BIMI: Brand Indicators for Message Identification

Display your brand logo in supporting email clients by deploying BIMI alongside strong email authentication.

What BIMI does

Brand Indicators for Message Identification (BIMI) is a DNS-based standard that allows organizations to display a brand-controlled logo next to authenticated email messages in participating email clients. When a recipient opens a message that passes DMARC authentication, the email client fetches the sender's BIMI record, retrieves the logo, and displays it in the inbox alongside the message.

BIMI is supported by Gmail, Apple Mail, Yahoo Mail, Fastmail, and a growing number of other clients. It is not a security mechanism in itself -- it is a brand visibility incentive that rewards domains with properly deployed email authentication. The prerequisites for BIMI are the actual security measures:

DMARC at enforcement -- your domain must publish a DMARC record with a policy of p=quarantine or p=reject. A p=none policy is not sufficient for BIMI.
DKIM signing -- messages must pass DKIM verification with alignment to the From: domain.
SPF alignment -- while not strictly required by BIMI itself, aligned SPF strengthens overall DMARC pass rates.

The practical effect: deploying BIMI forces you to have solid email authentication in place first. The logo is the reward for getting SPF, DKIM, and DMARC right.

VMC requirement and exemptions

A Verified Mark Certificate (VMC) is a digital certificate issued by a Certificate Authority (currently DigiCert and Entrust) that attests that the logo associated with the BIMI record is a registered trademark owned by the domain holder. The VMC links the domain, the logo, and the trademark registration together.

VMC requirements vary by email client:

Gmail -- requires a VMC. Without one, Gmail will not display the BIMI logo, regardless of how correct the rest of the setup is. The trademark must be registered with an intellectual property office recognized by the VMC issuer.
Apple Mail -- requires a VMC as of iOS 16 and macOS Ventura.
Yahoo Mail / Fastmail -- do not currently require a VMC. They will display logos from BIMI records that contain only the l= tag (logo URL) without an a= tag (authority/VMC).

VMCs are not cheap -- expect annual costs in the range of $1,000-$1,500 USD. For organizations where brand visibility in Gmail is critical, the cost is justified. Smaller organizations may choose to deploy BIMI without a VMC to gain visibility in Yahoo/Fastmail while waiting for costs to decrease.

The VMC is published as a PEM file served over HTTPS. The a= tag in the BIMI DNS record points to this URL.

SVG Tiny PS specification requirements

BIMI logos must conform to the SVG Tiny PS (Portable/Secure) profile, a restricted subset of SVG designed for safe rendering in email clients. A standard SVG file will almost certainly fail BIMI validation. The key requirements:

Square aspect ratio -- the viewBox must be square (e.g., 0 0 100 100). Non-square logos are rejected.
No scripts or animations -- no <script> elements, no <animate>, no <set>, no event handlers. The logo must be entirely static.
No external references -- no <image> elements linking to external URLs, no xlink:href references to remote resources, no CSS @import or url() pointing outside the document.
No embedded raster images -- base64-encoded PNG/JPEG inside the SVG is not allowed. The logo must be pure vector.
Title element required -- the SVG must contain a <title> element with the brand name.
Supported elements -- only a subset of SVG elements are allowed: <svg>, <g>, <path>, <circle>, <ellipse>, <rect>, <line>, <polygon>, <polyline>, <text>, <defs>, <linearGradient>, <radialGradient>, <stop>, <solidColor>, <clipPath>, and <title>.
Background recommended -- the logo should have an opaque background. Transparent backgrounds render poorly in some clients, especially dark mode.

A minimal SVG Tiny PS file looks like this:

<svg xmlns="http://www.w3.org/2000/svg"
     version="1.2" baseProfile="tiny-ps"
     viewBox="0 0 100 100">
  <title>Example Corp</title>
  <rect width="100" height="100" fill="#0066cc"/>
  <circle cx="50" cy="50" r="30" fill="#ffffff"/>
</svg>

Use the BIMI Group's SVG validator at https://bimigroup.org/bimi-generator/ to check your logo before publishing. Many common SVG editors (Illustrator, Inkscape, Figma) export SVG that requires manual cleanup to meet SVG Tiny PS requirements.

DNS record format

BIMI is published as a TXT record at default._bimi.<domain>. The record has two tags:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"

v=BIMI1 -- version identifier (required).
l= -- URL of the SVG Tiny PS logo file, served over HTTPS (required). The URL must be publicly accessible with no authentication or redirects.
a= -- URL of the VMC PEM file, served over HTTPS (optional, but required for Gmail and Apple Mail). Omit or leave empty if you do not have a VMC.

The default selector is used for the organizational domain. BIMI also supports per-selector records (e.g., brand2._bimi.example.com) for organizations that send from multiple brands, but default covers the common case.

BIMI without a VMC

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/brand/logo.svg; a="

Setting a= to empty explicitly signals that no VMC is provided. This is functionally equivalent to omitting the a= tag entirely, but some validators prefer the explicit form.

Practical examples

Creating a BIMI TXT record

Assuming your logo is hosted at https://example.com/assets/logo.svg and your VMC at https://example.com/assets/vmc.pem:

# DNS zone file entry
default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://example.com/assets/logo.svg; a=https://example.com/assets/vmc.pem"

Verify the record is published correctly:

dig +short TXT default._bimi.example.com
# Expected: "v=BIMI1; l=https://example.com/assets/logo.svg; a=https://example.com/assets/vmc.pem"

Validating SVG logo requirements

Check your SVG file against BIMI requirements manually:

# Check that the viewBox is square
grep -o 'viewBox="[^"]*"' logo.svg
# Should output something like: viewBox="0 0 100 100"

# Check for forbidden elements
grep -iE '<script|<animate|<set |<image|xlink:href' logo.svg
# Should return no matches

# Verify the title element exists
grep '<title>' logo.svg
# Should return your brand name in a title element

# Check baseProfile
grep 'baseProfile="tiny-ps"' logo.svg
# Should match

Checking BIMI with beacon

The netray.info beacon tool checks your BIMI record as part of a comprehensive email security audit. It verifies:

The DNS TXT record exists and has valid syntax
The logo URL is reachable and serves an SVG file
DMARC policy is at enforcement level (prerequisite for BIMI)
The VMC URL is reachable (if provided)

Checklist before going live

DMARC policy is p=quarantine or p=reject
DKIM is signing all outbound mail with alignment to the From: domain
SVG logo passes SVG Tiny PS validation
Logo is hosted on HTTPS, publicly accessible, no redirects
VMC is obtained and hosted (if targeting Gmail/Apple Mail)
DNS TXT record published at default._bimi.<domain>
Record verified via dig or beacon