BIMI record published but the logo does not show

Work through the prerequisites each mailbox provider enforces before it renders a logo: DMARC at enforcement, a valid default._bimi TXT, an SVG P/S image over HTTPS, and a trusted certificate.

Quick answers

Why is my BIMI logo not showing even though the BIMI record is published?
A published BIMI record is one of several requirements. The From domain must enforce DMARC at p=quarantine or p=reject, the message itself must pass DMARC, the SVG must use the SVG Portable/Secure profile served over HTTPS, and Gmail and Apple Mail require a certificate (VMC or CMC). If any one of these is missing, no logo appears.
Does BIMI require DMARC at p=reject?
It requires enforcement, which is either p=quarantine or p=reject. BIMI never works with p=none. Note that DMARCbis (RFC 9989 §7.4) discourages p=reject for general-purpose mailbox domains, so p=quarantine commonly satisfies the BIMI prerequisite. Gmail historically also required full policy coverage (pct=100 under RFC 7489); the pct tag was removed in DMARCbis (RFC 9989 Appendix A.6), but a policy that does not apply to all of your mail still disqualifies the message.
Do I need a VMC for BIMI to work in Gmail?
Gmail does not accept self-asserted BIMI records, so you need a certificate from DigiCert or Entrust. A Verified Mark Certificate shows your logo plus the verified checkmark. Since September 2024 Gmail also accepts a Common Mark Certificate, which shows the logo without the checkmark.
Which mailbox providers show BIMI logos without a certificate?
Yahoo, AOL, and Fastmail display logos from a self-asserted BIMI record with no certificate. Gmail and Apple Mail require a trusted certificate (VMC or CMC).
How long until my BIMI logo appears after I fix the record?
Providers evaluate BIMI when they process the next authenticated message that passes DMARC, and they do not publish a cache refresh interval. Send a fresh authenticated message after the DNS and certificate are valid, then allow time rather than expecting an instant change.

What a working BIMI record needs

A BIMI record is a TXT record at default._bimi.<domain> that points a mailbox provider to your logo and, in most cases, a certificate that vouches for it. Publishing the record is necessary but not sufficient. Gmail, Apple Mail, and other providers each evaluate a chain of prerequisites for every individual message, and they show the logo only when the whole chain holds for that message. The most common reason a logo never appears is that one upstream requirement, usually DMARC enforcement or the certificate, is not met. Work through the checkpoints below in order, because a later step cannot compensate for an earlier failure.

Checkpoint 1: DMARC must be at enforcement

BIMI is gated on DMARC. The From domain's policy must be p=quarantine or p=reject; p=none is never accepted. DMARCbis (RFC 9989 §7.4) discourages p=reject for general-purpose mailbox domains and says Mail Receivers may apply a reject policy as quarantine, so p=quarantine commonly satisfies the BIMI prerequisite. The BIMI Group implementation guide also requires enforcement on the organizational domain and its subdomains, so if you publish a subdomain policy with sp=, that value must also be quarantine or reject, not none (BIMI Group implementation guide). Gmail historically required full coverage via pct=100 (RFC 7489); the pct tag was removed in DMARCbis (RFC 9989 Appendix A.6), but a policy that does not apply to all of your mail still disqualifies the message (Google Workspace: Set up BIMI).

Check the published DMARC policy on the visible From domain: 

dig TXT _dmarc.example.com +short
dig TXT _dmarc.example.com @1.1.1.1 +short

You want a single record whose policy is at enforcement, for example: 

v=DMARC1; p=reject; rua=mailto:[email protected]

Publishing a policy is not the same as the message passing under it. The individual message must authenticate and align under that policy, per RFC 9989 §5.3.5: if one or more of the Authenticated Identifiers align with the Author Domain, the message passes the DMARC mechanism check. BIMI specifically relies on DKIM alignment for that pass, per the BIMI Group implementation guide. If the policy is still p=none, move it to enforcement first; see the related fixes below.

Checkpoint 2: the default._bimi TXT record

Query the BIMI record itself. The label is default._bimi for the default selector: 

dig TXT default._bimi.example.com +short
dig TXT default._bimi.example.com @8.8.8.8 +short

A valid record uses v=BIMI1 first, an l= tag with the HTTPS URL of the SVG, and an a= tag with the HTTPS URL of the certificate PEM: 

default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

The a= tag is optional in the raw specification but required in practice by Gmail and Apple Mail, because both demand a certificate (BIMI Group implementation guide). An empty l= (written l=;) is a deliberate declination signal, not a typo, so confirm your generator did not emit one. Both URLs must be HTTPS, and the SVG and PEM must actually be reachable at those URLs from the public internet.

Checkpoint 3: the SVG must be SVG Portable/Secure

A logo that opens fine in a browser can still be rejected for BIMI. The image must use the SVG Portable/Secure profile (SVG P/S), a tightened subset of SVG Tiny 1.2. The requirements from the BIMI Group and Google are specific (BIMI Group: Creating BIMI SVG logo files, Google Workspace: Set up BIMI):

  • The root element must carry baseProfile="tiny-ps" and version="1.2".
  • It must include a <title> element with the company name; <desc> is recommended.
  • Scripts, animation, interactivity, and external references are prohibited. The x= and y= attributes on the root <svg> are prohibited.
  • The artwork must be square, centered, and on a solid (non-transparent) background. Transparent backgrounds may render incorrectly.
  • The file must be 32 KB or smaller.
  • Gmail requires a minimum height and width of 96 px expressed in absolute pixels, for example width="96" height="96".

A correct root element looks like this: 

<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 96 96" width="96" height="96">
  <title>Example Inc</title>
  ...
</svg>

No common export tool produces compliant SVG P/S directly. Adobe Illustrator's "SVG Tiny 1.2" export is closest but still leaves root x/y attributes you must strip by hand. The DMARCTrust BIMI Tiny P/S converter takes an existing SVG and produces a conformant SVG P/S file, and the BIMI record generator builds the matching default._bimi TXT value.

Checkpoint 4: the certificate (VMC or CMC)

Gmail and Apple Mail do not show a logo from a self-asserted record. The a= URL must serve a trusted BIMI Evidence Document, which is one of two certificate types from one of two authorized issuers (BIMI Group: VMC and BIMI, DigiCert: Verified Mark Certificates):

  • A Verified Mark Certificate (VMC) requires a logo registered as a trademark with a recognized intellectual property office (or a government mark or seal). In Gmail it yields the logo plus the verified checkmark.
  • A Common Mark Certificate (CMC) covers logos not registered as trademarks, accepting Prior Use Marks and Modified Registered Marks. It shows the logo but not the checkmark. Gmail began accepting CMC in September 2024 (Google Workspace Updates, September 2024).

The only two authorized certificate authorities are DigiCert and Entrust; both issue VMC and CMC. Apple Mail requires a trusted Evidence Document (VMC or CMC) and shows a "digitally certified" label in the message details (Apple: About BIMI support in Apple Mail). Confirm the PEM is served over HTTPS and matches the logo in the l= URL: 

curl -sI https://example.com/vmc.pem
curl -s https://example.com/vmc.pem | head -1

The first line of a PEM certificate is -----BEGIN CERTIFICATE-----. If the URL returns HTML or a 404, the a= tag is broken and Gmail and Apple Mail will not render the logo.

Checkpoint 5: provider support and timing

Support and strictness differ by mailbox provider, so test where your recipients actually are:

  • Gmail is the strictest: DMARC enforcement, full policy coverage (historically pct=100 under RFC 7489, a tag removed in DMARCbis), SVG P/S, a certificate, and sufficient sending reputation. Google does not publish a numeric reputation threshold; monitor it in Google Postmaster Tools (Google Workspace: Set up BIMI).
  • Apple Mail supports BIMI on iOS 16, iPadOS 16, macOS Ventura 13 or later, and iCloud.com. It requires DMARC plus a trusted Evidence Document (Apple: About BIMI support in Apple Mail).
  • Yahoo, AOL, and Fastmail display self-asserted logos with no certificate (BIMI Group: Understanding BIMI certificate types).

Providers evaluate BIMI server-side when they process the next authenticated message that passes DMARC. None of them publishes a cache refresh interval, so after a DNS or certificate change, send a fresh authenticated message and allow time rather than expecting the logo to update on an already-delivered message.

Validate the whole chain

Run the checks together so you can see which link is broken: 

dig TXT _dmarc.example.com @1.1.1.1 +short
dig TXT default._bimi.example.com @1.1.1.1 +short
curl -sI https://example.com/logo.svg
curl -sI https://example.com/vmc.pem

You want an enforced DMARC policy, exactly one v=BIMI1 record, and HTTPS 200 responses for both the SVG and the PEM. Use the DMARCTrust DMARC checker to confirm the live DMARC posture, then send a new test message from your real sending path and check that it passes DMARC in the recipient inbox. BIMI is evaluated at delivery time against the records and message that exist for that attempt, so reusing an old message will not reflect a fix.

Was this page helpful? Send us feedback

Last updated: May 2026

← All guides Start now

Need expert help with email deliverability?

Hire an email deliverability consultant who has shipped billions of emails. Free assessment, hands-on engagement, written quote before any work starts.

Talk to a consultant