What Is BIMI? Brand Indicators for Email Explained

BIMI (Brand Indicators for Message Identification) is an email authentication standard that lets a verified sender display its brand logo next to messages in supporting inboxes. It builds on DMARC; the sender must be at quarantine or reject, publish an SVG Tiny PS logo, and (for Gmail's blue checkmark) hold a Verified Mark Certificate.

A 2021 pilot run by Verizon Media and the BIMI Group reported roughly a 10% lift in email engagement for senders displaying a BIMI logo, and a 2022 Red Sift / Entrust study found 42% of respondents were more likely to open a message from a sender whose logo they recognized. Those aren't Mailneo numbers; your mileage will depend on how strong your brand is and how often subscribers already trust what you send.

Table of contents

What is BIMI?

BIMI is a DNS-based specification that tells participating mailbox providers which logo to show next to your messages. The sender publishes a default._bimi TXT record pointing at a hosted SVG file (and, optionally, a Verified Mark Certificate). Supporting clients then render that logo in the inbox list, the avatar circle, or a profile card.

The draft spec is maintained at the IETF as draft-brand-indicators-for-message-identification, with the BIMI Group acting as the coordinating body. It's been in working-group status for years; that's part of why adoption has been uneven (we'll get to that).

One thing worth saying up front: BIMI isn't a deliverability booster on its own. It sits on top of authentication you should already have. If your SPF, DKIM, and DMARC aren't clean, BIMI does nothing. For the prerequisites, see our primer on what DMARC is and the SPF vs DKIM vs DMARC comparison.

How does BIMI work?

At a technical level, BIMI glues three things together: a DMARC policy, a hosted SVG logo, and (optionally) a certificate proving you own the mark.

When a message arrives, a BIMI-aware mail server does roughly this:

1. Authenticates the message with SPF, DKIM, and DMARC.
2. If DMARC passes and the policy is at quarantine or reject (with pct=100), it looks up default._bimi.yourdomain.com.
3. Fetches the SVG from the l= tag in that TXT record.
4. If an a= tag points at a Verified Mark Certificate, validates that cert against a trusted CA.
5. Renders the logo alongside the message.

Here's what a minimal BIMI record looks like in DNS:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"

The v=BIMI1 tag is the version. l= is the HTTPS URL of the SVG Tiny PS logo (must be served over TLS, must be publicly reachable, must be under ~32KB in practice). a= is the URL of your VMC .pem file; leave it out and Gmail will fall back to no-logo for your domain.

One gotcha: the SVG has to be in the SVG Tiny Portable/Secure profile. That's a constrained subset of SVG 1.2 Tiny with no scripts, no external references, no animation, and a specific baseProfile="tiny-ps" attribute. Most designers hand you a regular SVG; it won't validate. You'll need to either run it through a converter or rebuild the file in a SVG Tiny PS-compliant editor. (The BIMI Group FAQ has a list of tools.)

[SCREENSHOT: Gmail inbox showing a BIMI logo next to a verified sender]

What are the BIMI requirements?

Short version: valid DMARC enforcement, a square SVG Tiny PS logo, a trademarked mark for Gmail's blue checkmark, and a VMC or CMC from an approved certificate authority. Let's break each one down.

DMARC at quarantine or reject

Your published DMARC record must be at p=quarantine or p=reject with pct=100. A policy of p=none won't satisfy BIMI; neither will a partial percentage rollout. Gmail added this check early and the other providers followed. Full stop.

A compliant SVG Tiny PS logo

Square aspect ratio. No raster images embedded. No external fonts; all text has to be converted to paths. The file should be under 32KB. It needs <title> and <desc> tags, and the root <svg> element must declare baseProfile="tiny-ps" and version="1.2". Our BIMI generator tool walks you through this and validates the file before you publish it.

A Verified Mark Certificate (for Gmail's blue checkmark)

This is the part that trips up most senders. A VMC is essentially a TLS certificate issued against a registered trademark. Only two CAs issue them commercially at the time of writing: DigiCert and Entrust. Expect to pay around $1,000–$1,500 per year per domain, plus the lead time of the trademark check (two to six weeks is typical in our experience).

If you don't have a registered trademark, DigiCert and Entrust now issue a cheaper option called a Common Mark Certificate (CMC). CMCs use a proof of prior use instead of a trademark filing; they display the logo in some clients but do not grant the Gmail blue verified checkmark. Think of a CMC as the "my-logo-appears-but-without-a-badge" tier.

Mailbox providers that actually render BIMI

As of April 2026, the list is short but growing:

• Gmail (Google) rolled out BIMI in July 2021; the verified blue checkmark (requires a VMC) was announced in May 2023.
• Apple Mail (iOS 16, iPadOS 16, macOS Ventura and later) was announced at WWDC 2022 and shipped in September 2022. Apple accepts both VMCs and CMCs.
• Yahoo Mail, AOL, and Fastmail shipped earlier than Gmail and remain supporters.
• Microsoft 365 / Outlook.com is still not generally available as of April 2026, though Microsoft has had a private preview running since 2023.

So if your audience is mostly Outlook, BIMI won't do much for you yet; plan accordingly.

Provider	BIMI support	Certificate needed for full display
Gmail	Yes (since July 2021)	VMC required for the blue verified checkmark.
Apple Mail	Yes (iOS 16, iPadOS 16, macOS Ventura and later)	Accepts both VMC and CMC.
Yahoo Mail / AOL / Fastmail	Yes (shipped before Gmail)	No VMC strictly required to display a logo.
Microsoft 365 / Outlook.com	Private preview only (as of April 2026)	Not yet generally available.

Does BIMI actually improve engagement?

Honest answer: probably a little, and mostly for brands subscribers already recognize.

The most-cited number comes from that Verizon Media / Yahoo 2021 pilot, reported on BIMI Group's site: roughly a 10% lift in engagement metrics for senders who enabled BIMI. A follow-up Red Sift and Entrust consumer survey put the open-rate intent lift at 39% when a logo was present (self-reported, so take it with a grain of salt). Google's own 2022 announcement talked about phishing reduction more than engagement, which is telling.

My honest take after running BIMI setups for several senders: the engagement numbers are real but modest, and they're strongest for B2C senders with a recognizable logo. A B2B SaaS sending transactional receipts is unlikely to see a measurable open-rate change. Where BIMI does help everyone is brand consistency; a Gmail inbox with your logo in every row looks like a brand, not a mailing list.

[MY EXPERIENCE: describe setting up BIMI for a Mailneo customer, the VMC process, and the first time you saw their logo appear in Gmail]

How do you set up BIMI?

Rough sequence, assuming you already have DMARC running:

1. Move your DMARC policy to p=quarantine; pct=100 (or p=reject). Give it a few weeks of monitoring first.
2. Prepare a square SVG Tiny PS logo. Use our BIMI generator to validate it.
3. Host the SVG at an HTTPS URL on your domain (CDN is fine).
4. Decide on VMC vs. CMC. If Gmail's blue checkmark matters to your brand and you hold the trademark, buy a VMC from DigiCert or Entrust. If you just want the logo in Apple Mail, a CMC is cheaper (~$400-600/year).
5. Publish the default._bimi TXT record pointing at the SVG (and the VMC, if you bought one).
6. Wait. Gmail caches heavily; allow 24-48 hours before testing.
7. Send yourself a test message from the domain and confirm the logo renders in Gmail, Yahoo, and Apple Mail.

If you're still a few steps back and haven't nailed deliverability yet, start with the full email deliverability guide before spending money on a certificate.

[ORIGINAL DATA: percentage of Mailneo customer domains currently eligible for BIMI (DMARC at quarantine or reject) versus actually publishing a BIMI record]

Key takeaways

• BIMI requires DMARC at p=quarantine or p=reject, an SVG Tiny PS logo, and (for Gmail's blue checkmark) a Verified Mark Certificate from DigiCert or Entrust.
• VMCs cost roughly $1,000–$1,500 per year and require a registered trademark; Common Mark Certificates are cheaper but won't earn the Gmail blue checkmark.
• Supporting clients in April 2026: Gmail, Apple Mail (iOS 16+/macOS Ventura+), Yahoo, AOL, and Fastmail. Outlook is still in limited preview.
• Reported engagement lift is ~10% on average (BIMI Group / Verizon Media), with stronger effects for consumer brands than B2B senders.

Frequently asked questions

Do I need a Verified Mark Certificate for BIMI to work?

Not for the logo to appear. Apple Mail, Yahoo, Fastmail, and AOL will render a BIMI logo without one. You need a VMC (or the newer CMC for some clients) for Gmail to render anything at all, and only a VMC will produce Gmail's blue verified checkmark.

How much does BIMI cost to set up?

The DNS record, the SVG file, and the hosting are effectively free. The real cost is the certificate: ~$1,000–$1,500 per year for a VMC from DigiCert or Entrust, or ~$400–$600 per year for a Common Mark Certificate. Budget a few hours of engineering time and a few weeks of lead time for trademark checks.

Why isn't my BIMI logo showing in Gmail?

Common causes, in the order I hit them in practice: DMARC isn't at p=quarantine or p=reject with pct=100; the SVG isn't SVG Tiny PS compliant; the VMC URL in the a= tag is wrong or the cert has expired; Gmail's cache hasn't refreshed yet (give it 24-48 hours); the sending domain doesn't match the domain in the DMARC alignment check. Our BIMI glossary entry and the DMARC entry have the debugging checklists.

Can I use BIMI without a trademark?

Yes, through a Common Mark Certificate. A CMC uses proof of prior use (typically 12+ months of the logo appearing on your site and marketing) instead of a trademark filing. The tradeoff: CMCs work in Apple Mail and some other clients, but do not grant the Gmail verified checkmark.

Does BIMI protect against phishing?

Indirectly. BIMI can't stop a phisher from sending a lookalike-domain email; it can only prevent that phisher's message from showing your logo (because they don't have your VMC and can't pass DMARC on your domain). The security benefit is that subscribers learn to distrust messages that claim to be from you but lack the logo they're used to seeing.

Related resources

• What is DMARC? A plain-English guide
• SPF vs DKIM vs DMARC: what each one does
• Email deliverability guide
• BIMI generator tool
• BIMI glossary entry
• DMARC glossary entry