Resources / Authentication
BIMI: Logos, DMARC, and Mark Certificates
BIMI puts a brand logo next to authenticated mail, but it authenticates nothing itself - it rides on enforced DMARC. This covers the prerequisites, the SVG Tiny PS logo, VMC and CMC mark certificates, the DNS record, and the honest provider-support reality.
Last checked: June 21, 2026
BIMI (Brand Indicators for Message Identification) is the only part of the email-authentication stack a recipient sees directly: a brand’s logo shown next to its messages in supporting clients. It is easy to mis-sell, so be clear up front - BIMI authenticates nothing. It “leverages an organization’s DMARC deployment to bring brand logos to the recipient’s inbox” (BIMI Group). It is a reward layered on top of authentication you already did, not a new form of it.
The 60-second version
- BIMI does not authenticate mail. It relies entirely on DMARC, DKIM, and SPF; the logo only shows when the message passes DMARC (BIMI Group).
- It requires DMARC at enforcement:
p=quarantine; sp=quarantineorp=reject; sp=reject.p=noneis not enough (BIMI Group, implementation guide). - The logo must be an SVG Tiny PS file (BIMI Group, implementation guide).
- A VMC (Verified Mark Certificate) or CMC (Common Mark Certificate) is strongly recommended and, at many providers, effectively required to display the logo (BIMI Group, implementation guide).
- It is published as a DNS TXT record at
default._bimi.<domain>(BIMI Group, implementation guide).
Prerequisite 1: authenticated, aligned, and enforced
The first step is not a BIMI step at all. You must authenticate all organizational email with SPF, DKIM, and DMARC, with everything aligned, and your DMARC policy must be at enforcement (BIMI Group, implementation guide). Enforcement has a specific meaning here:
p=quarantine; sp=quarantine, orp=reject; sp=reject
p=none is explicitly insufficient - a monitoring-only DMARC record will not display a BIMI logo. (For what p, sp, and the policy values mean, see DMARC in 2026; the policy values themselves are defined in RFC 9989 §4.7.)
This dependency is the whole point: BIMI only rewards domains that have already committed to stopping spoofing. The logo is the visible payoff for getting DMARC to enforcement.
Prerequisite 2: the SVG Tiny PS logo
The logo has to be produced as an SVG Tiny PS (Portable/Secure) file - a constrained, secure subset of SVG, not an arbitrary SVG export (BIMI Group, implementation guide). The constraint exists so mailbox providers can render the file safely; a normal SVG with scripting or external references will not qualify.
Prerequisite 3 (recommended): VMC or CMC
The third step is acquiring a mark certificate. It is described as highly recommended rather than strictly mandatory by the BIMI specification, but in practice it is what most major providers require to show a logo (BIMI Group, implementation guide):
| Certificate | What it is | Based on |
|---|---|---|
| VMC (Verified Mark Certificate) | validates ownership of the organization’s logo | a registered trademark of the logo/image |
| CMC (Common Mark Certificate) | used in place of a trademarked logo; allows some flexibility (e.g. seasonal color changes) | non-trademark marks |
The honest reality: self-asserted BIMI records (no VMC/CMC) have limited support across mailbox providers - many require a VMC or CMC before they will render the logo (BIMI Group, implementation guide). So while the spec allows a self-asserted record, do not expect broad logo display without a certificate.
The DNS record
BIMI is published as a DNS TXT record at the default._bimi selector (BIMI Group, implementation guide):
default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"| Tag | Required | What it is |
|---|---|---|
v= | required | version; BIMI1 |
l= | - | URL of the SVG Tiny PS logo file |
a= | optional | URL of the PEM-encoded VMC/CMC certificate (reserved for the mark certificate) |
The a= tag is currently optional in the record syntax, but it is the tag that carries the VMC/CMC most providers want - so “optional in syntax” and “needed in practice” are both true.
What BIMI is and is NOT
BIMI does:
- display a brand-controlled logo in supporting clients when DMARC passes at enforcement
- let the brand control which logo appears with its authenticated mail
- provide an authenticated visual indicator of the sender and aid brand recognition in the inbox
BIMI does NOT:
- authenticate email - it relies entirely on DMARC/DKIM/SPF (BIMI Group)
- display a logo without DMARC at enforcement (
p=nonewill not work) - display a logo at most major providers without a VMC/CMC
- improve deliverability by itself, guarantee inbox placement, or substitute for reputation
Provider support reality
The verifiable, source-backed statement is narrow and worth stating exactly: self-asserted BIMI (no certificate) has limited support, and many mailbox providers require a VMC/CMC to display the logo (BIMI Group, implementation guide). We are deliberately not publishing a provider-by-provider support matrix here, because a precise per-provider breakdown was not part of our verified source extraction; treat “you most likely need a VMC/CMC, and support varies by provider” as the reliable takeaway.
Common confusion / what does NOT change
- “BIMI improves deliverability.” It is a display feature gated on DMARC enforcement; it does not authenticate or score the message.
- “BIMI works with
p=none.” No. Enforcement (quarantineorreject, with matchingsp) is required. - “Any SVG will do.” No - it must be SVG Tiny PS.
- “Self-asserted is enough.” Sometimes, but support is limited; most major providers want a VMC or CMC.
- “BIMI is a security control.” It is the visible reward for one (enforced DMARC), not a control of its own.
What Egressif does
BIMI is a downstream consequence of doing the authentication work correctly, so we treat it as the last mile rather than the goal. Because we already operate the domains we manage at DMARC enforcement with aligned SPF and DKIM, the prerequisite that blocks most BIMI rollouts is already satisfied. From there, publishing a conformant default._bimi record with an SVG Tiny PS logo - and a VMC or CMC where logo display is the objective - is a straightforward final step, and we are candid that the certificate, not the DNS record, is usually what determines whether the logo actually appears.
Related references
- Email Authentication: SPF, DKIM, DMARC, ARC, BIMI SPF, DKIM, and DMARC are not interchangeable, and none of them on their own tells a receiver a message is safe. This is the map: what each layer checks, what a pass actually proves, and how alignment, ARC, and BIMI sit on top.
- DMARC in 2026 (RFC 9989, 9990, 9991) The RFC most "DMARC explained" articles still cite is obsolete. In May 2026 DMARC was re-issued as three Standards-Track RFCs. Here is everything that changed - tags, the Tree Walk, reporting, and the new p=reject guidance - in plain language, with records you can copy.
- SPF Deep Dive (RFC 7208) SPF authorizes which hosts may use your domain in the SMTP envelope. This is the full RFC 7208 picture: record format, every mechanism and qualifier, the hard 10-lookup limit that breaks records, the result codes, and the mistakes that quietly cause permerror.
- DKIM Deep Dive (RFC 6376) DKIM signs a message so a domain can take cryptographic responsibility for it. This is the full RFC 6376 picture: selectors, the signature and key tags, simple vs relaxed canonicalization, the l= body-length trap, key rotation, and the crypto updates from RFC 8301 and RFC 8463.
- ARC: Authenticated Received Chain (RFC 8617) ARC preserves a message's authentication result across the intermediaries that break SPF and DKIM. This is the RFC 8617 picture: the three header fields, how a chain is built and validated, the chain-validation states, and the honest limits - ARC is advisory, not a pass.
Tell us what you run today.
Domains, rough volume, current providers, and what hurts. You will get a straight answer on fit, and a real number, in one conversation.