployment

Step 1 — Verify DMARC enforcement

dig TXT _dmarc.yourdomain.example

Confirm p=quarantine or p=reject, sp= matching, pct=100 or omitted. If not, ramp up DMARC first.

Step 2 — Prepare the SVG Tiny PS logo

Either:

• Convert an existing logo with the BIMI Group SVG converter, or
• Have your designer export a fresh SVG with the constraints above and validate it with the BIMI SVG validator.

Host the file at a public HTTPS URL. Test:

curl -I https://yourdomain.example/bimi/logo.svg
# Should return 200 OK with Content-Type: image/svg+xml

Step 3 — Obtain VMC or CMC (optional but strongly recommended)

Apply through Entrust or DigiCert. Process:

1. Provide registered trademark documentation (for VMC) or brand evidence (for CMC).
2. Submit your finalised SVG.
3. The CA verifies trademark ownership / brand association.
4. Receive PEM-format certificate.

Lead time: typically 2–4 weeks for VMC, 1–2 weeks for CMC, depending on documentation completeness.

Host the PEM file at an HTTPS URL alongside the logo:

curl -I https://yourdomain.example/bimi/vmc.pem
# Should return 200 OK

Step 4 — Publish the BIMI DNS record

Through DNScale dashboard or API:

curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "default._bimi",
    "type": "TXT",
    "content": "v=BIMI1; l=https://yourdomain.example/bimi/logo.svg; a=https://yourdomain.example/bimi/vmc.pem",
    "ttl": 3600
  }'

Or in Terraform:

resource "dnscale_record" "bimi_default" {
  zone_id = dnscale_zone.example.id
  name    = "default._bimi"
  type    = "TXT"
  content = "v=BIMI1; l=https://yourdomain.example/bimi/logo.svg; a=https://yourdomain.example/bimi/vmc.pem"
  ttl     = 3600
}

Step 5 — Verify

dig TXT default._bimi.yourdomain.example

Run the BIMI Inspector at bimigroup.org/bimi-generator/ to validate the full chain (DMARC + SVG + VMC + DNS).

Step 6 — Send a test message

Send mail from your authenticated domain to test addresses at:

• Gmail (verify in the desktop UI; logo appears next to the sender)
• Apple Mail (iOS or macOS Mail app)
• Yahoo Mail
• Fastmail

Allow up to 24 hours for first-time logo cache population at Gmail.

Common Failure Modes

DMARC not at enforcement

Symptom: BIMI Inspector reports DMARC not at quarantine/reject. Logo doesn't display.

Fix: Move DMARC to p=quarantine or p=reject. This is usually a multi-week project of fixing SPF/DKIM alignment first; don't rush it.

SVG not Tiny PS compliant

Symptom: BIMI Inspector reports SVG validation errors. Logo doesn't display in supporting clients even if record is correct.

Fix: Re-export through the BIMI converter or strip non-compliant elements (filters, foreign objects, scripts, animations).

VMC/CMC mismatch with domain

Symptom: Gmail or Apple Mail doesn't display logo despite valid record. Other providers (Yahoo) do.

Fix: Verify the certificate's CN matches the domain in the BIMI record. The certificate must be issued to the same organisation that controls the domain.

Wrong selector

Symptom: BIMI lookup fails entirely.

Fix: For default deployment, the record must be at default._bimi.yourdomain exactly. Watch for double-dotted typos like default..bimi.yourdomain.

HTTPS hosting issues

Symptom: Logo URL returns 200 from your laptop but BIMI verifier reports it can't fetch. Logo doesn't display.

Fix: Ensure the logo URL is publicly accessible without authentication, IP allowlists, or User-Agent blocking. Test with curl -I from a different network than your office IP.

What BIMI Doesn't Do

A common misconception: BIMI does not protect your email security. The security work is upstream:

• SPF authenticates the sending IP — see SPF record explained
• DKIM signs the message — see DKIM explained
• DMARC enforces alignment between SPF/DKIM and the From: domain — see DMARC explained
• MTA-STS / TLS-RPT enforce TLS for inbound mail — see MTA-STS and TLS-RPT

BIMI is a brand-display layer on top of all of those. If you skip the security work, BIMI doesn't compensate.

Mailbox Provider Support Matrix

As of mid-2026:

Coverage continues to expand — re-check vendor announcements before any major BIMI investment decision.

Cost / Benefit

A reasonable budget for a mid-sized brand to deploy BIMI in 2026:

Benefit is qualitative (brand trust signal, phishing visual differentiation) rather than directly measurable. Brands with high phishing volume against their domain see the clearest payoff; B2B-only senders or brands with low brand recognition outside email see less.

Related Reading

• Email security: SPF, DKIM, DMARC pillar
• SPF record explained
• DKIM explained
• DMARC explained
• MTA-STS and TLS-RPT
• TXT records for SPF, DKIM, DMARC, BIMI, and MTA-STS
• DNS TXT record
• DNS MX record

References

• BIMI Group — implementation guidance, validators, SVG converter
• BIMI Working Group at IETF — protocol drafts
• IETF: draft-brand-indicators-for-message-identification (BIMI core specification)
• Authindicators Working Group
• DigiCert and Entrust — VMC/CMC issuance documentation
• RFC 7489 — DMARC (BIMI prerequisite)