The BIMI DNS Record: The l= and a= Tags Explained
A complete technical reference for BIMI TXT record syntax, covering the l= logo tag and a= certificate tag, supported configurations, and common misconfigurations.
The Complete BIMI DNS Record
A BIMI (Brand Indicators for Message Identification) DNS record is a single TXT record that tells participating email clients where to find your brand logo and — when required — the certificate that proves you own it. Getting the syntax exactly right is non-negotiable: a single malformed tag causes silent failure with no bounce, no error log, and no logo.
This article covers every component of the BIMI TXT record, the rules governing each tag, the three canonical record configurations, and the misconfigurations that silently break logo display.
Prerequisites
Before publishing a BIMI record, confirm the following are in place:
- DMARC policy is set to
p=quarantineorp=rejectwith at leastpct=100(or equivalent enforcement). - Your logo file is in SVG Tiny P/S format and hosted at a publicly accessible HTTPS URL.
- If targeting Gmail or Apple Mail, you have a valid VMC (Verified Mark Certificate) or CMC (Common Mark Certificate) in PEM format, also hosted at a publicly accessible HTTPS URL.
BIMI Record Structure
A BIMI TXT record follows this general syntax:
v=BIMI1; l=<logo-url>; a=<certificate-url>
| Tag | Name | Required | Description |
|-----|------|----------|-------------|
| v= | Version | Yes | Always BIMI1. |
| l= | Logo URL | Yes | HTTPS URL pointing to your SVG Tiny P/S logo file. |
| a= | Authority Evidence | Conditional | HTTPS URL pointing to your VMC or CMC in PEM format. Required for Gmail and Apple Mail. |
The record is published as a DNS TXT record at the following subdomain:
default._bimi.<yourdomain.com>
Note: The default selector is the standard selector used by all major email clients. Custom selectors are supported by the specification but are not yet widely implemented by receivers.
The l= Tag: Logo URL
What It Does
The l= tag provides the URL from which receiving mail clients fetch your brand logo. When a message passes DMARC alignment, the client retrieves this file and renders it alongside the sender name.
Requirements
- Protocol: Must be
https://. HTTP URLs are rejected. - Accessibility: The URL must be publicly accessible — no authentication, no redirects, no geo-blocking. Mail servers fetch this URL from their own infrastructure, not from a browser.
- File format: The file must conform to SVG Tiny P/S (Portable/Secure), a restricted subset of SVG 1.2 Tiny. Standard SVG files will fail validation even if they render correctly in a browser.
- Content-Type header: The server must return
image/svg+xml. - File size: Keep the file under 32 KB. Some receivers enforce stricter limits.
SVG Tiny P/S Key Restrictions
SVG Tiny P/S prohibits the following elements and attributes commonly found in standard SVG files:
- External references (
,xlink:hrefpointing outside the file) - Scripts (
) - Animations (
,) - Raster image embeds
- Arbitrary fonts (system fonts only, or text converted to paths)
Important: A file that is valid SVG but not valid SVG Tiny P/S will cause logo display to fail silently on most clients. Always validate with a dedicated BIMI SVG checker before publishing.
Setting l= to Empty
The specification permits l= with an empty value (l=;) to explicitly opt out of BIMI display for a domain while still publishing a record. This is an edge case used in subdomain suppression scenarios.
The a= Tag: Authority Evidence (Certificate URL)
What It Does
The a= tag points to a Mark Verifying Certificate (VMC) or Common Mark Certificate (CMC) in PEM format. This certificate cryptographically binds your logo to your domain and is issued by an accredited Certification Authority (CA). Receiving mail clients fetch this certificate, validate the chain, and confirm the embedded logo matches the l= URL before displaying the mark.
Requirements
- Protocol: Must be
https://. HTTP URLs are rejected. - Accessibility: Publicly accessible with no authentication or redirects.
- Format: PEM-encoded certificate chain (
.pem). The file must include the full chain from the end-entity certificate to the trusted root. - Chain of trust: The certificate must chain to a trusted root CA recognised by the receiving mail provider. Self-signed certificates are not accepted.
- Logo hash match: The SVG file at
l=must match the logo hash embedded in the certificate. Updating your logo without reissuing the certificate breaks display. - Validity: The certificate must not be expired or revoked.
VMC vs CMC
| Certificate Type | Full Name | Trademark Required | Issued By | |---|---|---|---| | VMC | Verified Mark Certificate | Yes — registered trademark | DigiCert, Entrust | | CMC | Common Mark Certificate | No — common law mark accepted | DigiCert, Entrust |
CMCs lower the barrier to entry by removing the trademark registration requirement, making BIMI with certificate verification accessible to a broader set of organisations.
Self-Asserted vs Certified Records
Self-Asserted Record (l= only, no a=)
A self-asserted record contains only the l= tag. No certificate is referenced.
default._bimi.example.com. IN TXT "v=BIMI1; l=https:class="hl-cmt">//bimi.example.com/logo.svg;"
Where it works:
- Yahoo Mail / AOL Mail: Displays the logo without a certificate, provided DMARC is enforced.
- Fastmail: Supports self-asserted records.
Where it does not work:
- Gmail: Requires a valid VMC or CMC. Self-asserted records are ignored.
- Apple Mail: Requires a valid VMC or CMC. Self-asserted records are ignored.
- Microsoft Outlook (365): Uses its own BIMI-adjacent system (BIMI is not currently supported natively).
Summary: A self-asserted record is a valid starting point and delivers value on Yahoo Mail, but it will not unlock logo display on Gmail or Apple Mail.
VMC Record (Verified Mark Certificate)
Use this configuration when you hold a registered trademark and have obtained a VMC from an accredited CA.
default._bimi.example.com. IN TXT "v=BIMI1; l=https:class="hl-cmt">//bimi.example.com/logo.svg; a=https://bimi.example.com/vmc.pem;"
Supported by: Gmail, Yahoo Mail, Apple Mail, Fastmail, and all other BIMI-participating clients.
CMC Record (Common Mark Certificate)
Use this configuration when you have obtained a CMC. The DNS record syntax is identical to a VMC record — the distinction is in the certificate itself, not the DNS record.
default._bimi.example.com. IN TXT "v=BIMI1; l=https:class="hl-cmt">//bimi.example.com/logo.svg; a=https://bimi.example.com/cmc.pem;"
Supported by: Gmail (as of CMC support rollout), Yahoo Mail, Apple Mail, Fastmail.
Note: Always confirm current CMC support status with your target mail clients, as rollout timelines vary by provider.
Common Misconfigurations
1. Broken a= URL Causes Silent Failure
This is the most damaging and