Identity Security

BIMI & VMC Brand-Verified Email Identity

Show your verified brand logo in supported inboxes using BIMI and Verified Mark Certificates. Build trust, improve open rates, and strengthen your email authentication strategy.

What You Need

  • SPF, DKIM, and DMARC correctly configured
  • DMARC policy set to enforcement level (quarantine/reject)
  • SVG Tiny P/S compliant brand logo for BIMI
  • Verified Mark Certificate (VMC) issued by approved authority

BIMI & VMC Workflow

A straightforward process to verify your brand identity in customer inboxes.

Step 1

Secure Email Auth

Set up SPF, DKIM, and DMARC with proper policy alignment.

Step 2

Prepare Brand Logo

Create SVG Tiny P/S logo and verify trademark eligibility.

Step 3

Issue VMC

Obtain verified mark certificate from an authorized issuer.

Step 4

Publish BIMI DNS

Add BIMI TXT records and validate mailbox provider display.


Key Benefits

Enhance your email security and brand trust

Increased Trust

Verified logo in inbox builds confidence and reduces phishing susceptibility.

Higher Open Rates

Brand recognition and visual trust indicators improve email engagement metrics.

Brand Protection

VMC proves ownership and prevents imposters from spoofing your identity.

Supported Mailbox Providers

Gmail / Google

Full BIMI support

Yahoo Mail

Full BIMI support

Microsoft Outlook

Rolling deployment

Apple Mail

Partial support

BIMI & VMC Comparison

See the difference between BIMI alone and BIMI with VMC verification

Feature | BIMI Only | BIMI + VMC
Logo Display | Limited support | Full support
Brand Verification | | Verified badge
Gmail Visibility | Partial | Full
DMARC Required | |
Implementation Cost | Free/Low | VMC certificate fee
Anti-spoofing Protection | Moderate | Maximum

Complete BIMI Implementation Guide

Step-by-step instructions to set up BIMI and VMC for your domain. Follow each section carefully to ensure proper configuration and maximum mailbox provider support.

Step 1: Email Authentication Prerequisites

BIMI display requires three email authentication mechanisms properly configured in your domain's DNS. Mailbox providers verify these before showing your logo.

1. SPF Record

Identifies authorized mail servers for your domain

v=spf1 include:... ~all

2. DKIM Signature

Cryptographically signs email messages

v=DKIM1; k=rsa; p=...

3. DMARC Policy

Enforces authentication alignment

v=DMARC1; p=quarantine

⚠️ Critical Requirement: DMARC policy must be set to p=quarantine or p=reject. A policy of p=none will not enable BIMI display in any mailbox provider.

SPF Alignment

The Return-Path domain that SPF checks must align with the sending domain

DKIM Alignment

DKIM signature domain (d= tag) must align with From: header domain

DMARC Enforcement

Ensure at least 50% of email traffic passes DMARC authentication before enforcement

✓ Pre-BIMI Checklist:

  • SPF record published and validates
  • DKIM keys generated and published in DNS
  • All outbound emails signed with DKIM
  • DMARC policy set to quarantine or reject
  • Alignment established for SPF and DKIM
  • Receiving aggregate and forensic DMARC reports
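The share of traffic that passes DMARC, which the guidance above asks you to confirm before enforcement, can be read from the aggregate reports. The following is an added example, not part of the original guide: it assumes a report without an XML namespace, and the sample report and its documentation-range IP addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, trimmed to the fields used below. The element names
# follow the DMARC aggregate report layout defined in RFC 7489.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>80</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def dmarc_pass_rate(report_xml: str):
    """Return (pass_rate, [(source_ip, failed_count), ...]) for one report.

    A message passes DMARC when the aligned DKIM result or the aligned SPF
    result in <policy_evaluated> is "pass". Rows are weighted by <count>.
    """
    total = passed = 0
    failing = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        count = int(row.findtext("count", default="0"))
        evaluated = row.find("policy_evaluated")
        results = (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        total += count
        if "pass" in results:
            passed += count
        else:
            failing[row.findtext("source_ip")] += count
    rate = passed / total if total else 0.0
    return rate, failing.most_common()

if __name__ == "__main__":
    rate, failing = dmarc_pass_rate(SAMPLE_REPORT)
    print(f"DMARC pass rate: {rate:.0%}")
    for ip, n in failing:
        print(f"  failing source {ip}: {n} messages")
```

Sources listed as failing are either legitimate senders that still need SPF or DKIM alignment, or mail you did not send; resolve the first group before moving to p=quarantine or p=reject.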

Step 2: Prepare & Validate Your Brand Logo

Your logo must meet strict SVG format requirements and specifications. Non-compliant logos will be rejected by mailbox providers or fail to render properly.

SVG Format Requirements

  • Format: SVG Tiny 1.2 P/S profile (not regular SVG)
  • Aspect Ratio: Exactly square (1:1)
  • Minimum Size: 200×200 pixels
  • Recommended: 1000×1000 pixels for quality
  • Maximum Size: 32 KB file size

Design Best Practices

  • Background: Solid color (avoids rendering issues)
  • Contrast: High contrast for visibility in light and dark modes
  • Simplicity: Avoid gradients, transparency, patterns
  • No Text: Logo only—no taglines or slogans
  • Recognizable: Logo must be instantly recognizable at 96×96px

SVG Technical Details

<svg version="1.2" baseProfile="tiny-ps" viewBox="0 0 1000 1000" xmlns="http://www.w3.org/2000/svg">

✓ Use viewBox instead of fixed width/height

✓ Avoid style attributes; use presentation attributes only

✓ Validate using BIMI Group SVG checker (bimi.org)

⚠️ Common Mistakes: Using generic SVG tools that output standard SVG instead of SVG Tiny P/S. Request "SVG Tiny 1.2 P/S profile" from your designer explicitly. Many vector design tools default to standard SVG format which will fail BIMI validation.

✓ Logo Validation Checklist:

  • Logo is perfectly square (1:1 aspect ratio)
  • File is valid SVG Tiny 1.2 P/S profile
  • File size is under 32 KB
  • Logo passes BIMI Group online validator
  • Logo is recognizable at small sizes (96×96px)
  • No gradients, transparency, or complex paths
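Several items on this checklist can be checked locally before uploading the file to an online validator. The following is an added example, not part of the original guide: the function name and both sample logos are constructed, and the `baseProfile="tiny-ps"` and `<script>` checks come from the SVG Tiny P/S profile itself rather than from this page.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
MAX_BYTES = 32 * 1024                      # 32 KB file size limit
AVOID = {"linearGradient", "radialGradient", "pattern", "script"}

# Constructed samples: a compliant logo and a typical design-tool export.
GOOD = (b'<svg version="1.2" baseProfile="tiny-ps" viewBox="0 0 1000 1000" '
        b'xmlns="http://www.w3.org/2000/svg"><title>Example Brand</title>'
        b'<rect width="1000" height="1000" fill="#003366"/>'
        b'<circle cx="500" cy="500" r="300" fill="#ffffff"/></svg>')
BAD = (b'<svg width="400" height="300" viewBox="0 0 400 300" '
       b'xmlns="http://www.w3.org/2000/svg"><linearGradient id="g"/>'
       b'<rect style="fill:url(#g)" width="400" height="300" opacity="0.5"/>'
       b'</svg>')

def lint_bimi_svg(data: bytes) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"{len(data)} bytes exceeds the 32 KB limit")
    try:
        root = ET.fromstring(data)         # run on your own logo file only
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps" (standard SVG export?)')
    if root.get("width") or root.get("height"):
        problems.append("fixed width/height on <svg>; use viewBox only")
    try:
        box = root.get("viewBox", "").replace(",", " ").split()
        _, _, w, h = (float(v) for v in box)
        if w <= 0 or w != h:
            problems.append(f"viewBox is {w:g}x{h:g}, not square")
    except ValueError:
        problems.append("viewBox is missing or malformed")
    for el in root.iter():
        name = el.tag.replace(SVG, "")
        if name in AVOID:
            problems.append(f"<{name}> should not appear in a BIMI logo")
        if el.get("style") is not None:
            problems.append(f"<{name}> uses a style attribute")
        if any(a.endswith("opacity") for a in el.attrib):
            problems.append(f"<{name}> uses transparency")
    return problems
```

A clean result here covers only the checks listed in the code; the BIMI Group validator named above remains the reference check for full profile conformance.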

Step 3: Obtain Verified Mark Certificate (VMC)

A VMC proves your brand ownership and enables full BIMI support in major mailbox providers. This requires trademark verification with an approved Certificate Authority.

1. Verify Trademark Registration

Search trademark databases to confirm you own an active, registered trademark matching your domain and brand.

2. Gather Required Documentation

Prepare documents for VMC issuer verification. CAs typically require:

  • Trademark registration certificate
  • Proof of company ownership
  • Government-issued ID of authorized representative
  • Brand guidelines or logo usage policy
  • Proof of domain ownership

3. Select Approved VMC Issuer

Only authorized Certificate Authorities can issue VMCs. Approved CAs include:

Entrust

Industry-leading VMC issuer

DigiCert

Global certificate authority

Sectigo

Comprehensive PKI provider

GoDaddy

Domain and certificate services

4. Apply & Verification Process

Submit your application to the CA. Expect 5-15 business days for verification including:

  • Trademark ownership verification
  • Company registration validation
  • Legal representative identity check
  • Domain control verification

5. Receive & Install VMC

Once approved, the CA issues your VMC. You'll receive a .pem file to host on your web server and reference from your BIMI DNS record.

VMC Benefits

  • ✓ Full logo display in Gmail
  • ✓ Verified badge next to logo
  • ✓ Support in Yahoo Mail & Outlook
  • ✓ Anti-spoofing protection
  • ✓ Increased recipient trust

VMC Timeline

  • Application: 1-2 days
  • Verification: 3-10 days
  • Issuance: 1-3 days
  • Validity: Typically 1 year
  • Renewal: Before expiration

ℹ️ Optional But Recommended: You can implement BIMI with just SPF/DKIM/DMARC, but support will be limited. VMC is required for reliable logo display across major providers. Cost is typically $50-200/year, a small investment for brand visibility.

Step 4: Configure BIMI DNS Record

Publish your BIMI record in the DNS zone for your domain. Mailbox providers query this record to retrieve your logo and VMC certificate.

; BIMI DNS Record Format:

default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem;"

Record Components Explained:

default._bimi.yourdomain.com

Standard BIMI record name (always "default._bimi")

v=BIMI1

Protocol version (always BIMI1)

l=https://yourdomain.com/logo.svg

Location of your SVG logo (HTTPS required, must be public)

a=https://yourdomain.com/vmc.pem

URL to VMC certificate (optional if no VMC yet)

With VMC

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/brand-logo.svg; a=https://example.com/vmc.pem;"

Full BIMI with logo + verified certificate

Without VMC

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/brand-logo.svg;"

BIMI with logo only, no certificate (limited provider support)

Alternative Format

default._bimi.example.com TXT v=BIMI1 l=https://example.com/logo.svg

Some DNS providers use space-separated format

File Hosting Requirements

HTTPS Only: Both logo and VMC URLs must use HTTPS (not HTTP)
Publicly Accessible: Files must be accessible without authentication
Persistent URLs: URLs must remain stable (don't move files later)
Valid Certificates: Your server's SSL certificate must be trusted
Correct MIME Types: image/svg+xml for SVG, application/x-pem-file for VMC

⚠️ Before Publishing: Verify URLs work by opening them directly in your browser. Test that files download correctly and display properly. Some DNS providers have TXT record length limits (255 chars/string)—your entire BIMI record must fit within DNS limits.

✓ DNS Configuration Checklist:

  • DNS record name is exactly "default._bimi"
  • All URLs use HTTPS protocol
  • Logo and VMC files are publicly accessible
  • Record is published in primary DNS zone
  • Tested record for syntax errors
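The record rules from this step and the DMARC enforcement requirement from Step 1 can be checked together before publishing. The following is an added example, not part of the original guide: the function names and the sample records (built on the example.com names used above) are constructed, and it parses the semicolon-separated form shown in the record format.

```python
from urllib.parse import urlparse

# Constructed sample records using the example.com names from this section.
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
DMARC_MONITOR = "v=DMARC1; p=none"
BIMI_VMC = ("v=BIMI1; l=https://example.com/brand-logo.svg; "
            "a=https://example.com/vmc.pem;")
BIMI_HTTP = "v=BIMI1; l=http://example.com/brand-logo.svg;"

def parse_tags(txt: str) -> list[tuple[str, str]]:
    """Split a 'k=v; k=v;' TXT payload into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def check_bimi_ready(dmarc_txt: str, bimi_txt: str) -> list[str]:
    """Return problems that would block logo display; empty means none."""
    problems = []
    dmarc = dict(parse_tags(dmarc_txt))
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing or not v=DMARC1")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append(f"DMARC p={dmarc.get('p')} is not at enforcement")
    tags = parse_tags(bimi_txt)
    if not tags or tags[0] != ("v", "BIMI1"):
        return problems + ["BIMI record must start with v=BIMI1"]
    bimi = dict(tags)
    for tag, required in (("l", True), ("a", False)):   # a= is optional
        url = bimi.get(tag, "")
        if not url:
            if required:
                problems.append("l= logo URL is missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{tag}= must be an https:// URL, got {url!r}")
    if len(bimi_txt.encode()) > 255:
        problems.append("longer than 255 bytes: split across TXT strings")
    return problems
```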

Step 5: Validate & Monitor BIMI Configuration

After publishing your BIMI DNS record, validate configuration and wait for mailbox provider adoption. Proper validation catches issues before they affect email display.

Validation Steps

  1. Verify DNS Record Published: Use command line tools (nslookup, dig) or online checkers to confirm BIMI record is in DNS
  2. Check Logo URL: Open your logo URL directly in browser—it should download without errors
  3. Validate SVG Format: Use BIMI Group validator or online SVG checkers
  4. Test VMC (if applicable): Verify VMC certificate file is accessible and valid
  5. Check Authentication: Ensure SPF/DKIM/DMARC alignment is correct

Command Line Validation

# Check BIMI DNS record:

nslookup -type=TXT default._bimi.yourdomain.com

# Or using dig:

dig default._bimi.yourdomain.com TXT

# Expected output:

"v=BIMI1; l=https://...; a=https://...;"

DNS Propagation Timeline

  • 15-30 min: Primary DNS provider updates
  • 1-4 hours: Secondary DNS, local caches update
  • 12-48 hours: Full global propagation
  • 24-72 hours: Gmail starts displaying logo
  • 1-2 weeks: Full provider rollout

Ongoing Monitoring

Monitor DMARC Reports: Review weekly for authentication failures
Test Email Display: Periodically send test emails to check logo rendering
Track VMC Expiration: Renew certificate before expiration
Update URLs if Changed: If moving logo/VMC, update DNS record

✓ Validation Checklist:

  • BIMI record appears in DNS queries
  • Logo URL accessible and downloads SVG
  • SVG validates with external checker
  • VMC URL accessible (if using VMC)
  • SPF/DKIM/DMARC alignment confirmed
  • Allowed 48+ hours for propagation

Step 6: Test, Troubleshoot & Optimize

After configuration, systematically test BIMI across providers, identify issues, and optimize for best results.

Phase 1: Immediate Testing (Days 1-3)

  1. Send test emails from your domain to multiple personal accounts (Gmail, Yahoo, Outlook, Apple)
  2. Check if logo appears in sender's avatar area or next to sender name
  3. View on both desktop and mobile clients
  4. Screenshot results and compare across providers

Phase 2: Provider-Specific Testing (Days 3-14)

Gmail
24-48 hours after record propagation. Logo may show in Promotions tab before Inbox. Re-send test if not visible after 72 hours.
Yahoo
Typically 24-72 hours. Requires full VMC + enforcement DMARC. Logo appears with "Verified" badge if VMC present.
Outlook
Slower rollout (1-4 weeks). Requires VMC. Mobile clients may lag desktop support.
Apple Mail
Depends on iOS/macOS updates. Partial support in recent versions. May not show on older devices.

Common Issues & Solutions

Logo Not Displaying in Gmail

  • ✓ Verify DMARC policy is p=quarantine or p=reject (not p=none)
  • ✓ Check SPF/DKIM alignment is correct
  • ✓ Ensure logo URL returns 200 OK status code
  • ✓ Wait full 48-72 hours before troubleshooting

SVG File Rejected or Blank

  • ✓ Validate SVG with BIMI Group checker
  • ✓ Ensure file is SVG Tiny 1.2 P/S profile, not standard SVG
  • ✓ Check file size is under 32 KB
  • ✓ Remove any transparency, gradients, or unsupported elements

VMC Not Recognized

  • ✓ Verify VMC certificate is valid and not expired
  • ✓ Ensure certificate URL is accessible via browser
  • ✓ Check certificate is issued by approved CA
  • ✓ Providers cache VMC—wait 24+ hours before re-testing

Logo Looks Distorted or Low Quality

  • ✓ Logo must be recognizable at 96×96 pixels (test in browser dev tools)
  • ✓ Use solid background (avoid transparency, gradients)
  • ✓ Ensure high contrast for readability
  • ✓ Remove unnecessary complexity or fine details

Optimization Tips

Cache Busting: If updating logo, increment URL (logo-v2.svg) to force provider refresh
Monitor DMARC: Regular failures indicate alignment issues preventing BIMI display
Test Subdomains: Consider separate BIMI records for subdomains (mail._bimi, etc.)
Communication: Inform support team about BIMI for consistent branding in support emails

✓ Testing & Optimization Checklist:

  • Tested on Gmail, Yahoo, Outlook, Apple Mail
  • Logo visible on both desktop and mobile
  • Logo quality good at small sizes
  • No authentication errors in DMARC reports
  • Documented results and provider timeline
  • Set calendar reminder for VMC renewal date

Frequently Asked Questions

Get answers to common questions about BIMI and VMC implementation

What's the difference between BIMI and VMC?

BIMI is the standard for displaying logos in email. VMC (Verified Mark Certificate) is the trusted credential that authorizes and verifies logo display. You can use BIMI without VMC, but full provider support requires VMC.

Is DMARC enforcement required for BIMI?

Yes. DMARC policy must be set to p=quarantine or p=reject for mailbox providers to display your logo. Basic DMARC monitoring (p=none) is not sufficient for BIMI display.

How long does VMC issuance take?

VMC issuance typically takes 5-15 business days, depending on the issuing CA and verification of your trademark registration.

What if my logo is rejected or not displayed?

Common reasons include SVG format issues, logo size/dimensions, DMARC alignment problems, or provider-specific delays. We provide testing and troubleshooting support.

Can I use BIMI with multiple domains?

Yes. Each domain publishes its own BIMI DNS records. You may need separate VMCs per domain depending on your trademark registrations.
