
BIMI (Brand Indicators for Message Identification) displays your company logo next to emails in supporting clients—but only when those messages pass strict authentication. The logo isn't decoration. It's proof.

The security insight is simple: the absence of a logo IS the security feature. When recipients learn to expect your logo, a spoofed email announces itself through its blankness.

How BIMI Works

BIMI inverts the usual security paradigm. Most email protections work invisibly—SPF checks happen, DKIM validates, DMARC enforces—but users never see any of it. They have no way to distinguish a verified message from a spoofed one.

BIMI makes authentication visible. When a message arrives:

  1. The receiving mail server checks DMARC (which requires SPF or DKIM alignment)
  2. If DMARC passes with an enforcement policy, the server looks up your BIMI record
  3. The BIMI record points to your logo (and optionally, a certificate proving trademark ownership)
  4. The logo appears in the recipient's inbox

No DMARC enforcement, no logo. Failed authentication, no logo. The visual presence of your brand becomes a trust signal that can't be forged.

The Requirements Stack

BIMI sits atop the entire email authentication pyramid. You can't skip steps.

DMARC enforcement is non-negotiable. Your domain needs p=quarantine or p=reject—not p=none. And your messages must actually pass DMARC consistently, not just have the policy published.

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

A compliant SVG logo: square aspect ratio, under 32KB, in the SVG Tiny Portable/Secure format. The logo must be publicly accessible over HTTPS.

A BIMI DNS record pointing to your logo:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg"

For Gmail specifically: a Verified Mark Certificate (VMC) proving you own the trademark for that logo. Yahoo and some others display logos without VMCs, but Gmail—where most of your recipients probably are—requires one.

Verified Mark Certificates

VMCs exist because anyone could host any logo. Without verification, BIMI would be meaningless—attackers would simply host logos of banks and tech companies.

A VMC proves to the email client that:

  • You own the trademark for this logo
  • A Certificate Authority verified that ownership with government trademark registries
  • The certificate cryptographically binds the logo to your domain

Only DigiCert and Entrust currently issue VMCs. The cost runs $1,000–$1,500 annually. The verification process takes weeks, not days—CAs check your trademark registration against official records.

To include a VMC, add the certificate URL to your BIMI record:

v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/certificate.pem
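The receiver-side sequence from "How BIMI Works" and the record requirements above (an enforcing DMARC policy, a DMARC pass, an HTTPS logo URL, and the optional a= certificate tag) as one added Python example; this is not code from the article. The DNS answers are constructed strings shaped like the records shown on this page, and the pct=100 and sp= checks come from the BIMI specification rather than the article text.

```python
"""Receiver-side BIMI eligibility check (added example, not from the article).

The DNS answers below are constructed strings shaped like the records the
article shows; a real implementation would resolve them with a DNS library.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed DNS answers for the article's example domain.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": (
        "v=BIMI1; l=https://example.com/logo.svg; "
        "a=https://example.com/certificate.pem"
    ),
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(record: str) -> bool:
    """BIMI receivers require p=quarantine or p=reject applied to all mail.

    Per the BIMI specification, pct below 100 (the default is 100) and an
    explicit sp=none both count as non-enforcement, so they fail here too.
    """
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    if tags.get("sp", "").lower() == "none":
        return False
    try:
        return int(tags.get("pct", "100")) == 100
    except ValueError:
        return False


@dataclass
class BimiRecord:
    logo_url: str
    cert_url: Optional[str]


def parse_bimi(record: str) -> Optional[BimiRecord]:
    """Return the logo and optional certificate URL, or None if unusable.

    Both URLs must be HTTPS; an l= that is not HTTPS is treated as no logo.
    """
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        return None
    logo = tags.get("l", "")
    if urlparse(logo).scheme != "https":
        return None
    cert = tags.get("a") or None
    if cert is not None and urlparse(cert).scheme != "https":
        return None
    return BimiRecord(logo, cert)


def bimi_decision(domain: str, dmarc_passed: bool, client_requires_vmc: bool,
                  dns: Dict[str, str] = DNS) -> str:
    """Walk the receiver's checks in the order the article lists them."""
    dmarc = dns.get("_dmarc." + domain, "")
    if not dmarc_is_enforcing(dmarc):
        return "no logo: DMARC policy is not enforcing"
    if not dmarc_passed:
        return "no logo: message did not pass DMARC"
    bimi_txt = dns.get("default._bimi." + domain)
    if bimi_txt is None:
        return "no logo: no BIMI record"
    rec = parse_bimi(bimi_txt)
    if rec is None:
        return "no logo: BIMI record malformed or logo not served over HTTPS"
    if client_requires_vmc and rec.cert_url is None:
        return "no logo: this client requires a VMC and the record has no a= tag"
    return "show logo " + rec.logo_url


if __name__ == "__main__":
    print(bimi_decision("example.com", dmarc_passed=True, client_requires_vmc=True))
    print(bimi_decision("example.com", dmarc_passed=False, client_requires_vmc=True))
```

Every branch that returns "no logo" is the blankness the article calls the security feature; the `client_requires_vmc` flag models the Gmail-versus-Yahoo difference described below.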

The Logo Itself

BIMI logos have specific requirements because they render at tiny sizes across diverse interfaces:

Format: SVG Tiny Portable/Secure (SVG-P/S), a restricted subset of SVG designed for security

Dimensions: Exactly square (1:1 aspect ratio)

File size: Under 32KB

Design: Simple shapes, clear at small sizes, works on white backgrounds

A basic example. The version and baseProfile attributes and the <title> element are required by the SVG-P/S profile; a logo without them fails validation even if it renders fine in a browser:

<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <circle cx="50" cy="50" r="45" fill="#0066cc"/>
</svg>

Complex logos with gradients, fine details, or text often fail or render poorly. The companies with the best BIMI implementations have simple, iconic logos.
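A first-pass structural check for a logo file, written as an added Python example that is not from the article or from any BIMI validation tool. It enforces the constraints listed above (SVG, square, under 32KB) plus the SVG-P/S markers a receiver's validator looks for (version="1.2", baseProfile="tiny-ps", a <title>, no scripting, animation or external references). The two SVG inputs are constructed; the set of forbidden elements is a subset of the profile's full prohibition list, so passing this check is necessary but not sufficient for conformance.

```python
"""Structural checks for a BIMI logo (added example, not from the article or
any BIMI validator). It enforces the constraints the article lists (SVG,
square, under 32 KB) plus SVG Tiny P/S markers a receiver's validator looks
for: version="1.2", baseProfile="tiny-ps", a <title>, no scripting, no
animation, no external references. The full profile whitelist is longer;
this is a first-pass check, not a replacement for a conformance tool.
"""
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_BYTES = 32 * 1024
# Subset of the elements the Tiny P/S profile prohibits.
FORBIDDEN = {"script", "handler", "listener", "image", "foreignObject", "video",
             "audio", "animate", "animateColor", "animateMotion",
             "animateTransform", "set", "discard"}

# Constructed inputs: a compliant version of the article's circle logo, and
# one that breaks several rules at once.
GOOD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
  baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <circle cx="50" cy="50" r="45" fill="#0066cc"/>
</svg>"""

BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
  viewBox="0 0 200 100" x="10">
  <script>/* not allowed */</script>
  <image xlink:href="https://cdn.example.test/remote.png" width="10" height="10"/>
  <circle cx="50" cy="50" r="45" fill="#0066cc" onclick="go()"/>
</svg>"""


def local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag or attribute name."""
    return tag.rsplit("}", 1)[-1]


def check_bimi_svg(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []
    # Size gate first: it is a BIMI limit and it also bounds what we parse.
    if len(data) > MAX_BYTES:
        return [f"file is {len(data)} bytes, limit is {MAX_BYTES}"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]

    if root.get("version") != "1.2":
        problems.append('root must declare version="1.2"')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root must declare baseProfile="tiny-ps"')
    for attr in ("x", "y"):
        if attr in root.attrib:
            problems.append(f"root <svg> must not carry the {attr} attribute")

    parts = root.get("viewBox", "").split()
    try:
        if len(parts) != 4:
            raise ValueError
        _, _, w, h = (float(p) for p in parts)
        if w <= 0 or w != h:
            problems.append(f"viewBox is {w:g}x{h:g}, BIMI requires a square")
    except ValueError:
        problems.append("viewBox missing or malformed")

    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing <title> element (required by Tiny P/S)")

    for el in root.iter():
        name = local(el.tag)
        if name in FORBIDDEN:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                problems.append(f"event handler attribute {local(attr)} on <{name}>")
            if attr in (XLINK_HREF, "href") and not value.startswith("#"):
                problems.append(f"external reference on <{name}>: {value}")
    return problems


if __name__ == "__main__":
    print("good:", check_bimi_svg(GOOD_SVG))
    print("bad:", *check_bimi_svg(BAD_SVG), sep="\n  ")
```

The size check runs before parsing on purpose: it is the BIMI limit, and it also caps how much XML the checker will ever hand to the parser.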

Email Client Support

BIMI support remains limited but growing:

Gmail: Full support, requires VMC

Yahoo Mail: Displays logos for DMARC-enforcing domains, VMC optional

Fastmail: Full support

Apple Mail: Experimental support

Microsoft Outlook: Still evaluating; not yet supported

The practical reality: if Gmail requires VMCs and that's where most recipients are, you effectively need a VMC for BIMI to matter.

Implementation Path

First: Achieve genuine DMARC enforcement. This isn't just publishing p=reject—it's getting your DMARC pass rate above 95%. Check your aggregate reports. If legitimate mail is failing, fix that first. BIMI on a domain with DMARC problems just means your logo won't appear.

Second: Create or adapt your logo to SVG-P/S format. If your logo isn't already trademarked, that's a prerequisite for VMCs—and trademark registration takes months.

Third: Host the logo at a stable HTTPS URL that won't change. Receivers cache BIMI records and the logos they fetch, so changing the URL causes display delays.

Fourth: If targeting Gmail, begin the VMC process with DigiCert or Entrust. Budget several weeks.

Fifth: Publish your BIMI record and test. Send emails to Gmail, Yahoo, and Fastmail accounts. Verify the logo appears.

dig default._bimi.example.com TXT
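The first step above says to check aggregate reports and get the DMARC pass rate above 95% before going further. This added Python example, which is not from the article, computes that rate from a DMARC aggregate (RUA) report and lists the sources that failed. The report is a constructed sample in the RFC 7489 aggregate XML format; real reports arrive as compressed attachments, and the IP addresses here are documentation ranges.

```python
"""DMARC aggregate (RUA) report pass-rate check (added example, not from the
article). The report below is a constructed sample in the RFC 7489 aggregate
format; real reports arrive as gzip/zip attachments and cover many records.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Tuple

SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>constructed-receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>940</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report: bytes) -> Tuple[int, int, Dict[str, int]]:
    """Return (total messages, DMARC-passing messages, failing count per source IP).

    policy_evaluated/dkim and /spf hold the *aligned* results, so a message
    passes DMARC when either one is 'pass'.
    """
    root = ET.fromstring(report)
    total = passed = 0
    failing: Counter = Counter()
    for rec in root.findall("record"):
        row = rec.find("row")
        if row is None:
            continue
        count = int(row.findtext("count", "0"))
        dkim = (row.findtext("policy_evaluated/dkim") or "").lower()
        spf = (row.findtext("policy_evaluated/spf") or "").lower()
        total += count
        if "pass" in (dkim, spf):
            passed += count
        else:
            failing[row.findtext("source_ip", "unknown")] += count
    return total, passed, dict(failing)


def pass_rate(report: bytes) -> float:
    """Fraction of reported messages that passed DMARC (0.0 for an empty report)."""
    total, passed, _ = summarize(report)
    return passed / total if total else 0.0


def ready_for_bimi(report: bytes, threshold: float = 0.95) -> bool:
    """The article's rule of thumb: pass rate above 95% before publishing BIMI."""
    return pass_rate(report) > threshold


if __name__ == "__main__":
    total, passed, failing = summarize(SAMPLE_REPORT)
    print(f"{passed}/{total} passed ({pass_rate(SAMPLE_REPORT):.1%}); "
          f"ready for BIMI: {ready_for_bimi(SAMPLE_REPORT)}")
    for ip, n in failing.items():
        print(f"  failing source {ip}: {n} messages")
```

The failing-source list is the part worth reading before publishing: a failing IP is either a legitimate sender (forwarder, SaaS tool) that needs SPF or DKIM fixed, which is the case the article says to resolve first, or traffic spoofing the domain that the reject policy is correctly discarding.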

When BIMI Makes Sense

BIMI rewards organizations that have already done the hard work of email authentication. If you have:

  • Strong DMARC enforcement with high pass rates
  • A trademarked logo
  • Significant email volume to recipients on Gmail/Yahoo
  • Budget for annual VMC renewal

Then BIMI provides real value: your brand becomes visually present in inboxes, and spoofed messages become visually absent.

If you're still struggling with DMARC compliance, BIMI is premature. The authentication foundation must come first.
