BIMI is the email equivalent of a "verified" badge: in supported inboxes, your logo appears next to your messages. It serves as a visual reward for organizations that have achieved strict email authentication, and it signals to humans that the message belongs to the brand they know.
BIMI is only shown by participating mailbox providers such as Gmail and Yahoo/AOL. Treat it as an experience upgrade for the recipients who can see it, not a universal guarantee across every mailbox.
What You Will Learn
Core Prerequisites
BIMI is picky. Before you publish a record, ensure you have:
- Strict DMARC: Policy must be p=quarantine or p=reject with pct=100.
- Alignment in practice: Your sending streams should pass either SPF or DKIM in alignment with the visible From domain, not just technically have a DMARC record.
- DNS Assertion: A TXT record at default._bimi.yourdomain.
- HTTPS Assets: Logo and certificate files accessible via public HTTPS.
- VMC (Usually): A Verified Mark Certificate is required by Gmail and highly recommended.
1. DMARC Enforcement (The Foundation)
BIMI relies on the trust established by DMARC. It is not enough to simply have a DMARC record; it must be enforced against 100% of your email traffic, and your mail streams need to align with the domain in the From header.
Common Pitfall: Partial Enforcement
If you are rolling out DMARC with pct=10 or pct=50, BIMI will not activate. Google explicitly requires p=quarantine or p=reject with pct=100.
2. The DNS Record (The Assertion)
You must publish a TXT record at a specific subdomain to "assert" your BIMI status. This record points inbox providers to your logo and certificate.
Location & Naming
For the default setup, the record must be published at:
If you publish at _bimi.yourdomain.com (missing "default"), receivers will not find it.
Set a reasonable TTL (for example, 1 hour) while you test, then raise it once the record is stable.
Watch Your DNS Console
Some DNS providers automatically append your domain name to the record name. If you type default._bimi.example.com into such a field, you may accidentally create default._bimi.example.com.example.com. Always check the final result.
Record Format
The record includes the version (v=BIMI1), the logo URL (l=), and the VMC URL (a=).
Quick Start
Generate a syntactically correct BIMI record instantly.
3. Logo Requirements (SVG)
BIMI does not accept standard SVGs. The file must adhere to the SVG Tiny Portable/Secure (P/S) profile. This is one of the most common issues people hit when trying to set up BIMI.
Even if your logo looks perfect in a browser, inbox providers will reject it if it does not meet the Tiny P/S profile, so treat this as a compliance task rather than a design-only exercise.
BIMI Standard Requirements
- Format: SVG Tiny 1.2 P/S (baseProfile="tiny-ps", version="1.2").
- Aspect Ratio: Square (1:1).
- Design: Centered artwork with safe margins. Background should be filled (not transparent) to ensure visibility in both dark and light modes.
- Hosting: Must be served over HTTPS.
- No scripts, animations, or external references (other than specified XML namespaces).
- No x= or y= attributes in the <svg> root element.
- Include a <title> element (recommended: your organization's name).
Need to convert a standard SVG into BIMI-ready Tiny P/S? Use our BIMI SVG to Tiny-PS converter.
Gmail-Specific SVG Requirements
Gmail enforces additional requirements beyond the BIMI standard:
- Minimum size: 96 x 96 pixels minimum height and width.
- Absolute dimensions: Use width="96" height="96" (absolute pixels). Do not use relative dimensions like width="100%".
- File size: 32 KB or smaller. (Strictly enforced because the file is embedded directly into the TLS certificate chain)
- Accessibility: Include a <desc> element (description) for accessibility.
Hosting "Gotchas"
- No Query Strings: URLs like logo.svg?v=1 often fail validation. Use clean URLs.
- Accessibility: Ensure the file is not blocked by geo-fencing, anti-bot challenges, or authentication prompts. It must be publicly fetchable by standard tools.
- Stable hosting: Use a highly available HTTPS endpoint. Providers cache aggressively, but they still need to fetch the file reliably the first time.
4. VMC/CMC Certificates (Required for Gmail)
A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) is an X.509 digital certificate issued by an authorized Certificate Authority. It cryptographically links your logo to your domain and proves ownership of the mark you are presenting.
Gmail Does Not Support Standalone SVG Files
Gmail requires a PEM file containing your certificate (VMC or CMC). Your SVG logo is embedded inside this PEM file by the Certificate Authority. If you only provide a standalone SVG URL without a certificate in the a= parameter, Gmail will not display your logo.
VMC vs. CMC: Which Certificate Do You Need?
Both VMC (Verified Mark Certificate) and CMC (Common Mark Certificate) are digital certificates used within the BIMI standard. They allow your brand logo to appear next to the sender name in email inboxes (such as Gmail, Yahoo, or Apple Mail), reinforcing trust and combating phishing. These certificates are issued by authorized Certificate Authorities and require prior email domain configuration (SPF, DKIM, and DMARC enforcement).
| Criterion | VMC (Verified Mark Certificate) | CMC (Common Mark Certificate) |
|---|---|---|
| Primary Purpose | Logo display + blue verification checkmark in Gmail and some other mail clients | Logo display only (no verification checkmark) |
| Logo/Mark Requirement | Logo must be protected by a registered trademark (with an office such as USPTO, EUIPO, etc.) or be an official government seal | No trademark registration required, but the logo must have established prior use (documented usage for at least 1 year) |
| Technical Prerequisites |
|
Same as VMC |
| Identity Validation | Extended validation (similar to EV SSL): organization verification, domain verification, and in-person or video meeting to confirm the applicant's identity | Similar validation process but simplified (no trademark verification required) |
| Timeline & Complexity | Longer process (trademark verification can take several months) | Faster and more accessible (no trademark registration needed) |
| Additional Benefits | Maximum trust level with visible blue checkmark (enhances credibility) | More affordable and faster to obtain, sufficient for logo display |
| Post-Issuance Obligations |
|
Same as VMC |
| Eligibility | Organizations with an active registered trademark | Organizations without a registered trademark or with established prior use |
CMC Logo Prerequisites: Proving Prior Use
To obtain a Common Mark Certificate (CMC), you must demonstrate prior use of your logo without needing a registered trademark (unlike VMC). According to the BIMI Group's "Minimum Security Requirements for Issuance of Mark Certificates" and practices from Certificate Authorities like DigiCert or Entrust, the following types of evidence are accepted:
| Type of Evidence | Detailed Description | Verification Methods |
|---|---|---|
| Continuous public use on a controlled website | Evidence that the logo has been publicly and continuously displayed on a website you control for at least 12 consecutive months before the application. |
|
| Proof of established commercial use | Demonstration of legitimate and historical use of the logo in commercial activities (advertising, products, etc.) without trademark registration. |
|
| Additional verification by the Certificate Authority | The CA may independently verify the absence of conflicting trademarks and confirm usage through trademark databases. |
|
Important Notes on CMC Eligibility
- The minimum duration is generally 12 months (1 year) of continuous and verifiable use.
- The logo must be associated with your organization and a domain you control.
- Evidence is submitted during the application process to an authorized CA (DigiCert, Entrust, etc.), which performs extended validation similar to an EV SSL certificate.
- If the logo is a modified variant of an existing registered trademark, additional evidence of similarity may be accepted.
PEM File Structure
When your VMC/CMC is issued, you receive a PEM file. You must build the full certificate chain:
- Entity certificate (contains your embedded SVG logo)
- Intermediate CA certificate(s)
- Root CA certificate
Upload this complete PEM file to your public web server and reference it in your BIMI record's a= parameter.
Technical Detail: Why Embed?
The VMC Profile uses the Logotype Extension (RFC 3709) to embed the Base64-encoded SVG data directly into the certificate (LogotypeData), rather than just pointing to a URL. This prevents tampering: even if your server is compromised and the logo file is replaced, the certificate itself still holds the original, verified logo that was signed by the Certificate Authority. This embedding is why the 32 KB limit is so strict, because large files would bloat the SSL handshake.
Provider Support
- Gmail: Requires a VMC today. CMC support is emerging and may be limited while providers finalize policies.
- Yahoo/AOL: May display logos without a certificate, but policies vary. We recommend always getting a certificate for full compatibility.
- Other providers: Support is growing but not universal. Always test the mailbox providers your recipients actually use.
Get Your Certificate Through DMARCTrust
As an authorized Sectigo reseller, we handle the entire process: DMARC enforcement, logo preparation with our SVG Tiny P/S converter, compliance verification, and certificate issuance. One team, no back-and-forth with outsourced support.
DMARCTrust subscribers save 10% or more on Sectigo VMC and CMC certificates. View pricing.
Expectations: Propagation & Discretion
Once you publish your record, patience is required.
- 48-Hour Delay: Google notes it can take up to 48 hours for BIMI changes to propagate and for their systems to fetch and cache your assets.
- Provider Discretion: BIMI is not a guarantee. Even with a perfect setup, a mailbox provider may choose not to display the logo if the sender's reputation is low or if there is a spike in spam complaints.
Advanced: Selectors
Like DKIM, BIMI supports selectors. This allows you to use different logos for different email streams or brands sending from the same domain. You reference them via a BIMI-Selector header in your emails:
The receiver would then query marketing._bimi.yourdomain.com instead of default.
Validation & Troubleshooting
Use these commands to verify your setup before waiting on inbox providers.
1. Check the DNS Record
2. Verify Asset Reachability
Ensure the status is 200 OK and the Content-Type is correct (image/svg+xml).
We encourage you to use our BIMI validator to check your setup.
Sources & Further Reading
- BIMI Group (Official) : authors of the BIMI specification.
- BIMI Certificate Issuers : list of approved VMC/CMC Certificate Authorities.
- Google Workspace: Set up BIMI : Google requirements (including the 48h propagation note).
- Google: Create a BIMI SVG file : detailed SVG requirements specific to Gmail.
- Wikipedia: BIMI : general overview and history.