Understand BIMI (Brand Indicators for Message Identification)

Display your verified brand logo in the inbox. Learn the strict prerequisites, DNS record formats, and the most common setup pitfalls.

BIMI is the email equivalent of a "verified" badge: in supported inboxes, your logo appears next to your messages. It serves as a visual reward for organizations that have achieved strict email authentication, and it signals to humans that the message belongs to the brand they know.

BIMI is only shown by participating mailbox providers such as Gmail and Yahoo/AOL. Treat it as an experience upgrade for the recipients who can see it, not a universal guarantee across every mailbox.

Core Prerequisites

BIMI is picky. Before you publish a record, ensure you have:

  • Strict DMARC: Policy must be p=quarantine or p=reject with pct=100.
  • Alignment in practice: Your sending streams should pass either SPF or DKIM in alignment with the visible From domain, not just technically have a DMARC record.
  • DNS Assertion: A TXT record at default._bimi.yourdomain.
  • HTTPS Assets: Logo and certificate files accessible via public HTTPS.
  • VMC (Usually): A Verified Mark Certificate is required by Gmail and highly recommended.

1. DMARC Enforcement (The Foundation)

BIMI relies on the trust established by DMARC. It is not enough to simply have a DMARC record; it must be enforced against 100% of your email traffic, and your mail streams need to align with the domain in the From header.

⚠️ Common Pitfall: Partial Enforcement

If you are rolling out DMARC with pct=10 or pct=50, BIMI will not activate. Google explicitly requires p=quarantine or p=reject with pct=100.

2. The DNS Record (The Assertion)

You must publish a TXT record at a specific subdomain to "assert" your BIMI status. This record points inbox providers to your logo and certificate.

Location & Naming

For the default setup, the record must be published at:

default._bimi.yourdomain.com

If you publish at _bimi.yourdomain.com (missing "default"), receivers will not find it.

Set a reasonable TTL (for example, 1 hour) while you test, then raise it once the record is stable.

🚫 Watch Your DNS Console

Some DNS providers automatically append your domain name to the record name. If you type default._bimi.example.com into such a field, you may accidentally create default._bimi.example.com.example.com. Always check the final result.

Record Format

The record includes the version (v=BIMI1), the logo URL (l=), and the VMC URL (a=).

default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://brand.example.com/bimi/logo.svg; a=https://brand.example.com/bimi/cert.pem"
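An offline lint for the DMARC prerequisite, the record name, and the record value described above. This is an added example, not a tool from this page; the function names are hypothetical, the strings passed in are whatever your DNS lookup returned, and a= is treated as required to match Gmail.

```python
from urllib.parse import urlsplit

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT payload into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(txt):
    """Problems in a DMARC record that keep BIMI from activating."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC record")
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("p must be quarantine or reject")
    if tags.get("pct", "100") != "100":  # DMARC treats a missing pct as 100
        problems.append("pct must be 100")
    return problems

def check_bimi_name(name, domain, selector="default"):
    """Catch the missing-selector and doubled-domain naming mistakes."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    if name == f"{selector}._bimi.{domain}":
        return []
    if name.endswith(f"{domain}.{domain}"):
        return ["domain appended twice"]
    if name == f"_bimi.{domain}":
        return ["selector label missing before _bimi"]
    return ["unexpected record name"]

def check_bimi_value(txt):
    """Problems in the TXT value; a= is treated as required (Gmail's rule)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "BIMI1":
        problems.append("v must be BIMI1")
    for tag in ("l", "a"):
        url = urlsplit(tags.get(tag, ""))
        if not url.netloc:
            problems.append(f"{tag}= missing or not a URL")
        elif url.scheme != "https":
            problems.append(f"{tag}= must be HTTPS")
        elif url.query:
            problems.append(f"{tag}= has a query string")
    return problems

if __name__ == "__main__":
    # Constructed records: partial DMARC enforcement and a doubled record name.
    print(check_dmarc("v=DMARC1; p=quarantine; pct=50"))
    print(check_bimi_name("default._bimi.example.com.example.com", "example.com"))
```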

3. Logo Requirements (SVG)

BIMI does not accept standard SVGs. The file must adhere to the SVG Tiny Portable/Secure (P/S) profile. This is one of the most common issues people hit when trying to set up BIMI.

Even if your logo looks perfect in a browser, inbox providers will reject it if it does not meet the Tiny P/S profile, so treat this as a compliance task rather than a design-only exercise.

BIMI Standard Requirements

  • Format: SVG Tiny 1.2 P/S (baseProfile="tiny-ps", version="1.2").
  • Aspect Ratio: Square (1:1).
  • Design: Centered artwork with safe margins. Background should be filled (not transparent) to ensure visibility in both dark and light modes.
  • Hosting: Must be served over HTTPS.
  • No scripts, animations, or external references (other than specified XML namespaces).
  • No x= or y= attributes in the <svg> root element.
  • Include a <title> element (recommended: your organization's name).

Need to convert a standard SVG into BIMI-ready Tiny P/S? Use our BIMI SVG to Tiny-PS converter.

Gmail-Specific SVG Requirements

Gmail enforces additional requirements beyond the BIMI standard:

  • Minimum size: 96 × 96 pixels (both height and width).
  • Absolute dimensions: Use width="96" height="96" (absolute pixels). Do not use relative dimensions like width="100%".
  • File size: 32 KB or smaller. (Strictly enforced because the file is embedded directly into the TLS certificate chain.)
  • Accessibility: Include a <desc> element (description) for accessibility.
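A pre-flight check for the standard and Gmail-specific logo rules listed above, run against your own file's bytes before you submit it to a Certificate Authority. This is an added example, not the converter or validator this page mentions; the function name and both sample logos are constructed, and it accepts only unitless integer width/height as in the width="96" example.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
BANNED = {"script", "animate", "animateColor", "animateMotion",
          "animateTransform", "set"}

def check_bimi_svg(data: bytes):
    """Return rule violations for a logo you control, given as raw bytes."""
    problems = []
    if len(data) > 32 * 1024:
        problems.append("larger than 32 KB")
    root = ET.fromstring(data)
    if root.tag != SVG + "svg":
        return problems + ["root element is not <svg>"]
    if root.get("baseProfile") != "tiny-ps" or root.get("version") != "1.2":
        problems.append("not declared as SVG Tiny 1.2 P/S")
    if root.get("x") is not None or root.get("y") is not None:
        problems.append("x=/y= on <svg> root")
    w, h = root.get("width", ""), root.get("height", "")
    if not (w.isdecimal() and h.isdecimal()):  # assumption: unitless pixels
        problems.append("width/height not absolute pixels")
    elif w != h or int(w) < 96:
        problems.append("not square or smaller than 96 x 96")
    for child in ("title", "desc"):
        if root.find(SVG + child) is None:
            problems.append(f"missing <{child}>")
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in BANNED:
            problems.append(f"forbidden element <{local}>")
        for attr, value in el.attrib.items():
            if attr.rsplit("}", 1)[-1] == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{local}>")
    return problems

# Constructed samples: a compliant logo and one breaking several rules.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
        b'baseProfile="tiny-ps" width="96" height="96" viewBox="0 0 96 96">'
        b'<title>Example Org</title><desc>Example Org logo</desc>'
        b'<rect width="96" height="96" fill="#036"/></svg>')
BAD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.1" x="0" y="0" '
       b'width="100%" height="100%"><script>1</script>'
       b'<use xmlns:xlink="http://www.w3.org/1999/xlink" '
       b'xlink:href="https://cdn.example/i.svg#a"/></svg>')
```

Passing these checks does not prove full Tiny P/S conformance; it only catches the rules named on this page.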

Hosting "Gotchas"

  • No Query Strings: URLs like logo.svg?v=1 often fail validation. Use clean URLs.
  • Accessibility: Ensure the file is not blocked by geo-fencing, anti-bot challenges, or authentication prompts. It must be publicly fetchable by standard tools.
  • Stable hosting: Use a highly available HTTPS endpoint. Providers cache aggressively, but they still need to fetch the file reliably the first time.

4. VMC/CMC Certificates (Required for Gmail)

A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) is an X.509 digital certificate issued by an authorized Certificate Authority. It cryptographically links your logo to your domain and proves ownership of the mark you are presenting.

Gmail Does Not Support Standalone SVG Files

Gmail requires a PEM file containing your certificate (VMC or CMC). Your SVG logo is embedded inside this PEM file by the Certificate Authority. If you only provide a standalone SVG URL without a certificate in the a= parameter, Gmail will not display your logo.

VMC vs. CMC

  • VMC (Verified Mark Certificate): Requires a registered trademark. Gmail displays a blue verified checkmark next to your logo when this certificate validates.
  • CMC (Common Mark Certificate): Intended for logos with established use but no registered trademark. Provider support is emerging and policy details can vary, so verify current requirements before purchasing.

PEM File Structure

When your VMC/CMC is issued, you receive a PEM file. You must build the full certificate chain:

  1. Entity certificate (contains your embedded SVG logo)
  2. Intermediate CA certificate(s)
  3. Root CA certificate

Upload this complete PEM file to your public web server and reference it in your BIMI record's a= parameter.

Technical Detail: Why Embed?

The VMC Profile uses the Logotype Extension (RFC 3709) to embed the Base64-encoded SVG data directly into the certificate (LogotypeData), rather than just pointing to a URL. This prevents tampering: even if your server is compromised and the logo file is replaced, the certificate itself still holds the original, verified logo that was signed by the Certificate Authority. This embedding is why the 32 KB limit is so strict, because large files would bloat the SSL handshake.

Provider Support

  • Gmail: Requires a VMC today. CMC support is emerging and may be limited while providers finalize policies.
  • Yahoo/AOL: May display logos without a certificate, but policies vary. We recommend always getting a certificate for full compatibility.
  • Other providers: Support is growing but not universal. Always test the mailbox providers your recipients actually use.

Expectations: Propagation & Discretion

Once you publish your record, patience is required.

  • 48-Hour Delay: Google notes it can take up to 48 hours for BIMI changes to propagate and for their systems to fetch and cache your assets.
  • Provider Discretion: BIMI is not a guarantee. Even with a perfect setup, a mailbox provider may choose not to display the logo if the sender's reputation is low or if there is a spike in spam complaints.

Advanced: Selectors

Like DKIM, BIMI supports selectors. This allows you to use different logos for different email streams or brands sending from the same domain. You reference them via a BIMI-Selector header in your emails:

BIMI-Selector: v=BIMI1; s=marketing;

The receiver would then query marketing._bimi.yourdomain.com instead of default._bimi.yourdomain.com.

Validation & Troubleshooting

Use these commands to verify your setup before waiting on inbox providers.

1. Check the DNS Record

dig TXT default._bimi.yourdomain.com +short

2. Verify Asset Reachability

curl -I https://brand.example.com/bimi/logo.svg

Ensure the status is 200 OK and the Content-Type is correct (image/svg+xml).

We encourage you to use our BIMI validator to check your setup.
