The Definitive BIMI Implementation Guide
Everything your team needs to go from zero to a verified logo in the inbox — the SVG specification, the DMARC prerequisite, and the certificate landscape explained in full.
I. What BIMI Actually Is
Brand Indicators for Message Identification (BIMI) is an email specification that allows domain owners to display a verified, authenticated logo next to their messages in supporting email clients. It is not a marketing gimmick — it is the visual output of a rigorous, multi-layer authentication chain.
BIMI was formalized as RFC 9091 (Experimental) by the IETF in July 2021, authored by Seth Blank, Peter Goldstein, and Thede Loder. The standard is governed by the AuthIndicators Working Group, a coalition of Gmail, Yahoo, Apple, Fastmail, and Cloudmark. It sits at the intersection of email security, brand identity, and DNS infrastructure.
The core value proposition is simple: BIMI is the visual reward for strict domain security. You cannot fake it. You cannot buy it without doing the underlying security work. That is precisely what makes the logo meaningful.
II. The SVG Tiny P/S Standard — Why It's So Restrictive
BIMI does not accept a standard SVG file. It requires a file conforming to SVG Tiny P/S (Portable/Secure) — a highly restrictive XML profile defined specifically for use in email rendering environments. Understanding why it is so restrictive is essential to understanding the standard itself.
Email clients render BIMI logos in a sandboxed context alongside untrusted content from millions of senders. A standard SVG file is a powerful, general-purpose format capable of executing scripts, loading external resources, and embedding arbitrary binary data. In an email context, these capabilities are not features — they are attack vectors.
The W3C SVG Tiny P/S profile eliminates these vectors by explicitly forbidding:
- <script> elements and on* event handlers: prevents malicious code injection via email clients. A crafted SVG with an embedded script could exfiltrate session tokens or execute arbitrary JavaScript in a vulnerable mail client.
- <image> tags and xlink:href bitmap references: prevents tracking pixels, external resource loading, and the embedding of raster images that could contain steganographic payloads or bypass content filters.
- Relative dimensions (width="100%"): prevents layout attacks and ensures the logo renders predictably at any size without depending on the surrounding DOM context.
- CSS @import rules and external stylesheets: prevents data exfiltration via CSS-based side-channel attacks and ensures the file is fully self-contained.
- Animations (<animate>, <animateTransform>): prevents distraction, battery drain, and potential timing-based attacks.
The following structural requirements are mandatory for a compliant file:
- The root <svg> element must declare version="1.2" and baseProfile="tiny-ps".
- A square viewBox (1:1 aspect ratio) is required. Non-square logos must be letterboxed.
- A solid, fully opaque background <rect> must cover the entire canvas. Transparent backgrounds are not permitted.
- A <title> element must be present for accessibility.
- The file must be valid, well-formed XML with no parsing errors.
makeBIMI's self-healing engine automatically enforces all of these requirements. It strips forbidden elements, normalizes the viewBox to a 1:1 ratio, injects the mandatory background <rect>, and declares the correct profile attributes — outputting a file that passes strict W3C validation.
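The forbidden constructs and structural requirements listed in this section can be checked mechanically. The sketch below is an added example, not makeBIMI's code and not a full SVG Tiny P/S validator; the function names and the sample file are constructed for illustration, and it only looks for a background <rect> that is a direct child of the root.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/svg}"
FORBIDDEN = {"script", "image", "animate", "animateTransform"}  # elements the page lists

def num(el, attr, default=0.0):  # numeric attribute; non-numeric such as "100%" gives NaN
    try:
        return float(el.get(attr, default))
    except ValueError:
        return float("nan")

def check_tiny_ps(svg_text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        root = ET.fromstring(svg_text)  # for files you do not control, use defusedxml
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    out = []
    if root.get("version") != "1.2" or root.get("baseProfile") != "tiny-ps":
        out.append('root must declare version="1.2" and baseProfile="tiny-ps"')
    try:
        vx, vy, vw, vh = map(float, root.get("viewBox", "").replace(",", " ").split())
    except ValueError:  # missing, wrong number of values, or non-numeric
        vx = vy = vw = vh = float("nan")
    if not (vw == vh and vw > 0):
        out.append("viewBox missing or not square")
    if root.find(NS + "title") is None:
        out.append("missing <title>")
    def is_bg(r):  # filled, fully opaque, and at least as large as the viewBox
        return (r.get("fill") not in ("none", "transparent")
                and num(r, "opacity", 1) >= 1 and num(r, "fill-opacity", 1) >= 1
                and num(r, "x") <= vx and num(r, "x") + num(r, "width") >= vx + vw
                and num(r, "y") <= vy and num(r, "y") + num(r, "height") >= vy + vh)
    if not any(is_bg(r) for r in root.findall(NS + "rect")):
        out.append("no opaque background <rect> covering the canvas")
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        if tag in FORBIDDEN or (tag == "style" and "@import" in (el.text or "")):
            out.append(f"forbidden content in <{tag}>")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1]
            if name.startswith("on") or (name in ("width", "height") and value.strip().endswith("%")):
                out.append(f'forbidden attribute {name}="{value}" on <{tag}>')
    return out
# Constructed sample: wrong profile, 2:1 viewBox, no title or background, script, event handler.
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 200 100">'
           '<script>void 0</script><circle r="40" onclick="void 0"/></svg>')
```

Running check_tiny_ps(BAD_SVG) returns one finding per violated rule, which makes it usable as a pre-publication gate before the file is hosted.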
III. The DMARC Prerequisite — The Non-Negotiable Foundation
BIMI is the visual reward for strict domain security. Before any mail provider will honor your BIMI record and display your logo, your domain must have a fully enforcing DMARC policy. This is not optional, and it cannot be bypassed.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS-published policy that instructs receiving mail servers on what to do with messages that fail SPF or DKIM alignment. The three policy levels are:
- p=none: Monitoring only. No action is taken on failing messages. BIMI will not render. This policy signals that the domain owner has not committed to enforcement.
- p=quarantine: Failing messages are sent to the spam folder. BIMI may render (accepted by most providers, with some requiring pct=100).
- p=reject: Failing messages are rejected outright and never delivered. BIMI will render. This is the gold standard and the policy required by Gmail for VMC-backed display.
The enforcement chain works as follows: SPF authorizes the sending IP, DKIM provides a cryptographic signature, and DMARC requires that at least one of these mechanisms aligns with the RFC5322.From domain. Only when this chain is unbroken — and the policy is at enforcement — does BIMI become meaningful. A logo displayed without this foundation would be trivially spoofable, which is why the requirement exists.
The practical implication: if you are deploying BIMI for the first time, begin by auditing your DMARC record. A p=none policy must be graduated to p=quarantine and ultimately to p=reject before your logo will appear. Use the DNS checker built into this tool to verify your current posture.
IV. The Certificate Landscape — VMC vs. CMC in 2026
The BIMI specification supports two certificate types that bind your verified logo to your domain. Understanding the distinction is critical for planning your deployment, as they differ significantly in requirements, cost, and the level of trust they convey.
Verified Mark Certificate (VMC)
A VMC is the premium certificate tier. It is issued by an accredited Certification Authority — currently Entrust and DigiCert — and requires the applicant to hold a registered trademark for the logo in a recognized jurisdiction (USPTO, EUIPO, UKIPO, and others).
The VMC cryptographically binds the SVG logo to the domain and the trademark registration. It is this binding that enables the official Gmail blue checkmark — the verified sender indicator that appears next to your brand name in Gmail's inbox view. Yahoo Mail and Apple Mail also honor VMCs for their highest-trust display tier.
VMCs are the right choice for: established enterprises, publicly traded companies, brands with existing trademark registrations, and any organization for which the Gmail blue checkmark is a strategic priority.
Common Mark Certificate (CMC)
A CMC is the accessible certificate tier introduced to lower the barrier to BIMI adoption. It does not require a registered trademark. Instead, it verifies domain ownership and logo association — confirming that the entity controlling the domain has authorized the use of the logo, without requiring trademark registration as proof of identity.
CMCs are issued by an expanding set of CAs and are accepted by Yahoo Mail, Apple Mail, and Fastmail. As of 2026, Gmail does not display the blue checkmark for CMC-backed BIMI records, though logo display in other clients is supported.
CMCs are the right choice for: startups, SMBs, creators, non-profits, and any brand that wants verified logo display in the inbox without the cost and timeline of trademark registration.
VMC:
- ✓ Registered trademark required
- ✓ Gmail blue checkmark
- ✓ Yahoo, Apple, Fastmail
- ✓ Highest trust tier
CMC:
- ✓ No trademark required
- ✗ Gmail checkmark not included
- ✓ Yahoo, Apple, Fastmail
- ✓ Accessible to all brands
V. The DNS Record
A BIMI record is a DNS TXT record published at a specific subdomain of your sending domain. The standard location uses the default selector:
The record contains three tags: v=BIMI1 (version), l= (the Logo URI — a publicly accessible HTTPS URL pointing to your SVG Tiny P/S file), and a= (the Authority Evidence Location — the HTTPS URL of your VMC or CMC certificate PEM file). The a= tag is required for certificate-backed display; omitting it limits BIMI to logo-only mode where supported.
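The DMARC prerequisite from section III and the three BIMI tags described here can be audited together from the two TXT record strings. This is an added example, not code from the tool this page describes; the function names are hypothetical and the records are constructed for the placeholder domain example.com.

```python
from urllib.parse import urlsplit

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record; DMARC and BIMI share this shape."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def is_https(uri):
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc)

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (problems, certificate_backed) for one domain's two TXT records."""
    problems = []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record (v=DMARC1)")
    policy = dmarc.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy} is not an enforcing policy")
    if dmarc.get("pct", "100") != "100":  # pct defaults to 100 when the tag is absent
        problems.append(f"DMARC pct={dmarc['pct']} is below 100")
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record (v=BIMI1)")
    if not is_https(bimi.get("l", "")):
        problems.append("l= must be an HTTPS URL to the SVG Tiny P/S logo")
    evidence = bimi.get("a", "")
    if evidence and not is_https(evidence):
        problems.append("a= must be an HTTPS URL to the VMC/CMC PEM file")
    # An empty or missing a= is not an error: it limits display to logo-only mode.
    return problems, is_https(evidence)

# Constructed sample records for the placeholder domain example.com.
DMARC_MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCING = "v=DMARC1; p=reject; pct=100"
BIMI_LOGO_ONLY = "v=BIMI1; l=https://example.com/bimi/logo.svg; a="
BIMI_WITH_CERT = ("v=BIMI1; l=https://example.com/bimi/logo.svg; "
                  "a=https://example.com/bimi/cert.pem")
```

Feed it the TXT strings returned by your resolver for _dmarc.yourdomain.com and default._bimi.yourdomain.com; a non-empty problems list means the logo will not be honored.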
VI. Hosting & Infrastructure Requirements
The BIMI SVG file must be served from a stable, publicly accessible HTTPS endpoint. Key requirements: a valid TLS certificate (no self-signed), an HTTP 200 OK response with Content-Type: image/svg+xml, no authentication or access control on the URL, and high availability (CDN hosting is strongly recommended). File size should be kept under 32 KB for optimal compatibility across all providers.
VII. Implementation Checklist
- SPF record published and passing for all authorized sending IPs
- DKIM signing enabled with d= tag aligned to the From domain
- DMARC policy at p=quarantine or p=reject with pct=100
- SVG Tiny P/S file created, validated, and hosted over HTTPS
- VMC or CMC certificate obtained and hosted over HTTPS (for certificate-backed display)
- BIMI DNS TXT record published at default._bimi.yourdomain.com
- Record verified using the DNS checker in this tool or the BIMI Group Inspector
- End-to-end test email sent to a Gmail or Yahoo account to confirm logo display