BIMI — How to Display Your Brand Logo in Emails
What is BIMI
BIMI (Brand Indicators for Message Identification) is an email standard that lets you display your brand logo directly in recipients' email clients — right next to the sender name. Instead of a generic icon or initial, recipients see your company logo before they even open the message.
BIMI builds on existing email authentication. It works as a visual layer on top of SPF, DKIM, and DMARC — if these protocols are properly configured and your DMARC policy is strict enough, you can add a BIMI record to your DNS with a link to your logo and certificate.
The standard is defined in an IETF draft and maintained by the BIMI Group.
How BIMI works
- You send an email from your domain (e.g.,
example.com). - The receiving server verifies the email via SPF, DKIM, and DMARC — all checks must pass.
- The server confirms that the domain has a DMARC policy of
quarantineorrejectwithpct=100. - The server queries DNS for the BIMI record:
default._bimi.example.com. - From the BIMI record, it retrieves the logo URL (SVG file) and optionally the certificate URL (VMC or CMC).
- The email client displays the logo next to the sender name.
The entire process is automatic. Recipients don't need to install or configure anything — the logo appears in supported email clients.
Prerequisites for BIMI
Before adding a BIMI record, you need these in place:
- Working SPF and DKIM — emails from your domain must pass both checks.
- DMARC with quarantine or reject policy —
p=noneis not sufficient. Thepctparameter must be100(the default if omitted). - Logo in SVG Tiny PS format — a security-focused variant of SVG that prevents script execution in images. A standard SVG file won't work; it must meet BIMI format requirements.
- VMC or CMC certificate (required by Gmail and Apple Mail) — verifies that the logo belongs to your organization.
BIMI DNS record
The BIMI record is a TXT record in DNS at the default._bimi subdomain. A complete record looks like this:
default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/.well-known/bimi/logo.svg; a=https://example.com/.well-known/bimi/vmc.pem;"
| Parameter | Meaning |
|---|---|
v=BIMI1 |
Protocol version (required) |
l= |
Logo URL in SVG Tiny PS format (required, HTTPS) |
a= |
VMC/CMC certificate URL in PEM format (optional, but required by Gmail and Apple Mail) |
The logo and certificate must be accessible via HTTPS at a publicly reachable URL. The recommended location is the /.well-known/bimi/ directory on your domain.
Selectors
The default selector is default, but BIMI supports custom selectors for different parts of an organization or different brands. Each selector has its own DNS record:
marketing._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/.well-known/bimi/marketing-logo.svg; a=...;"
For most organizations, the default default selector is sufficient.
VMC and CMC certificates
Email clients like Gmail and Apple Mail require a verified certificate to display your logo. There are two types:
VMC (Verified Mark Certificate)
A VMC verifies that your logo is a registered trademark of your organization. The process involves:
- Your logo must be a registered trademark with a recognized office (USPTO, EUIPO, and others).
- Organization identity verification — notarized documents and a video call with the certificate authority.
- Certificate issuance by an authorized CA: DigiCert, Sectigo, GlobalSign, or SSL.com.
A VMC in Gmail displays a blue verification checkmark next to the logo.
CMC (Common Mark Certificate)
Since September 2024, Google supports CMC as an alternative to VMC. A CMC does not require a registered trademark — you only need to demonstrate that you've been using the logo for at least one year. CMC is more affordable and the process is simpler.
A CMC in Gmail displays the logo but without the blue verification checkmark.
Without a certificate
Yahoo Mail displays BIMI logos even without a VMC/CMC certificate — a valid BIMI DNS record with the logo URL is enough. Gmail and Apple Mail will not display a logo without a certificate.
Logo requirements
Your BIMI logo must meet strict technical requirements:
- Format: SVG Tiny 1.2 Portable/Secure (SVG Tiny PS). Standard SVG or raster images (PNG, JPG) are not accepted.
- Aspect ratio: 1:1 (square).
- Background: opaque, solid color (a colored background is recommended — the logo appears on various surfaces).
- Content: the logo should be recognizable even at very small sizes (it displays as an avatar).
- File size: maximum 32 kB.
For converting your logo to the correct format, you can use tools recommended by the BIMI Group.
Email client support for BIMI
| Client | BIMI support | Certificate required |
|---|---|---|
| Gmail | Yes | VMC or CMC |
| Apple Mail | Yes (iOS 16+, macOS Ventura+) | VMC or CMC |
| Yahoo Mail | Yes | No (recommended) |
| Fastmail | Yes | No |
| Outlook / Microsoft 365 | No | — |
Microsoft has not yet implemented BIMI support. Recipients using Outlook will not see your logo regardless of your configuration.
How to set up BIMI
- Verify email authentication — check that your domain has working SPF, DKIM, and DMARC with a
quarantineorrejectpolicy. - Prepare your logo — create an SVG Tiny PS version of your logo (square, opaque background, max 32 kB).
- Obtain a certificate — if you're targeting Gmail or Apple Mail, get a VMC or CMC from an authorized certificate authority (DigiCert, Sectigo, GlobalSign, or SSL.com).
- Upload files — place the logo (
.svg) and certificate (.pem) at a publicly accessible HTTPS URL. - Add the DNS record — create a TXT record at
default._bimi.yourdomain.com:default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://yourdomain.com/.well-known/bimi/logo.svg; a=https://yourdomain.com/.well-known/bimi/vmc.pem;" - Verify the configuration — check the BIMI record in DNS and test email delivery to Gmail.
Why implement BIMI
Trust and recognition
A logo next to the sender name increases email trustworthiness. Recipients can immediately see that a message comes from a verified sender — not from an impersonator.
Brand protection
BIMI incentivizes deploying a strict DMARC policy (quarantine or reject), which actively prevents spoofing and phishing from your domain. Without a strict DMARC policy, BIMI won't work — the standard indirectly strengthens overall email security.
Inbox visibility
In a crowded inbox, an email with a brand logo stands out against generic icons. This can improve open rates for both marketing and transactional emails.
Common questions about BIMI deployment
How much does BIMI cost
The BIMI DNS record itself is free. Costs come from the certificate — VMCs typically cost hundreds to low thousands of USD per year, while CMCs are more affordable. Without a certificate, BIMI only works with Yahoo Mail and Fastmail.
Does BIMI work without DMARC
No. BIMI strictly requires DMARC with a quarantine or reject policy. If you don't have DMARC deployed, start by setting up a DMARC record and gradually enforce the policy.
Do I need a registered trademark
For VMC, yes. For CMC, you only need to demonstrate at least one year of logo usage. For Yahoo Mail and Fastmail, no certificate is needed at all.
BIMI as the final layer of email authentication
BIMI is the last layer of email authentication — visual confirmation that the sender has passed all checks. Deployment requires working SPF, DKIM, and strict DMARC, so the path to BIMI itself significantly improves your domain's security posture.
Start by verifying your current configuration. Check your domain's security to see if you meet the prerequisites for BIMI deployment.
