BIMI (Brand Indicators for Message Identification) is the email authentication standard that puts your verified brand logo in the inbox avatar slot of supported mailbox providers — Gmail, Yahoo, Apple Mail, Fastmail, La Poste. Three implementation tiers exist: self-asserted (free, no certificate, limited provider support), Common Mark Certificate (CMC, ~$650-1,100/yr, no trademark required, Gmail+Yahoo support), and Verified Mark Certificate (VMC, ~$749-1,688/yr, requires registered trademark, full provider support including Gmail's blue checkmark and Apple Mail). All tiers require DMARC at enforcement (p=quarantine or p=reject) for at least 30 days, an SVG Tiny PS logo file, and a BIMI DNS TXT record. Microsoft 365 / Outlook does not currently support BIMI as of early 2026.
BIMI is the visible payoff at the top of the email authentication pyramid. The foundation is SPF + DKIM + DMARC at enforcement; BIMI is what your customer sees when all of that is working correctly. It's also the primary business-side justification many organizations use for the engineering investment in proper email authentication that should already exist — putting a logo in the inbox is a tangible deliverable that marketing teams understand even when SPF alignment is abstract.
Most published BIMI material falls into one of two categories: vendor pages from certificate authorities promoting their VMC products, or surface-level "what is BIMI" guides that skip the operational reality. This entry synthesizes the current 2026 state — VMC vs CMC tradeoffs, real CA pricing across all five authorized issuers, the 53.6% real-world failure rate from URIports analysis, the SVG Tiny PS spec with explicit forbidden elements, mailbox provider compatibility matrix, and how BIMI fits with the rest of the auth stack.
Why BIMI matters: the engagement numbers
Industry research consistently shows measurable engagement uplift from BIMI implementations. The numbers from Validity research and TalkTalk's public case study:
Three implementation tiers: self-asserted vs CMC vs VMC
BIMI exists at three levels of trust, each with different prerequisites, costs, and provider support. The strategic decision is which tier matches your organization's brand investment and audience profile:
Self-asserted
CMC (Common Mark Certificate)
VMC (Verified Mark Certificate)
Mailbox provider compatibility matrix
BIMI support varies dramatically by mailbox provider — both in terms of which certificate types are accepted and what visual treatment is given. The current state as of early 2026:
| Provider | Self-asserted | CMC | VMC | Visual treatment | ISP share |
|---|---|---|---|---|---|
| Gmail | ✗ Not accepted | ✓ Logo only | ✓ Logo + ✓ | Blue checkmark (VMC only) | ~30% |
| Yahoo Mail | ✓ Logo | ✓ Logo | ✓ Logo + ✓ | Purple checkmark (VMC only) | ~10% |
| Apple Mail (iOS 16+, macOS Ventura+) | ✗ Not accepted | ✗ Not accepted | ✓ Logo | Logo display, no checkmark | ~15-20% |
| Fastmail | ✓ Logo | ✓ Logo | ✓ Logo | Logo display | <1% |
| La Poste (France) | ✓ Logo | ✓ Logo | ✓ Logo | Logo display | <1% globally, larger in France |
| Microsoft 365 / Outlook | ✗ Not supported | ✗ Not supported | ✗ Not supported | No BIMI support | ~30-35% |
Prerequisites: what you need before BIMI works
Six requirements that must all be met for BIMI to display. Missing any single requirement and the logo silently won't appear:
- DMARC enforcement on the organizational domain — policy must be
p=quarantineorp=reject, NOTp=none. Thepct=100attribute is implicit if not specified. Most providers require the domain to be at enforcement for at least 30 consecutive days before they pull and display your BIMI logo. - DMARC enforcement on the sending domain (if different from organizational). E.g., DMARC enforced on
example.comAND onmail.example.comif mail goes from the subdomain. - Working SPF and DKIM with alignment — DMARC requires either SPF-aligned or DKIM-aligned authentication to pass. Both passing without alignment is not sufficient. See the DMARC entry for alignment mechanics.
- SVG Tiny PS logo file hosted via HTTPS — must conform to the SVG Tiny 1.2 Portable/Secure profile (covered next section).
- BIMI DNS TXT record at
default._bimi.<your-domain>containingv=BIMI1,l=<https-logo-url>, and (for VMC/CMC)a=<https-certificate-url>. - For VMC/CMC: a valid certificate from one of five authorized CAs (DigiCert, Entrust, Sectigo, GlobalSign, SSL.com), in PEM format, hosted via HTTPS.
The first three prerequisites are typically the longest-leading-time work — bringing a domain from p=none to enforcement requires monitoring DMARC aggregate reports, identifying and fixing legitimate-but-unauthenticated senders, and progressively tightening policy. Expect 6-8 weeks for a typical organization with mature email infrastructure, longer for organizations with legacy senders that need consolidation.
The BIMI DNS record syntax
BIMI is published as a DNS TXT record at a specific subdomain. The full syntax for VMC/CMC implementations:
# BIMI DNS TXT record — VMC or CMC implementation default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://www.example.com/logo.svg; a=https://www.example.com/cert.pem" # BIMI DNS TXT record — self-asserted (no certificate, omit a=) default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://www.example.com/logo.svg" # BIMI opt-out (publish empty record to override organizational policy) default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=; a="
The three parameters:
v=BIMI1— declares the BIMI protocol version. Only valid value isBIMI1. Required and must come first.l=<url>— (lowercase L) HTTPS URL of your SVG Tiny PS logo file. Required for visible logo. Empty (l=) for explicit opt-out.a=<url>— HTTPS URL of your VMC or CMC PEM-encoded certificate file. Required for Gmail and Apple Mail; optional for Yahoo (which accepts self-asserted).
The selector default applies to all messages from the domain. You can use other selectors (sales._bimi, marketing._bimi) by adding a BIMI-Selector header in the message itself, but most deployments use only default. ISPs cache BIMI records aggressively (3-7 days), so allow a few days for visible changes after publishing.
The SVG Tiny PS specification
BIMI doesn't accept just any SVG. The format must be the SVG Tiny Portable/Secure (SVG Tiny PS) profile — a strict subset of SVG Tiny 1.2 with additional security restrictions. This is where 80% of implementations stall. The complete spec:
SVG Tiny PS requirements vs forbidden elements
Required
baseProfile="tiny-ps"attributeversion="1.2"attributexmlns="http://www.w3.org/2000/svg"<title>element with company name (≤64 chars)- Square 1:1 aspect ratio
- File size ≤32KB (16KB recommended)
- Solid background color (no transparency)
- HTTPS hosting (not HTTP)
<desc>element recommended for accessibility- Centered logo (will be displayed as circle)
Forbidden
<script>elements (any code execution)<image>with embedded raster (PNG/JPG)<foreignObject>elements<a>hyperlinks<animate>,<animateTransform>,<set><filter>,<pattern>,<mask>- External font references or web fonts
- External resource links of any kind
x=andy=on root<svg>(Illustrator bug)- Transparent background
x="0px" and y="0px" attributes to the root <svg> element that BIMI rejects. The workflow is: export from Illustrator, open the SVG in a text editor, manually remove x= and y= attributes, change baseProfile="tiny" to baseProfile="tiny-ps", add <title> element, save. Or use a converter tool like the BIMI Working Group's Adobe Illustrator Export Script, EasyDMARC's BIMI SVG Logo Converter, or CaptainDNS's free converter.
For VMC submissions specifically, the SVG must exactly match what's filed at the trademark office — same colors, same proportions, no extra text elements. Color shade variations or minor design tweaks lead to rejection. This is one of the leading causes of VMC application delays per SSL.com's documentation.
Certificate Authority comparison
Five authorized certificate authorities issue BIMI certificates as of early 2026. They all follow the same BIMI Working Group requirements, so the validation process is nearly identical — what differs is pricing, timeline, and customer support quality. Real 2026 pricing data:
DigiCert
VMC: ~$1,499/yrCMC: ~$1,099/yr
Timeline: 2-4 weeks (VMC), 1-3 weeks (CMC)
Volume discounts available
Entrust
VMC: ~$1,099-1,499/yrCMC: ~$899-1,099/yr
Strong Red Sift integration
Established trust signal
Sectigo
VMC: ~$749-999/yrCMC: ~$649-849/yr
Most affordable VMC option
Multi-year discounts
GlobalSign
VMC: ~$1,200-1,500/yrCMC: ~$950-1,200/yr
Strong identity validation
Enterprise PKI integration
SSL.com
VMC: ~$1,099-1,688/yrCMC: not yet available
Newer to BIMI market
Detailed validation guides
The choice between CAs is rarely about technical differences — all five validate to the same BIMI Working Group spec. Differentiators: Sectigo for budget-conscious SMBs; DigiCert and Entrust for enterprise relationships and integration with deliverability platforms (Red Sift OnDMARC, Valimail); GlobalSign for organizations with existing GlobalSign PKI investments. Pricing reflects market positioning rather than product differentiation.
Why 53.6% of BIMI implementations fail
Per a 2025 URIports analysis, more than half of domains attempting to display their logo in the inbox fail validation. The failure modes, in order of frequency:
Top BIMI failure reasons (URIports 2025 analysis)
p=none (monitoring mode). BIMI silently won't display. Fix: complete DMARC enforcement journey first, wait 30+ days, then publish BIMI record.x= and y= attributes on root <svg> element, baseProfile="tiny" instead of "tiny-ps", missing <title> element, embedded raster image, file >32KB.example.com but messages go from mail.example.com without its own DMARC record. The sending domain needs DMARC enforcement too.The 53.6% failure rate is why managed BIMI services exist — the technical surface area is real and the operational tax is non-trivial. Red Sift, Valimail, PowerDMARC, and EasyDMARC all offer integrated DMARC + BIMI workflows that handle these failure modes systematically. For organizations attempting BIMI without that tooling, plan for 2-3 deployment iterations before reaching consistent display.
How BIMI fits with the rest of the auth stack
BIMI sits at the top of the email authentication pyramid. The foundation layers all need to be working before BIMI can do anything visible:
- SPF — authenticates the envelope MAIL FROM domain (RFC 7208). One of two paths DMARC alignment can take.
- DKIM — cryptographic signature on selected message headers (RFC 6376). The other path DMARC alignment can take.
- DMARC — alignment policy connecting envelope identifiers to From: header (RFC 7489). Must be at enforcement (
p=quarantineorp=reject) for BIMI. - BIMI — the visible signal that DMARC enforcement is working. The payoff layer.
Transport-layer authentication (MTA-STS, DANE, TLS-RPT) isn't a BIMI prerequisite but reflects the same authentication-and-trust posture that BIMI rewards. Organizations with mature MTA-STS + DANE deployments typically also have BIMI-ready DMARC. The reverse isn't always true — some organizations adopt BIMI before completing the transport security work.
BIMI in Cloud Server for Email infrastructure
Our managed email infrastructure handles BIMI as the final layer in a full email authentication deployment:
- DMARC enforcement journey for clients starting from
p=none— DMARC aggregate report monitoring, identification of legitimate unauthenticated senders, progressive policy tightening (none → quarantine → reject) over 6-8 weeks. BIMI prerequisites met before any logo work begins. - SVG Tiny PS conversion and validation — converting Adobe Illustrator exports to compliant SVG Tiny PS, removing forbidden elements, validating against BIMI Working Group spec before submission. Most common workflow: client provides existing vector logo, we deliver compliant .svg + hosting.
- VMC and CMC certificate procurement through partner CAs (DigiCert, Sectigo, Entrust) with vendor selection based on client's trademark status, budget, and timeline preferences. End-to-end coordination of trademark validation, organization validation, and DNS deployment.
- BIMI DNS record publication and validation — TXT record creation at
default._bimi, HTTPS hosting of SVG and PEM files on infrastructure we control, post-publication validation across Gmail, Apple Mail, Yahoo to confirm logo display. - Multi-domain BIMI strategies — organizational domain plus marketing subdomains, each with appropriate DMARC enforcement. Common pattern for enterprises with separate sending domains for transactional vs marketing vs corporate email.
- Brand refresh coordination — when a logo changes, the VMC must be reissued and DNS record updated. We handle the SVG re-conversion, certificate replacement, and parallel-run validation to avoid display gaps.
For clients with PowerMTA-based outbound infrastructure, BIMI integrates cleanly because the underlying DMARC enforcement is typically already in place — most ESP-grade infrastructure has DMARC at p=quarantine or p=reject by default. The bottleneck is usually trademark + SVG conversion rather than authentication work.
Related glossary concepts
- DMARC — the prerequisite that BIMI builds on. Must be at enforcement (
p=quarantineorp=reject) for BIMI to work. - SPF — one of two paths to DMARC alignment, which is the BIMI prerequisite.
- DKIM — the other path to DMARC alignment. Most BIMI-compliant senders rely on DKIM alignment for ESP-sent mail.
- MTA-STS — transport-layer auth that complements BIMI's content-layer auth.
- TLS-RPT — reporting layer for transport-layer auth, parallel to DMARC's reporting for content-layer auth.
- DANE — DNSSEC-anchored TLS validation. Same authentication-and-trust posture as BIMI but at the transport layer.
- Sender Reputation — even with BIMI configured, mailbox providers won't display the logo on mail flagged as spam. Reputation matters.
Frequently asked questions
Can I get BIMI without a registered trademark?
Yes — through CMC (Common Mark Certificate) introduced by Google in late 2024, or through self-asserted BIMI for Yahoo/Fastmail/La Poste. CMC requires proof of public logo use for at least 12 months on a domain you control (Prior Use Mark verification). The CA validates that your logo has been displayed on your website for the required period; no trademark filing needed. CMC works for Gmail (logo display, no blue checkmark) and most other BIMI-supporting providers except Apple Mail. The annual cost ($650-1,100) is lower than VMC ($749-1,688). For SMBs without trademark budget, CMC is the pragmatic path. For self-asserted (free, no certificate), Yahoo and Fastmail will display your logo with just DMARC enforcement + SVG hosted via HTTPS + DNS record.
How long does BIMI implementation take?
For organizations starting from scratch: 6-12 weeks total. The breakdown: DMARC enforcement journey (6-8 weeks if starting from p=none, longer if there are unmanaged legacy senders to identify and either authenticate or remove); SVG Tiny PS conversion and validation (2-3 days, often longer if logo needs trademark-matching cleanup); VMC trademark verification (2-4 weeks per DigiCert; trademark filing itself is 8-18 months if not already done); CMC verification (1-3 weeks); DNS publication and provider propagation (3-7 days for visible logo display). Per Red Sift's enterprise data: 6-8 weeks to DMARC enforcement, 7-10 days for VMC/CMC provisioning once DMARC is enforced. The 30-day enforcement minimum before mailbox providers will pull the logo means there's a hard floor on how fast this can go even with all other prerequisites met.
Does BIMI work for transactional email?
Yes — BIMI works for any authenticated email that passes DMARC alignment, regardless of whether it's transactional or marketing. Receipt confirmations, password reset emails, shipping notifications, account alerts — all display the BIMI logo if your domain meets the prerequisites. For transactional senders specifically, BIMI provides a particularly strong trust signal because phishing emails impersonating banking, e-commerce, and SaaS notifications are common attack vectors. The verified logo plus Gmail's blue checkmark gives recipients an immediate visual confirmation that "this is actually from my bank, not a phishing attempt." Many financial services and e-commerce companies cite anti-phishing as the primary BIMI investment justification, with engagement uplift as a secondary benefit. For pure-transactional sending operations (no marketing), BIMI's authentication-pyramid prerequisite still applies — DMARC at enforcement, working SPF/DKIM, etc.
What's the difference between BIMI and Apple Business Connect?
Different programs that overlap in their visual outcome. BIMI is the open standard managed by the AuthIndicators Working Group, supported by Gmail, Yahoo, Apple Mail, Fastmail, La Poste — your verified logo appears via DNS-based mechanism. Apple Business Connect is Apple's proprietary program for enriching email and other Apple ecosystem touchpoints; brands register via Apple's portal to get logo display in Apple Mail. They achieve similar visual outcomes (logo in Apple Mail inbox) but through different mechanisms. Apple supports BOTH BIMI (via VMC) and Business Connect — registering with Business Connect doesn't replace BIMI for Gmail/Yahoo coverage. The strategic answer for most organizations: implement BIMI with VMC first (covers Gmail + Apple Mail + Yahoo), then optionally register with Apple Business Connect for additional Apple ecosystem visibility (calendar invites, Maps, Wallet, etc.). BIMI is the cross-provider standard; Business Connect is Apple-specific enrichment.
Why doesn't Microsoft 365 / Outlook support BIMI?
Microsoft has not publicly committed to a BIMI implementation timeline as of early 2026, despite years of community pressure. The official position remains "limited support" — they acknowledge the protocol but don't display VMC-verified logos in Outlook or Microsoft 365 web/desktop/mobile clients. Industry speculation: Microsoft may be working on its own brand verification approach, may have concerns about the BIMI Working Group's certificate authority model, or may simply have prioritized other features. The practical impact: organizations whose audience is heavy on Microsoft 365 (B2B enterprise, government, education) lose 30-35% of potential BIMI ROI. For B2C senders with Gmail/Apple Mail/Yahoo audiences, the Microsoft gap matters less. There is occasional speculation that Microsoft will add BIMI support, but as of early 2026 no public timeline exists. Audit your audience's mailbox provider distribution to understand the BIMI ROI math for your specific situation.
Can I share a single VMC across multiple domains?
Yes — most CAs allow Subject Alternative Names (SANs) on VMCs, letting you protect multiple subdomains under a single certificate if they all use the same logo. Common pattern: a single VMC covering example.com, mail.example.com, shop.example.com, and support.example.com all displaying the same brand logo. This is significantly more cost-effective than separate VMCs per subdomain. Limitations: the logo must be byte-identical across all SANs (can't have variant logos for different subdomains under one cert), and all included domains must reach DMARC enforcement independently. For organizations with substantively different brands per domain (e.g., parent company with multiple acquired brands using different logos), separate VMCs are required per brand. DigiCert and Entrust both support SANs on VMCs; check current limits with your chosen CA as policies vary.
What happens to my BIMI logo if I rebrand?
A logo change requires a new VMC because the certificate cryptographically binds to the specific logo SVG file. The workflow: (1) update your trademark filing if the new logo isn't covered by existing registration; (2) prepare a new SVG Tiny PS file matching the new trademark; (3) request a new VMC from your CA — this is essentially a new application, not a renewal; (4) update the BIMI DNS record's l= and a= parameters to point to the new logo and certificate; (5) keep the old certificate active until the new one propagates (3-7 days for ISP cache refresh). For brands undergoing frequent visual evolution, the operational tax of certificate replacement should factor into the BIMI ROI calculation. CMCs face the same constraint — a logo change requires CMC reissuance with new prior-use proof on the new logo. Plan rebrands as 4-6 week BIMI transitions to avoid display gaps.
Last updated: May 2026 · Sources: BIMI Group official, CMC announcement, Google BIMI documentation, Red Sift BIMI 2026 guide, CaptainDNS VMC/CMC comparison, Validity BIMI guide, SSL.com VMC requirements, URIports 2025 BIMI failure analysis.