BIMI: your logo in the inbox, earned by good authentication
BIMI shows your brand logo beside the messages you send in supporting inboxes. It is the visible reward for getting DMARC right, and a signal recipients can trust at a glance.
Your brand shown beside every message
At enforcement first, or BIMI does nothing
A verified mark that unlocks the major inboxes
A trust signal recipients actually see
Most email security is invisible. SPF, DKIM and DMARC all do their work behind the scenes, and a recipient never sees the difference between a genuine message and a well-made fake until it is too late. BIMI (Brand Indicators for Message Identification) turns some of that protection into something people can see: your official brand logo, shown right next to your name in the inbox.
The important part is that the logo is earned, not simply declared. An inbox will only display it once your domain is authenticating properly and enforcing a DMARC policy, so the badge becomes a shorthand for “this domain has done the work.” It lifts recognition and open rates, and it makes a spoofed message that carries no logo stand out by its absence.
Why this matters, whoever you are
- BIMI makes your genuine mail recognisable at a glance, and impersonation more obvious.
- Running your own domains? It rewards the DMARC work you have already done with better recognition and trust.
- Managing clients? It is a visible, sellable outcome you can point a client to once their authentication is in order.
How it works: a logo, published and verified
You publish a small DNS record that points to a specially formatted version of your logo. Supporting inboxes read it, confirm your domain is enforcing DMARC, and then show your logo beside your messages. The larger inboxes add one more requirement before they display it: proof that the logo is really yours.
The record, the logo and the certificate
BIMI lives in a DNS record at default._bimi.<your-domain>. It points to your logo, published as an SVG in the tightly constrained SVG Tiny 1.2 PS profile so every inbox renders it the same way.
A BIMI record looks roughly like this:
default._bimi.example.com. TXT "v=BIMI1; l=https://…/logo.svg; a=https://…/vmc.pem"
The l= value is your logo. The optional a= value is a Verified Mark Certificate (VMC), issued by a certificate authority after they confirm you own the trademark for the logo. Gmail and Apple Mail require a VMC before they will show your mark; other inboxes will display a logo without one.
What an inbox checks before it shows your logo
- That your domain enforces DMARC (p=quarantine or p=reject)
- That a BIMI record exists and points to a valid logo
- That the logo meets the SVG Tiny 1.2 PS profile
- For Gmail and Apple, that a valid VMC backs the logo
- If all pass, your logo appears beside your mail
BIMI is the reward for enforcing DMARC
BIMI is not a shortcut. An inbox will only trust your logo once you are enforcing a DMARC policy, because the logo is only meaningful if fakes are already being rejected. That makes BIMI a natural next step rather than a starting point: get SPF, DKIM and DMARC in order, move your policy to enforcement, and BIMI becomes available to you.
That ordering is also what makes it valuable. Because a domain has to earn its way to a logo, the presence of one is itself a trust signal, and a message claiming to be from a big brand with no logo where you would expect one is a quiet red flag.
The path to a logo in the inbox
- Authenticate: SPF and DKIM aligned
- Enforce: DMARC at p=quarantine or p=reject
- Prepare the logo in the required SVG profile
- Publish the BIMI DNS record
- Add a VMC to reach Gmail and Apple Mail
How DMARCER helps
DMARCER checks whether your domain is ready for BIMI, confirming that DMARC is at enforcement and flagging exactly what stands between you and a logo in the inbox. When you are ready, it validates your logo against the strict SVG profile the inboxes demand, hosts the record and the image for you so there is no infrastructure to stand up, and lets you switch it on or off in a click. A Verified Mark Certificate for Gmail and Apple Mail is on our roadmap, so you can start with the inboxes that need no certificate today and extend coverage as that lands. For a business that means turning the DMARC work you have already done into visible brand recognition; for an MSP it is a clear, sellable next step to offer every client once their authentication is in order.
Related
DMARC →
The enforcement BIMI is built on top of.
Trust Mark →
Show your security score anywhere, not just the inbox.
All the controls →
See how the whole stack fits together.
See if you're ready for a logo in the inbox
Run a free check to see whether your DMARC is at enforcement, and what's left between you and BIMI.
Check your domain