BIMI Eighteen Months After Common Mark Certificates

June 2026 — Operational note. Eighteen months after the BIMI Working Group introduced Common Mark Certificates in September 2024, the ecosystem has expanded but the operational reality has not simplified. More than half of published BIMI records still fail to display logos in at least one major provider. The certificate-authority landscape has churned through a major distrust event and one issuer exiting the market. The provider fragmentation that BIMI was supposed to solve still exists, just with a slightly larger set of viable paths through it. This note works through what eighteen months of CMC availability have actually produced for senders, and whether the engineering investment is warranted in 2026 outside the Fortune 500.

The short version is that BIMI in mid-2026 is a more accessible standard than it was in early 2024, but it remains a brittle deployment with high failure rates, ongoing maintenance overhead, and benefits that are easier to defend in brand-presence terms than in deliverability terms. Senders evaluating BIMI should treat it as a brand-marketing investment with technical prerequisites, not as a deliverability lever. The deliverability work that BIMI requires — reaching DMARC enforcement — is the thing producing the placement improvements that BIMI marketing material attributes to BIMI itself.

53.6%
BIMI records with at least one error severe enough to prevent logo display (URIports, 2025)
22,631
Top-million domains with BIMI records published as of late 2024 (Wombatmail)
4.57%
Sample domains with valid BIMI records out of 13,000 audited (Validity)
~35%
Fortune 500 DMARC records at p=reject, the prerequisite for BIMI (2026 benchmarks)

What the Common Mark Certificate Actually Changed

Until September 2024, BIMI was effectively a Fortune-500 standard. The Verified Mark Certificate required a registered trademark. Trademark registration in the major jurisdictions takes between six and eighteen months. The VMC itself cost roughly $1,000 to $1,500 per year, plus the trademark registration fees, plus the time of the legal team that registered and maintained the mark. A SaaS company at $5M ARR could not realistically justify the path. A Fortune 500 brand with an existing trademark portfolio paid the marginal cost without thinking about it. The result was a BIMI ecosystem populated almost entirely by large brands, with adoption stuck below 5% of large-domain BIMI records validating cleanly.

The Common Mark Certificate was announced via BIMI Working Group draft-06 in September 2024 to break that bottleneck. The CMC removes the trademark prerequisite entirely. Instead of verifying brand ownership through a national trademark office, the CMC verifies it through demonstrated logo use: typically twelve months of the logo appearing in publicly archived sources (the company website, captured by Wayback Machine or equivalent), plus standard organisational identity verification. The validation work is shifted from trademark law to web archaeology. A CMC issues in two to five business days. Pricing settled, by mid-2026, in the $200 to $400 per year range — roughly one-quarter of VMC cost.

That change unlocked BIMI for a category of senders who could not previously reach it: B2B SaaS without trademark portfolios, ecommerce brands operating under names not yet registered, agencies managing client domains, and organisations in jurisdictions where trademark registration is administratively heavy. Eighteen months on, the data on whether those senders actually adopted is mixed. CMC issuance has climbed steadily, but the absolute volume remains modest. BIMI Working Group statistics from early 2026 suggest that CMCs now represent a substantial minority of new mark certificates issued each quarter, but the total number of brands with any BIMI deployment remains well under 30,000 across the top million domains. The constraint that the CMC removed was not the only constraint. The DMARC enforcement prerequisite remains the harder bottleneck.

The DMARC bottleneck is the real BIMI bottleneck. Both VMC and CMC require the sender's organisational domain to be at DMARC p=quarantine or p=reject. As of 2026, only about 2.5% of global domains have reached p=reject, and only roughly 35% of Fortune 500 domains. The reason adoption of BIMI is still constrained at 30,000 brands rather than 300,000 is not that VMCs are too expensive. It is that most senders have not done the DMARC enforcement work, and BIMI is downstream of that.

The Provider Landscape: Five Different Behaviours, Two Real Audiences

A sender deploying BIMI in 2026 is deploying for a fragmented set of recipient behaviours. The standard is one specification; the mailbox-provider implementations diverge significantly. The following table summarises what each major provider does with a published BIMI record as of June 2026.

ProviderSelf-asserted (no certificate)CMCVMCAdditional notes
GmailNot displayedLogo displaysLogo + blue verified checkmarkStrictest CMC validation; rejects PEM with wrong Content-Type
Apple Mail / iCloudNot displayedNot acceptedLogo displaysApple does not honour CMCs; VMC required
Yahoo Mail / AOLLogo displaysLogo displaysLogo displaysMost permissive; self-asserted accepted on reputation
FastmailLogo displays (limited)Logo displaysLogo displaysImplementation incomplete; smaller user base
La PostePartialLimitedLimitedFrench-specific; small audience for non-French senders
Microsoft OutlookDoes not use BIMIDoes not use BIMIDoes not use BIMISeparate brand-logo programme via partner enrolment

Three observations follow from this table. The first is that the realistic BIMI audience for most senders consists of two providers: Gmail and Apple Mail. Yahoo and AOL combined have a small consumer footprint in most Western European and North American audiences; Fastmail is a niche provider; La Poste is largely irrelevant outside France. If a sender is making the BIMI investment, the decision is principally about whether the audience includes enough Gmail and Apple Mail users to justify the certificate cost and operational overhead.

The second is the Microsoft gap. Microsoft does not implement BIMI. A sender with a B2B audience heavy on Outlook and Microsoft 365 gets no logo display benefit from BIMI investment, even after deployment. Microsoft offers its own brand-logo programme via a partner pathway that involves separate enrolment, separate validation, and separate maintenance. Senders with Microsoft-heavy audiences either accept the gap, run two separate brand-logo programmes (BIMI for Gmail and Apple Mail, Microsoft's programme for Outlook), or skip both. None of those choices is straightforwardly attractive.

The third is the certificate-versus-self-asserted divergence between Yahoo and Gmail/Apple. Yahoo will accept a self-asserted BIMI record (no certificate, just the DNS record pointing to an SVG logo) for senders with reasonable reputation. Gmail and Apple will not. The result is that a sender targeting Yahoo-heavy audiences (older email demographics in North America, in particular) can get logo display without certificate investment, while a sender targeting Gmail-and-Apple audiences cannot. The CMC closes part of the gap for Gmail; it does not close it for Apple.

The 53.6% Failure Rate: Where BIMI Breaks in Production

URIports published an analysis in 2025 that produced one of the most quoted statistics in BIMI: 53.6% of published records contain at least one error severe enough to prevent logo display in at least one major mailbox provider. The figure is consistent with smaller samples from Validity (4.57% valid versus 4.58% invalid among 13,000 audited domains). Breaking the failure modes down into operational categories produces a clearer picture of where the engineering effort actually fails.

BIMI Failure Modes by Approximate Frequency (Field Observation)
Aggregated from URIports' 2025 analysis, Validity's domain sample, and observed failure patterns across managed PowerMTA infrastructure during Q1 and Q2 2026. Percentages are approximate; not all records have a single primary cause.
FAILURE MODE APPROX. SHARE Certificate type mismatch (CMC at Apple, etc.) ~24% DMARC not at p=quarantine or p=reject ~19% PEM hosting Content-Type errors ~16% SVG Tiny PS format errors ~13% Expired or revoked certificate ~11% DNS / TXT record syntax ~9% Other (DMARC alignment, etc.) ~8%

Certificate type mismatch is the single largest failure category. The mistake is straightforward: a sender obtains a CMC, assumes (reasonably, given the marketing material) that it works everywhere BIMI works, deploys it, and discovers six weeks later that Apple Mail recipients still see the default avatar. Apple does not honour CMCs. The correction requires either obtaining a separate VMC for Apple coverage (expensive and possibly impossible without an existing trademark) or accepting that Apple recipients will not see the logo. The lesson: certificate selection has to be made deliberately against the actual audience composition, not against the BIMI standard in the abstract.

DMARC enforcement is the second largest category, and one that should not happen. BIMI specifications require DMARC at p=quarantine or p=reject on the organisational domain. Senders sometimes deploy BIMI while DMARC is still at p=none, either because the operator did not read the prerequisite carefully or because they assumed Gmail's "recommendations" were soft. They are not soft. A BIMI record with DMARC at p=none will simply not produce a logo, anywhere, regardless of the certificate. The fix is to migrate DMARC to enforcement, which is the actual work that justifies the BIMI investment in the first place.

PEM hosting errors are the third category, and operationally the most frustrating because they are silent. The certificate is correct. The DNS record is correct. The SVG is correct. The DMARC is correct. The logo does not appear because the web server hosting the PEM file is returning the wrong Content-Type header, or because HTTPS is failing intermittently, or because the file is served with a cache-control header that confuses the mailbox provider's fetcher. Gmail is particularly strict about Content-Type; expecting application/pkix-cert and rejecting on application/octet-stream. The provider does not produce an error message; the logo just does not display. Diagnosis requires running a fetch manually with curl and inspecting headers.

SVG Tiny PS is its own gotcha. BIMI requires the logo to be in SVG Tiny PS (Portable/Secure) format. This is a restricted subset of SVG: no scripts, no external references, square aspect ratio, solid background, no embedded raster images, attribute baseProfile="tiny-ps" set explicitly. Most logo files exported from design tools are not Tiny PS compliant by default. Converting requires a manual round trip through a converter (BIMI Group provides one) or careful hand-editing. Senders frequently publish records pointing to SVGs that fail the Tiny PS validation step, and the resulting BIMI deployment displays nothing.

The Entrust Distrust Episode: A CA Lesson in 18-Month Retrospective

The certificate-authority landscape for BIMI has churned more in the past eighteen months than the BIMI Working Group seems to have anticipated. The Entrust distrust event in late 2024 is the cleanest case study. The sequence:

November 15, 2024
Apple stops trusting Entrust certificates
Apple announces it will no longer trust SSL/TLS, S/MIME, Timestamping, or BIMI Mark Certificates issued by Entrust public roots dated November 15, 2024 or later. The decision follows compliance issues with Entrust's broader certificate operations.
December 2024
Industry distrust cascade
Major browsers including Chrome and Mozilla products signal distrust of Entrust as well. The combined effect is that Entrust's certificate business becomes commercially untenable.
January 2025
Entrust exits public certificate market
Entrust sells its public certificate business to Sectigo and stops issuing new VMCs. Existing Entrust-issued VMCs remain valid but cannot be renewed through Entrust. GlobalSign appears as a new authorised MVA on BIMI Working Group's list.
April 2025
SSL.com appears on the VMC issuer list
Roster of authorised MVAs broadens to DigiCert, GlobalSign, Sectigo, and SSL.com. The Entrust gap is operationally filled, but every sender with an Entrust-issued VMC has a forced migration to plan.

For senders who had selected Entrust as their VMC provider before November 2024, the operational sequence was uncomfortable. Apple Mail BIMI display started failing intermittently in late November 2024 as Apple's caches expired. Renewal through Entrust was impossible. Migrating to a new CA required restarting the validation process from scratch, including trademark verification and SVG re-validation, plus updating the BIMI DNS record to point at the new PEM file once the replacement certificate was issued. The cost was not the new certificate fee; it was the engineering and legal hours required to complete the migration, plus the period of broken BIMI display during the transition.

The structural lesson is that BIMI senders are exposed to certificate-authority-level risks that do not affect senders without BIMI. A CA distrust event affects every sender using that CA, and the remediation path is not under the sender's control. The defence is to track CA trust status as part of regular monitoring (Certificate Transparency logs are public; trust-store changes are announced) and to select a CA based on jurisdictional and stability characteristics rather than purely on price. DigiCert and GlobalSign have, as of mid-2026, the longest track record of stable BIMI operations. Sectigo is newer to the BIMI market but acquired Entrust's customer base and certificate operations. SSL.com is the newest entrant and has the smallest operational footprint to date.

Does BIMI Actually Improve Deliverability?

This is the question senders most frequently ask before committing to BIMI, and the honest answer is no, not directly. BIMI is a display-layer enhancement that runs after the mailbox provider has already accepted the message and decided to route it to the inbox. By the time BIMI is consulted, the deliverability decision has been made. A non-compliant or low-reputation sender cannot use BIMI to improve placement; the message will not reach the inbox where BIMI would have rendered.

The claim that BIMI improves deliverability comes from a confounding variable: BIMI requires DMARC at enforcement. DMARC at p=quarantine or p=reject produces measurable deliverability improvements at Gmail, Yahoo, and Microsoft. Senders who deploy BIMI complete the DMARC enforcement work as a prerequisite, and then observe that their deliverability improves after BIMI deployment. The improvement is the DMARC posture change, not BIMI itself. Disentangling the two requires comparing senders who reach DMARC enforcement without deploying BIMI against senders who reach enforcement specifically to enable BIMI; the controlled studies of this type are scarce and the available data does not suggest a measurable BIMI-specific deliverability lift.

What BIMI does produce is brand-presence signal in the inbox itself. A recipient seeing a verified logo from a known sender is incrementally more likely to engage than a recipient seeing a generic letter avatar. The size of that lift varies by audience: brand-aware audiences in B2C contexts respond more than transactional audiences in B2B contexts. The Mailjet 2024 data put the share of consumers ranking sender brand recognition as "very" or "somewhat important" at 94.5%, which is a strong upstream signal even if not all of those recipients consciously notice the BIMI logo. The benefit is real but not quantifiable in the way the certificate authorities' marketing material sometimes implies.

The honest framing. BIMI is best understood as a brand-marketing investment with technical prerequisites. The technical prerequisites — especially DMARC at enforcement — have independent deliverability value. The BIMI investment itself produces a brand-presence benefit in supported clients that is roughly comparable to having a verified profile photo on a social platform. It is not a deliverability lever. Senders should choose whether to invest based on the brand-presence value, not based on hopes of inbox-placement lift.

When BIMI Makes Sense in 2026

From eighteen months of CMC availability and the broader BIMI experience since 2021, the senders who benefit most cleanly from BIMI deployment cluster around four characteristics. The senders who get the least value from BIMI deployment cluster around the inverse.

ScenarioRecommendationReasoning
Consumer brand with high Gmail and Apple Mail audience share, existing trademarkDeploy with VMCFull coverage of the two largest BIMI-supporting providers; trademark already in place; brand-recognition value highest
SaaS or ecommerce, no trademark, audience mostly GmailDeploy with CMCLower cost, faster issuance, full Gmail coverage; accept missing Apple Mail logo
B2B SaaS with Outlook-heavy audienceSkip BIMI; consider Microsoft programme separatelyMicrosoft does not use BIMI; investment produces no visible result for the primary audience
Sender still at DMARC p=noneDo the DMARC work first; revisit BIMI in 6-12 monthsBIMI requires enforcement; the DMARC progression is the harder and more valuable work
Low-volume sender (under 10K/month)DeferThe maintenance overhead and risk of silent failure outweigh the brand-recognition benefit at low volume
Agency managing many client domainsSelective CMC deployment per clientCMC is operationally feasible at scale; trademark requirement makes VMC impractical for most clients

The deferred-while-doing-DMARC scenario is the most common one across CSE's managed-infrastructure customer base. Senders show up wanting BIMI, discover they are at p=none, and the right operational answer is to spend the next nine to twelve months progressing DMARC to enforcement first. The BIMI deployment afterwards is a comparatively trivial exercise once the DMARC work is done.

The B2B-with-Outlook-audience scenario is the most expensive misallocation of engineering time. Senders see BIMI in their competitors' Gmail demos, decide they need it, and discover only after deployment that their actual audience — corporate Outlook users on Microsoft 365 — sees no difference. The remediation is either accepting the situation or undertaking a parallel Microsoft brand-logo enrolment that has its own validation and maintenance requirements. Neither option is satisfying. The lesson is to verify audience composition before committing.

The Operational Decision in Mid-2026

A sender approaching the BIMI decision in mid-2026 has more options than they did in 2023, and a more complicated decision than they had in 2024. The CMC eliminated the trademark barrier for new entrants but did not change the fundamental DMARC prerequisite. The CA landscape stabilised after the Entrust event but the underlying brittleness remains. The provider fragmentation persists, with Gmail and Apple Mail as the two audiences worth optimising for and Microsoft as a separate problem entirely.

The operational framework that produces clear decisions: first, audit the audience for Gmail and Apple Mail share. If together they represent less than 30% of the addressable audience, the BIMI investment is hard to justify on brand-presence grounds alone. Second, verify DMARC posture. If still at p=none, the DMARC progression is the actual project; BIMI is downstream. Third, select certificate type based on audience composition. Apple-Mail-heavy audiences require VMC; Gmail-only audiences can use CMC. Fourth, plan for ongoing maintenance: certificate renewal, CA trust monitoring, PEM hosting verification, DMARC posture preservation. The annual maintenance overhead, once in place, is modest but it is not zero.

For organisations operating dedicated email infrastructure, BIMI is an additive deployment that sits alongside the existing authentication and reputation work. It does not change the underlying deliverability fundamentals. It does not substitute for SPF, DKIM, DMARC, list hygiene, complaint management, or any of the other operational work that determines inbox placement. It is a brand-marketing display layer that becomes available once the foundational work is complete. Senders who treat it that way — as the visible reward for completing the harder underlying work — tend to get value from the investment. Senders who treat BIMI as the goal and try to deploy it without finishing the DMARC progression tend to produce records that join the 53.6% of failed deployments.

Considering BIMI Deployment? Get the DMARC Foundation Right First.

Cloud Server for Email operates managed PowerMTA infrastructure with end-to-end DMARC progression support: aggregate report analysis, authentication source identification, gradual posture migration from p=none to p=reject, plus BIMI deployment once the foundation is in place. EU-based dedicated infrastructure from Tallin.

Related operational notes on the authentication and reputation foundation that BIMI requires: DMARC at p=reject One Year After Mandate, Why DMARC Reporting Is Underused, Six Months Without Domain Reputation, Apple iCloud Enforcement Watch, and Why Sending Domain Matters as Much as IP. For the broader context, see the operational notes archive and the PowerMTA technical FAQ.