BIMI — Brand Indicators for Message Identification

Standard: AuthIndicators Working Group (BIMI Group), Internet-Draft First adoption: Yahoo (early), Gmail (June 2021), Apple Mail (iOS 16, 2022) Prerequisite: DMARC at enforcement (p=quarantine or p=reject) Logo format: SVG Tiny Portable/Secure (SVG P/S), ≤32KB, 1:1 square ISP coverage: ~50-60% of global email volume Reading time: 16 minutes
Definition

BIMI (Brand Indicators for Message Identification) is the email authentication standard that puts your verified brand logo in the inbox avatar slot of supported mailbox providers — Gmail, Yahoo, Apple Mail, Fastmail, La Poste. Three implementation tiers exist: self-asserted (free, no certificate, limited provider support), Common Mark Certificate (CMC, ~$650-1,100/yr, no trademark required, Gmail+Yahoo support), and Verified Mark Certificate (VMC, ~$749-1,688/yr, requires registered trademark, full provider support including Gmail's blue checkmark and Apple Mail). All tiers require DMARC at enforcement (p=quarantine or p=reject) for at least 30 days, an SVG Tiny PS logo file, and a BIMI DNS TXT record. Microsoft 365 / Outlook does not currently support BIMI as of early 2026.

BIMI is the visible payoff at the top of the email authentication pyramid. The foundation is SPF + DKIM + DMARC at enforcement; BIMI is what your customer sees when all of that is working correctly. It's also the primary business-side justification many organizations use for the engineering investment in proper email authentication that should already exist — putting a logo in the inbox is a tangible deliverable that marketing teams understand even when SPF alignment is abstract.

Most published BIMI material falls into one of two categories: vendor pages from certificate authorities promoting their VMC products, or surface-level "what is BIMI" guides that skip the operational reality. This entry synthesizes the current 2026 state — VMC vs CMC tradeoffs, real CA pricing across all five authorized issuers, the 53.6% real-world failure rate from URIports analysis, the SVG Tiny PS spec with explicit forbidden elements, mailbox provider compatibility matrix, and how BIMI fits with the rest of the auth stack.

Why BIMI matters: the engagement numbers

Industry research consistently shows measurable engagement uplift from BIMI implementations. The numbers from Validity research and TalkTalk's public case study:

+90%
Increase in consumer confidence
Validity research
+4-6%
Higher email open rates
TalkTalk case study
+80%
Click-through rate boost
Validity research
+44%
Brand recall increase
Validity research
~50-60%
Combined ISP coverage of BIMI-supporting providers
Mapp deliverability analysis
53.6%
BIMI implementations contain at least one error
URIports 2025 analysis
The mechanism is straightforward: a recognized brand logo creates an instant trust signal that reduces the cognitive friction of opening an unknown email. Indirectly, BIMI improves deliverability because domains meeting BIMI's prerequisites are by definition properly authenticated — which mailbox providers reward with better inbox placement. The honest caveat: BIMI alone doesn't move emails from spam to inbox. It's a visible marker on top of authentication that's already working. If your DMARC posture is broken, BIMI won't fix it; if your sender reputation is poor, the logo simply won't display.

Three implementation tiers: self-asserted vs CMC vs VMC

BIMI exists at three levels of trust, each with different prerequisites, costs, and provider support. The strategic decision is which tier matches your organization's brand investment and audience profile:

Self-asserted

$0/year
SVG Tiny PS logo published, no certificate
Yahoo, Fastmail, La Poste display logo
Gmail does NOT display (rejects self-asserted)
Apple Mail does NOT display
No checkmark anywhere
Lowest barrier — start here for free

CMC (Common Mark Certificate)

$650-1,100/year
Gmail displays logo (no checkmark)
Yahoo, Fastmail, La Poste display logo
Apple Mail does NOT display CMC
Requires 12+ months public logo use proof
No registered trademark needed
Pragmatic SMB choice if no trademark

VMC (Verified Mark Certificate)

$749-1,688/year
Gmail logo + blue verified checkmark
Yahoo logo + purple checkmark
Apple Mail logo display
Fastmail, La Poste, others all display
Requires registered trademark (USPTO/EUIPO/etc.)
+$1,500-3,000 trademark filing if not done
The strategic choice in 2026: VMC if you have a registered trademark and want maximum trust signals (Apple Mail support, Gmail blue checkmark). CMC if you don't have a trademark and your audience is heavy on Gmail/Yahoo (gets you 80% of the value at 30-60% of the cost). Self-asserted if you target only Yahoo/Fastmail/La Poste or want a free starting point before committing. The CMC option (introduced by Google in late 2024) is the most underrated path — it democratizes BIMI for the SMB segment that previously couldn't justify the trademark + VMC investment.

Mailbox provider compatibility matrix

BIMI support varies dramatically by mailbox provider — both in terms of which certificate types are accepted and what visual treatment is given. The current state as of early 2026:

ProviderSelf-assertedCMCVMCVisual treatmentISP share
Gmail ✗ Not accepted ✓ Logo only ✓ Logo + ✓ Blue checkmark (VMC only) ~30%
Yahoo Mail ✓ Logo ✓ Logo ✓ Logo + ✓ Purple checkmark (VMC only) ~10%
Apple Mail (iOS 16+, macOS Ventura+) ✗ Not accepted ✗ Not accepted ✓ Logo Logo display, no checkmark ~15-20%
Fastmail ✓ Logo ✓ Logo ✓ Logo Logo display <1%
La Poste (France) ✓ Logo ✓ Logo ✓ Logo Logo display <1% globally, larger in France
Microsoft 365 / Outlook ✗ Not supported ✗ Not supported ✗ Not supported No BIMI support ~30-35%
The Microsoft gap: roughly 30-35% of global email volume sits with Microsoft 365 / Outlook, and none of it gets BIMI logos as of early 2026 — despite years of community pressure. For B2B senders whose audience is primarily Microsoft-hosted, this materially reduces BIMI's ROI calculation. For B2C senders with Gmail-heavy audiences, the math is overwhelmingly favorable. Audit your audience's mailbox provider distribution before committing to a VMC budget.

Prerequisites: what you need before BIMI works

Six requirements that must all be met for BIMI to display. Missing any single requirement and the logo silently won't appear:

  1. DMARC enforcement on the organizational domain — policy must be p=quarantine or p=reject, NOT p=none. The pct=100 attribute is implicit if not specified. Most providers require the domain to be at enforcement for at least 30 consecutive days before they pull and display your BIMI logo.
  2. DMARC enforcement on the sending domain (if different from organizational). E.g., DMARC enforced on example.com AND on mail.example.com if mail goes from the subdomain.
  3. Working SPF and DKIM with alignment — DMARC requires either SPF-aligned or DKIM-aligned authentication to pass. Both passing without alignment is not sufficient. See the DMARC entry for alignment mechanics.
  4. SVG Tiny PS logo file hosted via HTTPS — must conform to the SVG Tiny 1.2 Portable/Secure profile (covered next section).
  5. BIMI DNS TXT record at default._bimi.<your-domain> containing v=BIMI1, l=<https-logo-url>, and (for VMC/CMC) a=<https-certificate-url>.
  6. For VMC/CMC: a valid certificate from one of five authorized CAs (DigiCert, Entrust, Sectigo, GlobalSign, SSL.com), in PEM format, hosted via HTTPS.

The first three prerequisites are typically the longest-leading-time work — bringing a domain from p=none to enforcement requires monitoring DMARC aggregate reports, identifying and fixing legitimate-but-unauthenticated senders, and progressively tightening policy. Expect 6-8 weeks for a typical organization with mature email infrastructure, longer for organizations with legacy senders that need consolidation.

The BIMI DNS record syntax

BIMI is published as a DNS TXT record at a specific subdomain. The full syntax for VMC/CMC implementations:

# BIMI DNS TXT record — VMC or CMC implementation
default._bimi.example.com.  3600  IN  TXT  "v=BIMI1; l=https://www.example.com/logo.svg; a=https://www.example.com/cert.pem"

# BIMI DNS TXT record — self-asserted (no certificate, omit a=)
default._bimi.example.com.  3600  IN  TXT  "v=BIMI1; l=https://www.example.com/logo.svg"

# BIMI opt-out (publish empty record to override organizational policy)
default._bimi.example.com.  3600  IN  TXT  "v=BIMI1; l=; a="

The three parameters:

  • v=BIMI1 — declares the BIMI protocol version. Only valid value is BIMI1. Required and must come first.
  • l=<url> — (lowercase L) HTTPS URL of your SVG Tiny PS logo file. Required for visible logo. Empty (l=) for explicit opt-out.
  • a=<url> — HTTPS URL of your VMC or CMC PEM-encoded certificate file. Required for Gmail and Apple Mail; optional for Yahoo (which accepts self-asserted).

The selector default applies to all messages from the domain. You can use other selectors (sales._bimi, marketing._bimi) by adding a BIMI-Selector header in the message itself, but most deployments use only default. ISPs cache BIMI records aggressively (3-7 days), so allow a few days for visible changes after publishing.

The SVG Tiny PS specification

BIMI doesn't accept just any SVG. The format must be the SVG Tiny Portable/Secure (SVG Tiny PS) profile — a strict subset of SVG Tiny 1.2 with additional security restrictions. This is where 80% of implementations stall. The complete spec:

SVG Tiny PS requirements vs forbidden elements

Required
  • baseProfile="tiny-ps" attribute
  • version="1.2" attribute
  • xmlns="http://www.w3.org/2000/svg"
  • <title> element with company name (≤64 chars)
  • Square 1:1 aspect ratio
  • File size ≤32KB (16KB recommended)
  • Solid background color (no transparency)
  • HTTPS hosting (not HTTP)
  • <desc> element recommended for accessibility
  • Centered logo (will be displayed as circle)
Forbidden
  • <script> elements (any code execution)
  • <image> with embedded raster (PNG/JPG)
  • <foreignObject> elements
  • <a> hyperlinks
  • <animate>, <animateTransform>, <set>
  • <filter>, <pattern>, <mask>
  • External font references or web fonts
  • External resource links of any kind
  • x= and y= on root <svg> (Illustrator bug)
  • Transparent background
The Adobe Illustrator export trap: Illustrator's "Export to SVG Tiny 1.2" feature is the closest path to SVG P/S, but Illustrator consistently adds x="0px" and y="0px" attributes to the root <svg> element that BIMI rejects. The workflow is: export from Illustrator, open the SVG in a text editor, manually remove x= and y= attributes, change baseProfile="tiny" to baseProfile="tiny-ps", add <title> element, save. Or use a converter tool like the BIMI Working Group's Adobe Illustrator Export Script, EasyDMARC's BIMI SVG Logo Converter, or CaptainDNS's free converter.

For VMC submissions specifically, the SVG must exactly match what's filed at the trademark office — same colors, same proportions, no extra text elements. Color shade variations or minor design tweaks lead to rejection. This is one of the leading causes of VMC application delays per SSL.com's documentation.

Certificate Authority comparison

Five authorized certificate authorities issue BIMI certificates as of early 2026. They all follow the same BIMI Working Group requirements, so the validation process is nearly identical — what differs is pricing, timeline, and customer support quality. Real 2026 pricing data:

DigiCert

Historic market leader

VMC: ~$1,499/yrCMC: ~$1,099/yr
Timeline: 2-4 weeks (VMC), 1-3 weeks (CMC)
Volume discounts available

Entrust

Original BIMI partner

VMC: ~$1,099-1,499/yrCMC: ~$899-1,099/yr
Strong Red Sift integration
Established trust signal

Sectigo

SMB-friendly pricing

VMC: ~$749-999/yrCMC: ~$649-849/yr
Most affordable VMC option
Multi-year discounts

GlobalSign

Enterprise-focused

VMC: ~$1,200-1,500/yrCMC: ~$950-1,200/yr
Strong identity validation
Enterprise PKI integration

SSL.com

Recent BIMI authorized issuer

VMC: ~$1,099-1,688/yrCMC: not yet available
Newer to BIMI market
Detailed validation guides

The choice between CAs is rarely about technical differences — all five validate to the same BIMI Working Group spec. Differentiators: Sectigo for budget-conscious SMBs; DigiCert and Entrust for enterprise relationships and integration with deliverability platforms (Red Sift OnDMARC, Valimail); GlobalSign for organizations with existing GlobalSign PKI investments. Pricing reflects market positioning rather than product differentiation.

Why 53.6% of BIMI implementations fail

Per a 2025 URIports analysis, more than half of domains attempting to display their logo in the inbox fail validation. The failure modes, in order of frequency:

Top BIMI failure reasons (URIports 2025 analysis)

#1
DMARC not at enforcementSender published BIMI record while DMARC is still p=none (monitoring mode). BIMI silently won't display. Fix: complete DMARC enforcement journey first, wait 30+ days, then publish BIMI record.
#2
SVG Tiny PS validation failureExported from Adobe Illustrator without manual cleanup. Common issues: x= and y= attributes on root <svg> element, baseProfile="tiny" instead of "tiny-ps", missing <title> element, embedded raster image, file >32KB.
#3
Certificate misconfigurationWrong file format (DER instead of PEM), HTTP instead of HTTPS hosting, certificate URL returns 404, certificate doesn't match logo SVG (not byte-identical to what's in the cert), expired certificate.
#4
DMARC alignment brokenSPF or DKIM passing but not aligned with the From: header domain. DMARC fails alignment, BIMI ineligible. Common cause: ESP-sent mail with envelope MAIL FROM at vendor.com but From: header at yourcompany.com without DKIM alignment.
#5
Trademark mismatch (VMC only)VMC submission rejected because logo file doesn't exactly match what's filed at trademark office. Color shade variations, minor design tweaks, or extra text elements cause rejection. CA validation team reviews byte-by-byte against trademark filing.
#6
Subdomain DMARC missingOrganizational domain DMARC at enforcement but sending subdomain isn't. E.g., DMARC enforced on example.com but messages go from mail.example.com without its own DMARC record. The sending domain needs DMARC enforcement too.

The 53.6% failure rate is why managed BIMI services exist — the technical surface area is real and the operational tax is non-trivial. Red Sift, Valimail, PowerDMARC, and EasyDMARC all offer integrated DMARC + BIMI workflows that handle these failure modes systematically. For organizations attempting BIMI without that tooling, plan for 2-3 deployment iterations before reaching consistent display.

How BIMI fits with the rest of the auth stack

BIMI sits at the top of the email authentication pyramid. The foundation layers all need to be working before BIMI can do anything visible:

  • SPF — authenticates the envelope MAIL FROM domain (RFC 7208). One of two paths DMARC alignment can take.
  • DKIM — cryptographic signature on selected message headers (RFC 6376). The other path DMARC alignment can take.
  • DMARC — alignment policy connecting envelope identifiers to From: header (RFC 7489). Must be at enforcement (p=quarantine or p=reject) for BIMI.
  • BIMI — the visible signal that DMARC enforcement is working. The payoff layer.

Transport-layer authentication (MTA-STS, DANE, TLS-RPT) isn't a BIMI prerequisite but reflects the same authentication-and-trust posture that BIMI rewards. Organizations with mature MTA-STS + DANE deployments typically also have BIMI-ready DMARC. The reverse isn't always true — some organizations adopt BIMI before completing the transport security work.

BIMI as a forcing function: many organizations adopt BIMI as the business-side justification for the engineering investment in proper email authentication that should already exist. The visual logo display is tangible — marketing teams, executives, and customers all understand "our logo appears in Gmail" in a way that they don't understand "DMARC alignment is now strict." This makes BIMI a useful internal tool for getting authentication work prioritized and funded. The deliverability and security benefits accrue regardless; BIMI just makes them visible.

BIMI in Cloud Server for Email infrastructure

Our managed email infrastructure handles BIMI as the final layer in a full email authentication deployment:

  • DMARC enforcement journey for clients starting from p=none — DMARC aggregate report monitoring, identification of legitimate unauthenticated senders, progressive policy tightening (none → quarantine → reject) over 6-8 weeks. BIMI prerequisites met before any logo work begins.
  • SVG Tiny PS conversion and validation — converting Adobe Illustrator exports to compliant SVG Tiny PS, removing forbidden elements, validating against BIMI Working Group spec before submission. Most common workflow: client provides existing vector logo, we deliver compliant .svg + hosting.
  • VMC and CMC certificate procurement through partner CAs (DigiCert, Sectigo, Entrust) with vendor selection based on client's trademark status, budget, and timeline preferences. End-to-end coordination of trademark validation, organization validation, and DNS deployment.
  • BIMI DNS record publication and validation — TXT record creation at default._bimi, HTTPS hosting of SVG and PEM files on infrastructure we control, post-publication validation across Gmail, Apple Mail, Yahoo to confirm logo display.
  • Multi-domain BIMI strategies — organizational domain plus marketing subdomains, each with appropriate DMARC enforcement. Common pattern for enterprises with separate sending domains for transactional vs marketing vs corporate email.
  • Brand refresh coordination — when a logo changes, the VMC must be reissued and DNS record updated. We handle the SVG re-conversion, certificate replacement, and parallel-run validation to avoid display gaps.

For clients with PowerMTA-based outbound infrastructure, BIMI integrates cleanly because the underlying DMARC enforcement is typically already in place — most ESP-grade infrastructure has DMARC at p=quarantine or p=reject by default. The bottleneck is usually trademark + SVG conversion rather than authentication work.

  • DMARC — the prerequisite that BIMI builds on. Must be at enforcement (p=quarantine or p=reject) for BIMI to work.
  • SPF — one of two paths to DMARC alignment, which is the BIMI prerequisite.
  • DKIM — the other path to DMARC alignment. Most BIMI-compliant senders rely on DKIM alignment for ESP-sent mail.
  • MTA-STS — transport-layer auth that complements BIMI's content-layer auth.
  • TLS-RPT — reporting layer for transport-layer auth, parallel to DMARC's reporting for content-layer auth.
  • DANE — DNSSEC-anchored TLS validation. Same authentication-and-trust posture as BIMI but at the transport layer.
  • Sender Reputation — even with BIMI configured, mailbox providers won't display the logo on mail flagged as spam. Reputation matters.

Frequently asked questions

Can I get BIMI without a registered trademark?

Yes — through CMC (Common Mark Certificate) introduced by Google in late 2024, or through self-asserted BIMI for Yahoo/Fastmail/La Poste. CMC requires proof of public logo use for at least 12 months on a domain you control (Prior Use Mark verification). The CA validates that your logo has been displayed on your website for the required period; no trademark filing needed. CMC works for Gmail (logo display, no blue checkmark) and most other BIMI-supporting providers except Apple Mail. The annual cost ($650-1,100) is lower than VMC ($749-1,688). For SMBs without trademark budget, CMC is the pragmatic path. For self-asserted (free, no certificate), Yahoo and Fastmail will display your logo with just DMARC enforcement + SVG hosted via HTTPS + DNS record.

How long does BIMI implementation take?

For organizations starting from scratch: 6-12 weeks total. The breakdown: DMARC enforcement journey (6-8 weeks if starting from p=none, longer if there are unmanaged legacy senders to identify and either authenticate or remove); SVG Tiny PS conversion and validation (2-3 days, often longer if logo needs trademark-matching cleanup); VMC trademark verification (2-4 weeks per DigiCert; trademark filing itself is 8-18 months if not already done); CMC verification (1-3 weeks); DNS publication and provider propagation (3-7 days for visible logo display). Per Red Sift's enterprise data: 6-8 weeks to DMARC enforcement, 7-10 days for VMC/CMC provisioning once DMARC is enforced. The 30-day enforcement minimum before mailbox providers will pull the logo means there's a hard floor on how fast this can go even with all other prerequisites met.

Does BIMI work for transactional email?

Yes — BIMI works for any authenticated email that passes DMARC alignment, regardless of whether it's transactional or marketing. Receipt confirmations, password reset emails, shipping notifications, account alerts — all display the BIMI logo if your domain meets the prerequisites. For transactional senders specifically, BIMI provides a particularly strong trust signal because phishing emails impersonating banking, e-commerce, and SaaS notifications are common attack vectors. The verified logo plus Gmail's blue checkmark gives recipients an immediate visual confirmation that "this is actually from my bank, not a phishing attempt." Many financial services and e-commerce companies cite anti-phishing as the primary BIMI investment justification, with engagement uplift as a secondary benefit. For pure-transactional sending operations (no marketing), BIMI's authentication-pyramid prerequisite still applies — DMARC at enforcement, working SPF/DKIM, etc.

What's the difference between BIMI and Apple Business Connect?

Different programs that overlap in their visual outcome. BIMI is the open standard managed by the AuthIndicators Working Group, supported by Gmail, Yahoo, Apple Mail, Fastmail, La Poste — your verified logo appears via DNS-based mechanism. Apple Business Connect is Apple's proprietary program for enriching email and other Apple ecosystem touchpoints; brands register via Apple's portal to get logo display in Apple Mail. They achieve similar visual outcomes (logo in Apple Mail inbox) but through different mechanisms. Apple supports BOTH BIMI (via VMC) and Business Connect — registering with Business Connect doesn't replace BIMI for Gmail/Yahoo coverage. The strategic answer for most organizations: implement BIMI with VMC first (covers Gmail + Apple Mail + Yahoo), then optionally register with Apple Business Connect for additional Apple ecosystem visibility (calendar invites, Maps, Wallet, etc.). BIMI is the cross-provider standard; Business Connect is Apple-specific enrichment.

Why doesn't Microsoft 365 / Outlook support BIMI?

Microsoft has not publicly committed to a BIMI implementation timeline as of early 2026, despite years of community pressure. The official position remains "limited support" — they acknowledge the protocol but don't display VMC-verified logos in Outlook or Microsoft 365 web/desktop/mobile clients. Industry speculation: Microsoft may be working on its own brand verification approach, may have concerns about the BIMI Working Group's certificate authority model, or may simply have prioritized other features. The practical impact: organizations whose audience is heavy on Microsoft 365 (B2B enterprise, government, education) lose 30-35% of potential BIMI ROI. For B2C senders with Gmail/Apple Mail/Yahoo audiences, the Microsoft gap matters less. There is occasional speculation that Microsoft will add BIMI support, but as of early 2026 no public timeline exists. Audit your audience's mailbox provider distribution to understand the BIMI ROI math for your specific situation.

Can I share a single VMC across multiple domains?

Yes — most CAs allow Subject Alternative Names (SANs) on VMCs, letting you protect multiple subdomains under a single certificate if they all use the same logo. Common pattern: a single VMC covering example.com, mail.example.com, shop.example.com, and support.example.com all displaying the same brand logo. This is significantly more cost-effective than separate VMCs per subdomain. Limitations: the logo must be byte-identical across all SANs (can't have variant logos for different subdomains under one cert), and all included domains must reach DMARC enforcement independently. For organizations with substantively different brands per domain (e.g., parent company with multiple acquired brands using different logos), separate VMCs are required per brand. DigiCert and Entrust both support SANs on VMCs; check current limits with your chosen CA as policies vary.

What happens to my BIMI logo if I rebrand?

A logo change requires a new VMC because the certificate cryptographically binds to the specific logo SVG file. The workflow: (1) update your trademark filing if the new logo isn't covered by existing registration; (2) prepare a new SVG Tiny PS file matching the new trademark; (3) request a new VMC from your CA — this is essentially a new application, not a renewal; (4) update the BIMI DNS record's l= and a= parameters to point to the new logo and certificate; (5) keep the old certificate active until the new one propagates (3-7 days for ISP cache refresh). For brands undergoing frequent visual evolution, the operational tax of certificate replacement should factor into the BIMI ROI calculation. CMCs face the same constraint — a logo change requires CMC reissuance with new prior-use proof on the new logo. Plan rebrands as 4-6 week BIMI transitions to avoid display gaps.

Last updated: May 2026 · Sources: BIMI Group official, CMC announcement, Google BIMI documentation, Red Sift BIMI 2026 guide, CaptainDNS VMC/CMC comparison, Validity BIMI guide, SSL.com VMC requirements, URIports 2025 BIMI failure analysis.