Skip to content
DERKONLINE
Email Deliverability

Put Your Verified Logo Next to Every Email With BIMI

The DMARC enforcement, SVG-P/S logo, and VMC certificate that earn a verified brand logo and checkmark in the inbox.

Derrick S. K. Siawor6 min read
Kraft envelopes with vintage stamps and postmarks on a warm wooden table beside a green fern and succulents
Photo · ISKRA Photography / Unsplash

Open your inbox and scan down the list of senders. Most are a gray circle with an initial. A few have an actual logo, and next to some of those logos sits a small checkmark. Your eye goes straight to those. That is not an accident. Those senders set up BIMI, and the difference between a generic initial and a verified brand mark is the difference between mail that looks like everyone else's and mail that signals, before it is even opened, that it is genuinely from a brand who proved who they are.

BIMI, Brand Indicators for Message Identification, displays your verified logo next to authenticated email in the clients that support it. It is one of the few deliverability investments that pays back in something a person can see. The catch is that getting there is a sequence of prerequisites, and skipping any one of them means your logo simply does not show. Here is the full path, in order, with the requirements that actually gate it.

BIMI prerequisite pipeline from DMARC enforcement through VMC to publishing the BIMI record

BIMI is earned, not declared

The first thing to understand is that you cannot just publish a logo and have inboxes trust it. BIMI sits on top of email authentication, and the whole point of the standard is that the logo is only shown for mail that has proven it is really from your domain. So before any logo work, your authentication has to be airtight.

Specifically, BIMI requires a DMARC policy of quarantine or reject. A policy of p=none is not enough, because none means you are only monitoring, not enforcing, and BIMI will not display a logo for a domain that is not enforcing. Getting there means moving DMARC from none to reject without blocking legitimate mail, and that enforcement is also part of meeting Google and Yahoo bulk sender rules without getting throttled in the first place. Your DMARC record also needs to apply to all your mail, with the percentage set to 100. This is the real gate. If your DMARC is not at enforcement, nothing downstream matters, and getting to enforcement cleanly without accidentally quarantining your own legitimate mail is its own careful project that reading your DMARC aggregate reports makes safe. You raise the policy only after your SPF and DKIM alignment is solid across every system that sends as your domain.

The logo has strict, specific requirements

Once authentication is enforced, the logo itself has to meet a precise spec, and "we have an SVG" is rarely sufficient on the first try. The logo must be in SVG format, and not just any SVG. It must conform to the SVG Portable/Secure profile, SVG-P/S, which is a restricted subset of SVG with scripting, external references, and other risky features stripped out, because an inbox is not going to render an untrusted document with active content next to a message.

The practical requirements that trip people up:

  • The image must be square, with the logo centered, because the inbox renders it inside a circle or rounded square.
  • For Gmail, the dimensions must be specified in absolute pixels, with a minimum height and width of 96 pixels.
  • The SVG file must be 32 KB or smaller.
  • It must be the SVG-P/S profile specifically, not a generic export from a design tool.

Most logos need to be converted and cleaned to hit this. A designer's working SVG usually carries metadata, fonts, and features that the profile forbids, so the file gets simplified and re-exported until it validates against the spec.

The VMC: proving the logo is really yours

Here is the requirement that separates a serious setup from a hobby one. Gmail does not accept a self-asserted BIMI record. It is not enough to point at a logo and say it is yours; Gmail requires that the logo be certified as belonging to your specific company and domain. That certification is a Verified Mark Certificate, a VMC.

A VMC is issued by a certificate authority after they verify two things: that your organization is real and that you actually own the trademark on the logo. That trademark requirement is the part to plan for early, because it means the logo you want in the inbox generally has to be a registered trademark, and registration takes time and money you cannot compress at the last minute. The CA validates your business and your mark, then issues the certificate as a PEM file.

In the inbox, the VMC is what earns the blue verification checkmark next to your logo in Gmail. There is a lighter-weight alternative, the Common Mark Certificate or CMC, which has a lower trademark bar and shows the logo without the checkmark. A VMC shows the logo and the checkmark; a CMC shows the logo alone. For most brands that are doing this to stand out, the checkmark is the point, which means a VMC and a registered trademark.

Wiring it together

With authentication enforced, a compliant SVG hosted on your server, and a VMC PEM file in hand, the final step is the BIMI DNS record. You publish a TXT record at the default._bimi subdomain of your sending domain, pointing to two URLs: the location of your SVG logo and the location of your VMC certificate file.

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"

The l value is the logo, the a value is the authority evidence, your VMC. Both files have to be served over HTTPS from a stable URL, which is straightforward if you already run a self-hosted mail server that lands in the inbox and control the sending domain end to end. After you publish, allow 24 to 48 hours for the information to propagate before you expect to see the logo appear, and test with a real send to a Gmail account that has BIMI display enabled.

Is it worth the effort?

Honestly, BIMI is not the first deliverability lever to pull. If your complaint rate is above the 0.3 percent line or your authentication is failing, fix those first, because BIMI will not show at all until DMARC is at enforcement, and a logo on mail that lands in the Gmail spam folder helps no one. BIMI is a finishing move for a sender who already has clean authentication and good list practices.

But for that sender, it is a strong one. A verified logo with a checkmark in the inbox raises recognition the instant the message arrives, before the subject line does any work, and that recognition supports open rates and reinforces that you are a legitimate, established brand rather than another anonymous sender. It also makes impersonation harder, because a phishing email spoofing your domain will not carry your verified mark.

The sequence is unforgiving but clear: enforce DMARC, build a compliant SVG-P/S logo, register your trademark and obtain a VMC, publish the BIMI record. Each step gates the next, and the payoff only lands when all of them are in place. That kind of end-to-end authentication and DNS work, getting SPF, DKIM, and DMARC aligned and enforced cleanly before layering BIMI on top, is exactly the email deliverability work we run for brands who want their mail to both arrive and be recognized. Done right, your logo earns its place next to every message you send.

email-deliverabilitybimivmcdmarcbranding
All of the Journal

Related reading

Email DeliverabilityMove DMARC From None to Reject Without Killing Legitimate EmailRead
Email DeliverabilitySet Up SPF, DKIM, and DMARC So Your Mail Stops Hitting SpamRead
Email DeliverabilityRead Your DMARC Reports and Find Who Is Spoofing Your DomainRead

Where to next

More from the JournalEvery piece
What we doThe nine services
Start a projectDesign it live