FAQs For Marketers and ESPs
What is BIMI?
Brand Indicators for Message Identification (BIMI) is a standard that lets a sending domain publish, in DNS, a logo that mailbox providers can consider displaying beside authenticated emails. BIMI does not change message delivery; it is a display signal on top of strong authentication.
At a minimum, BIMI requires DMARC alignment, and many providers also require a valid Certificate (VMC or CMC) proving rights to the logo.
How does BIMI work?
You publish a BIMI TXT record at default._bimi.yourdomain that points to your SVG logo, and optionally to a Mark Certificate. When your email authenticates and aligns with DMARC, supporting providers may fetch and display that logo next to the message in the inbox UI.
- Publish: TXT record with v=bimi1; l= (logo URL), optional a= (Certificate URL), and optional avp= (brand/personal) tag.
- Authenticate: SPF/DKIM aligned to the visible From: domain, with DMARC at quarantine/reject.
- Display: Provider-specific policies determine if and when the logo shows.
What does BIMI have to do with anti-abuse?
BIMI builds on DMARC, encouraging proper alignment and visible branding for authenticated mail. Because logos only appear when the message authenticates (and, at some providers, when a Certificate validates), it makes visual spoofing harder and raises the bar for impersonators.
What is SPF?
SPF (Sender Policy Framework) is a DNS list of IPs/hosts authorized to send for your domain. Receivers compare the SMTP client IP against this list. SPF helps reduce spoofing but does not ensure message integrity or, by itself, DMARC alignment.
What is DKIM?
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to each email. Receivers verify it with your public key in DNS. When the d= domain aligns with the visible From domain, DKIM can satisfy DMARC alignment.
What is DMARC?
Domain-based Message Authentication, Reporting & Conformance (DMARC) tells receivers how to handle messages that fail SPF/DKIM alignment and enables reporting. Policies are none, quarantine, or reject.
What does DMARC enforcement mean?
Enforcement means your DMARC policy is p=quarantine or p=reject (not p=none or pct<100). Most BIMI-supporting providers require enforcement before considering your logo for display.
What do I need to do to operationalize BIMI on my end?
- Move DMARC to enforcement on the Organizational (Apex) domain (and any subdomains used).
- Ensure DKIM aligns (preferred) and/or SPF aligns with the visible From domain.
- Prepare a compliant SVG Tiny-PS logo.
- Host the SVG at a stable HTTPS URL with the correct image/svg+xml MIME type.
- Publish the BIMI TXT record with v=bimi1; l= logo URL; add a= if you have a Certificate.
- Test retrieval and alignment; monitor performance and reputation.
Does BIMI replace the user profile image?
No. Providers decide when to show a personal avatar vs a brand logo. Some support an Avatar Preference policy (e.g., personal over brand or vice-versa), but this is provider-specific. BIMI standardizes the brand logo signal; it doesn’t eliminate profile images.
Does BIMI allow me to support multiple domains and logos?
Yes. You can publish BIMI per domain and subdomain. If you need different logos for different streams, use selectors and reference them in a custom email header (BIMI-Selector: v=BIMI1; s=newsletter) along with matching DNS records for that selector. Selector support varies between email platforms.
Should I publish BIMI on my organizational domain or each subdomain?
A default BIMI record should be published at the Organizational Domain, allowing it to be inherited by all subdomains. The domain administrator may publish a BIMI record on a subdomain. If a BIMI record is found at that subdomain, the mailbox provider can use it (even if it differs from the BIMI record published at the Organizational Domain).
Does BIMI use any technical means to validate the published logo?
BIMI itself doesn’t validate copyright. That’s the job of Certificates (VMC/CMC) where required: they cryptographically assert you have rights to the logo referenced by your record. Providers decide whether a Certificate is needed for display.
How do I publish a BIMI record?
Host: default._bimi.example.com
Type: TXT
Value: v=bimi1; l=https://example.com/path/logo.svg; a=https://example.com/path/cert.pem
Required: v=bimi1, l= logo URL. Optional: a= Certificate URL (often required for display by some providers).
What is a Verified Mark Certificate / CMC?
Certificates used with BIMI come in two forms: a VMC (Verified Mark Certificate) or a CMC (Common Mark Certificate). Both assert that an independent Mark Verifying Authority has confirmed your rights to the mark used in your BIMI logo. Providers choose which certificate types they accept.
Where can I get a Certificate?
Purchase from an approved Mark Verifying Authority (MVA). They will validate your organization and your rights to the logo/mark, then issue a Certificate you host and reference in your BIMI record’s a= attribute.
What file format should I use for my logo?
Use a clean, square SVG Tiny-PS file (no external resources, no scripts, no embedded rasters). Keep paths simple, flatten groups, and ensure the server sends Content-Type: image/svg+xml.
- ViewBox: square (e.g., 0 0 256 256).
- Background: If you need one, bake it into the SVG (many UIs render a circle/squircle mask). We also suggest a solid color to ensure your logo displays in light and dark display modes.
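The logo constraints above can be checked before publishing. This is an added example, not part of the original FAQ or any provider's validator; the sample SVGs are constructed and it covers only the constraints named here (square viewBox, no scripts, no rasters, no external resources).

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def lint_logo(svg_text):
    """Return findings for the logo constraints in this FAQ; an empty list means none found."""
    # Intended for your own logo file; parse untrusted XML with a hardened parser such as defusedxml.
    root = ET.fromstring(svg_text)
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    findings = []
    parts = root.get("viewBox", "").replace(",", " ").split()
    try:
        _, _, width, height = (float(p) for p in parts)
        if width != height or width <= 0:
            findings.append("viewBox is not square")
    except ValueError:  # wrong number of values or a non-numeric value
        findings.append("viewBox missing or malformed")
    for el in root.iter():
        name = el.tag.replace(SVG_NS, "")
        if name == "script":
            findings.append("contains <script>")
        if name == "image":
            findings.append("contains embedded raster <image>")
        if any(attr.lower().startswith("on") for attr in el.attrib):
            findings.append(f"event handler attribute on <{name}>")
        href = el.get("href") or el.get(XLINK_HREF) or ""
        if href and not href.startswith("#"):  # '#id' is an internal reference
            findings.append(f"external reference in <{name}>: {href}")
    return findings

# Constructed samples: a clean square logo and one that breaks every rule checked above.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256">'
            '<rect width="256" height="256" fill="#003366"/>'
            '<circle cx="128" cy="128" r="80" fill="#ffffff"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 300 200" onload="init()">'
           '<script>init=function(){}</script>'
           '<image xlink:href="https://cdn.example.com/logo.png" width="300" height="200"/></svg>')

if __name__ == "__main__":
    for label, svg in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        print(label, lint_logo(svg))
```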
What does a BIMI logo look like?
It’s your brand mark, optimized for small sizes, square viewBox, high contrast, minimal detail, and no thin hairlines. Avoid text-heavy marks; favour bold, simple shapes that remain recognizable at 20–24 px.
Does the display of a logo promote user trust?
Logos can improve recognition, reduce hesitation, and may boost engagement. They aren’t a guarantee of trust; they’re a signal layered on top of authentication and good sending practices.
Does BIMI use my DKIM (d=; i=) or my SPF domain?
BIMI ties to the visible From domain via DMARC alignment. That alignment can be satisfied by DKIM (d=) and/or SPF (Mail FROM/HELO), but display decisions are based on the domain in the header From.
What are the different attributes of a BIMI record?
- v= – Version (must be bimi1).
- l= – Logo URL (HTTPS SVG).
- a= – Certificate URL (VMC/CMC), when applicable.
- avp= – Avatar Preference, options include brand/personal.
- Optional future params – Ignore unknowns; receivers must not fail on extensions.
Each attribute is separated by a semicolon (;) and the final record will look similar to this:
default._bimi.example.com IN TXT "v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem; avp=brand;"
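The record format described above and the enforcement rule from the DMARC question can be checked together before you publish. This is an added example, not part of the original FAQ or any provider's code; the function names and sample records are constructed for illustration, and it inspects record text only (no DNS lookups).

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict with lowercased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def check_bimi(txt):
    """Return problems found in a BIMI TXT record; an empty list means well-formed."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "").lower() != "bimi1":
        problems.append("v= must be BIMI1")
    if "l" not in tags:
        problems.append("l= (logo URL) is required")
    for name in ("l", "a"):
        url = tags.get(name)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{name}= must be an HTTPS URL")
    return problems  # tags not checked here are ignored, as receivers do with unknown tags

def dmarc_enforced(txt):
    """True when a DMARC record is at enforcement: p=quarantine or p=reject, pct not below 100."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    return pct.isdigit() and int(pct) == 100

# Constructed sample records (example.com is a placeholder domain).
GOOD_BIMI = "v=bimi1; l=https://example.com/path/logo.svg; a=https://example.com/path/cert.pem"
BAD_BIMI = "v=BIMI1; l=http://www.example.com/logo.svg; x-future=1"

if __name__ == "__main__":
    print(check_bimi(GOOD_BIMI))
    print(check_bimi(BAD_BIMI))
    print(dmarc_enforced("v=DMARC1; p=quarantine; pct=50"))
```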
BIMI – is there a certain recommended logo size?
There’s no pixel size in SVG; instead, use a square viewBox and ensure paths render clearly at small sizes (think favicon-like). Test at 20–40 px to confirm recognizability.
Who is currently displaying BIMI records in their UI?
Support varies by provider and can change. Generally, large consumer mailbox providers consider BIMI for display when authentication, enforcement, reputation, and (where required) a Certificate are in place. We do our best to keep this infographic updated.
What marks are supported for Certificates and where can I get one?
Acceptable marks and validation evidence are set by the Mark Verifying Authority (MVA). Typically, registered trademarks are accepted; some MVAs may accept other legally protected marks depending on policy. Contact your chosen MVA for current criteria.
We have a trademark (or protected governmental mark). How do we get a Certificate?
Work with an MVA. You’ll provide organization identity documents and proof of rights to the mark (e.g., trademark registration, statutory protection). The MVA will verify and issue a Certificate you reference via a= in your BIMI record.
What is the cost of a VMC/CMC?
Pricing varies by MVA and factors such as validation effort and term. Expect an annual fee; additional verification (e.g., multiple marks, jurisdictions) may affect cost. Check current pricing with your selected MVA.
My BIMI record is on my domain but the image is hosted on another domain. Is that a problem?
Cross-hosted SVGs are fine if they’re publicly accessible over HTTPS with correct content type and caching. Avoid blockers: robots rules, geo-fences, IP allowlists, or CDN rules that deny provider fetches.
Where should I publish the BIMI record?
Under <selector>._bimi.<domain>, usually default._bimi.example.com. Use additional selectors for different logos/streams as needed.
I want to exclude a specific subdomain.
Don’t publish a BIMI record for that subdomain, or publish a “no-image” selector you reference on that stream (e.g., l= pointing to a transparent/blank SVG that meets constraints). Remember: providers still decide display.
We published our BIMI record; how do we verify it’s working?
- Confirm DNS: correct host, semicolons, and attributes.
- Fetch your SVG/Certificate URL with curl -I to check 200 and image/svg+xml / application/pem-certificate-chain (or similar) content types.
- Send aligned mail to test inboxes and check provider-side display (note: caching and reputation can delay/limit display).
I’m not seeing my logos.
Some mailbox providers accept a self-asserted BIMI record. That means that some mailbox providers (e.g. Yahoo) may begin to display your logo without a VMC. If the logo isn’t displayed at Yahoo, you may want to check their BIMI information page. Other mailbox providers (e.g. Gmail, Apple) require that BIMI logos be verified with a Verified Mark Certificate.
- DMARC not enforced or alignment broken on the message.
- SVG/Certificate not retrievable (HTTP, blocked, wrong MIME, auth needed).
- Provider reputation thresholds not met; or provider doesn’t show logos for this mailbox/view.
- Certificate missing/invalid where required.
- UI caching; wait and re-check with fresh mail.
Why is a mailbox provider or testing tool reporting issues retrieving my SVG/VMC file?
There are several possibilities including but not limited to:
- HTTP instead of HTTPS, or TLS misconfiguration.
- Blocked user agents, geo/IP restrictions, or hotlink protection.
- Incorrect Content-Type or forced download headers.
- Redirect chains ending on the wrong file/host.
- Certificate chain not publicly accessible (for a= URLs).
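To triage these causes from a saved header response, the check below maps one URL and its captured curl -I output to the problems listed above. This is an added example, not part of the original FAQ; the function name and the header samples are constructed, and it inspects a single response rather than following a redirect chain.

```python
from urllib.parse import urlparse

def triage_fetch(url, head_output, expected_type="image/svg+xml"):
    """Map one URL and its captured `curl -I` output to the retrieval problems in this FAQ."""
    issues = []
    if urlparse(url).scheme != "https":
        issues.append("URL is not HTTPS")
    lines = [ln.strip() for ln in head_output.splitlines() if ln.strip()]
    fields = lines[0].split() if lines else []
    status = fields[1] if len(fields) > 1 else "missing"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status.startswith("3"):
        host = urlparse(headers.get("location", "")).netloc
        if host and host != urlparse(url).netloc:
            issues.append(f"redirect ({status}) to another host: {host}")
        else:
            issues.append(f"redirect ({status}); check the final URL too")
        return issues
    if status != "200":  # e.g. 403 from a blocked user agent or geo/IP rule
        issues.append(f"status {status}, expected 200")
        return issues
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != expected_type:
        issues.append(f"Content-Type is {media_type or 'absent'}, expected {expected_type}")
    if headers.get("content-disposition", "").lower().startswith("attachment"):
        issues.append("forced download (Content-Disposition: attachment)")
    return issues

# Constructed header captures (placeholder hosts, not real responses).
OK_HEAD = "HTTP/2 200\ncontent-type: image/svg+xml\ncache-control: max-age=86400\n"
BAD_HEAD = ("HTTP/1.1 200 OK\nContent-Type: application/octet-stream\n"
            'Content-Disposition: attachment; filename="logo.svg"\n')
REDIR_HEAD = "HTTP/1.1 301 Moved Permanently\nLocation: https://cdn.example.net/brand/index.html\n"
BLOCKED_HEAD = "HTTP/1.1 403 Forbidden\nserver: cdn\n"

if __name__ == "__main__":
    print(triage_fetch("https://example.com/path/logo.svg", OK_HEAD))
    print(triage_fetch("http://example.com/path/logo.svg", BAD_HEAD))
    print(triage_fetch("https://example.com/path/logo.svg", REDIR_HEAD))
```

For the a= URL, pass the certificate content type you expect as expected_type.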
My ESP can’t set a custom Mail FROM/Return-Path. Is that a problem for BIMI?
Not necessarily. BIMI depends on DMARC alignment with the visible From domain, which can be satisfied by aligned DKIM without aligned SPF. Ensure your ESP signs with a DKIM domain that aligns to your From domain.
Why is another sender’s brand logo showing even without a BIMI record?
Some providers display proprietary “brand badges” or profile images outside BIMI. BIMI standardizes logo discovery and proof; provider-specific badges can still appear for trusted senders. If you see the wrong logos, we recommend you publish a BIMI logo for your brand to address the problem; you can also try contacting the mailbox provider’s official support team for help.
How is Yahoo different from other BIMI implementations?
Yahoo will display your BIMI logo if:
- A BIMI record exists which points to a valid logo in SVG format
- A DMARC policy of quarantine or reject is in place
- The mailing is sent to a large number of recipients (bulk mail); BIMI will not be displayed on personal mail
- Where Yahoo sees sufficient reputation and engagement for the email address
If you think all of those requirements are met but still no logo is displayed, please read the Yahoo Sender Support details for BIMI help.
How do I get support at a mailbox provider?
For specific troubleshooting questions related to a specific mailbox provider’s BIMI implementation, it’s recommended that you review each of their support pages:
- Apple Support
- AU
- Fastmail Help Center
- Gmail Support
- Laposte Support
- Onet Poczta Support
- Yahoo Sender Support
- Zoho Mail
- Zone Support
- Zoner
Note: this list may not be complete or include all Mailbox providers displaying BIMI logos.