The Definitive BIMI Implementation Guide 2026
The authoritative technical reference for BIMI implementation. SVG Tiny P/S specification, DMARC enforcement requirements, VMC vs. CMC certificate landscape, DNS record structure, and a complete implementation checklist.
What BIMI Actually Is — And Why It Matters
Brand Indicators for Message Identification (BIMI) is the most significant trust signal in email since DMARC itself. It allows domain owners to display a cryptographically verified brand logo next to every message they send — in Gmail, Yahoo, Apple Mail, and beyond.
This is not a cosmetic feature. BIMI is the visual output of a rigorous, multi-layer authentication chain. You cannot fake it. You cannot buy your way around the underlying security requirements. That is precisely what makes the logo meaningful: it is proof of work.
BIMI was formalized as RFC 9091 by the IETF in July 2021, governed by the AuthIndicators Working Group — a coalition of Gmail, Yahoo, Apple, Fastmail, and Cloudmark. Every major inbox provider has committed to this standard.
BIMI is the visual reward for strict domain security. If you have not enforced DMARC, your logo will not appear — regardless of how perfect your SVG is.
The SVG Tiny P/S Standard — Why It's So Restrictive
BIMI does not accept a standard SVG file. It requires SVG Tiny P/S (Portable/Secure) — a deliberately restrictive XML profile defined specifically for email rendering environments.
Email clients render BIMI logos in a sandboxed context alongside untrusted content from millions of senders. A standard SVG is a powerful format capable of executing scripts, loading external resources, and embedding arbitrary binary data. In an email context, these are attack vectors.
The W3C SVG Tiny P/S profile eliminates these vectors by explicitly forbidding:
- <script> elements and on* event handlers — prevents malicious code injection via email clients
- <image> tags and embedded bitmap data — prevents tracking pixels and raster data embedding. This prohibition is absolute.
- Relative dimensions (width="100%") — prevents layout attacks
- CSS @import rules and external stylesheets — prevents CSS-based side-channel attacks
- Animations — prevents distraction and timing-based attacks
Mandatory Structural Requirements
- Root <svg> must declare version="1.2" and baseProfile="tiny-ps"
- Square viewBox (1:1 aspect ratio) required
- Solid, fully opaque background <rect> covering the entire canvas
- <title> element required
- Valid, well-formed XML

<svg xmlns="http://www.w3.org/2000/svg"
     version="1.2"
     baseProfile="tiny-ps"
     viewBox="0 0 100 100">
  <title>Brand Logo</title>
  <rect width="100" height="100" fill="#ffffff"/>
  <!-- Pure vector paths only -->
</svg>
makeBIMI's self-healing engine enforces all requirements automatically. For raster uploads (PNG, JPG), it runs a true vectorization pipeline — Sharp preprocessing followed by Potrace tracing — producing pure <path> elements with zero embedded pixels.
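The forbidden constructs and structural requirements listed in this section can be checked mechanically before a logo is published. The Python sketch below is an added example, not makeBIMI's code or part of the original guide. Assumptions: the function names, the animation element names in FORBIDDEN, and the constructed BAD sample; it does not test for the opaque background or for external stylesheet links.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
# Element names are assumptions mapped from the page's list ("Animations" etc.).
FORBIDDEN = {"script", "image", "animate", "animateMotion", "animateTransform", "set"}

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def check_tiny_ps(svg_text):
    """Return the page's SVG Tiny P/S rules that svg_text violates (empty = pass)."""
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DTD/entity declarations refused before parsing"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != SVG + "svg":
        problems.append("root is not <svg> in the SVG namespace")
    for attr, want in (("version", "1.2"), ("baseProfile", "tiny-ps")):
        if root.get(attr) != want:
            problems.append(f'root must declare {attr}="{want}"')
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        square = len(box) == 4 and float(box[2]) == float(box[3]) > 0
    except ValueError:
        square = False
    if not square:
        problems.append("viewBox must be square (1:1)")
    if root.find(SVG + "title") is None:
        problems.append("<title> element required")
    for el in root.iter():
        tag = local(el.tag)
        if tag in FORBIDDEN:
            problems.append(f"forbidden element <{tag}>")
        if tag == "style" and "@import" in (el.text or ""):
            problems.append("CSS @import in <style>")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):
                problems.append(f"event handler {name} on <{tag}>")
            if name in ("width", "height") and value.strip().endswith("%"):
                problems.append(f"relative {name}={value!r} on <{tag}>")
    return problems

# Constructed sample that breaks several rules at once.
BAD = '<svg xmlns="http://www.w3.org/2000/svg" width="100%" onload="x()"><script/><image/></svg>'
```

Calling check_tiny_ps on the sample SVG from this section returns an empty list; on BAD it returns one entry per broken rule.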
The DMARC Prerequisite — The Non-Negotiable Foundation
Before any mail provider will honor your BIMI record, your domain must have a fully enforcing DMARC policy.
- p=none — Monitoring only. BIMI will not render.
- p=quarantine — Failing messages sent to spam. BIMI may render.
- p=reject — Failing messages rejected. BIMI will render. Required by Gmail for VMC-backed display.
Correct DMARC record for BIMI eligibility:
_dmarc.example.com IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com;"
Use the Domain Audit tool to verify your DMARC posture instantly.
The Certificate Landscape — VMC vs. CMC in 2026
Verified Mark Certificate (VMC)
Issued by Entrust or DigiCert against a registered trademark. Enables the official Gmail Blue Checkmark. Required for Gmail display. Right choice for: enterprises, publicly traded companies, brands with existing trademark registrations.
Common Mark Certificate (CMC)
No trademark required. Verifies domain ownership and logo association. Accepted by Yahoo Mail, Apple Mail, and Fastmail. Right choice for: startups, SMBs, creators, and any brand building toward a VMC.
The bottom line: if Gmail is your primary target, you need a VMC. Start with a CMC if you want broad coverage while building toward it.
The DNS Record
default._bimi.example.com IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem"
- v=BIMI1 — version tag
- l= — Logo URI: publicly accessible HTTPS URL to your SVG Tiny P/S file
- a= — Authority Evidence Location: HTTPS URL to your VMC or CMC certificate PEM file
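The DMARC prerequisite and the BIMI record tags described above can be checked together from the two TXT payloads. This Python sketch is an added example, not part of the original guide or of any tool it mentions. Assumptions: the function names, the constructed weak records, and taking the TXT strings as input instead of querying DNS.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT payload into a dict (keys lowercased)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_https(url):
    """True only for an absolute https:// URL with a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return a list of problems; empty means both records match this guide."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing v=DMARC1")
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or '(absent)'} is not enforcing")
    # pct defaults to 100 when the tag is absent (RFC 7489).
    if dmarc.get("pct", "100") != "100":
        problems.append(f"DMARC pct={dmarc['pct']} covers only part of the mail")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    if not is_https(bimi.get("l", "")):
        problems.append("BIMI l= must be an HTTPS URL to the SVG")
    if not is_https(bimi.get("a", "")):
        problems.append("BIMI a= must be an HTTPS URL to the VMC/CMC PEM")
    return problems

# Records as published on this page.
DMARC_OK = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com;"
BIMI_OK = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem"
# Constructed weak pair: monitoring-only policy, plain-HTTP logo, no certificate.
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
BIMI_WEAK = "v=BIMI1; l=http://example.com/logo.svg"
```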
Hosting & Infrastructure Requirements
- Valid TLS certificate (no self-signed)
- HTTP 200 OK with Content-Type: image/svg+xml
- No authentication on the SVG URL
- CDN hosting strongly recommended
- File size under 32 KB
Implementation Checklist
- SPF record published and passing for all authorized sending IPs
- DKIM signing enabled with d= tag aligned to the From domain
- DMARC policy at p=quarantine or p=reject with pct=100
- SVG Tiny P/S file created, validated, and hosted over HTTPS
- VMC or CMC certificate obtained and hosted over HTTPS
- BIMI DNS TXT record published at default._bimi.yourdomain.com
- Record verified using the Domain Audit tool
- End-to-end test email sent to Gmail or Yahoo to confirm logo display