
How to Set Up BIMI: Display Your Brand Logo in Email Inboxes (2026)

Migomail Team
May 3, 2026

When a subscriber opens their Gmail or Apple Mail inbox, they see a sender name next to a small circular image. For most senders, that image is a grey circle with an initial — a generic fallback that blends into the inbox without distinguishing anything. For senders who have implemented BIMI, it is their brand logo — crisp, recognisable, and visible before the email is even opened.

BIMI — Brand Indicators for Message Identification — is the email standard that enables verified brand logos to appear next to messages in supporting inbox clients. It is the most visible trust signal available in email marketing today, and in 2026 it is no longer the preserve of Fortune 500 brands. Gmail, Apple Mail, Yahoo Mail, Fastmail, and Outlook are all expanding BIMI support, and the certification process — once complex and expensive — has become more accessible.

This guide covers everything you need to set up BIMI: the prerequisites, the SVG logo requirements, the DNS record syntax, the Verified Mark Certificate process, and the step-by-step implementation checklist. BIMI is the final layer of the email authentication stack — and one of the lowest-difficulty, highest-visibility improvements a well-authenticated sender can make.


What Is BIMI?

BIMI (Brand Indicators for Message Identification) is a DNS-based standard that allows organisations to publish their brand logo in a DNS record, enabling supporting inbox providers to display that logo next to the sender's name in the inbox view.

When a receiving mail server processes an email, it checks the sender's DNS for a BIMI record. If one exists, it retrieves the linked logo file and displays it in the inbox UI next to the sender name. The logo appears as a small circular image — the same slot currently occupied by a grey initial for senders without BIMI.

Why BIMI exists: Email spoofing and phishing have made recipients increasingly sceptical of email from unfamiliar senders. A verified brand logo — authenticated through DMARC enforcement and optionally through a Verified Mark Certificate — signals to recipients that the email genuinely comes from the brand it claims to be from. This trust signal consistently improves open rates, click rates, and brand recognition in the inbox.

What BIMI Is Not

BIMI is not a spam filter bypass or a deliverability silver bullet. It does not improve your sender reputation or inbox placement rate on its own. It is a trust and recognition signal that appears after your email reaches the inbox — it enhances the experience of an already well-delivered email, rather than fixing delivery problems.

The prerequisite for BIMI — DMARC at p=reject — does improve deliverability, because it is required for BIMI and it happens to be the most protective authentication configuration available. But the logo itself is a branding and engagement enhancement, not an inbox placement driver.


Which Inbox Providers Support BIMI in 2026?

BIMI adoption by inbox providers has accelerated significantly since 2021. As of 2026, the supporting landscape is:

| Inbox Provider | BIMI Support | VMC Required | Notes |
|---|---|---|---|
| Gmail / Google Workspace | ✅ Full support | ✅ Yes | Largest US consumer inbox — 53% market share |
| Apple Mail (iOS, macOS) | ✅ Full support | ✅ Yes | Displays logo in iOS Mail and macOS Mail |
| Yahoo Mail | ✅ Full support | ✅ Yes | 11% US market share |
| Fastmail | ✅ Full support | ✅ Yes | Popular with professional users |
| Zoho Mail | ✅ Partial support | ❌ Optional | Available on Business plans |
| Microsoft Outlook | ⚠️ Limited | | Outlook.com rolling out limited BIMI — timeline unclear |
| AOL Mail | ✅ Full support | ✅ Yes | Small but supported |

The practical implication: Gmail and Apple Mail together cover approximately 60–65% of US email opens. Implementing BIMI means your logo appears in the majority of your subscribers' inboxes. The Microsoft Outlook gap is the primary reason BIMI has not reached universal deployment — but the Gmail and Apple Mail coverage alone justifies the implementation effort.


BIMI Prerequisites: What You Must Have First

BIMI has strict prerequisites. Attempting to implement BIMI without meeting all of them will result in the logo not displaying — with no error visible to the sender, just a silent failure to show the logo.

Prerequisite 1: DMARC at p=quarantine or p=reject

BIMI requires DMARC enforcement. A DMARC policy of p=none (monitoring mode only) is not sufficient — your DMARC policy must be at p=quarantine or p=reject.

In practice, all major inbox providers that support BIMI require p=reject to display the logo. p=quarantine technically satisfies the written specification, but Gmail and Apple Mail consistently require p=reject in practice for logo display.

If you have not yet configured DMARC, or if your DMARC is at p=none, completing the DMARC progression is the necessary first step. Our DMARC setup guide covers the full p=none → p=quarantine → p=reject progression. For understanding the policy levels, see our DMARC policy levels guide.

Migomail's hosted DMARC service processes your aggregate reports automatically and includes a policy progression assistant that recommends when you are ready to advance to the next enforcement level.

Prerequisite 2: SPF and DKIM Fully Configured and Passing

SPF and DKIM must be correctly configured for your sending domain, with both passing for all legitimate sending sources. BIMI is evaluated in the context of the full authentication stack — a domain with passing DMARC but failing SPF or DKIM sends mixed signals that can prevent logo display. Our SPF, DKIM, and DMARC setup guide covers the complete setup.

Prerequisite 3: A Verified Mark Certificate (VMC)

For Gmail, Apple Mail, Yahoo, and other major providers, a Verified Mark Certificate (VMC) is required to display the BIMI logo.

A VMC is a digital certificate issued by an accredited Certificate Authority (CA) that cryptographically links your brand logo to your domain and verifies that you are the legitimate owner of the trademarked logo. The VMC is what distinguishes BIMI from a basic logo assertion that any sender could fake.

VMC issuers accredited as of 2026:

  • Entrust — entrust.com/digital-security/certificate-solutions/verified-mark-certificate
  • DigiCert — digicert.com/verified-mark-certificate
  • Sectigo — sectigo.com/ssl-certificates-tls/verified-mark-certificates

VMC cost: VMCs are typically priced at $1,200–$1,499 per year per domain. This is the primary cost associated with BIMI and the primary barrier for smaller businesses. The annual cost reflects the CA's due diligence process — verifying trademark ownership and issuing the certificate.

VMC trademark requirement: To obtain a VMC, your logo must be registered as a trademark in the country or region where you are seeking certification. In the US, this means a registered trademark with the USPTO (United States Patent and Trademark Office). Trademark registration typically takes 8–18 months for a US mark — if you have not yet begun trademark registration, start that process in parallel with your DMARC progression.

Prerequisite 4: A Square SVG Logo File

BIMI uses SVG (Scalable Vector Graphics) format for the logo — specifically the SVG Tiny PS (Tiny Portable/Secure) profile, which is a restricted subset of SVG designed for security and cross-platform consistency.

Requirements for the BIMI logo file:

  • Format: SVG Tiny PS profile (not standard SVG)
  • Shape: Must be square in its natural dimensions — the inbox will display it as a circle, so the subject matter should be centred with some padding
  • Content: Must contain only the logo/brand mark itself — no text, no background, no complex scenes
  • File size: Recommended under 32KB
  • Colours: Use solid fills — gradients and complex effects may not render correctly in all clients
  • Hosting: Must be hosted at a publicly accessible HTTPS URL (no authentication, no redirects)

The SVG Tiny PS requirement is the most common technical stumbling block. Standard SVG files exported from Adobe Illustrator or similar tools are not automatically BIMI-compliant — they must be converted to the Tiny PS profile. Tools like the BIMI Validator (bimigroup.org/bimi-generator/) can validate your SVG file before you publish your DNS record.


Step 1: Prepare Your BIMI Logo File

Before touching DNS, prepare and validate your SVG logo file.

Converting Your Logo to SVG Tiny PS

If you have an existing SVG logo, it likely needs to be converted or cleaned up for BIMI compatibility. The most reliable approach:

Option A — Use BIMI Group's free tools: The BIMI Group (bimigroup.org) provides a free SVG validator and converter. Upload your existing logo and the tool will identify any elements that are not SVG Tiny PS compliant and generate a compliant version where possible.

Option B — Manual conversion in Illustrator or Inkscape:

  1. Open your logo in Adobe Illustrator or Inkscape
  2. Ensure the artboard is perfectly square
  3. Remove any raster images embedded in the SVG
  4. Expand all text to outlines (text elements are not SVG Tiny PS compliant)
  5. Flatten transparency and convert gradients to solid fills where possible
  6. Save/export as SVG Tiny 1.2 (the closest built-in option to Tiny PS)
  7. Manually edit the SVG file header to declare the correct profile:
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.2" baseProfile="tiny-ps"
     viewBox="0 0 100 100">

Option C — Commission from a designer: If your logo is complex, a vector designer familiar with BIMI specifications can prepare a compliant SVG in 1–2 hours. This is often the fastest path to a working file.
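
A local pre-flight check for the logo requirements listed in this guide (tiny-ps profile declaration, square viewBox, no text or raster images, no external references, the 32KB size guidance). This is an added example, not part of the original guide and not the BIMI Group's validator; the function name and the sample SVG documents are constructed for illustration, and it covers only the points listed here.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_BYTES = 32 * 1024  # the guide's "recommended under 32KB"
FORBIDDEN = {"image": "embedded raster image",
             "text": "text element (expand text to outlines)"}
GRADIENTS = {"linearGradient", "radialGradient"}

# Constructed sample inputs (not real brand assets).
GOOD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <circle cx="50" cy="50" r="40" fill="#0a5"/>
</svg>"""

BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" viewBox="0 0 200 100">
  <text x="10" y="50">Brand</text>
  <image xlink:href="https://yourdomain.com/logo.png" width="100" height="100"/>
</svg>"""


def check_logo(svg_bytes):
    """Return (errors, warnings) for a candidate BIMI logo given as bytes."""
    errors, warnings = [], []
    if len(svg_bytes) > MAX_BYTES:
        warnings.append(f"file is {len(svg_bytes)} bytes, above the 32KB recommendation")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], warnings

    # Profile declaration from step 7 of the manual conversion.
    if root.tag != f"{{{SVG_NS}}}svg":
        errors.append("root element is not <svg> in the SVG namespace")
    if root.get("baseProfile") != "tiny-ps":
        errors.append(f'baseProfile is {root.get("baseProfile")!r}, expected "tiny-ps"')
    if root.get("version") != "1.2":
        errors.append(f'version is {root.get("version")!r}, expected "1.2"')

    # Square artboard: viewBox is "min-x min-y width height".
    try:
        _, _, width, height = map(float, root.get("viewBox", "").replace(",", " ").split())
    except ValueError:
        errors.append("viewBox must contain four numbers")
    else:
        if width <= 0 or width != height:
            errors.append(f"viewBox is {width:g} x {height:g}, not square")

    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        if name in FORBIDDEN:
            errors.append(f"<{name}>: {FORBIDDEN[name]}")
        elif name in GRADIENTS:
            warnings.append(f"<{name}>: gradients may not render correctly in all clients")
        for attr in ("href", XLINK_HREF):
            target = el.get(attr)
            if target is not None and not target.startswith("#"):
                errors.append(f"<{name}> has an href that is not a same-document #fragment: {target!r}")
    return errors, warnings


if __name__ == "__main__":
    for label, data in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        errs, warns = check_logo(data)
        print(label, "errors:", errs, "warnings:", warns)
```
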

Host the Logo at an HTTPS URL

Once your SVG file is ready, host it at a publicly accessible HTTPS URL. The URL must:

  • Be accessible without authentication
  • Not redirect to another URL (no 301 or 302 redirects)
  • Return the file with Content-Type: image/svg+xml
  • Use HTTPS (not HTTP)

A common hosting location: https://static.yourdomain.com/brand/bimi-logo.svg or https://yourdomain.com/assets/bimi-logo.svg.


Step 2: Obtain Your Verified Mark Certificate

Submit your VMC application to one of the accredited CAs (Entrust, DigiCert, or Sectigo). The process typically takes 5–10 business days.

The VMC Application Process

1. Trademark verification: Provide your registered trademark registration number and jurisdiction. The CA will verify that the trademark is active, registered in your name (or your parent company's name), and that the logo in the trademark registration matches the SVG file you are submitting.

2. Domain ownership verification: The CA verifies you control the domain listed in the BIMI record. This is typically done via DNS validation (add a TXT record to your domain) or file-based validation (place a file at a specific URL).

3. Logo review: The CA reviews the SVG file for technical compliance with the BIMI specification.

4. Certificate issuance: Once all three verifications are complete, the CA issues a .pem file — the VMC. This file contains your certificate chain and is referenced in your BIMI DNS record.

Host the VMC

The VMC (.pem file) must be hosted at a publicly accessible HTTPS URL — the same requirements as the logo file. A common location: https://static.yourdomain.com/brand/bimi-vmc.pem.


Step 3: Create the BIMI DNS TXT Record

The BIMI record is a DNS TXT record published at default._bimi.yourdomain.com.

BIMI Record Syntax

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://static.yourdomain.com/brand/bimi-logo.svg; a=https://static.yourdomain.com/brand/bimi-vmc.pem"

Tag Reference

| Tag | Value | Required | Description |
|---|---|---|---|
| v= | BIMI1 | ✅ Yes | Protocol version — always BIMI1 |
| l= | HTTPS URL to SVG file | ✅ Yes | Location of your BIMI logo file |
| a= | HTTPS URL to VMC .pem file | ✅ For Gmail/Apple/Yahoo | Location of your Verified Mark Certificate |

Without the a= tag (no VMC): A BIMI record without a VMC reference is valid syntax but will only display the logo in inbox providers that support self-asserted BIMI (very few major providers). Gmail, Apple Mail, and Yahoo all require a VMC. Publishing a BIMI record without a= will not display a logo in the major providers.

Publishing the DNS Record

In your DNS management panel:

| Field | Value |
|---|---|
| Type | TXT |
| Host / Name | default._bimi |
| Value | v=BIMI1; l=https://static.yourdomain.com/brand/bimi-logo.svg; a=https://static.yourdomain.com/brand/bimi-vmc.pem |
| TTL | 3600 (1 hour) |

DNS propagation typically completes in 10–30 minutes but can take up to 48 hours.
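
A check you can run on the record text before publishing it, together with the domain's DMARC record from Prerequisite 1, since a mistake in either one fails silently. This is an added example, not Migomail's or the BIMI Group's code; the function names and sample records are constructed for illustration, and the TXT strings are passed in rather than looked up so that it runs offline.

```python
from urllib.parse import urlsplit

# Constructed sample records using the guide's placeholder domain.
GOOD_BIMI = ("v=BIMI1; l=https://static.yourdomain.com/brand/bimi-logo.svg; "
             "a=https://static.yourdomain.com/brand/bimi-vmc.pem")
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"


def bimi_record_name(domain):
    """DNS name where the BIMI TXT record for a sending domain is published."""
    return f"default._bimi.{domain.strip('.').lower()}"


def parse_tags(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip() if sep else None))
    return pairs


def is_https_url(value):
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def check_bimi(bimi_txt, dmarc_txt):
    """Return (errors, warnings) for a BIMI record and the domain's DMARC record."""
    errors, warnings = [], []

    bimi = parse_tags(bimi_txt)
    if not bimi or bimi[0] != ("v", "BIMI1"):
        errors.append("BIMI record must start with v=BIMI1")
    tags = dict(bimi)
    if len(tags) != len(bimi):
        errors.append("BIMI record repeats a tag")
    if not tags.get("l"):
        errors.append("l= (logo URL) is missing or empty")
    elif not is_https_url(tags["l"]):
        errors.append(f"l= must be an absolute HTTPS URL, got {tags['l']!r}")
    if not tags.get("a"):
        warnings.append("no a= (VMC URL): Gmail, Apple Mail and Yahoo will not display the logo")
    elif not is_https_url(tags["a"]):
        errors.append(f"a= must be an absolute HTTPS URL, got {tags['a']!r}")

    dmarc = parse_tags(dmarc_txt)
    if not dmarc or dmarc[0] != ("v", "DMARC1"):
        errors.append("DMARC record must start with v=DMARC1")
    policy = (dict(dmarc).get("p") or "").lower()
    if policy == "quarantine":
        warnings.append("DMARC p=quarantine: Gmail and Apple Mail require p=reject in practice")
    elif policy != "reject":
        errors.append(f"DMARC p={policy or 'missing'}: BIMI needs p=quarantine or p=reject")
    return errors, warnings


if __name__ == "__main__":
    print(bimi_record_name("yourdomain.com"))
    print(check_bimi(GOOD_BIMI, GOOD_DMARC))
    print(check_bimi("v=BIMI1; l=http://yourdomain.com/logo.svg", "v=DMARC1; p=none"))
```
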


Step 4: Verify Your BIMI Implementation

After DNS propagation, verify that every component is correctly configured.

BIMI Validator Tools

BIMI Group Inspector: Visit bimigroup.org/bimi-generator/ and enter your domain. The tool checks:

  • BIMI DNS record existence and syntax
  • Logo file accessibility and SVG Tiny PS compliance
  • VMC validity and chain of trust
  • DMARC policy level (must be p=quarantine or p=reject)

MXToolbox BIMI Lookup: Visit mxtoolbox.com/bimi.aspx for a quick DNS record check.

Gmail test: Send an email from your BIMI-enabled domain to a Gmail account. If implementation is correct, your logo should appear within 24–48 hours of the BIMI record propagating. Note: Gmail may take up to a week after initial setup to begin displaying the logo consistently.

What to Check in the Verification

  • BIMI DNS record published at default._bimi.yourdomain.com
  • Logo URL is accessible via HTTPS with no redirects
  • Logo file is valid SVG Tiny PS
  • VMC URL is accessible via HTTPS
  • VMC is valid and not expired
  • DMARC is at p=reject (or p=quarantine at minimum)
  • SPF and DKIM are passing for all sending sources
  • BIMI Group Inspector returns all-green

Step 5: Handle Subdomains and Multiple Sending Domains

A BIMI record published at yourdomain.com covers emails sent from @yourdomain.com. If you send from subdomains — newsletter.yourdomain.com or mail.yourdomain.com — each subdomain may need its own BIMI record, or you can use the root domain's record depending on inbox provider behaviour.

Gmail's subdomain handling: Gmail evaluates BIMI at the organizational domain level — the root domain. If your DMARC is configured at the root domain with DKIM alignment for subdomains, Gmail will typically apply the root domain's BIMI record to emails sent from subdomains.

Explicit subdomain BIMI record (recommended for certainty):

default._bimi.newsletter.yourdomain.com  TXT  "v=BIMI1; l=https://...; a=https://..."

Publishing explicit subdomain records ensures consistent logo display regardless of inbox provider's lookup behaviour.

Multiple sending domains: Each domain (and relevant subdomain) requires its own BIMI record. If yourdomain.com and yourotherbrand.com both send email, each needs its own BIMI record, its own SVG logo file, and its own VMC (and its own trademark registration).


BIMI and the Complete Email Authentication Stack

BIMI is the final layer of the email authentication stack. Here is where it fits:

| Layer | Protocol | What It Does |
|---|---|---|
| 1 — Authentication | SPF | Authorises sending servers |
| 2 — Integrity | DKIM | Signs email content cryptographically |
| 3 — Enforcement | DMARC | Enforces SPF/DKIM policy and generates reports |
| 4 — Transport security | MTA-STS | Enforces TLS encryption in transit |
| 5 — Visual trust | BIMI | Displays verified brand logo in inbox |

Each layer builds on the previous one. BIMI cannot function without DMARC. DMARC requires SPF and DKIM. MTA-STS sits alongside DMARC at the transport layer. Our MTA-STS setup guide covers the transport security layer if you have not yet implemented it.

Migomail's authentication dashboard validates all layers in one view — SPF, DKIM, DMARC, and BIMI record status — so you can confirm the complete stack is functioning correctly without running separate tool checks for each protocol.


Does BIMI Actually Improve Open Rates?

The evidence from industry testing suggests yes — measurably, though not dramatically:

  • Entrust (VMC issuer) internal data shows a 10% increase in email opens for brands that implemented BIMI with a VMC compared to pre-BIMI periods
  • Red Sift's analysis of BIMI-enabled senders found open rate improvements of 5–15% in Gmail, with stronger effects for brands with high name recognition
  • Brand recall improvement: Research from the BIMI Group found that displaying a logo in the inbox increases brand recognition and recall for the sender brand by approximately 18%

The mechanism is intuitive: a recognisable logo in the inbox reduces the cognitive friction of deciding whether to open an email. When subscribers see a brand logo they recognise next to a sender name, they open faster and with less deliberation than when they see a grey initial circle.

The effect is strongest for:

  • Well-recognised consumer brands with high name and logo familiarity
  • Senders where the inbox is competitive and differentiation matters
  • B2B senders where multiple contacts from the same organisation receive email

The effect is weakest for:

  • Brands with low logo recognition among their subscriber base
  • Senders with small lists where statistical significance is difficult to establish
  • Transactional email where the subscriber is motivated by the content (an OTP or order confirmation) rather than the brand identity

Common BIMI Implementation Mistakes

Using a standard SVG instead of SVG Tiny PS. The most common reason a BIMI record does not display a logo. Standard SVG files from Illustrator or other design tools are not automatically compliant. Always validate the file with the BIMI Group's validator before publishing your DNS record.

DMARC at p=none or p=quarantine. While p=quarantine technically satisfies the BIMI specification, Gmail and Apple Mail consistently require p=reject in practice. If your logo is not showing in Gmail and your DMARC is at p=quarantine, enforcing p=reject is the fix.

Logo file not accessible without redirects. BIMI validators follow the URL to retrieve the logo. If the URL redirects (even a simple HTTP → HTTPS redirect), many implementations will fail to retrieve the file. Ensure the logo URL returns the file directly at the stated URL without any redirect chain.

VMC referencing a different domain. The VMC is issued for a specific domain. The BIMI record a= tag must reference a VMC issued for the same domain as the BIMI record itself. A VMC issued for yourdomain.com cannot be used in a BIMI record for newsletter.yourdomain.com — a separate VMC is required for the subdomain (or check with your CA about subdomain coverage within the certificate).

Publishing BIMI before DMARC enforcement is complete. BIMI will not display until DMARC is at enforcement level. Publishing the BIMI record early — before DMARC has progressed to p=reject — results in a silent failure with no visible error. Complete DMARC enforcement first, then publish BIMI.

Forgetting to renew the VMC. VMCs are annual certificates. An expired VMC causes logo display to stop immediately — no warning emails or countdown alerts from inbox providers. Set a calendar reminder 30 days before your VMC expiry date and renew with your CA before it lapses.


BIMI Implementation Checklist

Prerequisites

  • DMARC published at p=reject (verified via MXToolbox or Migomail's authentication dashboard)
  • SPF passing for all sending sources
  • DKIM passing for all sending sources
  • Trademark registered for your logo in the relevant jurisdiction (US: USPTO)

Logo preparation

  • Logo file in SVG format
  • Converted to SVG Tiny PS profile
  • Logo is square (equal width and height in viewBox)
  • No embedded raster images, no text, no external references
  • File size under 32KB
  • Validated as BIMI-compliant via bimigroup.org validator

Logo hosting

  • SVG file hosted at a publicly accessible HTTPS URL
  • No authentication required to access the file
  • No HTTP redirects at the URL
  • Content-Type header returns image/svg+xml

VMC

  • VMC applied for and issued by accredited CA (Entrust, DigiCert, or Sectigo)
  • Trademark ownership verified in VMC application
  • VMC (.pem) hosted at a publicly accessible HTTPS URL
  • VMC renewal calendar reminder set (30 days before expiry)

DNS record

  • default._bimi.yourdomain.com TXT record published
  • Record contains correct v=BIMI1; l=[logo URL]; a=[VMC URL] syntax
  • Separate records published for all sending subdomains (if applicable)

Verification

  • BIMI Group Inspector returns all-green for your domain
  • Test email to Gmail shows logo after 24–48 hour propagation period
  • Test email to Apple Mail shows logo

Frequently Asked Questions

What is BIMI and why should I set it up?
BIMI (Brand Indicators for Message Identification) is the email standard that displays your brand logo next to your sender name in supporting inbox clients — primarily Gmail and Apple Mail. When implemented correctly, subscribers see your verified logo in their inbox before they even open the email. Research shows BIMI implementation improves email open rates by 5–15% in Gmail, increases brand recognition in the inbox, and signals to recipients that your email is authenticated and trustworthy. The DMARC enforcement that BIMI requires as a prerequisite also improves deliverability independently — so BIMI setup delivers dual benefits: the logo itself and the authentication protection that enables it.

Do I need a Verified Mark Certificate (VMC) for BIMI?
Yes — for logo display in Gmail, Apple Mail, Yahoo, and other major inbox providers. A VMC is a digital certificate issued by an accredited Certificate Authority that cryptographically verifies you are the legitimate owner of the trademarked logo. Without a VMC, a BIMI record is technically valid but will not display a logo in Gmail or Apple Mail — the two inbox providers that cover over 60% of US email opens. The VMC requires a registered trademark for your logo, which is a prerequisite that must be arranged before applying for the certificate.

How long does BIMI setup take?

The technical setup — DNS record, logo file, VMC hosting — takes 2–4 hours once all prerequisites are in place. The most time-consuming element is obtaining the VMC, which typically takes 5–10 business days from application to issuance. The DMARC prerequisite — progressing from p=none to p=reject — typically takes 4–8 weeks if starting from scratch. Trademark registration, if not already in place, takes 8–18 months for a US mark. Total timeline from starting trademark registration to BIMI live: plan for 12–18 months. For brands that already have DMARC at p=reject and a registered trademark, the implementation timeline is 1–2 weeks.

Will BIMI work in Microsoft Outlook?
As of 2026, Microsoft Outlook's BIMI support is limited and inconsistently deployed. Outlook.com has shown preliminary BIMI support in testing environments, but widespread logo display for standard commercial senders has not been confirmed. Microsoft has indicated BIMI support is on their roadmap but has not committed to a specific timeline. Gmail, Apple Mail, and Yahoo — which together cover approximately 70% of US email opens — all support BIMI fully. Implement BIMI now for the majority of your subscribers; Outlook logo display will follow when Microsoft completes their rollout.

Can I set up BIMI without a VMC?
You can publish a BIMI DNS record without a VMC by omitting the a= tag, but the logo will not display in any of the major inbox providers (Gmail, Apple Mail, Yahoo) that require VMC verification. A few smaller inbox providers and email clients support self-asserted BIMI (without VMC) — you may see logo display in niche clients. For practical purposes, BIMI without a VMC provides no visible benefit to the vast majority of subscribers. The VMC is the mechanism that makes BIMI work where it matters.


Summary

BIMI is the final piece of the email authentication stack — and in 2026 it is the most visible differentiator available in the inbox.

The implementation path:

  1. Confirm prerequisites: DMARC at p=reject, SPF and DKIM passing, registered trademark
  2. Prepare your logo: SVG Tiny PS profile, square format, validated at bimigroup.org
  3. Obtain your VMC: Apply via Entrust, DigiCert, or Sectigo — allow 5–10 business days
  4. Host both files at publicly accessible HTTPS URLs with no redirects
  5. Publish the BIMI DNS record at default._bimi.yourdomain.com
  6. Verify with BIMI Group Inspector and a Gmail test send
  7. Set a VMC renewal reminder 30 days before annual expiry

The compounding effect of a complete authentication stack — SPF, DKIM, DMARC at p=reject, MTA-STS, and BIMI — is the highest-trust email sending profile available. Inbox providers treat fully authenticated, BIMI-enabled senders as the most trustworthy class of sender, with corresponding inbox placement treatment.

Migomail's hosted DMARC service accelerates the DMARC prerequisite — automated report processing, policy progression assistant, and instant alerts for any new authentication failures. Migomail's authentication dashboard validates your complete stack in one view.

Start your free trial to run a full authentication audit on your domain and see exactly what is needed before BIMI implementation can begin.
