The Architecture of BIMI: Verified Visual Identity
BIMI is more than just a "profile picture" for your emails; it is a standardized, DNS-based protocol (RFC 9091) that links your verified brand logo to your sending domain. In an era of rampant phishing and domain spoofing, BIMI serves as a highly visible Trust Signal. When a user sees your official, high-resolution logo next to your name in their Gmail or Apple Mail inbox, they are receiving implicit confirmation that the email has been authenticated and verified by the receiving mail provider.
The technical workflow behind the logo display is a multi-step verification process. When an email arrives, the receiving mail server first checks your SPF, DKIM, and DMARC status. If your DMARC policy is at an enforcement level (reject or quarantine), the server then queries your DNS for a specific BIMI record located at default._bimi.yourdomain.com. This record contains a URL pointing to your logo file and, in many cases, a URL pointing to a "Verified Mark Certificate" (VMC) that proves you actually own the trademark for that logo.
| Support Status | Mail Client / Provider | VMC Required? | Impact on Brand |
|---|---|---|---|
| Full Support | Google Gmail | Yes | High - Verified Blue Checkmark |
| Full Support | Apple Mail (iOS/macOS) | No (Optional) | High - Integrated Inbox Logo |
| Partial Support | Yahoo Mail | No (Optional) | Medium - Growing Integration |
| No Support | Microsoft Outlook | Not Applicable | None - Uses Internal Profiles |
As indicated in the table, the level of verification required varies significantly by provider. Google Gmail is currently the most stringent, requiring a Verified Mark Certificate (VMC) for any logo display. Conversely, Apple Mail and Yahoo allow for "Self-Asserted" BIMI, where the logo is displayed based purely on the DNS record without a $1,000+ per year certificate. This divide makes BIMI a "Tiered" implementation: every brand can start with basic BIMI for Apple users, while larger enterprises invest in VMCs to capture the massive Gmail audience with a "Verified" blue checkmark.
Beyond the marketing benefits, BIMI is a powerful driver of email security adoption. Because BIMI requires DMARC enforcement, it incentivizes brands to lock down their domains against spoofing. You cannot get the "cool logo" until your house is technically in order. This synergy has turned BIMI into a key component of modern email deliverability strategies, providing a tangible, visual reward for the hard work of securing your organization's DNS infrastructure.
Prerequisites for Implementation: Setting the Foundation
You cannot simply create a BIMI record and expect a logo to appear tomorrow. BIMI has the strictest prerequisites of any email standard. If even one of these pillars is weak, the receiving mail server will silently ignore your BIMI record. The goal of these requirements is to ensure that only "good" senders—those who have proven their identity via robust technical signatures—can use the visual logo feature. This prevents bad actors from spoofing a bank's logo and appearing legitimate in the inbox.
The primary hurdle is DMARC Enforcement. Your DMARC policy must be set to either p=quarantine or p=reject. A policy of p=none (which is what most companies start with for monitoring) is explicitly excluded from the BIMI standard. Furthermore, many providers require your "Percentage" tag (pct) to be 100. If you are only quarantining 50% of unauthorized mail, you aren't considered secure enough to warrant a verified logo display.
- SPF & DKIM Maturity: Your domain must have functional SPF and DKIM records. DKIM signatures must use at least 1024-bit keys (2048-bit is the industry recommendation).
- Identifier Alignment: Your
From:header domain must match the domain used in your SPF and DKIM signatures. This "alignment" is what allows DMARC to pass successfully. - HTTPS Availability: Your logo file must be hosted on a secure
https://server with a valid SSL certificate. Plainhttp://URLs will be rejected. - Reputation Health: Some providers (like Google) also perform an internal reputation check. Even if your settings are perfect, if your domain has a "Bad" reputation due to high spam complaints, they may temporarily suppress your BIMI logo.
Authentication alignment is often the "hidden" failure point. Many companies use external services like SendGrid or Mailchimp but forget to set up "Branded Links" or "Custom Return Paths." In these cases, the ESP signs the mail with their domain, but your email says it's from your domain. This results in a DMARC pass but an Alignment Fail, which is fatal for BIMI. You must ensure that every single mail flow originating from your domain is fully aligned and authenticated before attempting to publish your BIMI record.
If you are unsure about your current posture, use our DMARC Checker to verify your policy level and alignment. Once you have confirmed that you are at p=quarantine or p=reject with 100% enforcement, you have cleared the most difficult barrier to BIMI implementation and can move on to the technical logo and DNS work. For more on reaching this state, see our DMARC Policy Enforcement Guide.
VMC vs. Self-Asserted BIMI: Choosing Your Verification Level
One of the most frequent questions from brands is whether they need to buy a Verified Mark Certificate (VMC). The answer depends entirely on your target audience. A VMC is a digital "Proof of Ownership" for your logo, issued by an authorized Certificate Authority like DigiCert or Entrust. It proves to the mail world that you hold a registered trademark for the logo you are trying to display. Without this certificate, you are performing what is known as "Self-Asserted" BIMI.
With Self-Asserted BIMI, you simply tell the world: "This is my logo." You publish the logo's URL in your DNS, and providers like Apple Mail or Yahoo will (at their discretion) display it. This costs $0 beyond your normal hosting fees and is an excellent starting point for any brand. However, Google Gmail will not show your logo without a VMC. Because Gmail represents a massive portion of most inbox traffic, many companies find the VMC to be a necessary, albeit expensive, cost of doing business.
| Feature Type | Self-Asserted BIMI | VMC-Verified BIMI |
|---|---|---|
| Cost | $0 / Free | ~$1,200 - $1,500 per year |
| Requirements | DNS Record + SVG Logo | Trademark + DNS + SVG + VMC |
| Wait Time | Immediate | 1 - 4 Weeks (Verification) |
| Verified Mark | No | YES (Gmail Verified Checkmark) |
As shown in the table, the jump from self-asserted to VMC is a significant leap in both cost and administrative effort. To get a VMC, your logo must be a registered trademark in one of the approved global offices (like the USPTO in the US or EUIPO in Europe). If your logo is not yet a registered trademark, you are ineligible for a VMC. In this scenario, your best path is to implement self-asserted BIMI today and wait for your trademark registration to complete before upgrading to a full VMC deployment.
For most small to medium businesses, we recommend starting with Self-Asserted BIMI. It allows you to get your SVG Logo and DNS Records set up and tested. You'll see your logo appearing in various mobile apps and client sidebars immediately. Once you see the value in that visual identity and have the budget and trademark in place, adding a VMC to your existing BIMI record is a simple change to a single DNS tag (a=).
The SVG Tiny P/S Standard: Technical Logo Guidelines
One of the "Gotchas" of BIMI is the logo file format. You cannot use a .png, .jpg, or even a standard .svg file. BIMI requires a very specific, secure subset of the SVG format called SVG Tiny Portable/Secure (Tiny P/S). Standard SVGs often contain "scripts," "external links," or "rasterized data" that could pose a security risk if rendered inside a mail client. The Tiny P/S profile strips away all these dangerous elements, ensuring the logo only contains simple vector math.
Exporting an SVG from Adobe Illustrator or Figma and simply changing the file extension will not work. You must use a specialized "BIMI SVG Converter" tool to sanitize the file. The converter will remove external font references (converting them to "paths" instead), strip out any animation code, and add the required metadata headers to the XML structure of the file. If these technical bits aren't perfect, the mail server's automated validator will reject the file and nothing will display.
- Square Aspect Ratio: Your logo should be perfectly square (1:1). Most mail clients display the logo in a circle, so ensure your branding is centered and won't be "clipped" at the corners.
- Solid Background: Avoid transparency if your logo relies on specific colors. A white logo on a transparent background will vanish if the user is in "Dark Mode" and the client provides a black container.
- No Animations: BIMI does not support GIF-like animations in the logo. It must be a static vector.
- File Size: Keep it lean. Most providers recommend a file size under 32KB. Larger files may fail to load in mobile environments with slow data connections.
The goal of the SVG Tiny P/S standard is rendering reliability. Because your logo might be displayed on a tiny Apple Watch screen, a legacy browser, or a 4K desktop monitor, vector math is the only way to ensure it stays sharp at every resolution. By following these strict guidelines, you ensure that your brand always looks premium and professional, regardless of the device your customer is using to read their mail.
If you need help converting your logo, many of the VMC issuers (like DigiCert) provide free web-based converters. Once your SVG is ready, you can host it anywhere on your primary web server. Just ensure that the server is configured to return the correct "MIME Type" (image/svg+xml) in the HTTP headers, or the BIMI lookup will fail. This is a common technical oversight that can be easily diagnosed using our BIMI Lookup Tool.
DNS Configuration and Record Syntax
BIMI is published as a DNS TXT record. This makes it easy to update without needing to redeploy server code. The record is always placed at a specific "Selector" location: default._bimi.yourdomain.com. While the standard allows for multiple selectors (similar to DKIM Selectors), almost everyone sticks with the "default" label as it is the only one universally supported by receivers today.
The syntax of the record follows the standard "Key-Value" pair format found in SPF and DMARC. There are two primary tags you need to worry about: l= (Location of the logo) and a= (Authority, or the location of the VMC certificate). The record must begin with the version tag v=BIMI1. If you are using a self-asserted setup, you simply omit the a= tag or leave it empty, although most experts recommend leaving it out entirely to avoid any validation confusion.
; Example Self-Asserted BIMI Record:
v=BIMI1; l=https://cdn.example.com/branding/logo.svg
; Example VMC-Verified BIMI Record:
v=BIMI1; l=https://cdn.example.com/logo.svg; a=https://cdn.example.com/branding/vmc.pem
- TTL (Time to Live): Set your TTL to something reasonable, like 3600 (1 hour). This allows you to fix mistakes quickly if your logo URL changes.
- Selectors: If you want to use different logos for different departments, you would use
marketing._bimi.domain.comand then specify that selector in your mail headers. However, this is advanced territory and generally not recommended for a "First Implementation." - Multiple Domains: If you have multiple brands (
brandA.comandbrandB.com), you must publish a separate BIMI record for each. There is no "Global" BIMI record that covers all subdomains unless the parent domain has a specific configuration, and even then, most clients prefer the explicit record.
When you publish this record, you are essentially "Inviting" the mail server to brand your emails. It is a passive signal. You don't "push" the logo to the receiver; they "pull" it from your DNS only when they trust your authentication. This architecture ensures that the receiver maintains full control over their UI while giving you the tools to provide the necessary assets for a beautiful inbox experience.
Always double-check your syntax. A missing semicolon or a typo in the URL will break the entire lookup. After publishing, use a dig or nslookup command to verify that the record is visible to the public internet. If your DNS provider supports it, use their "Preview" tool to ensure the TXT value hasn't been accidentally "Wrapped" in extra quotes, which is a common error in some older management interfaces.
Deployment and Troubleshooting Common Failures
Deploying BIMI is a "Fire and Forget" process, but the "Fire" part often requires multiple attempts. Because of the many moving parts (DNS, SVG, DMARC, SSL), there are several common failure points that can prevent your logo from appearing. If you find that your logo is missing after 48 hours of propagation, the first place to look is your DMARC Posture. It is the most frequent cause of BIMI "Silent Failures"—where the server checks for BIMI, sees a p=none policy, and ignores everything else.
The second area to troubleshoot is the SSL/Security on your Logo URL. Mail servers are exceptionally picky about the safety of the assets they download. If your logo is hosted on a domain with a "Self-Signed" SSL certificate, or if your server doesn't support modern TLS protocols, the mail client's internal proxy will refuse to fetch the SVG. Always ensure your logo URL is accessible to the "General Public" and isn't hidden behind a corporate VPN or a firewall that blocks bot-like traffic from mail provider proxies.
- Check Headers: Look at a test email's headers for a field called
BIMI-LocationorAuthentication-Results. If you seebimi=failorbimi=skipped, the header will often provide a reason (e.g.,no-vmc,policy-not-at-enforcement). - SVG Validity Check: Re-run your SVG through an online validator. Even a small XML error, like a single missing bracket in the Tiny P/S metadata, will cause a rendering failure.
- MIME Type Validation: Ensure your server sends
image/svg+xml. If your server sendstext/plainorapplication/octet-stream, the client will ignore the image for security reasons. - Cache Delays: Remember that BIMI results are heavily cached. If you make a mistake and fix it, it might take 24 to 72 hours for the "Old" bad result to expire from the cache of providers like Gmail or Yahoo.
Another "Invisible" barrier is Volume Thresholds. Some providers, particularly Gmail, only display BIMI logos for domains that reach a certain "Minimum Volume" or "Trust Level." If you only send 5 emails a month from your domain, Google may decide that your domain hasn't established enough "Sender Longevity" to warrant a verified logo display. In these cases, the solution is simply time and consistent, high-volume, clean sending behavior.
If all else fails, use our BIMI Lookup Tool to regenerate your record and verify your existing one. It performs a comprehensive "Health Check" that simulates the exact process a mail server follows, highlighting the specific line of code or DNS record that is causing the breakdown. BIMI implementation is a "Right of Passage" for professional senders—once you clear it, you join the elite tier of brands that are both technically secure and visually distinct in the global inbox.
Frequently Asked Questions
Q: Does BIMI work in Outlook?
No. As of 2025, Microsoft Outlook (including Office 365) does not support the BIMI standard. Microsoft currently uses its own internal system for logo display, often pulling from your Microsoft 365 profile or LinkedIn. However, because Gmail and Apple represent over 70% of the mobile market, BIMI is still considered a "Mandatory" upgrade for serious brands.
Q: Can I use a regular SVG if I'm not using a VMC?
No. Even for "Self-Asserted" BIMI (without a VMC), the logo file must still adhere to the SVG Tiny P/S standard. This is required for security and compatibility reasons across different mail clients. A "regular" SVG will likely be blocked by the receiver's security filters, regardless of your VMC status.
Q: If I have multiple subdomains, do I need multiple BIMI records?
Usually, yes. BIMI is a per-domain check. If you send from marketing.example.com and support.example.com, you should ideally place a BIMI record at the "default" selector for each of those subdomains. Some providers will "Fall Back" to the organizational domain (example.com), but explicit records at the subdomain level are the most reliable path to consistent display.
Q: How do I know if I'm eligible for a VMC?
The most important requirement is a Registered Trademark. You must have an active registration number from a supported intellectual property office (USPTO, UK IPO, EUIPO, etc.). If your logo is just "trademark pending" or if you only have common-law rights, you cannot purchase a VMC yet. You should implement self-asserted BIMI in the meantime.
Q: Why do I see a blue checkmark on some emails but not others?
The blue "Verified" checkmark (specifically in Gmail) is only granted to senders who have a Valid VMC. If a brand has BIMI set up but doesn't have a VMC, you might see their logo across the board, but you won't see that specific "Verified" badge. The checkmark is the reward for the extra layer of third-party trademark verification.
Q: Does BIMI improve my deliverability?
Not directly. A mail server doesn't say "Oh, they have a logo, let's put them in the inbox." However, because BIMI requires you to have perfect SPF, DKIM, and DMARC settings, the act of qualifying for BIMI will significantly improve your overall deliverability and sender reputation.
Next Steps
Validate your current BIMI status and prerequisite posture using our BIMI Lookup Tool. This tool will check your DNS records, verify your DMARC enforcement level, and test your SVG URL for accessibility in one single report.
If you haven't yet reached the mandatory p=quarantine or p=reject DMARC policy, follow our DMARC Policy Enforcement guide to get there safely. For help with the initial logo conversion, see our Guide to Creating a BIMI-Compliant SVG.
Browse all Email Guides on DNSnexus for advanced strategies on BIMI selectors, VMC procurement, and provider-specific logo rendering optimizations.
Related Guides
- DMARC Policy Enforcement: Moving Safely from Monitoring to Reject
- DKIM Explained: How It Works and How to Verify It
- SPF Record Explained: Setup, Syntax, and the 10-Lookup Limit
- Google & Yahoo Bulk Sender Requirements: The 2025 Compliance Checklist
- DNS TXT Records Explained: Why Every Email Standard Uses Them