BIMI Email Authentication Setup: Requirements and DNS
BIMI lets participating mailbox providers display a brand-controlled logo beside authenticated email. A valid setup requires aligned SPF and DKIM, DMARC at enforcement, an SVG Tiny PS logo, a BIMI DNS record, and, for Gmail, a Verified Mark Certificate or Common Mark Certificate in PEM format.
Direct answer: Do not start by publishing a logo record. First inventory every sender, make DMARC pass, and move the organizational domain and relevant subdomains to
p=quarantineorp=rejectwithout partial enforcement. Then obtain the right mark certificate, host the approved files over HTTPS, publish the record atdefault._bimi, and validate both DNS and live messages.
BIMI is a visual identity layer. It does not guarantee inbox placement, bypass spam filtering, or authenticate a message by itself. Its value depends on the authentication and reputation work underneath it.
What BIMI does
Brand Indicators for Message Identification, or BIMI, gives a receiving mailbox a standard way to locate an authenticated sender's logo. The sender publishes a TXT record in DNS that points to a secure logo file and, when used, a certificate file.
A typical record looks like this:
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/mark.pem"
The tags are:
v=BIMI1: the BIMI version.l=: the HTTPS location of the SVG Tiny PS logo.a=: the HTTPS location of the VMC or CMC PEM file.
The record name includes the default selector. Publishing only _bimi.example.com is not the standard default record shown in the BIMI Group implementation guide.
The receiving provider decides whether, where, and when to display the image. A syntactically valid record is therefore necessary but not sufficient.
Complete the authentication prerequisites first
SPF and DKIM must authenticate legitimate mail
SPF authorizes sending infrastructure. DKIM signs the message with a domain-controlled key. For BIMI, legitimate mail should be covered by both, and DMARC must pass through alignment with the visible From domain.
Test every production source, not just the marketing platform. A forgotten help desk, billing tool, ecommerce notification service, or employee mail system can fail after DMARC enforcement is enabled.
DMARC must be at enforcement
The BIMI Group requires DMARC enforcement on the organizational domain and subdomains. Use either:
v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-reports@example.com
or:
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com
p=none does not qualify. The policy needs to cover the full applicable traffic set rather than a partial percentage.
The current DMARC specification is RFC 9989, published in 2026. It replaces RFC 7489 and removes the legacy pct tag, introducing t for testing behavior. Some BIMI and mailbox-provider documentation still describes full enforcement as pct=100. The operational requirement is unchanged: do not attempt BIMI with a partial rollout. Validate the final record against current DMARC and BIMI tooling before publishing.
If you are not at enforcement yet, follow our SPF, DKIM, and DMARC setup guide before buying a certificate.
Choose between a VMC and a CMC
Gmail requires third-party certification for the domain and logo. Google's current setup documentation accepts two certificate types.
Verified Mark Certificate
A Verified Mark Certificate, or VMC, is designed for an eligible trademarked logo. In Gmail, a sender verified with a VMC can display the verification checkmark alongside the brand identity. Eligibility depends on the certificate authority's accepted trademark offices and validation process.
Choose a VMC when:
- The exact logo is an eligible registered mark.
- The verified indicator matters to the brand.
- Legal, security, and domain owners can complete the validation process.
Common Mark Certificate
A Common Mark Certificate, or CMC, supports eligible logos that do not meet the VMC trademark requirement. Gmail can use the certificate to display the logo, but its documentation reserves the verification checkmark for VMC-verified senders.
Choose a CMC when:
- The logo is not an eligible registered trademark.
- The mark meets the issuing authority's current evidence and usage requirements.
- Logo display is the goal, without the VMC verification indicator.
Do not rely on old claims that Gmail always requires a VMC. Google's current BIMI setup guide explicitly supports VMCs and CMCs. Check the BIMI Group's current issuer list before procurement because issuers and eligibility rules can change.
Prepare the logo correctly
BIMI does not accept a normal web SVG without additional constraints. The logo must use SVG Tiny Portable/Secure, commonly called SVG Tiny PS.
The file should:
- Declare
baseProfile="tiny-ps"and SVG version1.2. - Contain no scripts, external references, animation, or unsafe active content.
- Use vector artwork rather than an embedded raster image.
- Fit within a square view box with enough safe space for circular or rounded mailbox crops.
- Remain recognizable at small inbox sizes and in light or dark surrounding interfaces.
Gmail adds a minimum width and height of 96 pixels and requires absolute pixel dimensions. The certificate authority may impose additional file rules during issuance.
Use the BIMI Group SVG tools rather than assuming an export from Figma or Illustrator is compliant. Validate the actual final file, not an earlier design version.
Implement BIMI step by step
1. Inventory all mail sources
List every system that can send with the organizational domain or its subdomains in the visible From address. Record the SPF domain, DKIM d= domain, owner, traffic type, and daily volume for each source.
2. Reach DMARC enforcement safely
Collect aggregate reports, fix unauthenticated legitimate sources, and confirm DMARC passes in real message headers. Move from monitoring to enforcement only when the impact is understood. Forwarding and mailing-list paths deserve special attention because strict rejection can disrupt indirect mail.
3. Select the exact mark
Choose the logo users should recognize in an inbox. Confirm VMC or CMC eligibility with an approved issuer before finalizing the SVG. A certificate applies to the validated mark and domains, so an unplanned redesign can create rework.
4. Create and validate SVG Tiny PS
Convert the artwork, set the square view box, inspect small-size readability, and run the BIMI SVG validator. Keep the source artwork and final certified asset under version control with named owners.
5. Obtain the certificate
Complete the certificate authority's organization, domain, and mark validation. Do not publish price or lead-time assumptions in the project plan because both vary by issuer, jurisdiction, evidence, and review queue.
6. Host the approved assets over HTTPS
Place the SVG and PEM files on a stable public HTTPS endpoint. Avoid authentication, redirects that change unexpectedly, bot blocking, short-lived signed URLs, and a content delivery rule that serves HTML instead of the file.
Google's troubleshooting guidance says the public web server should be in the same domain as the BIMI DNS record. Confirm MIME types, certificate chain, HTTP status, and access from outside the corporate network.
7. Publish the BIMI TXT record
Publish one TXT record at the correct selector and domain. For the organizational domain:
Host: default._bimi.example.com
Type: TXT
Value: v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/mark.pem
If mail uses a From subdomain, confirm the applicable BIMI lookup domain and DMARC inheritance with the validator before publishing. Do not copy a record blindly between the root domain and sending subdomain.
8. Validate DNS, assets, and live mail
Use the BIMI Group validation tool to check the record, DMARC posture, logo, and certificate reference. Then send representative production messages and inspect SPF, DKIM, DMARC, and From alignment.
Test on supported recipient services, but do not treat immediate logo display as the only validation. Receivers apply their own reputation and display criteria, and caching can delay a visible change.
Troubleshoot a missing BIMI logo
Work through the dependencies in order.
| Symptom | Evidence to inspect | Likely next action |
|---|---|---|
| Validator cannot find BIMI | DNS name, selector, TXT response | Publish at default._bimi and remove conflicting records |
| DMARC is not eligible | p, sp, testing state, live DMARC result |
Complete full enforcement and fix alignment |
| SVG fails validation | Profile, version, dimensions, external content | Regenerate the SVG Tiny PS asset |
| Certificate fails | Expiration, chain, domain, mark, PEM URL | Contact the issuing authority and replace the hosted PEM |
| Asset cannot be fetched | HTTPS status, redirects, firewall, MIME type | Make the final URL publicly and consistently accessible |
| Record passes but no logo appears | Live headers, sender reputation, provider support | Confirm every requirement, then allow for receiver policy and caching |
Do not repeatedly change DNS while waiting for display. Each edit resets your evidence and can introduce a new error. Capture the validated state, timestamp, test message headers, and provider result before the next change.
Measure BIMI without inventing an open-rate promise
BIMI can improve visual recognition, but no universal open-rate lift applies to every brand. Published vendor studies often compare different audiences, brand awareness levels, mailbox mixes, and test designs. Apple Mail Privacy Protection also makes opens difficult to interpret.
Measure the rollout as a controlled operational change:
- Authentication pass rate before and after enforcement
- Provider-specific inbox and complaint signals
- Unique clicks and conversions per delivered message
- Revenue per delivered message
- Brand-recognition or trust research where the investment warrants it
- Logo-display coverage in the mailbox mix you actually serve
The safest business case includes anti-spoofing progress and operational ownership, not only a projected open-rate increase.
FAQ
Does BIMI improve email deliverability?
Not directly. BIMI is a logo-discovery and display mechanism. Its prerequisites, especially aligned authentication and DMARC enforcement, strengthen identity and domain protection. Mailbox providers still make placement decisions using reputation, recipient behavior, and other signals.
Is a trademark required for BIMI?
Not for every certificate path. A VMC generally uses an eligible registered mark. A CMC can support an eligible non-trademarked mark under the issuing authority's current requirements. Gmail accepts both certificate types, while the verification checkmark is associated with VMC verification.
Can my ESP turn BIMI on for me?
The ESP can help authenticate its sending stream, but the organization controls DMARC, the logo, certificate procurement, hosting, and BIMI DNS. Assign owners across marketing, IT or security, legal, and brand design.
Why does the validator pass while Gmail shows no logo?
A passing validator proves much of the technical setup, not an obligation for Gmail to display the image immediately. Recheck live-message alignment, certificate and asset access, sender reputation, and Google's current BIMI requirements. Then avoid unnecessary DNS changes while receiver caches update.
Deploy BIMI on top of verified authentication
Deliver audits every sending source, moves DMARC toward safe enforcement, coordinates the certified asset, and validates BIMI end to end. Book an email authentication audit.
For the surrounding controls, read the Google and Yahoo sender requirements and our email deliverability guide.
Want to apply this to your stack?
Spend 30 minutes with Charlotte to review your CRM setup, size the opportunity and leave with a practical action plan.
Book a 30-minute call →