Open Gmail and scan your inbox. Most senders show a grey circle with a letter in it. A few — your bank, a big retailer, maybe a newsletter you trust — show their actual logo, sometimes with a blue checkmark beside the name. That logo is BIMI at work, and it's one of the most misunderstood things in email.
It looks like something you'd switch on by uploading an image. It isn't. The logo is the visible end of a chain that starts deep in your email authentication, and the overwhelming majority of domains never reach it — one analysis of 13,000 domains found that more than 90% had no BIMI record at all. Here's the whole chain, and what it actually takes.
What BIMI actually is
BIMI — Brand Indicators for Message Identification — is a DNS-based standard that lets a supporting inbox display your brand's logo next to the emails you send. You publish a record telling providers where your logo lives and how to verify it; providers that trust the result show the logo. The point is trust: a recognisable mark, shown before the message is even opened, on mail that has been properly authenticated.
The supporting inboxes today include Gmail, Apple Mail, Yahoo, Fastmail, and AOL. Microsoft's Outlook is a notable holdout.
It rides on DMARC — and there are no shortcuts
This is the part people skip past, and it's the whole foundation. Before any provider will show your logo, your domain has to pass DMARC at enforcement — a policy of p=quarantine or p=reject, applied to all your mail. A monitoring-only policy of p=none does not qualify. Full stop.
Reaching enforcement means your authentication has to be genuinely in order first: SPF and DKIM set up, aligned, and passing for every legitimate source that sends as your domain. Tighten the policy before that's true and you'll start blocking your own mail. So BIMI is best understood as a reward — the visible payoff for doing the unglamorous work of email authentication correctly. Most providers also want to see your domain sitting at enforcement for around 30 days before they'll pull your logo.
The DNS record
Once you qualify, BIMI itself is a single TXT record, published at default._bimi.yourdomain.com, that looks roughly like this:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
The l= tag points to your logo, and the optional a= tag points to a certificate that vouches for it. Those two assets are where the real requirements hide.
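The two gates described so far, DMARC at enforcement and a well-formed BIMI record, can be checked offline from the TXT strings themselves. This is an added example, not code from the original page; the sample records are constructed, and reading "applied to all your mail" as the DMARC `pct` tag being 100 (its default) is an assumption.

```python
# Added example: evaluate DMARC and BIMI TXT records (constructed samples, no DNS lookups).
from urllib.parse import urlparse

DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"       # constructed
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"    # constructed
BIMI_CERT = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
BIMI_SELF = "v=BIMI1; l=https://example.com/logo.svg"

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_at_enforcement(dmarc_txt):
    """True only for p=quarantine or p=reject covering all mail."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return False
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    # Assumption: "all your mail" means pct=100, which is the default when absent.
    return tags.get("pct", "100") == "100"

def https_url(value):
    u = urlparse(value)
    return u.scheme == "https" and bool(u.netloc)

def assess_bimi(dmarc_txt, bimi_txt):
    """Return (status, problems) for one domain's pair of records."""
    problems = []
    if not dmarc_at_enforcement(dmarc_txt):
        problems.append("DMARC is not at enforcement")
    tags = parse_tags(bimi_txt)
    if tags.get("v") != "BIMI1":
        problems.append("missing v=BIMI1")
    if not https_url(tags.get("l", "")):
        problems.append("l= is not an HTTPS URL")
    cert = tags.get("a", "")
    if cert and not https_url(cert):
        problems.append("a= is not an HTTPS URL")
    if problems:
        return "not eligible", problems
    return ("certificate-backed" if cert else "self-asserted"), problems
```

A "self-asserted" result corresponds to a record with no `a=` tag; a p=none policy fails the check regardless of how complete the BIMI record is.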
The logo: not just any image
BIMI is fussy about the logo, for good reason — it's going to be rendered inside other people's inboxes. PNG and JPEG are out, and so is an ordinary SVG. You need a specific, locked-down profile called SVG Tiny Portable/Secure (SVG Tiny PS), which strips out scripts and external references so the file can't carry anything malicious. It has to be a perfect square, kept under 32 KB, and ideally a simple, centred mark that still reads clearly at the size of a profile icon.
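A pre-flight lint for the constraints above (size, square shape, no scripts, no external references), as an added example that is not from the original page. It is not a full SVG Tiny PS validator: it checks the `baseProfile="tiny-ps"` attribute that profile uses, treats a square `viewBox` as the test for "perfect square" (an assumption), and runs on constructed sample logos.

```python
# Added example, not from the original page; sample logos are constructed.
# For untrusted files prefer a hardened parser such as defusedxml.
import xml.etree.ElementTree as ET

MAX_BYTES = 32 * 1024
SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            b'baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example</title>'
            b'<circle cx="50" cy="50" r="40"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 100">'
           b'<script>1</script><image xlink:href="https://example.com/a.png"/></svg>')

def lint_bimi_svg(data):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    if len(data) >= MAX_BYTES:
        problems.append("file is not under 32 KB")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return problems + ["not well-formed XML"]
    if root.tag != SVG + "svg":
        return problems + ["root element is not <svg>"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        _, _, w, h = (float(x) for x in box)  # wrong count also raises ValueError
        square = w == h and w > 0
    except ValueError:
        square = False
    if not square:
        problems.append("viewBox is missing or not square")
    for el in root.iter():
        name = el.tag.split("}")[-1]
        if name == "script" or any(a.lower().startswith("on") for a in el.attrib):
            problems.append(f"script content in <{name}>")
        href = el.get("href") or el.get(XLINK_HREF) or ""
        if href and not href.startswith("#"):
            problems.append(f"<{name}> references an external resource")
    return problems
```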
The certificate: where it gets expensive
For the providers that matter most, a logo on its own isn't enough — they want proof the logo is really yours. That proof is a Verified Mark Certificate (VMC): a specialised X.509 certificate, the same underlying technology as a website's TLS certificate, that cryptographically binds your registered trademark to your domain. You apply through an authorised authority — DigiCert, Entrust, Sectigo, and a couple of others — which validates your business and checks your logo against the trademark on file before issuing it.
This is the friction point. A VMC requires a trademark registered with a recognised office such as the USPTO or EUIPO, costs somewhere in the region of $1,000 to $1,700 a year, and — like the TLS certificates we've covered before — has a deliberately short life, capped at 397 days, so it needs renewing annually. In Gmail, only a VMC earns the blue authenticated checkmark next to your name.
CMC: the path without a trademark
The trademark requirement shut a lot of organisations out, so in late 2024 a cheaper alternative arrived: the Common Mark Certificate (CMC). Instead of a registered trademark, a CMC asks you to prove your logo has been publicly displayed on your domain for at least 12 months — verifiable history rather than legal registration. It runs a little cheaper, roughly $650 to $1,100 a year, and Gmail has accepted CMCs since 2024.
The trade-off: a CMC gets your logo shown, but it does not earn Gmail's blue checkmark — that stays reserved for VMCs. For a small business without a trademark, it's often the sensible middle path.
Which inboxes actually show it
Support is real but uneven, and worth knowing before you spend anything:
- Gmail — needs a VMC or a CMC to show your logo; the blue checkmark requires a VMC.
- Apple Mail (iOS 16 / macOS Ventura and later) — displays BIMI logos and expects a mark certificate.
- Yahoo, AOL, and Fastmail — will show a "self-asserted" logo from the DNS record alone, with no certificate at all. This is the free way to test the waters.
- Outlook — no meaningful BIMI support yet.
And one constant across all of them: displaying your logo is always the provider's call. Even with a flawless record and a valid certificate, they weigh your sending reputation and volume, and can simply decline to show it.
What BIMI is — and what it isn't
It's tempting to sell BIMI as an anti-phishing tool. It isn't one, not directly. A logo can't stop a spoofed message — what stops spoofing is the DMARC enforcement that BIMI forces you to put in place first. The security win is the authentication; the logo is just the visible receipt for it. Read that way, BIMI's real value is as an incentive: it gives marketing and leadership a concrete, attractive reason to finish the DMARC project that security has wanted all along.
The engagement upside is genuine but softer than the headlines suggest. Vendors and brand studies report higher open rates and stronger recognition when a verified logo is present, and the direction is plausible — a familiar mark in a sea of grey circles does stand out. Just treat the specific percentages with care, since most of them come from companies that sell BIMI services.
The takeaway
BIMI is the cherry on top of a well-run domain, not a feature you bolt on in an afternoon. Get SPF, DKIM, and DMARC right and reach enforcement; prepare a compliant SVG Tiny PS logo; then decide how far to go — a VMC for the Gmail checkmark, a CMC for a cheaper logo without it, or a self-asserted record to light up Yahoo and Fastmail for free. Do that, and your brand shows up where it counts. You can check whether a domain's BIMI record and the DMARC policy underneath it are in order with our BIMI & DMARC checker.