Module 5 · Lesson 6
BIMI: Brand Indicators for Message Identification
⏱ 10 min read
BIMI is the newest piece of the email authentication stack. It lets you display your organization's logo next to your emails in supporting mail clients — Gmail, Apple Mail, Yahoo Mail, Fastmail. The logo appears where the generic avatar or initial usually shows.
The appeal is obvious from a brand standpoint. The requirements are real, and one of them costs money.
What BIMI Actually Is
BIMI works by adding a DNS TXT record that points to your SVG logo file. Supporting mail clients that see a message from your domain will fetch the logo and display it next to your message — but only after verifying your authentication setup is actually in order.
This is not decorative. BIMI was designed to be a visible signal of email authentication posture. A logo in the inbox implicitly says: this sender has proper DMARC enforcement, and their identity has been verified.
The Requirements
You need all of these:
1. DMARC at p=quarantine or p=reject
BIMI requires DMARC enforcement. p=none doesn't qualify. Gmail specifically requires p=reject. This is the gating requirement — if you haven't completed the DMARC deployment path, stop here and finish that first.
2. A Verified Mark Certificate (VMC)
This is where it gets expensive. A VMC is a certificate issued by a Certificate Authority (currently Entrust or DigiCert) that cryptographically ties your logo to your registered trademark. You need a registered trademark. The certificate costs roughly $1,000-$1,500/year.
Without a VMC, some providers (notably Yahoo and Fastmail) will display your logo based on the DNS record alone. Gmail requires the VMC. Apple Mail has been rolling out support with a VMC requirement.
3. An SVG Logo in the Specific BIMI Format
Not just any SVG. BIMI requires SVG Tiny PS (Portable/Secure) format — a specific subset of SVG 1.2 designed to be safe for display in mail clients. The spec restricts what SVG features are allowed. Most SVG files generated by design tools like Illustrator or Figma need conversion.
Requirements:
- Square aspect ratio
- No external references
- No scripts
- No animations
- Specific `<svg>` header attributes

```xml
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.2" baseProfile="tiny-ps"
     width="100%" height="100%"
     viewBox="0 0 100 100">
  <!-- your logo content -->
</svg>
```
Host the SVG at a stable HTTPS URL on your domain.
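A pre-flight check for the requirements listed above, as an added example (not part of the original lesson, and not a full SVG Tiny PS validator): it tests only the header attributes, a square viewBox, scripts, animations and external references. The `check_bimi_svg` name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
FORBIDDEN = {"script", "animate", "animateColor", "animateMotion", "animateTransform", "set"}

def check_bimi_svg(svg_bytes):
    """Return a list of problems; an empty list means every check passed."""
    root = ET.fromstring(svg_bytes)
    problems = []
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root is not <svg> in the SVG namespace")
    if root.get("version") != "1.2":
        problems.append('version must be "1.2"')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile must be "tiny-ps"')
    # Square aspect ratio: viewBox width and height must be equal.
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        square = len(box) == 4 and float(box[2]) == float(box[3]) > 0
    except ValueError:
        square = False
    if not square:
        problems.append("viewBox missing or not square")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        if name in FORBIDDEN:  # scripts and animations
            problems.append(f"forbidden element <{name}>")
        for attr in ("href", f"{{{XLINK_NS}}}href"):
            target = el.get(attr)
            if target and not target.startswith("#"):  # only #fragment is self-contained
                problems.append(f"external reference on <{name}>: {target}")
    return problems

# Constructed samples: the lesson's template with a shape, and a typical raw export.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.2" baseProfile="tiny-ps" width="100%" height="100%" viewBox="0 0 100 100">
  <rect width="100" height="100" fill="#036"/></svg>"""
BAD = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" viewBox="0 0 200 100">
  <script>void 0</script>
  <image xlink:href="https://cdn.example.net/logo.png" width="200" height="100"/>
  <rect width="10" height="10"><animate attributeName="x" to="50" dur="1s"/></rect></svg>"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_bimi_svg(doc) or "ok")
```

The standard-library parser is adequate for your own logo file; for SVGs received from third parties, parse with a hardened library such as defusedxml.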
4. The DNS TXT Record
```
default._bimi.example.com. IN TXT "v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/vmc.pem"
```

- `v=BIMI1` — version
- `l=` — URL to your SVG logo (must be HTTPS)
- `a=` — URL to your VMC certificate in PEM format (required for Gmail)
The record goes at default._bimi.<yourdomain>. The default selector is the standard one; you can use custom selectors for different brands or sub-brands.
Verifying Your Setup
```bash
# Check the BIMI record
dig TXT default._bimi.example.com +short

# Verify the SVG is reachable
curl -I https://brand.example.com/logo.svg

# Check DMARC first (BIMI won't work without it)
dig TXT _dmarc.example.com +short
```
Test your full BIMI setup at bimigroup.org/bimi-generator/ — it checks the DNS record, fetches the SVG, validates the format, and checks your VMC if you have one.
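The two DNS lookups above, turned into a pass/fail check; this is an added example, not a tool from the BIMI Group or the original lesson. It takes the TXT strings as `dig +short` prints them and applies the provider rules as this lesson states them; the function names and sample records are constructed.

```python
from urllib.parse import urlsplit

def parse_tags(txt):
    """Parse `dig +short` TXT output ('"tag=value; ..."') into a dict."""
    txt = txt.strip().replace('" "', "").strip('"')  # rejoin split TXT strings
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)

def bimi_readiness(bimi_txt, dmarc_txt):
    """Return (problems, providers expected to show the logo) per this lesson's rules."""
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    problems = []
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    if not is_https(bimi.get("l", "")):
        problems.append("l= must be an HTTPS URL to the SVG logo")
    has_vmc = bool(bimi.get("a"))
    if has_vmc and not is_https(bimi["a"]):
        problems.append("a= must be an HTTPS URL to the VMC")
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1" or policy not in ("quarantine", "reject"):
        problems.append(f"DMARC policy is '{policy or 'missing'}', need quarantine or reject")
    if problems:
        return problems, []
    providers = ["Yahoo Mail", "Fastmail"]  # logo shown without a VMC
    if has_vmc:
        providers.append("Apple Mail")  # VMC required, still rolling out
    if has_vmc and policy == "reject":
        providers.append("Gmail")  # VMC and p=reject both required
    return problems, providers

# Constructed sample records in the format `dig TXT ... +short` prints.
BIMI_FULL = '"v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/vmc.pem"'
BIMI_NO_VMC = '"v=BIMI1; l=https://brand.example.com/logo.svg"'
DMARC_REJECT = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'
DMARC_NONE = '"v=DMARC1; p=none"'

if __name__ == "__main__":
    print(bimi_readiness(BIMI_FULL, DMARC_REJECT))
    print(bimi_readiness(BIMI_NO_VMC, DMARC_NONE))
```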
Where It Works Today
| Provider | VMC Required | Status |
|---|---|---|
| Gmail | Yes | Production |
| Yahoo Mail | No (logo shows without VMC) | Production |
| Apple Mail | Yes (in progress) | Rolling out |
| Fastmail | No | Production |
| Outlook.com | Not yet | In development |
The conspicuous absence: Microsoft. Outlook.com and Microsoft 365 consumer mail don't support BIMI yet. If most of your audience is on Outlook, the logo won't show for them regardless of your setup.
Is It Worth It?
Honest assessment:
For large brands: Yes. The VMC cost is trivial relative to the brand surface area. Every email to a Gmail user that shows your logo is brand reinforcement. B2C companies sending high-volume newsletters benefit most.
For mid-size companies: Depends on the trademark situation. If you have a registered trademark in the relevant jurisdictions, the VMC process is straightforward. If you don't, getting a trademark just for BIMI is probably not the right priority.
For small businesses and startups: Probably not yet. The $1,000+/year VMC cost and trademark requirement put it out of reach for most. Finish your DMARC deployment, get to p=reject, then revisit.
For anyone not at p=reject: Not yet. Get the foundation right first. BIMI without DMARC enforcement is like painting the fence before fixing the gate.
The sequence matters: MX → SPF → DKIM → DMARC p=none → DMARC p=reject → BIMI. Don't skip ahead.
Key Takeaways
- BIMI displays your logo in supporting email clients: Gmail, Yahoo Mail, Apple Mail, Fastmail.
- Requires DMARC at p=quarantine or p=reject (Gmail requires p=reject).
- A Verified Mark Certificate (VMC) from Entrust or DigiCert is required for Gmail. Costs ~$1,000-1,500/year. Requires a registered trademark.
- The SVG logo must be in BIMI SVG Tiny PS format.
- DNS record goes at `default._bimi.<yourdomain>`.
- Microsoft Outlook does not support BIMI yet.
- For most organizations: finish DMARC first, then evaluate BIMI.
Further Reading
- bimigroup.org — the BIMI working group, spec, and tools
- RFC 9435 — Considerations for Assigning a New Recommended DNS Record Type (BIMI context)
- bimigroup.org/bimi-generator/ — validate your full BIMI setup
- entrust.com/digital-security/certificate-solutions/products/digital-certificates/verified-mark-certificates — VMC from Entrust
- digicert.com/tls-ssl/verified-mark-certificates — VMC from DigiCert
Module 5 Complete
You've now covered the full email authentication stack from first principles:
- MX records — routing mail to the right server
- DANE / MTA-STS — securing the transport layer
- SPF — authorizing sending IPs
- DKIM — cryptographic signatures that survive forwarding
- DMARC — policy enforcement and aggregate reporting
- BIMI — logo display once the foundation is in order
The path to a properly authenticated email setup isn't complicated. It's a sequence. Do it in order, monitor at each step before enforcing, and you'll get there.