[deliver]
Deliver article · 2026-07-16 · Charlotte Rodrigues

BIMI Email Authentication Setup: Requirements and DNS

BIMI lets participating mailbox providers display a brand-controlled logo beside authenticated email. A valid setup requires aligned SPF and DKIM, DMARC at enforcement, an SVG Tiny PS logo, a BIMI DNS record, and, for Gmail, a Verified Mark Certificate or Common Mark Certificate in PEM format.

Direct answer: Do not start by publishing a logo record. First inventory every sender, make DMARC pass, and move the organizational domain and relevant subdomains to p=quarantine or p=reject without partial enforcement. Then obtain the right mark certificate, host the approved files over HTTPS, publish the record at default._bimi, and validate both DNS and live messages.

BIMI is a visual identity layer. It does not guarantee inbox placement, bypass spam filtering, or authenticate a message by itself. Its value depends on the authentication and reputation work underneath it.

What BIMI does

Brand Indicators for Message Identification, or BIMI, gives a receiving mailbox a standard way to locate an authenticated sender's logo. The sender publishes a TXT record in DNS that points to a secure logo file and, when used, a certificate file.

A typical record looks like this:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/mark.pem"

The tags are:

The record name includes the default selector. Publishing only _bimi.example.com is not the standard default record shown in the BIMI Group implementation guide.

The receiving provider decides whether, where, and when to display the image. A syntactically valid record is therefore necessary but not sufficient.

Complete the authentication prerequisites first

SPF and DKIM must authenticate legitimate mail

SPF authorizes sending infrastructure. DKIM signs the message with a domain-controlled key. For BIMI, legitimate mail should be covered by both, and DMARC must pass through alignment with the visible From domain.

Test every production source, not just the marketing platform. A forgotten help desk, billing tool, ecommerce notification service, or employee mail system can fail after DMARC enforcement is enabled.

DMARC must be at enforcement

The BIMI Group requires DMARC enforcement on the organizational domain and subdomains. Use either:

v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-reports@example.com

or:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com

p=none does not qualify. The policy needs to cover the full applicable traffic set rather than a partial percentage.

The current DMARC specification is RFC 9989, published in 2026. It replaces RFC 7489 and removes the legacy pct tag, introducing t for testing behavior. Some BIMI and mailbox-provider documentation still describes full enforcement as pct=100. The operational requirement is unchanged: do not attempt BIMI with a partial rollout. Validate the final record against current DMARC and BIMI tooling before publishing.

If you are not at enforcement yet, follow our SPF, DKIM, and DMARC setup guide before buying a certificate.

Choose between a VMC and a CMC

Gmail requires third-party certification for the domain and logo. Google's current setup documentation accepts two certificate types.

Verified Mark Certificate

A Verified Mark Certificate, or VMC, is designed for an eligible trademarked logo. In Gmail, a sender verified with a VMC can display the verification checkmark alongside the brand identity. Eligibility depends on the certificate authority's accepted trademark offices and validation process.

Choose a VMC when:

Common Mark Certificate

A Common Mark Certificate, or CMC, supports eligible logos that do not meet the VMC trademark requirement. Gmail can use the certificate to display the logo, but its documentation reserves the verification checkmark for VMC-verified senders.

Choose a CMC when:

Do not rely on old claims that Gmail always requires a VMC. Google's current BIMI setup guide explicitly supports VMCs and CMCs. Check the BIMI Group's current issuer list before procurement because issuers and eligibility rules can change.

Prepare the logo correctly

BIMI does not accept a normal web SVG without additional constraints. The logo must use SVG Tiny Portable/Secure, commonly called SVG Tiny PS.

The file should:

Gmail adds a minimum width and height of 96 pixels and requires absolute pixel dimensions. The certificate authority may impose additional file rules during issuance.

Use the BIMI Group SVG tools rather than assuming an export from Figma or Illustrator is compliant. Validate the actual final file, not an earlier design version.

Implement BIMI step by step

1. Inventory all mail sources

List every system that can send with the organizational domain or its subdomains in the visible From address. Record the SPF domain, DKIM d= domain, owner, traffic type, and daily volume for each source.

2. Reach DMARC enforcement safely

Collect aggregate reports, fix unauthenticated legitimate sources, and confirm DMARC passes in real message headers. Move from monitoring to enforcement only when the impact is understood. Forwarding and mailing-list paths deserve special attention because strict rejection can disrupt indirect mail.

3. Select the exact mark

Choose the logo users should recognize in an inbox. Confirm VMC or CMC eligibility with an approved issuer before finalizing the SVG. A certificate applies to the validated mark and domains, so an unplanned redesign can create rework.

4. Create and validate SVG Tiny PS

Convert the artwork, set the square view box, inspect small-size readability, and run the BIMI SVG validator. Keep the source artwork and final certified asset under version control with named owners.

5. Obtain the certificate

Complete the certificate authority's organization, domain, and mark validation. Do not publish price or lead-time assumptions in the project plan because both vary by issuer, jurisdiction, evidence, and review queue.

6. Host the approved assets over HTTPS

Place the SVG and PEM files on a stable public HTTPS endpoint. Avoid authentication, redirects that change unexpectedly, bot blocking, short-lived signed URLs, and a content delivery rule that serves HTML instead of the file.

Google's troubleshooting guidance says the public web server should be in the same domain as the BIMI DNS record. Confirm MIME types, certificate chain, HTTP status, and access from outside the corporate network.

7. Publish the BIMI TXT record

Publish one TXT record at the correct selector and domain. For the organizational domain:

Host: default._bimi.example.com
Type: TXT
Value: v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/mark.pem

If mail uses a From subdomain, confirm the applicable BIMI lookup domain and DMARC inheritance with the validator before publishing. Do not copy a record blindly between the root domain and sending subdomain.

8. Validate DNS, assets, and live mail

Use the BIMI Group validation tool to check the record, DMARC posture, logo, and certificate reference. Then send representative production messages and inspect SPF, DKIM, DMARC, and From alignment.

Test on supported recipient services, but do not treat immediate logo display as the only validation. Receivers apply their own reputation and display criteria, and caching can delay a visible change.

Troubleshoot a missing BIMI logo

Work through the dependencies in order.

Symptom Evidence to inspect Likely next action
Validator cannot find BIMI DNS name, selector, TXT response Publish at default._bimi and remove conflicting records
DMARC is not eligible p, sp, testing state, live DMARC result Complete full enforcement and fix alignment
SVG fails validation Profile, version, dimensions, external content Regenerate the SVG Tiny PS asset
Certificate fails Expiration, chain, domain, mark, PEM URL Contact the issuing authority and replace the hosted PEM
Asset cannot be fetched HTTPS status, redirects, firewall, MIME type Make the final URL publicly and consistently accessible
Record passes but no logo appears Live headers, sender reputation, provider support Confirm every requirement, then allow for receiver policy and caching

Do not repeatedly change DNS while waiting for display. Each edit resets your evidence and can introduce a new error. Capture the validated state, timestamp, test message headers, and provider result before the next change.

Measure BIMI without inventing an open-rate promise

BIMI can improve visual recognition, but no universal open-rate lift applies to every brand. Published vendor studies often compare different audiences, brand awareness levels, mailbox mixes, and test designs. Apple Mail Privacy Protection also makes opens difficult to interpret.

Measure the rollout as a controlled operational change:

The safest business case includes anti-spoofing progress and operational ownership, not only a projected open-rate increase.

FAQ

Does BIMI improve email deliverability?

Not directly. BIMI is a logo-discovery and display mechanism. Its prerequisites, especially aligned authentication and DMARC enforcement, strengthen identity and domain protection. Mailbox providers still make placement decisions using reputation, recipient behavior, and other signals.

Is a trademark required for BIMI?

Not for every certificate path. A VMC generally uses an eligible registered mark. A CMC can support an eligible non-trademarked mark under the issuing authority's current requirements. Gmail accepts both certificate types, while the verification checkmark is associated with VMC verification.

Can my ESP turn BIMI on for me?

The ESP can help authenticate its sending stream, but the organization controls DMARC, the logo, certificate procurement, hosting, and BIMI DNS. Assign owners across marketing, IT or security, legal, and brand design.

Why does the validator pass while Gmail shows no logo?

A passing validator proves much of the technical setup, not an obligation for Gmail to display the image immediately. Recheck live-message alignment, certificate and asset access, sender reputation, and Google's current BIMI requirements. Then avoid unnecessary DNS changes while receiver caches update.

Deploy BIMI on top of verified authentication

Deliver audits every sending source, moves DMARC toward safe enforcement, coordinates the certified asset, and validates BIMI end to end. Book an email authentication audit.

For the surrounding controls, read the Google and Yahoo sender requirements and our email deliverability guide.

CR
Charlotte Rodrigues · CRM Lead at Deliver. Questions about this article? charlotte@agence-deliver.com

Want to apply this to your stack?

Spend 30 minutes with Charlotte to review your CRM setup, size the opportunity and leave with a practical action plan.

Book a 30-minute call →