Technical Reference · 2026 Edition

The Definitive BIMI Implementation Guide 2026

The authoritative technical reference for BIMI implementation. SVG Tiny P/S specification, DMARC enforcement requirements, VMC vs. CMC certificate landscape, DNS record structure, and a complete implementation checklist.

Last updated July 3, 2026 4 min read

What BIMI Actually Is — And Why It Matters

Brand Indicators for Message Identification (BIMI) is the most significant trust signal in email since DMARC itself. It allows domain owners to display a cryptographically verified brand logo next to every message they send — in Gmail, Yahoo, Apple Mail, and beyond.

This is not a cosmetic feature. BIMI is the visual output of a rigorous, multi-layer authentication chain. You cannot fake it. You cannot buy your way around the underlying security requirements. That is precisely what makes the logo meaningful: it is proof of work.

BIMI was formalized as RFC 9091 by the IETF in July 2021, governed by the AuthIndicators Working Group — a coalition of Gmail, Yahoo, Apple, Fastmail, and Cloudmark. Every major inbox provider has committed to this standard.

BIMI is the visual reward for strict domain security. If you have not enforced DMARC, your logo will not appear — regardless of how perfect your SVG is.

The SVG Tiny P/S Standard — Why It's So Restrictive

BIMI does not accept a standard SVG file. It requires SVG Tiny P/S (Portable/Secure) — a deliberately restrictive XML profile defined specifically for email rendering environments.

Email clients render BIMI logos in a sandboxed context alongside untrusted content from millions of senders. A standard SVG is a powerful format capable of executing scripts, loading external resources, and embedding arbitrary binary data. In an email context, these are attack vectors.

The W3C SVG Tiny P/S profile eliminates these vectors by explicitly forbidding: