BIMI Setup Guide: How Email Logo Authentication Fits Into the Full Stack
BIMI is the capstone of email authentication – but it requires SPF, DKIM, and DMARC at p=reject to function. Here's the full setup guide, what Verified Mark Certificates are, which inboxes support it, and the most common misconfigurations.
By sadiqbd · June 8, 2026
BIMI is the last piece of an email authentication stack most organisations haven't finished building
Brand Indicators for Message Identification – BIMI – lets your logo appear next to emails in supported inboxes. Gmail, Apple Mail, Yahoo Mail, and others display a verified brand logo in the sender field for emails that pass the full authentication chain. It sounds like a cosmetic feature. In practice it's a trust signal that distinguishes authenticated brand email from lookalike phishing attempts.
But BIMI is the capstone, not the foundation. Getting it working requires the three layers beneath it to be correctly configured first.
The email authentication stack
BIMI sits at the top of a four-layer authentication hierarchy:
Layer 4: BIMI – displays your logo in the inbox
Layer 3: DMARC – policy enforcement, requires SPF or DKIM alignment
Layer 2: DKIM – cryptographically signs each outgoing message
Layer 1: SPF – authorises which servers can send from your domain
Each layer depends on the ones below it. BIMI won't function without DMARC at p=quarantine or p=reject. DMARC can't enforce alignment without at least one of SPF or DKIM passing and aligning. All of it is configured through DNS records.
What BIMI actually does
When an email arrives in a supported inbox:
- The receiving mail server checks that the email passes DMARC (either SPF or DKIM alignment must pass)
- If DMARC passes at the appropriate policy level, the server looks for a BIMI record in DNS for the sending domain
- The BIMI record points to a logo file (SVG format) hosted publicly
- The inbox client fetches and displays the logo
The BIMI DNS record lives at default._bimi.<domain> and has this format:
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
The l= field is the logo URL. The a= field (optional for some providers, required for Gmail's verified checkmark) is the URL of the Verified Mark Certificate (VMC).
Verified Mark Certificates (VMC): the Gmail requirement
Most email clients will display a BIMI logo from any domain that passes DMARC at p=quarantine or p=reject. Gmail goes further – it only shows the verified blue checkmark (rather than just any logo) for senders who have a Verified Mark Certificate.
A VMC is a digital certificate, issued by a Certificate Authority (DigiCert or Entrust currently issue VMCs), that cryptographically verifies that the logo belongs to the organisation. It requires the logo to be a registered trademark.
VMC requirements:
- Active trademark registration in a major jurisdiction (US USPTO, UK IPO, EU EUIPO, etc.)
- Logo in SVG Tiny PS format (a specific SVG subset with precise requirements)
- Certificate issued by an approved CA (currently DigiCert or Entrust)
- Annual cost: roughly $1,000–$1,500/year from DigiCert or similar
For large organisations with registered trademarks, the VMC enables the verified checkmark that carries the strongest trust signal. For smaller organisations or those without registered trademarks, BIMI without VMC still displays the logo in Yahoo Mail, Apple Mail, and other clients – just not the Gmail verified checkmark.
Prerequisites checklist before BIMI setup
Before touching a BIMI record, verify each prerequisite:
1. SPF record present and valid
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
Check with a DNS lookup tool. The record must be syntactically valid and should end with -all (hard fail) or ~all (soft fail) rather than +all.
2. DKIM configured for all sending sources
Every service sending email on behalf of your domain – your primary ESP, CRM, marketing platform, transactional email service – needs DKIM selectors published in DNS. Verify each with a DKIM checker tool (enter the selector and domain).
3. DMARC at p=quarantine or p=reject
This is the hard requirement. BIMI won't function with DMARC at p=none:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
If you're not yet at p=reject, read DMARC reports for 4–6 weeks at p=none, identify all legitimate sending sources, ensure they all have DKIM configured and SPF aligned, then move through p=quarantine to p=reject.
4. Logo as SVG Tiny PS
Regular SVG doesn't meet the BIMI specification. The SVG Tiny PS (Portable/Secure) subset restricts scripting, external references, and certain features. The logo must:
- Be 1:1 (square) aspect ratio
- Have a solid, non-transparent background
- Be a properly formatted SVG Tiny PS file
- Be hosted via HTTPS at a stable URL
Several free converters and validators exist to check SVG BIMI compliance.
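A structural pre-check for the logo file, as an added example that is not from the original guide or from any BIMI validator. `check_tiny_ps` is a hypothetical name, the baseProfile, version and <title> rules come from the published SVG Tiny PS profile rather than from this page, and the background colour is not examined.

```python
# Added example: structural pre-check of a logo file before publishing l=.
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def check_tiny_ps(svg_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    # Example's own safety choice: never hand DTDs/entities to the parser.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != SVG + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    findings = []
    # Profile markers (from the SVG Tiny PS profile, not from this page).
    if root.get("baseProfile") != "tiny-ps":
        findings.append("baseProfile is not tiny-ps")
    if root.get("version") != "1.2":
        findings.append("version is not 1.2")
    if root.find(SVG + "title") is None:
        findings.append("missing <title>")
    # 1:1 aspect ratio, judged from the viewBox width and height.
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        square = len(box) == 4 and float(box[2]) == float(box[3])
    except ValueError:
        square = False
    if not square:
        findings.append("viewBox missing, malformed or not square")
    # Scripting and references that leave the file.
    for el in root.iter():
        name = el.tag.split("}")[-1]
        if name == "script":
            findings.append("<script> element")
        if any(a.lower().startswith("on") for a in el.attrib):
            findings.append("event handler attribute on <%s>" % name)
        href = el.get("href") or el.get(XLINK_HREF) or ""
        if href and not href.startswith("#"):
            findings.append("non-local reference: %s" % href)
    return findings

# Constructed sample: square, profile markers set, no scripts or links.
GOOD = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
        'baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example</title>'
        '<rect width="100" height="100" fill="#ffffff"/></svg>')
```

An empty result only means these structural checks passed; a dedicated SVG Tiny PS validator is still the authority before publishing.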
BIMI lookup: what the tool checks
The BIMI Lookup tool on sadiqbd.com queries:
- The BIMI DNS record – default._bimi.<domain> – showing the raw TXT record
- Logo reachability – whether the URL in l= returns a valid SVG
- VMC presence – whether a= is populated and reachable
- Underlying DMARC status – the policy that BIMI depends on
Running the lookup shows you which parts of the chain are configured and which are missing or misconfigured.
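The same chain can be checked offline once the TXT records are in hand. The following is an added example, not the BIMI Lookup tool's code: `parse_tags` and `check_bimi_chain` are hypothetical helper names, the records are constructed, and DKIM is left out because selectors cannot be discovered from the domain alone.

```python
# Added example: offline BIMI readiness check over TXT record strings.
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC and BIMI style) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi_chain(spf, dmarc, bimi):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    # SPF: must exist and must not end by authorising every sender.
    terms = (spf or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        problems.append("spf: missing or not v=spf1")
    elif terms[-1] in ("+all", "all"):  # bare "all" defaults to "+all"
        problems.append("spf: ends with +all")
    elif terms[-1] not in ("-all", "~all"):
        problems.append("spf: does not end with -all or ~all")
    # DMARC: BIMI is ignored unless the policy is enforcing.
    d = parse_tags(dmarc or "")
    if d.get("v") != "DMARC1":
        problems.append("dmarc: missing or not v=DMARC1")
    elif d.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("dmarc: p=%s is not enforcing" % d.get("p", "<unset>"))
    # BIMI: l= must be an HTTPS URL; a= (VMC) is optional but HTTPS if present.
    b = parse_tags(bimi or "")
    if b.get("v") != "BIMI1":
        problems.append("bimi: missing or not v=BIMI1")
    else:
        for tag in ("l", "a"):
            url = urlparse(b.get(tag, ""))
            if tag == "a" and not b.get("a"):
                continue  # no VMC published
            if url.scheme != "https" or not url.netloc:
                problems.append("bimi: %s= is not an https URL" % tag)
    return problems

if __name__ == "__main__":
    # Constructed records: SPF and BIMI are fine, DMARC is still at p=none.
    print(check_bimi_chain("v=spf1 include:_spf.google.com ~all",
                           "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                           "v=BIMI1; l=https://example.com/logo.svg"))
```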
Common BIMI configuration mistakes
Trying to configure BIMI before DMARC is at p=quarantine or p=reject. The record will be ignored. DMARC enforcement is mandatory.
Using a non-compliant SVG. Regular SVG files don't meet BIMI specification. Validate the SVG Tiny PS compliance before publishing the record.
Wrong logo URL in the BIMI record. The URL must be HTTPS and must return exactly the SVG file (not a redirect, not a web page containing the SVG). Test the URL directly.
Hosting the logo on a CDN without CORS headers. Some inbox clients need appropriate CORS or HTTP response headers to fetch the logo. Verify the logo URL returns the file directly.
Selector mismatch – publishing BIMI but having missing DKIM records for some sending sources means those sources fail DMARC alignment, and their emails don't qualify for BIMI display even though the record exists.
Which inboxes support BIMI?
Full VMC + logo display (verified checkmark where VMC present):
- Gmail (requires VMC for the verified mark)
- Yahoo Mail
- Apple Mail (iOS and macOS)
- Fastmail
Logo display without verified checkmark (no VMC required beyond DMARC p=quarantine):
- Yahoo Mail
- Various regional providers
Not yet supported:
- Outlook/Microsoft 365 (Microsoft has announced BIMI support but implementation is ongoing)
Coverage is expanding. Even without Outlook support, BIMI covers a large share of consumer and business inboxes.
Frequently Asked Questions
Does BIMI improve email deliverability?
Not directly – BIMI itself isn't a deliverability signal. But the prerequisites (DMARC at p=reject, DKIM on all sources, SPF valid) are deliverability improvements. BIMI motivates completing the authentication stack, which does improve deliverability and domain reputation.
Is a VMC required for BIMI?
Only for Gmail's verified checkmark. The base BIMI logo display in Yahoo Mail and Apple Mail works without a VMC – you just need DMARC at p=quarantine or p=reject and a valid BIMI record.
How long does it take BIMI to appear after configuration?
DNS propagation is the main delay – typically 24–48 hours for changes to propagate. After propagation, inbox clients begin pulling the logo. Full rollout can take a few days.
Is the BIMI Lookup tool free?
Yes – completely free, no sign-up required.
BIMI is worth implementing once the underlying authentication stack is solid – both for the inbox visibility benefit and because the prerequisites are independently valuable for email deliverability and anti-spoofing protection.