BIMI record: how to add your company logo to email

Open Gmail and look at your inbox. Some senders show a logo next to their name. The rest get a colored circle with initials. The difference comes down to one DNS record and a few hours of work. That record is BIMI.

What BIMI is and why it matters

BIMI (Brand Indicators for Message Identification) is an open standard that lets senders specify a logo for display in the email client. The logo loads automatically — recipients do nothing.

The specification is maintained by the BIMI Working Group (AuthIndicators). Provider support has been building for years: Gmail started showing logos in July 2021, Apple Mail added support in iOS 16 and macOS Ventura, Yahoo and Fastmail have been on board since 2018. Outlook ran a pilot in late 2024 for Microsoft 365.

For recipients, a logo next to the sender name is a visual authenticity cue. It is not a silver bullet against phishing, but a phisher cannot put your logo there without controlling your domain's DNS. For senders, Entrust and Red Sift reported open-rate lifts of 10–39% (2023). The range is wide depending on industry and list quality, but the direction is consistent: recognized brands get opened more.

Prerequisite: DMARC at p=quarantine or p=reject

BIMI only works with a strict DMARC policy. If your DMARC record has p=none, providers will ignore the BIMI record entirely. The logic is simple: a provider will only show your brand logo when your domain is protected against spoofing.

Minimum DMARC record for BIMI to work:

_dmarc.yourdomain.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

If you are still on p=none, work up to p=quarantine or p=reject first. The full process is covered in the article on configuring SPF, DKIM, and DMARC. There is no point touching BIMI without strict DMARC in place.

Also verify that SPF and DKIM are configured correctly and that alignment passes. BIMI adds no authentication checks of its own — it relies on the existing stack.

Step 1. Prepare the SVG logo

BIMI accepts logos only in SVG Tiny PS (Portable/Secure) format. This is a subset of SVG 1.2 Tiny with additional restrictions. A regular SVG exported from Figma will not work — it needs to be converted.

File requirements:

• Format: SVG Tiny PS (profile BIMI).
• Square image. The viewBox must be square, for example 0 0 512 512.
• No external references, scripts, animations, or raster embeds.
• Opaque background. Transparency is not allowed — providers will reject the file.
• File size: the recommendation is under 32 KB.

Minimal valid SVG Tiny PS:

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     version="1.2" baseProfile="tiny-ps"
     viewBox="0 0 512 512">
  <title>Your Company</title>
  <rect width="512" height="512" fill="#4c49fa"/>
  <!-- your logo paths here -->
</svg>

Note baseProfile="tiny-ps" and version="1.2". Without them the file fails validation. The <title> tag is required.

For conversion, use the bimi-svg npm package from Fastmail, or the online converter at bimigroup.org/bimi-generator. After converting, validate the result with the BIMI Inspector from BIMI Group.

The file must be reachable via HTTPS. Host it on a CDN or your own server. The URL goes into the DNS record.

https://static.yourdomain.com/brand/logo-bimi.svg

Step 2. VMC certificate (optional, but required for Gmail)

A VMC (Verified Mark Certificate) confirms that the logo belongs to your organization. Think of it as the EV SSL equivalent, but for a trademark.

Gmail requires a VMC to display the logo. Yahoo and Fastmail show it without one. Apple Mail supports both paths, but visually distinguishes VMC-verified senders with a checkmark.

To get a VMC you need:

1. A registered trademark in one of the recognized registries (USPTO, EUIPO, WIPO, and others). The mark must be figurative — text-only marks do not qualify for BIMI.
2. An accredited Certificate Authority. As of early 2026, VMCs are issued by DigiCert and Entrust. Pricing runs from $1,200 to $1,500 per year.
3. A verification process: the CA checks your organization details, trademark registration, and domain control. This typically takes two to four weeks.

The VMC is delivered as a PEM file and must also be reachable over HTTPS. It contains the certificate chain.

https://static.yourdomain.com/brand/vmc.pem

If a VMC is not in the budget yet, do not stop. Set up BIMI without the certificate. The logo will appear in Yahoo, Fastmail, and Apple Mail. Add the VMC when the budget allows, and Gmail coverage follows.

Step 3. Create the BIMI DNS record

The BIMI record is a TXT record in DNS under the subdomain default._bimi. The format is fixed.

Record with VMC (for Gmail)

default._bimi.yourdomain.com.  IN  TXT  "v=BIMI1; l=https://static.yourdomain.com/brand/logo-bimi.svg; a=https://static.yourdomain.com/brand/vmc.pem"

Record without VMC

default._bimi.yourdomain.com.  IN  TXT  "v=BIMI1; l=https://static.yourdomain.com/brand/logo-bimi.svg; a="

Field breakdown:

• v=BIMI1 — version. The only one currently defined.
• l= — URL of the SVG Tiny PS logo. HTTPS required.
• a= — URL of the VMC certificate. Leave empty (a="") if you have no VMC.

The record name is default._bimi.yourdomain.com. The default part is the selector. The spec allows other selectors via the BIMI-Selector header in the message, but in practice everyone uses default.

Step 4. Verify

DNS query

dig TXT default._bimi.yourdomain.com +short

The response should contain a string starting with v=BIMI1. If it is empty, check the record name. A common mistake: missing the default._bimi. prefix, or creating a CNAME instead of a TXT record.

Online tools

• BIMI Inspector (bimigroup.org/bimi-generator) — checks the DNS record, SVG validity, and VMC in one pass.
• mxtoolbox.com/bimi.aspx — familiar interface, checks record presence and logo URL reachability.
• Google Admin Toolbox — verifies the full authentication chain (SPF + DKIM + DMARC + BIMI).

Test message

Send a message to a Gmail account. Open "Show original." In the headers, look for:

Authentication-Results: mx.google.com;
    bimi=pass header.d=yourdomain.com header.selector=default;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourdomain.com

The line bimi=pass means Gmail found and accepted your BIMI record. The logo will appear in the interface. Keep in mind that Gmail-side caching can take up to 48 hours — if the logo does not show immediately, wait.

Common BIMI configuration mistakes

• DMARC at p=none. The BIMI record is there, the SVG is valid, but no logo appears. In 90% of cases the problem is a weak DMARC policy. Move to p=quarantine at minimum.
• SVG not in Tiny PS format. Exported from Illustrator or Figma as a plain SVG. The provider rejects it. Confirm baseProfile="tiny-ps" is present and that no forbidden elements exist (scripts, external links, raster images).
• Transparent background in SVG. The spec disallows transparency. Add a rectangle with a solid fill covering the entire viewBox.
• HTTP instead of HTTPS in the logo URL. Both URLs (logo and VMC) must use HTTPS. HTTP links are ignored.
• Wrong DNS record name. Created the record at _bimi.yourdomain.com without the selector default. The correct name is default._bimi.yourdomain.com.
• VMC issued for the wrong domain. Certificate is for company.com, but BIMI is configured on mail.company.com. The domain in the VMC must match the domain in the From header.

Full dig command checklist

Verify the full authentication chain together with BIMI:

# SPF
dig TXT yourdomain.com +short | grep spf

# DKIM (substitute your selector)
dig TXT s1._domainkey.yourdomain.com +short

# DMARC
dig TXT _dmarc.yourdomain.com +short

# BIMI
dig TXT default._bimi.yourdomain.com +short

# Check SVG reachability
curl -sI https://static.yourdomain.com/brand/logo-bimi.svg | head -5

All four records must return a response. If any one is empty, the chain is incomplete and BIMI will not work.

BIMI for subdomains

If you send from a subdomain (for example, mail.yourdomain.com), create the BIMI record under that subdomain:

default._bimi.mail.yourdomain.com.  IN  TXT  "v=BIMI1; l=https://static.yourdomain.com/brand/logo-bimi.svg; a="

A DMARC policy for the subdomain is also needed — either an explicit record or coverage through the parent domain's sp= tag. The logo file itself can be the same one; the l= URL can point anywhere.

Is BIMI worth the effort

Depends on your situation. If you already have p=reject in DMARC, setting up BIMI without a VMC takes about 30 minutes: prepare the SVG, host it, add the TXT record. The logo shows up in Yahoo, Fastmail, and Apple Mail. For a company with a recognizable brand, that is a small effort for a measurable result.

A VMC costs $1,200–$1,500 per year and requires a registered trademark. For an early-stage startup that may be overkill. For a company sending hundreds of thousands of messages a month and fighting for every percentage point of open rate, it pays back fast.

One thing worth keeping in mind: BIMI sits at the top of the email authentication stack. It only works when everything below it is solid — SPF, DKIM, DMARC, a clean list. If your bounce rate is above 3% or your domain reputation is below medium in Google Postmaster Tools, a logo in the inbox will not help. The messages will not get there.