Why Your BIMI Logo is Not Showing in Gmail
Why Your BIMI Logo is Not Showing in Gmail
You configured your DNS records, published your default._bimi TXT string, and confirmed your logo displays in Yahoo Mail. When you send a test message to a Gmail address, the recipient sees a generic gray silhouette instead of your brand logo.
This behavior is not a DNS propagation issue. Gmail enforces stricter BIMI validation than other mailbox providers. To display your logo in Gmail, you must meet requirements that self-asserted records do not satisfy.
The Reality of Self-Asserted BIMI
The BIMI standard defines two deployment types: Self-Asserted and Certified.
A self-asserted record references an SVG file hosted on your domain, with no cryptographic proof of ownership:
v=BIMI1; l=https://yourdomain.com/logo.svg;
Support for self-asserted records varies by mailbox provider. Yahoo Mail and AOL accept self-asserted records. If your DMARC policy is set to p=quarantine or p=reject and your SVG file conforms to the SVG Tiny P/S profile, Yahoo displays your logo without requiring a certificate [1].
The Gmail Requirement: The Verified Mark Certificate
Gmail does not accept self-asserted BIMI records. To prevent logo spoofing, Google requires cryptographic proof of trademark ownership.
To display your logo in Gmail and Apple Mail, you must obtain a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC) from a WebTrust-accredited Certificate Authority (CA), such as Entrust or DigiCert [2].
During certificate issuance, the CA verifies your organization's legal identity and confirms trademark ownership of the logo. The CA then issues a .pem certificate file that binds the logo to your domain.
The a= Tag Requirement
After you receive the certificate, add the a= tag to your BIMI DNS record. The tag must point to the publicly hosted .pem file:
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/cert.pem;
When Gmail receives a message from your domain, it performs the following checks:
- Verifies the message passes DMARC authentication.
- Retrieves the BIMI TXT record.
- Downloads the certificate from the
a=tag. - Cryptographically validates the certificate against the Root CA.
- Renders the logo and the verified checkmark in the inbox.
If the a= tag is missing or the certificate fails validation, Gmail suppresses the logo and displays the default avatar. No error is returned to the sender.
How to Fix the Issue
A self-asserted record is not sufficient for Gmail. To display your logo across all major mailbox providers, deploy a certified BIMI record.
Step 1: Technical Prerequisites
Before you apply for a VMC, verify your infrastructure meets the requirements. You need a DMARC policy of p=quarantine or p=reject and an SVG Tiny P/S logo file that conforms to the W3C profile. You can generate a compliant SVG and audit your DMARC configuration at makeBIMI.
Step 2: The Certificate Audit
VMC issuance requires trademark verification, identity notarization, and cryptographic key generation. Organizations often use a managed service such as veriBIMI to handle the CA application, compliance documentation, and certificate delivery.
Step 3: Deployment
After the CA issues the certificate, publish it at the URL referenced in the a= tag and update your DNS record. Gmail typically begins displaying your logo and verified checkmark within 48 hours of DNS propagation.
References
[1] AuthIndicators Working Group. "BIMI Implementation Guide." BIMI Group, https://bimigroup.org/implementation-guide/ [2] Google Workspace Admin Help. "Set up BIMI." Google Support, https://support.google.com/a/answer/10911320