Email Security
What Is BIMI?
BIMI (Brand Indicators for Message Identification) is an email specification that enables organizations to display their brand logos within supporting email clients when emails pass DMARC authentication checks. BIMI requires a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) that verifies the organization's rights to the trademark, along with a BIMI DNS TXT record pointing to the brand's logo. BIMI leverages proper DMARC authentication as an incentive for organizations to strengthen their email security posture while providing visual brand recognition in recipient inboxes. It's not an authentication mechanism itself but rather a visual display layer that rewards organizations implementing strong email security.
How does BIMI work?
BIMI operates as a visual authentication indicator that displays brand logos in email clients, but only after verifying the sender has implemented proper email security and proven trademark rights.
The process begins when an organization obtains a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) from an authorized certificate authority. VMCs verify the organization's legal rights to the trademarked logo through trademark registration documentation, typically costing over $1,000 per year. CMCs, introduced by Google in 2025, require proof that the logo has been in use for at least a year but don't require formal trademark registration, reducing cost barriers while still providing verification.
The organization prepares its brand logo in SVG Tiny format—a scalable vector graphic standard optimized for email display. This format requirement is strict; logos must comply with SVG Tiny specifications or email clients will fail to display them. The organization hosts the SVG logo file at a publicly accessible HTTPS URL with reliable uptime.
The organization then publishes a BIMI TXT record in its DNS at "default._bimi.domain.com" (the "default" selector under the _bimi subdomain). The record carries the required tags: "v=bimi1", which specifies the BIMI version; "l=", the URL of the logo file; "a=", the URL of the certificate (optional but recommended); and "avp=", the assertion type ("personal" or "brand").
Critically, the organization must maintain strict DMARC enforcement policy at p=quarantine or p=reject with 100% enforcement. BIMI is designed to incentivize proper email authentication, so it only functions when the domain has achieved strong DMARC implementation. Organizations with p=none monitoring or partial enforcement cannot use BIMI.
When an email is sent from the domain, it carries the SPF, DKIM, and DMARC authentication data, and the receiving mail server evaluates the message against the sender's DMARC policy. If the email passes DMARC authentication and the receiving email client supports BIMI, the client performs a DNS lookup to retrieve the BIMI record, which must reference a valid VMC or CMC.
The email client retrieves the logo from the URL specified in the BIMI record and validates the certificate. If all verification succeeds, the client displays the authenticated brand logo alongside the sender's email address in the recipient's inbox. Users see the verified logo, which increases trust in the email's legitimacy and reduces susceptibility to phishing from spoofed domains.
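The receiver-side sequence described above, written out as an added Python example (not code from the page): it parses the tag=value DMARC and BIMI TXT records, requires p=quarantine or p=reject at 100%, and treats the certificate reference as mandatory, as the verification step above does (the a= tag itself is optional in the record, so a client that does not demand a certificate would drop that check). All record values, hostnames and URLs are constructed samples.

```python
from typing import Dict, Optional, Tuple

def parse_tags(record: str) -> Dict[str, str]:
    """Split a DMARC or BIMI TXT record ('k=v; k=v') into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_is_enforcing(dmarc_txt: str) -> bool:
    """BIMI needs p=quarantine or p=reject applied to all mail. pct defaults to 100
    when absent, so only an explicit lower value (a partial rollout) disqualifies."""
    tags = parse_tags(dmarc_txt)
    policy_ok = tags.get("p", "none").lower() in ("quarantine", "reject")
    return policy_ok and tags.get("pct", "100") == "100"

def bimi_display_decision(client_supports_bimi: bool, dmarc_txt: str,
                          message_passed_dmarc: bool, bimi_txt: Optional[str],
                          certificate_valid: bool) -> Tuple[bool, str]:
    """Receiver-side checks in the order described above; returns (display, reason)."""
    if not client_supports_bimi:
        return False, "client does not render BIMI"
    if not dmarc_is_enforcing(dmarc_txt):
        return False, "DMARC policy is not p=quarantine/p=reject at 100%"
    if not message_passed_dmarc:
        return False, "message failed DMARC"
    if not bimi_txt:
        return False, "no BIMI record at default._bimi"
    tags = parse_tags(bimi_txt)
    if tags.get("v", "").upper() != "BIMI1":
        return False, "BIMI record must start with v=BIMI1"
    logo = tags.get("l", "")
    if not logo.lower().startswith("https://"):
        return False, "l= must be an HTTPS URL to the SVG logo"
    if not tags.get("a"):
        return False, "no a= certificate reference; a VMC or CMC is required here"
    if not certificate_valid:
        return False, "certificate did not validate or has expired"
    return True, f"display logo from {logo}"

# Constructed sample records (example.com is a reserved documentation domain).
DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
DMARC_MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=50"
BIMI_RECORD = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
               "a=https://example.com/brand/vmc.pem")
BIMI_NO_CERT = "v=BIMI1; l=https://example.com/brand/logo.svg"
```

Each failing branch returns the reason, so the same function doubles as a sender-side pre-flight: feed it your own published records and a simulated DMARC pass to see which requirement still blocks display.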
How does BIMI differ from email authentication protocols?
| Feature | BIMI | DMARC | SPF | DKIM |
|---|---|---|---|---|
| Primary function | Visual brand display in email clients | Authentication enforcement and alignment | Sender IP validation | Message integrity validation |
| Is it authentication | No (display layer only) | Yes (policy enforcement) | Yes (IP authorization) | Yes (cryptographic signing) |
| DMARC requirement | Strict (p=reject or p=quarantine at 100%) | N/A (DMARC is the protocol) | No (works independently) | No (works independently) |
| Certificate required | Yes (VMC or CMC) | No | No | No |
| Trademark verification | Yes (VMC) or proof of use (CMC) | No | No | No |
| Email client support | Limited (Gmail, Yahoo, AOL; not Outlook) | Universal | Universal | Universal |
| Cost | $1,000+/year (VMC) or lower (CMC) | Free (DNS record) | Free (DNS record) | Free (DNS record + key management) |
| Purpose | Brand trust and anti-phishing through visual indicators | Anti-spoofing through enforcement | Anti-spoofing through IP validation | Anti-tampering through signatures |
| Ideal for | Large brands prioritizing visual recognition in Gmail/Yahoo with DMARC enforcement | All organizations sending email (foundational security) | All organizations sending email (foundational security) | All organizations sending email (foundational security) |
Why does BIMI matter?
BIMI provides visual authentication indicators that help users distinguish legitimate emails from phishing attempts, particularly valuable for consumer-facing brands that suffer from impersonation attacks.
In 2025, Google announced adoption of Common Mark Certificates (CMC) as an alternative to Verified Mark Certificates, significantly reducing the barrier to BIMI adoption. CMCs eliminate the trademark requirement, instead requiring only proof that the logo has been in use for a year. This change addresses one of BIMI's primary limitations—the cost and complexity of obtaining VMCs—making BIMI accessible to smaller organizations without formal trademark registrations.
Major email providers supporting BIMI include Gmail, Yahoo Mail, and AOL, representing significant portions of consumer email usage. However, major providers NOT supporting BIMI include Microsoft Outlook.com, Hotmail, Microsoft 365, ProtonMail, and Comcast. This limited support means BIMI's effectiveness depends heavily on recipient email client distribution.
BIMI serves as an incentive for organizations to implement strong DMARC enforcement. Since BIMI requires p=reject or p=quarantine at 100% enforcement, organizations motivated by brand visibility may accelerate their DMARC implementation to qualify for BIMI. This creates a positive security outcome: organizations strengthen email authentication to achieve brand recognition.
However, adoption remains low. Analysis of 13,000 domains found that 90.85% had no BIMI record, 4.57% had valid BIMI records, and 4.58% had invalid BIMI records. As of Q3 2021, only 9,860 BIMI records were observed globally, indicating minimal adoption despite the protocol's availability since 2019.
What are the limitations of BIMI?
Microsoft Outlook does not support BIMI. This excludes a significant portion of the B2B email market from seeing BIMI logos. Organizations sending primarily to business recipients using Microsoft 365, Outlook.com, or Hotmail may see minimal return on investment from BIMI implementation, since most recipients won't see the logo regardless of proper configuration.
Limited email client support overall. Beyond Microsoft's non-support, many enterprise email systems, smaller email providers, and mobile email clients don't render BIMI logos. The protocol's effectiveness is constrained by receiving client adoption, which progresses slowly and remains far from universal.
VMC costs over $1,000 per year. Verified Mark Certificates from authorities like DigiCert, Entrust, and GlobalSign typically cost $1,000-$1,500 annually, making BIMI impractical for small organizations and nonprofits. While CMCs reduce this barrier, they're not yet widely available from all certificate authorities, and pricing remains uncertain as the market develops.
Complex technical implementation. Incorrect SVG file format is the most common reason BIMI setup fails. The SVG Tiny specification has strict requirements that standard logo files often don't meet, requiring specialized design work. Additionally, organizations must coordinate DNS record publication, certificate acquisition, HTTPS hosting, and DMARC enforcement—creating multiple points of potential failure.
Certificate management burden. VMCs and CMCs have expiration dates that must be tracked and renewed. If a certificate expires, BIMI logo display ceases even though the organization properly configured everything initially. This ongoing management requirement adds operational overhead.
Requires DMARC enforcement at p=reject or p=quarantine at 100%. Many organizations haven't achieved this level of DMARC maturity. As discussed in the DMARC article, 63% of DMARC-implementing organizations use p=none (monitoring-only), and only 2.5% of all domains enforce p=reject. This means BIMI is inaccessible to most organizations until they strengthen their DMARC implementation.
Modest real-world ROI. Early promotional materials suggested BIMI significantly increased email open rates, but real-world implementations show much smaller benefits. The incremental increase in trust and engagement is positive but rarely justifies the cost and complexity for most organizations, particularly given limited email client support.
Logo display is not guaranteed. Even with valid BIMI implementation, email clients may not display logos due to rendering issues, client updates, policy changes, or performance optimization. Organizations cannot rely on BIMI for critical brand recognition since display is at the discretion of receiving email clients.
How can organizations implement BIMI effectively?
Start with proper SPF, DKIM, and DMARC implementation before considering BIMI. BIMI is only available to organizations that have achieved DMARC enforcement at p=reject or p=quarantine with 100% enforcement. Focus on building this foundation first, which provides genuine security benefits regardless of BIMI.
Understand email client support before investing in BIMI. If your primary recipients use Microsoft Outlook or Microsoft 365, BIMI provides minimal value since these platforms don't support logo display. Analyze your recipient email client distribution to determine whether enough recipients use BIMI-supporting clients (Gmail, Yahoo, AOL) to justify the investment.
Obtain a VMC (Verified Mark Certificate) or CMC (Common Mark Certificate) from a reputable certificate authority. Ensure trademark rights are properly established before requesting a VMC, or prepare documentation showing logo usage for at least a year for CMC. Budget for annual renewal costs and calendar certificate expiration dates.
Design your brand logo in SVG Tiny format compliant with BIMI specifications. Work with designers familiar with SVG Tiny requirements, as standard SVG files often don't meet the strict specification. Use BIMI validation tools to verify the SVG file before proceeding with full implementation.
Host the SVG logo on a reliable HTTPS-only server with good uptime. The logo URL must remain stable and accessible; changing URLs breaks BIMI for all users. Ensure the hosting infrastructure has redundancy and monitoring to prevent logo retrieval failures.
Publish a BIMI DNS TXT record at "default._bimi.domain.com" with correct syntax including the logo URL and certificate reference. Test the record using BIMI checkers from BIMI-Checker.org, EasyDMARC, or DNSChecker before considering the implementation complete.
Monitor certificate expiration dates and renew before expiration. Set calendar reminders at 60 days, 30 days, and 7 days before expiration to ensure renewal happens on time. Certificate expiration causes BIMI logo display to cease immediately.
Set realistic expectations for BIMI ROI. Consider BIMI primarily as a brand trust and anti-phishing measure rather than an email deliverability optimization or engagement improvement tool. The primary value is helping users distinguish legitimate email from spoofed phishing attempts, not increasing open rates.
Use BIMI alongside comprehensive anti-phishing measures including DMARC enforcement, user security awareness training, and threat detection systems. BIMI is a supplementary visual indicator, not a replacement for robust email security controls.
For global organizations, implement BIMI for major markets where email client support is strong (particularly consumer email in markets with high Gmail usage) while understanding that B2B recipients using Outlook won't see logos.
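Since a non-compliant SVG is the most common reason a setup fails (the logo step above), here is an added example, not the page's own tool or any vendor's checker, of the structural checks a pre-deployment validator can run on a logo file. BIMI's logo profile is SVG Tiny Portable/Secure (a restriction of SVG Tiny 1.2); the checker covers its headline rules (version="1.2" and baseProfile="tiny-ps" on the root, a non-empty <title>, no x/y on the root, no scripting, raster, link or animation elements, no external references, 32 KB ceiling), with the forbidden-element list assumed to be a sufficient subset and both SVG samples constructed.

```python
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_BYTES = 32 * 1024  # size ceiling the profile sets for logo files
# Content the Tiny P/S profile excludes: scripting, raster/external content,
# links and animation. A partial list, assumed sufficient for a first pass.
FORBIDDEN = {"script", "image", "a", "foreignObject", "animate",
             "animateTransform", "animateMotion", "animateColor", "set"}

def check_bimi_svg(data: bytes) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 32 KB limit")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("version") != "1.2":
        problems.append('root <svg> must declare version="1.2"')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> must declare baseProfile="tiny-ps"')
    if root.get("x") is not None or root.get("y") is not None:
        problems.append("root <svg> must not carry x or y attributes")
    title = root.find(f"{{{SVG_NS}}}title")  # must be a direct child of the root
    if title is None or not (title.text or "").strip():
        problems.append("a non-empty <title> element is required")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        if name in FORBIDDEN:
            problems.append(f"<{name}> is not allowed")
        for attr in ("href", f"{{{XLINK_NS}}}href"):
            ref = el.get(attr)
            if ref and not ref.startswith("#"):  # only same-document references
                problems.append(f"external reference {ref!r} is not allowed")
    return problems

# Constructed samples: a compliant logo and a typical design-tool export.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps"
     viewBox="0 0 100 100"><title>Example Brand</title>
  <circle cx="50" cy="50" r="40" fill="#1a73e8"/></svg>"""
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <image xlink:href="https://cdn.example.com/logo.png" width="100" height="100"/></svg>"""
```

Run it before publishing and again whenever the logo is re-exported; a default export from a design tool typically fails the version, baseProfile and title checks even when it renders fine in a browser.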
FAQs
Does BIMI improve email deliverability?
No, BIMI does not improve email deliverability. It's purely a visual authentication indicator that displays your brand logo in supported email clients when your email passes DMARC authentication. The actual security and deliverability improvements come from proper SPF, DKIM, and DMARC implementation. BIMI rewards organizations that have already achieved strong authentication; it doesn't create authentication itself.
Is BIMI required for email authentication?
No, BIMI is completely optional and purely visual. SPF, DKIM, and DMARC are the actual authentication mechanisms required for modern email security and deliverability. BIMI is a supplementary feature that rewards organizations that have already implemented strong DMARC enforcement. You can have comprehensive email security without ever implementing BIMI.
Why doesn't Microsoft Outlook support BIMI?
Microsoft has not publicly stated why they haven't implemented BIMI support in Outlook.com, Hotmail, or Microsoft 365. This significantly limits BIMI's utility since Microsoft email platforms are widely used in business environments. Organizations should verify that BIMI provides value to their specific recipient base before investing in VMC or CMC costs and implementation effort.
What's the difference between VMC and CMC?
Verified Mark Certificates (VMC) verify trademark ownership through formal trademark registration and cost $1,000+ annually from certificate authorities. Common Mark Certificates (CMC), introduced by Google in 2025, only require proof that the logo has been in use for at least a year—no trademark registration necessary—and have lower costs. CMCs make BIMI accessible to organizations without formal trademarks, though pricing and availability from certificate authorities is still evolving.
What happens if my BIMI SVG logo is incorrect?
If your SVG logo file doesn't comply with BIMI specifications (specifically the SVG Tiny format), email clients will fail to display it even though your BIMI DNS record and certificate are correct. Use BIMI checker tools like BIMI-Checker.org, EasyDMARC's BIMI Lookup, or DNSChecker's BIMI Record Lookup to validate your SVG file before deployment. Incorrect SVG formatting is the most common reason BIMI implementations fail.