← Blog
BIMI Explained: Show Your Logo in Email Inboxes

By DMARCdrift Team

BIMI Explained: Show Your Logo in Email Inboxes

6 min readbimiemail-authentication

BIMI (Brand Indicators for Message Identification) is a DNS-based standard that lets a domain owner publish a logo, which participating mail clients then display next to your emails. It is the small brand logo you sometimes see beside the sender's name in mail from a bank or a well-known SaaS company.

The promise is reasonable: a visible logo increases trust signals and makes your emails easier to identify at a glance. The catch is that getting there involves one of the more expensive optional certificates in email infrastructure, and the client support is uneven enough that the value proposition differs significantly depending on your audience.

Here's what BIMI actually involves.

How it works

BIMI is a DNS TXT record published at default._bimi.<yourdomain.com>. A minimal record looks like this:

v=BIMI1; l=https://example.com/logo.svg

The l= tag points to your logo, which must be a publicly accessible SVG file over HTTPS. The a= tag, when present, points to a Verified Mark Certificate (VMC), which is what tells Gmail and Apple Mail that you're authorized to use the logo. More on that shortly.

Mail clients that support BIMI fetch the record, validate the prerequisites, and if everything checks out, display the logo in the sender avatar position.

Which clients actually show it

This is where the support matrix matters, because it's not uniform:

Without a VMC (free): Yahoo Mail and Fastmail will display your logo if your BIMI record is valid and your DMARC policy is enforced.

With a VMC: Gmail, Apple Mail, Yahoo Mail, and Fastmail will display your logo. The certificate is what enables the two high-volume clients.

If your audience is primarily on Gmail, you need the VMC. If your audience is primarily on corporate Microsoft 365 accounts, neither tier helps you today: Outlook does not currently support BIMI display.

The DMARC prerequisite

BIMI has a hard prerequisite: your DMARC policy must be at p=quarantine or p=reject, with pct=100. A policy of p=none will not qualify, regardless of how correct your BIMI record is.

This is intentional. The underlying logic is that a logo is a trust signal. Mail clients don't want to show a trusted brand logo next to a message that might be spoofed. DMARC at full enforcement is the proof that the domain owner actually controls the outgoing mail stream.

In practice this means BIMI is not the starting point. It's the reward for having done the authentication work correctly first. If your DMARC is at p=none or partial enforcement, BIMI preparation is mostly useful as a forcing function: you need to get your alignment rate stable and your policy enforced before any of the BIMI steps matter.

The SVG logo requirements

The logo can't be any SVG file. BIMI requires SVG Tiny P/S format (Portable/Secure), which is a restricted subset of SVG 1.2 Tiny. The restrictions exist for security: no scripts, no external references, no animations, limited element types.

Most logos exported from design tools as standard SVG won't qualify directly. You need a converter or a designer who knows the profile. The BIMI Working Group publishes a validator. Common rejection causes include embedded raster images, unsupported filter elements, and missing required namespace declarations.

The logo also needs to be square, and most guidance recommends a clean mark rather than a full wordmark, since the display size in email clients is small.

The Verified Mark Certificate

The VMC is the expensive part. As of 2026, VMCs are issued by DigiCert and Entrust, and cost roughly $1,200 to $1,500 per year. The certificate proves that your organization has a registered trademark associated with the logo you're publishing.

That last part is significant: a VMC requires a registered trademark. You can't get one for a logo that isn't trademarked. If your domain or brand name isn't registered with a trademark office, the VMC path is blocked until it is.

The VMC also binds to a specific logo file. If you update your logo, you need a new certificate.

Who should actually do this

It's worth pursuing if:

You're sending significant email volume to consumers (not B2B), the majority of your recipients use Gmail or Apple Mail, you already have DMARC enforced at pct=100, and your brand has a registered trademark. The deliverability lift from increased open rates and trust signals can justify the certificate cost if you have the volume.

The free tier is worth setting up if:

Your DMARC policy is already at full enforcement and you have a clean SVG logo. The basic l=-only BIMI record costs nothing and takes about 20 minutes. You won't get Gmail support, but Yahoo Mail and Fastmail will show your logo, and you'll be ready to add a VMC later if you choose.

It's not worth the effort yet if:

Your DMARC is still at p=none or partial enforcement. Fix that first. The BIMI setup work done on top of unenforced DMARC is wasted because no client will show the logo regardless.

Setting up basic BIMI

Assuming your DMARC is enforced:

  1. Prepare your logo in SVG Tiny P/S format and host it at a public HTTPS URL. It should stay at that URL permanently; any client that has cached the record will try to fetch it.

  2. Add a TXT record:

Name: default._bimi
Value: v=BIMI1; l=https://yourdomain.com/logo.svg
TTL: 3600
  1. Verify the record is resolving and the logo URL is reachable. The BIMI checker below will walk through both, along with your DMARC prerequisites.

If you later obtain a VMC, add the a= tag pointing to the certificate URL, which DigiCert or Entrust provides after issuance.

The actual sequence

BIMI is one of the last things to add to an email authentication setup, not one of the first. The sensible order is: DMARC at p=none and collecting reports, align all your senders, move to p=quarantine; pct=100, sustain 98%+ alignment for a month or two, move to p=reject, then consider BIMI once you're confident the policy is stable.

Trying to layer BIMI on top of a fragile DMARC setup doesn't work. The prerequisite enforcement exists for good reason, and it's also the prerequisite that matters for your deliverability regardless of whether you ever add a logo.