Technical Reference · 2026 Edition

Apple Mail BIMI Support: iOS and macOS Requirements Explained

Apple Mail enforces BIMI with Verified Mark Certificates (VMC) on iOS and macOS. Learn the exact requirements, how the 'Digitally Certified' header works, and why Apple's implementation makes VMC non-negotiable for B2C brands.

Last updated min read

Apple Mail. Certified.

Apple Mail's BIMI implementation is one of the most consequential developments in email authentication since DMARC became an industry standard. Unlike some mailbox providers that display brand logos on a best-effort basis, Apple enforces a strict, certificate-backed model. If your organisation sends to consumers, understanding Apple's requirements is not optional.

This article explains exactly how Apple Mail handles BIMI, what the Verified Mark Certificate (VMC) requirement means in practice, and why Apple's adoption has fundamentally changed the calculus for B2C email programmes.


What Apple Mail actually does with BIMI

Apple introduced BIMI support across iOS 16, iPadOS 16, and macOS Ventura (13). The implementation differs from Google's in one critical way: Apple does not display a BIMI logo without a valid VMC. There is no fallback rendering for self-asserted BIMI records.

When a qualifying message arrives, Apple Mail:

  1. Reads the sender domain's BIMI DNS TXT record.
  2. Fetches the SVG logo file referenced in the l= tag.
  3. Fetches the VMC referenced in the a= tag.
  4. Validates the VMC against the issuing Certificate Authority (DigiCert or Entrust).
  5. Confirms the logo embedded in the VMC matches the logo served at the l= URL.
  6. Renders the logo in the sender avatar position and displays the "Digitally Certified" header indicator.

If any step fails — invalid certificate, mismatched logo, expired VMC, or missing a= tag — Apple Mail renders no logo. The message falls back to a standard initial or generic avatar.


The "Digitally Certified" indicator

The "Digitally Certified" label is Apple's trust signal to end users. It appears as a badge or header annotation within the message view on both iOS and macOS Mail, indicating that:

  • The sender's identity has been verified by a trusted Certificate Authority.
  • The displayed logo is cryptographically bound to the sending domain.
  • The email passed DMARC authentication at the p=quarantine or p=reject policy level.

This indicator is distinct from, and additive to, the logo itself. It gives recipients a clear, human-readable signal that the brand identity has been independently validated — not simply claimed by the sender.

Important: The "Digitally Certified" label only appears when a valid VMC is present. A BIMI record without a VMC a= tag produces no visual output in Apple Mail.

Full technical requirements for Apple Mail BIMI display

Meet all of the following requirements for your logo to render in Apple Mail.

1. DMARC policy

  • A valid DMARC record must exist at _dmarc.yourdomain.com.
  • The policy must be set to p=quarantine or p=reject.
  • p=none does not qualify, regardless of alignment.

2. SPF and DKIM alignment

  • The sending domain must pass DKIM alignment or SPF alignment (or both) as defined in your DMARC record.
  • DKIM alignment is strongly preferred. SPF alignment alone is considered less reliable due to forwarding behaviour.

3. BIMI DNS record

  • A TXT record must exist at default._bimi.yourdomain.com.
  • The record must include both the l= tag (SVG URL) and the a= tag (VMC URL).
  • Example:
text
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/vmc.pem"

4. SVG logo file

  • The logo must conform to the BIMI SVG Tiny P/S profile (SVG Tiny 1.2, Portable/Secure subset).
  • The file must be served over HTTPS with a valid TLS certificate.
  • The SVG must be square (1:1 aspect ratio) with no external references or scripts.
  • The logo embedded within the VMC must be byte-for-byte identical to the file served at the l= URL.

5. Verified Mark Certificate (VMC)

  • A VMC must be issued by an approved CA: DigiCert or Entrust.
  • The VMC must be issued to the exact domain used in the From: header of outgoing mail.
  • The trademark or registered mark underlying the VMC must be active and registered in a recognised jurisdiction.
  • The VMC must not be expired.
  • The .pem file must be served over HTTPS and remain publicly accessible.

6. iCloud Mail infrastructure note

Apple processes BIMI validation through its own mail infrastructure, including for iCloud Mail (@icloud.com, @me.com, @mac.com) accounts. Third-party senders reaching iCloud Mail recipients are subject to the same VMC requirement. There is no separate or relaxed policy for iCloud-hosted domains.


Why Apple's implementation makes VMC a necessity for B2C brands

Before Apple's adoption, a brand could reasonably argue that BIMI without a VMC was sufficient — Google's Gmail displayed logos for VMC-backed records, and some providers rendered logos on a best-effort basis without certificates. That argument no longer holds.

Consider the following:

  1. Apple Mail market share is significant. Apple Mail consistently ranks as one of the top two email clients globally by open share, with iOS Mail alone accounting for a substantial proportion of consumer opens in North America, Western Europe, and Australia. Ignoring Apple Mail means ignoring a large segment of your recipient base.
  1. Apple's model is binary. There is no partial rendering. Either you have a VMC and your logo displays with the "Digitally Certified" indicator, or you have nothing. A BIMI record without a VMC is invisible to Apple Mail users.
  1. The VMC requirement is now the de facto industry standard. With both Google (for certain senders) and Apple requiring VMCs for logo display, the BIMI Working Group's certificate-backed model has become the practical standard — not an optional enhancement.
  1. Consumer trust signals compound. The "Digitally Certified" label in Apple Mail, combined with logo display in Gmail and other providers, creates a consistent, authenticated brand presence across the inbox. Brands that invest in VMC see this signal across multiple platforms simultaneously.
  1. Phishing and brand impersonation risk. A VMC cryptographically binds your logo to your domain. Without it, your brand identity in the inbox is unverified. Apple's enforcement model directly addresses this attack surface.

Common implementation errors that break Apple Mail BIMI

The following errors are the most frequently observed causes of BIMI failure in Apple Mail specifically:

| Error | Effect | |---|---| | Missing a= tag in BIMI DNS record | No logo rendered; Apple requires VMC tag | | SVG served over HTTP (not HTTPS) | Fetch fails; no logo rendered | | SVG does not conform to BIMI Tiny PS profile | Certificate validation fails | | VMC issued to subdomain, mail sent from root domain | Domain mismatch; certificate invalid | | VMC expired | Validation fails immediately | | Logo in VMC differs from logo at l= URL | Mismatch detected; no logo rendered | | DMARC policy set to p=none | Does not qualify; no logo rendered |


Verifying your BIMI configuration for Apple Mail

Before expecting logo display in Apple Mail, validate the following:

  1. Check your DMARC record — confirm p=quarantine or p=reject is set and alignment is passing for your sending streams.
  2. Validate your SVG — use a BIMI-specific SVG validator to confirm Tiny PS compliance before submitting for VMC issuance.
  3. Confirm VMC domain scope — ensure the VMC covers the exact