BIMI - Brand Indicators for Message Identification

Email security stack (level 5 marked; earlier levels are prerequisites)
  1. L0 Baseline: MX
  2. L1 Authentication: SPF, DKIM
  3. L2 Policy: DMARC
  4. L3 Transport: STARTTLS, MTA-STS
  5. L4 Observability: DMARC rua, TLS-RPT
  6. L5 Trust signals: DNSSEC, DANE, BIMI (you are here)

BIMI puts a logo next to authenticated messages from your domain in supporting mail clients. Receivers that trust your DMARC (Domain-based Message Authentication, Reporting, and Conformance) render the logo. Spoofed mail that fails DMARC never gets to carry it.

The pieces: a TXT record in DNS, a tightly constrained SVG served over HTTPS, and (for some clients) a paid certificate that vouches for your right to use the logo. The spec is a long-running IETF draft; Gmail, Yahoo, and Apple Mail implement a stable subset.

What it is

BIMI is a branding layer on top of DMARC. DMARC already proves a message really came from your domain. BIMI is the next step: now that the receiver trusts the sender, show them your logo.

The mechanism is deliberately narrow. No logos for domains that cannot authenticate. No logos for messages that fail DMARC alignment. The logo is a trust signal, not a brand placement.

Why bother

Three reasons.

  1. Trust signal for recipients. People recognise a logo faster than a From address. A visible logo is a clearer authenticity cue than the raw domain name.
  2. Forcing function for DMARC. BIMI requires DMARC at quarantine or reject. Marketing wants the logo; that gives security a lever to finish the DMARC rollout.
  3. Small deliverability lift. Inbox-provider anecdote, not a guarantee. Domains with BIMI tend to stay above the spam line for longer.

Prerequisites

What BIMI requires: three required, one optional

  1. DMARC at quarantine or reject (required)

    Strict policy enforced on the domain. p=none is not enough. Alignment must pass.

  2. SVG Tiny PS logo (required)

    A very restricted SVG profile: no scripts, no external references, square aspect ratio. Most corporate logos need a redraw.

  3. BIMI record in DNS (required)

    TXT record at default._bimi.example.com pointing to the logo URL (and optionally a cert).

  4. Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) (optional)

    Paid attestation of the logo, issued by Entrust or DigiCert. ~$1500/year. Required by Apple Mail and some Gmail views.

The SVG is the step that breaks most deployments. "SVG Tiny PS" is a small subset: no scripts, no external references, no CSS beyond inline presentation attributes, square aspect ratio, centred artwork. Most corporate logos need a redraw before they qualify.
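A pre-check for the SVG constraints listed above, as an added example that is not part of the original article. It covers only the rules this page names (scripts, external references, CSS, square aspect ratio) and does not replace a full SVG Tiny PS validator; the function names and both sample logos are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def precheck_svg(svg_text):
    """Return the constraints from this page that the logo violates (empty list = none found)."""
    findings = []
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        if tag == "style" or "style" in el.attrib:
            findings.append(f"CSS on <{tag}> (use presentation attributes instead)")
        for attr, value in el.attrib.items():
            if local(attr) == "href" and not value.startswith("#"):
                findings.append(f"external reference on <{tag}>: {value}")
            if local(attr).startswith("on"):
                findings.append(f"event handler {local(attr)} on <{tag}>")
    try:
        # viewBox is "min-x min-y width height"; a wrong item count also raises ValueError
        _, _, w, h = (float(n) for n in root.get("viewBox", "").replace(",", " ").split())
        if w != h:
            findings.append(f"viewBox is {w:g}x{h:g}, not square")
    except ValueError:
        findings.append("missing or malformed viewBox")
    return findings

# Constructed samples: a typical design-tool export and a redrawn logo.
EXPORTED = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 400 120">
  <style>.a{fill:#123456}</style>
  <script>void 0</script>
  <use xlink:href="https://cdn.example.com/sprites.svg#mark"/>
  <rect class="a" width="400" height="120" onclick="void 0"/>
</svg>"""
CLEAN = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="#123456"/>
</svg>"""

if __name__ == "__main__":
    print("\n".join(precheck_svg(EXPORTED)) or "no findings")
```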

The record

Once the prerequisites are in place, publish a TXT record at default._bimi.example.com:

BIMI TXT record (default._bimi.example.com):

    v=BIMI1;l=https://example.com/logo.svg;a=https://example.com/vmc.pem;

v= (version)

    Identifies the record. Only BIMI1 is defined; every record carries it.

l= (logo URL)

    Where the SVG lives. Must be HTTPS and must serve Content-Type: image/svg+xml.

a= (authority, optional)

    URL of your VMC or CMC. Required by Apple Mail and some Gmail clients. Drop this tag entirely if you do not have one.

The default selector is what receivers use when the message does not carry a BIMI-Selector header. If you ship one logo, the default selector is all you need.

Who supports it

Client | Requires certificate | Notes
--- | --- | ---
Gmail (web, mobile) | Yes (VMC or CMC) | Since late 2023 Gmail requires a certificate for the round-avatar slot. Self-asserted records are silently ignored.
Yahoo Mail, AOL | No | First movers, accept self-asserted logos since 2020.
Apple Mail (iOS 16+, macOS Ventura+) | Yes (VMC only) | No CMC support, no self-asserted fallback. VMC strictly required.
Fastmail, La Poste, Seznam, Mail.ru, Onet.pl | No | Self-asserted renders. Details change often.
GMX, Web.de | No | Partial rendering for self-asserted logos.
Microsoft 365 / Outlook | Not supported | No production support as of 2026. Roadmap item since 2022.
ProtonMail, Tutanota, Zoho Mail, iCloud (non-Apple-Mail) | Not supported | No BIMI implementation.

Practical path: self-assert first to cover Yahoo, Fastmail, and EU webmails at zero cost. Add a CMC to unlock Gmail, or a VMC to also unlock Apple Mail. See the next section for procurement.

The Apple side door: Branded Mail

Apple Business Connect shipped a parallel mechanism called Branded Mail with iOS 18.2 and macOS Sequoia 15.2 on 11 December 2024. Functionally it is a non-BIMI logo rendering path that Apple controls directly: no VMC, no trademark, just DMARC at quarantine or reject plus an Apple Business Connect verification. For senders whose goal is a verified logo in Apple Mail without the trademark prerequisite, Branded Mail is the cheap way in.

It is parallel to BIMI, not part of it. Domains can run both: BIMI for Gmail / Yahoo / Fastmail rendering, Branded Mail for Apple Mail. The visible result in Apple Mail is similar enough that end users do not distinguish.

What about personal avatars?

BIMI is domain-level: one logo per sending domain. The photo mail clients sometimes show next to individual human senders comes from a different stack entirely (Google Account photos, local Contacts, Gravatar, and others). The active BIMI draft adds an avp= tag with values brand (default) and personal that lets a receiver prefer a personal avatar over the brand logo, but no major mailbox provider honors it in production as of 2026. The separate post Getting your face into people's inboxes covers what does work today.

Buying a certificate

Only two Certificate Authorities are on the BIMI trust list. This is a closed list baked into the spec.

  • DigiCert: digicert.com/tls-ssl/verified-mark-certificates
  • Entrust: entrust.com/products/digital-certificates/verified-mark-certificates

Both sell VMC and CMC. Pricing varies with resellers and multi-year discounts but typical list prices are roughly:

Certificate | Annual cost | Rights proof required | Rendering coverage
--- | --- | --- | ---
Self-asserted (no cert) | $0 | None | Yahoo, Fastmail, EU webmails
CMC (Common Mark Certificate) | ~$1,000 | Logo in public use for 12+ months | Adds Gmail
VMC (Verified Mark Certificate) | ~$1,500 | Registered trademark for the exact logo | Adds Apple Mail on top of Gmail

CMC was introduced by DigiCert in 2023 to unlock BIMI for the 80% of brands that never filed a trademark. Same cryptographic flow as VMC, lower bar for logo rights. Gmail accepts both identically.

Lead times differ significantly:

  • CMC: days. The CA verifies the logo is in active use (website, social, product) and that DMARC is at quarantine or reject.
  • VMC: weeks to months. Requires a registered trademark certificate in a major jurisdiction (USPTO, EUIPO, UKIPO, JPO, CIPO, IP Australia, KIPO). If the trademark is not already filed, add 6 to 12 months to register it before even starting the VMC process.

The procurement order that usually makes sense: self-assert today, buy CMC when transactional email volume justifies the $1,000, file a trademark in parallel, upgrade to VMC once the trademark issues.

In the wild

What established deployments look like today. You can verify any of these yourself with dig TXT default._bimi.<domain>.

Domain | DMARC | Hosting | SVG location
--- | --- | --- | ---
apple.com | p=quarantine; sp=reject | self-hosted | www.apple.com/bimi/v2/apple.svg
cloudflare.com | p=reject | self-hosted | www.cloudflare.com/cloudflare_*.svg
cnn.com | p=reject | Valimail managed | amplify.valimail.com/bimi/time-warner/*.svg

Two deployment patterns. Self-host the SVG and PEM on a subpath of your own domain (Apple, Cloudflare), which keeps the assets under your own TLS and revocation control. Or point at a managed provider (CNN via Valimail), which offloads the SVG Tiny PS conversion and certificate renewal.

Apple is worth studying because it proves p=quarantine on the organizational domain is sufficient for BIMI, as long as sp=reject protects subdomains. A hard reject on the apex is not strictly required by the spec, though most BIMI deployments go straight to reject anyway.

One small stylistic detail: Apple and Cloudflare both use versioned paths (/v2/, numeric suffix) on the SVG URL. Versioning the path makes logo rotations painless, since receivers and caches key off the full URL rather than the record.

Common mistakes

BIMI record with DMARC at p=none

Receivers ignore the BIMI record. The logo does not render. DMARC must be at quarantine or reject, and sp= must not weaken the policy on subdomains.

SVG not in Tiny PS profile

The most common blocker. Illustrator and Figma exports almost always fail validation. Use a BIMI-specific converter, then check with a linter like the one at bimigroup.org.

SVG served with the wrong Content-Type

Must be image/svg+xml. Some CDNs default to application/xml or text/plain. Receivers reject.

Expecting Gmail to render a self-asserted logo

Since late 2023 Gmail requires a CMC or VMC. Self-asserted records are silently ignored. If Gmail coverage matters, a CMC (~$1,000/year, no trademark needed) is the cheapest path. For Apple Mail a VMC is still required.

Subdomain drift

BIMI published at the apex, marketing sends from news.example.com, and the subdomain's DMARC is weaker. Receivers check the sending subdomain, not the apex. Publish BIMI per-subdomain where needed.
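The DMARC gate, the record format and the subdomain-drift mistake described above, combined into one check (an added example, not code from the original article or from any mailbox provider). TXT records are passed in as a dict instead of being resolved over DNS; the function names, the sample records and the choice to consult only the sending domain's own BIMI record are assumptions of this sketch.

```python
from urllib.parse import urlparse

ENFORCING = {"quarantine", "reject"}

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DMARC or BIMI) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def effective_dmarc_policy(txt_records, sending_domain, org_domain):
    """Policy applied to sending_domain: its own record, else the org record's sp=, else its p=."""
    own = txt_records.get(f"_dmarc.{sending_domain}")
    if own:
        return parse_tags(own).get("p", "none").lower()
    org = parse_tags(txt_records.get(f"_dmarc.{org_domain}", ""))
    if sending_domain != org_domain and "sp" in org:
        return org["sp"].lower()
    return org.get("p", "none").lower()

def bimi_problems(txt_records, sending_domain, org_domain, selector="default"):
    """Return the reasons a receiver would not show the logo (empty list = ready)."""
    problems = []
    policy = effective_dmarc_policy(txt_records, sending_domain, org_domain)
    if policy not in ENFORCING:
        problems.append(f"DMARC policy for {sending_domain} is '{policy}', need quarantine or reject")
    org_sp = parse_tags(txt_records.get(f"_dmarc.{org_domain}", "")).get("sp", "").lower()
    if org_sp and org_sp not in ENFORCING:
        problems.append(f"sp={org_sp} on {org_domain} weakens the subdomain policy")
    # Assumption: only the sending domain's own BIMI record is checked (per-subdomain publishing).
    raw = txt_records.get(f"{selector}._bimi.{sending_domain}")
    if raw is None:
        return problems + [f"no BIMI record at {selector}._bimi.{sending_domain}"]
    tags = parse_tags(raw)
    if tags.get("v") != "BIMI1":
        problems.append("v= must be BIMI1")
    if urlparse(tags.get("l", "")).scheme != "https":
        problems.append("l= must be an HTTPS URL")
    return problems

# Constructed TXT records: strict apex, weak sp=, and a subdomain logo served over plain HTTP.
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1;l=https://example.com/logo.svg;a=https://example.com/vmc.pem;",
    "default._bimi.news.example.com": "v=BIMI1;l=http://example.com/logo.svg;",
}

if __name__ == "__main__":
    print("\n".join(bimi_problems(RECORDS, "news.example.com", "example.com")))
```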


Check whether your DMARC is strict enough to unlock BIMI, and whether your BIMI record resolves to a valid SVG: scan your domain.

Aleksej Dix

Founder of Sudory. Frontend engineer based in Zurich with 20+ years shipping production web apps; now building continuous compliance scanning and writing about the DNS and email-auth controls behind it. Co-founder of WebZurich.