Understand BIMI: Brand Indicators for Message Identification

BIMI is the email equivalent of a "verified" badge: in supported inboxes, your logo appears next to your messages. It serves as a visual reward for organizations that have achieved strict email authentication.

Core Prerequisites

BIMI is picky. Before you publish a record, ensure you have:

Strict DMARC: Policy must be p=quarantine or p=reject with pct=100.
DNS Assertion: A TXT record at default._bimi.yourdomain.
HTTPS Assets: Logo and certificate files accessible via public HTTPS.
VMC (Usually): A Verified Mark Certificate is required by Gmail and highly recommended.

1. DMARC Enforcement (The Foundation)

BIMI relies on the trust established by DMARC. It is not enough to simply have a DMARC record; it must be enforced against 100% of your email traffic.

⚠️ Common Pitfall: Partial Enforcement

If you are rolling out DMARC with pct=10 or pct=50, BIMI will not activate. Google explicitly requires p=quarantine or p=reject with pct=100.

2. The DNS Record (The Assertion)

You must publish a TXT record at a specific subdomain to "assert" your BIMI status.

Location & Naming

For the default setup, the record must be published at:

default._bimi.yourdomain.com

If you publish at _bimi.yourdomain.com (missing "default"), receivers will not find it.

🚫 Watch Your DNS Console

Some DNS providers automatically append your domain name to the record name. If you type default._bimi.example.com into such a field, you may accidentally create default._bimi.example.com.example.com. Always check the final result.

Record Format

The record includes the version (v=BIMI1), the logo URL (l=), and the VMC URL (a=).

default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://brand.example.com/bimi/logo.svg; a=https://brand.example.com/bimi/cert.pem"

💡 Quick Start

Generate a syntactically correct BIMI record instantly.

Free BIMI Record Generator

3. Logo Requirements (SVG)

BIMI does not accept standard SVGs. The file must adhere to the SVG Tiny Portable/Secure (P/S) profile. This is one of the most common issues people hit when trying to set up BIMI.

BIMI Standard Requirements

Format: SVG Tiny 1.2 P/S (baseProfile="tiny-ps", version="1.2").
Aspect Ratio: Square (1:1).
Design: Centered artwork with safe margins. Background should be filled (not transparent) to ensure visibility in both dark and light modes.
Hosting: Must be served over HTTPS.
No scripts, animations, or external references (other than specified XML namespaces).
No x= or y= attributes in the <svg> root element.
Include a <title> element (recommended: your organization's name).

Need to convert a standard SVG into BIMI-ready Tiny P/S? Use our BIMI SVG to Tiny-PS converter.

Gmail-Specific SVG Requirements

Gmail enforces additional requirements beyond the BIMI standard:

Minimum size: 96 × 96 pixels minimum height and width.
Absolute dimensions: Use width="96" height="96" (absolute pixels). Do not use relative dimensions like width="100%".
File size: 32 KB or smaller. (Strictly enforced because the file is embedded directly into the TLS certificate chain)
Accessibility: Include a <desc> element (description) for accessibility.

Hosting "Gotchas"

No Query Strings: URLs like logo.svg?v=1 often fail validation. Use clean URLs.
Accessibility: Ensure the file is not blocked by geo-fencing, anti-bot challenges, or authentication prompts. It must be publicly fetchable by standard tools.

4. VMC/CMC Certificates (Required for Gmail)

A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) is an X.509 digital certificate issued by an authorized Certificate Authority. It cryptographically links your logo to your domain.

Gmail Does Not Support Standalone SVG Files

Gmail requires a PEM file containing your certificate (VMC or CMC). Your SVG logo is embedded inside this PEM file by the Certificate Authority. If you only provide a standalone SVG URL without a certificate in the a= parameter, Gmail will not display your logo.

VMC vs. CMC

VMC (Verified Mark Certificate): Requires a registered trademark. Gmail displays a blue verified checkmark next to your logo.
CMC (Common Mark Certificate): For logos with established use but no registered trademark. Gmail displays your logo without the verified checkmark. (Supported since late 2024)

Authorized Certificate Issuers

Only certificates from these BIMI-approved Certificate Authorities are accepted:

DigiCert — The most established VMC issuer, widely trusted.
GlobalSign — Offers VMC as part of their PKI solutions.
Sectigo — Offers both VMC and CMC certificates.
SSL.com — Recently added to the approved issuer list.

Entrust No Longer Supported

Entrust was removed from the approved issuer list in late 2024 following Google's decision to distrust their certificates. If you have an Entrust VMC, you should migrate to another issuer.

PEM File Structure

When your VMC/CMC is issued, you receive a PEM file. You must build the full certificate chain:

Entity certificate (contains your embedded SVG logo)
Intermediate CA certificate(s)
Root CA certificate

Upload this complete PEM file to your public web server and reference it in your BIMI record's a= parameter.

Technical Detail: Why Embed?

The VMC Profile uses the Logotype Extension (RFC 3709) to embedding the Base64-encoded SVG data directly into the certificate (LogotypeData), rather than just pointing to a URL. This prevents tampering: even if your server is compromised and the logo file is replaced, the certificate itself still holds the original, verified logo that was signed by the Certificate Authority. This embedding is why the 32 KB limit is so strict—large files would bloat the SSL handshake.

Provider Support

Gmail: Requires VMC or CMC. Will not display logos without a valid certificate.
Yahoo/AOL: May display logos without a certificate, but policies vary. We recommend always getting a certificate for full compatibility.

Expectations: Propagation & Discretion

Once you publish your record, patience is required.

48-Hour Delay: Google notes it can take up to 48 hours for BIMI changes to propagate and for their systems to fetch and cache your assets.
Provider Discretion: BIMI is not a guarantee. Even with a perfect setup, a mailbox provider may choose not to display the logo if the sender's reputation is low or if there is a spike in spam complaints.

Advanced: Selectors

Like DKIM, BIMI supports selectors. This allows you to use different logos for different email streams or brands sending from the same domain. You reference them via a BIMI-Selector header in your emails:

BIMI-Selector: v=BIMI1; s=marketing;

The receiver would then query marketing._bimi.yourdomain.com instead of default.

Validation & Troubleshooting

Use these commands to verify your setup before waiting on inbox providers.

1. Check the DNS Record

dig TXT default._bimi.yourdomain.com +short

2. Verify Asset Reachability

curl -I https://brand.example.com/bimi/logo.svg

Ensure the status is 200 OK and the Content-Type is correct (image/svg+xml).

We encourage you to use our BIMI validator to check your setup.

Sources & Further Reading

BIMI Group (Official) — The authors of the BIMI specification.
BIMI Certificate Issuers — Official list of approved VMC/CMC Certificate Authorities.
Google Workspace: Set up BIMI — Official Google requirements (including the 48h propagation note).
Google: Create a BIMI SVG file — Detailed SVG requirements specific to Gmail.
Wikipedia: BIMI — General overview and history.

Understand BIMI (Brand Indicators for Message Identification)