Back to Blog
How to Set Up BIMI
Email DeliverabilityJune 24, 20268 min read

How to Set Up BIMI

JaxSuite Team

Author

BIMI (Brand Indicators for Message Identification) lets you tell mailbox providers which logo to display next to the mail you send. It is not an authentication protocol on its own; it sits on top of SPF, DKIM, and DMARC as a visible reward for domains that have locked down their email. Setting it up is a defined sequence of steps, and skipping any one of them means the logo silently never appears. This guide walks through each step in order, with a realistic record example at the end. When you are done, validate everything with the BIMI record checker.

Step 1: Get DMARC to Enforcement

Before a single BIMI tag matters, your domain must publish a DMARC policy at enforcement. That means the p= tag in your DMARC record must be quarantine or reject. A monitoring-only policy of p=none disqualifies the domain completely, no matter how perfect the BIMI record and logo are. The logic is simple: the logo is a trust signal, and no provider will vouch for a domain that has not committed to blocking its own impersonators.

Three details trip people up at this step:

  • Subdomains must be enforced too. If your organizational domain relaxes the subdomain policy with sp=none, providers treat the domain as not enforced, because an attacker could simply spoof a subdomain. Under the current DMARC specification the same thinking extends to the np tag, which controls non-existent subdomains.
  • The pct tag is gone. Older advice about setting pct=100 is obsolete; pct was removed in DMARCbis (RFC 9989, May 2026), so enforcement can no longer be diluted by percentage.
  • Each message must actually pass DMARC with an aligned SPF or DKIM identifier, or it will never earn a logo regardless of your published policy.

If your domain is not yet at enforcement, do that first. See how to set up DMARC for the full process, and what is DMARC if you need the background.

Step 2: Build a Compliant SVG Logo

BIMI does not accept just any SVG. Logos must conform to SVG Tiny 1.2 Portable/Secure (usually written SVG Tiny P/S), a deliberately restricted profile created for BIMI. The restrictions exist because mail clients render the logo automatically for every message; scripts, external resource loading, or interactivity would hand attackers a way to run code or track users from the inbox, so the profile strips SVG down to static vector artwork.

A compliant file must:

  • Declare version="1.2" and baseProfile="tiny-ps" on the root <svg> element, with no x or y attributes on the root.
  • Include a <title> element, conventionally your brand name.
  • Contain no scripts, event handlers, animation, embedded raster images, hyperlinks, or references to any external resource.

Beyond the hard rules, providers publish strong recommendations: keep the file at or below 32 KB, use a square canvas with the mark centered, and prefer a solid background color, because the logo is usually cropped into a circle and transparency can render unpredictably against different themes.

Mainstream design tools do not export this profile directly, so the usual workflow is: export a plain SVG, open it in a text editor, set the version and base profile attributes on the root element, add the <title>, and delete anything the profile forbids (editor metadata, style imports, stray attributes). Free converters maintained by the email industry can automate the cleanup. Whichever route you take, validate the result before publishing.

Step 3: Obtain a VMC or CMC (Needed for Gmail and Apple)

A certificate is optional for some providers and mandatory for others, so this step depends on which inboxes you want to cover. There are two certificate types, both published as a PEM file:

  • Verified Mark Certificate (VMC). An X.509 certificate issued by a small number of approved certificate authorities. To get one, you must prove your logo is a registered trademark owned by your organization; the CA verifies the registration with the trademark office, performs identity checks, and embeds the logo into the certificate. Registered word or design marks from major national and regional trademark offices are accepted.
  • Common Mark Certificate (CMC). Drops the trademark requirement and instead accepts evidence that the logo has been in continuous use for at least twelve months, typically through archived web pages. Organizational vetting still happens, but no trademark registration is needed.

Provider requirements differ, and this is where most confusion lives:

  • Yahoo and AOL display BIMI logos based on the DNS record and a compliant SVG alone, with no certificate required, relying instead on your sending reputation.
  • Gmail requires a certificate before it shows a logo at all: either a VMC or a CMC unlocks the logo, but the blue verified checkmark beside the sender name is reserved for VMC holders.
  • Apple Mail requires a VMC for its branded mail treatment.
  • Microsoft has no general-availability BIMI support: consumer Outlook.com has shown BIMI logos in an inconsistent preview since around 2023, and Microsoft 365 enterprise has not shipped it. Do not count on Microsoft display.

The practical upshot: you can start certificate-free and see your logo at Yahoo and AOL, then add a CMC or VMC when you are ready to cover Gmail and Apple Mail.

Step 4: Publish the _bimi TXT Record

A BIMI record is an ordinary DNS TXT record published at a special hostname: a selector, followed by the label _bimi, followed by your domain. Almost everyone uses the default selector, so the record lives at default._bimi.yourdomain.com. Selectors let a domain publish multiple logos (chosen per message with a BIMI-Selector header), but most senders need only a single default record.

The record uses just three tags:

  • v declares the version and must be BIMI1; it has to be the first tag in the record.
  • l is the location tag: an HTTPS URL pointing to your SVG logo.
  • a is the optional authority evidence tag: an HTTPS URL pointing to the PEM file containing your VMC or CMC.

Both URLs must use HTTPS; plain HTTP is invalid. One special case to know: an empty l= value (v=BIMI1; l=;) is an explicit declaration that the domain opts out of BIMI, not a broken record.

Here is a realistic record published at default._bimi.example.com:

v=BIMI1; l=https://assets.example.com/brand/logo.svg; a=https://assets.example.com/brand/certificate.pem

The v=BIMI1 portion identifies the record type and version, exactly as v=spf1 and v=DMARC1 do for their protocols; if it is missing, misspelled, or not first, receivers ignore the entire record. The l= URL is where the receiver fetches the logo, so it must serve your compliant SVG over HTTPS from a host that does not block automated clients. The a= URL serves the certificate chain in PEM format; the certificate embeds a copy of the logo, which receivers compare against the file at l= to confirm the two match. If you are starting certificate-free, simply omit the a= tag entirely.

Step 5: Verify and Troubleshoot

Once the record is live, run it through the BIMI record checker to confirm the syntax, the SVG profile, and the certificate all pass before you wait on real inboxes. When the record looks right but the logo still does not show, work through the usual suspects in order:

  • DMARC. The most common cause by far: a policy still at p=none, an sp=none escape hatch on the organizational domain, or individual messages failing DMARC because neither SPF nor DKIM produces an aligned pass.
  • Logo problems. An SVG that fails the Tiny P/S profile, or a logo URL that redirects, requires cookies, blocks automated fetchers, or serves the wrong content type.
  • Certificate issues. An expired VMC, a chain missing its intermediates, a certificate whose embedded logo no longer matches the published SVG, or no certificate at all for a provider that demands one.
  • Causes no record check can see. Providers gate BIMI behind sender reputation, so a new domain or one with spam complaints may have a flawless setup and still show no logo until trust builds. Logos also roll out gradually because of DNS and image caching, so allow time after any change. Some clients show the logo only in certain views, a recipient who has assigned you a contact photo will see that photo instead, and mail landing in the spam folder never earns a logo: BIMI decorates inbox placement, it does not create it.

Setting up BIMI is mostly about doing the prerequisites well. Get DMARC to enforcement, build a logo that respects the profile, add a certificate when you need Gmail or Apple, and publish a clean record. Then give reputation and caching time to catch up, and verify with the checker whenever you make a change.

Tags:BIMIEmail AuthenticationDeliverabilityBrand