BIMI Record Checker

What BIMI Is and Where Your Logo Appears

BIMI, short for Brand Indicators for Message Identification, lets a domain owner tell mailbox providers which logo to display next to the email they send. It works through a small DNS record pointing to a logo file and, optionally, to a certificate proving you have the right to use that logo. BIMI is not an authentication protocol itself; it sits on top of SPF, DKIM, and DMARC as a visible reward for domains that have done the hard work of authenticating their email. The checker above reads your domain's BIMI record, inspects the logo and certificate it points to, and reports anything that would stop the logo from showing.

When everything is in place, the logo appears in the slot most mail apps reserve for a sender avatar: the round image next to the subject line in the inbox list and at the top of an open message. Gmail, Yahoo Mail, AOL Mail, and Apple Mail all participate, each with slightly different certificate rules covered below. Some providers go further and add a verified checkmark next to the sender name when the logo is backed by a Verified Mark Certificate. Microsoft is the notable absentee: its mailboxes do not display BIMI logos at all.

The appeal is twofold: a recognizable logo in a crowded inbox makes legitimate mail easier to spot, and because the only way to qualify is to lock your domain down with a strict DMARC policy, BIMI doubles as an incentive program for better authentication across the email ecosystem.

The Hard Prerequisite: DMARC at Enforcement

Before a single BIMI tag matters, your domain must publish a DMARC policy at enforcement. That means the p= tag in your DMARC record must be quarantine or reject. A monitoring-only policy of p=none disqualifies the domain completely, no matter how perfect the BIMI record and logo are. The logic: the logo is a trust signal, and providers will not vouch for a domain that has not committed to blocking its own impersonators. If your domain fails at this step, fixing DMARC comes first.

Three details trip people up. First, enforcement must cover subdomains: if your organizational domain's record relaxes the subdomain policy with sp=none, providers treat the domain as not enforced, since attackers could simply spoof a subdomain. Under the current DMARC specification the same thinking extends to the np tag, which controls non-existent subdomains. Second, older advice about setting pct=100 is now obsolete — the pct tag was removed in the updated DMARC standard, so enforcement can no longer be diluted by percentage. Third, each message must actually pass DMARC with an aligned SPF or DKIM identifier, or it will never earn a logo regardless of your published policy.

Anatomy of a BIMI Record

A BIMI record is an ordinary DNS TXT record published at a special hostname: a selector, followed by the label _bimi, followed by your domain. Almost everyone uses the default selector, so the record lives at default._bimi.yourdomain.com. Selectors let a domain publish multiple logos — separate brands on one domain, for example — chosen per message with a BIMI-Selector header, but most senders need only a single default record.

The record itself uses just three tags. v declares the version and must be BIMI1; it has to be the first tag in the record. l is the location tag: an HTTPS URL pointing to your logo as an SVG file. a is the optional authority evidence tag: an HTTPS URL pointing to a PEM file containing your Verified Mark Certificate or Common Mark Certificate. Both URLs must use HTTPS — plain HTTP is invalid. One special case: an empty l= value (v=BIMI1; l=;) is an explicit declaration that the domain does not participate in BIMI — a deliberate opt-out, not a broken record.

A Worked Example, Tag by Tag

Here is a realistic record as the checker above would see it after looking up default._bimi.example.com: v=BIMI1; l=https://assets.example.com/brand/logo.svg; a=https://assets.example.com/brand/certificate.pem. The v=BIMI1 portion identifies the record type and version, exactly as v=spf1 and v=DMARC1 do for their protocols — if it is missing, misspelled, or not first, receivers ignore the entire record. The l= URL is where the receiver fetches the logo; it must serve a compliant SVG over HTTPS from a host that does not block automated clients. The a= URL serves the certificate chain in PEM format; the certificate embeds a copy of the logo, which receivers compare against the file at l= to confirm the two match.

When a participating provider receives a message from example.com, the sequence runs: confirm the message passes DMARC and the domain's policy is at enforcement, look up the BIMI record using the selector, download the SVG and validate it against the strict logo profile, then — where the provider requires it — validate the certificate, checking that it chains to an approved certificate authority, has not expired, and covers the sending domain. Only if every step succeeds, and the domain's sending reputation is good, does the logo render; any single failure silently falls back to a generic avatar.

Reference: BIMI Tags and Logo Requirements

The table below summarizes the three record tags alongside the requirements your logo and certificate must meet — a pre-flight list before publishing or when interpreting results from the checker above.

Building a Compliant SVG: The Tiny 1.2 P/S Profile

BIMI does not accept just any SVG. Logos must conform to SVG Tiny 1.2 Portable/Secure — usually written SVG Tiny P/S — a deliberately restricted profile created for BIMI. The restrictions exist because mail clients render the logo automatically for every message: scripts, external resource loading, or interactivity would hand attackers a way to run code or track users straight from the inbox, so the profile strips SVG down to static vector artwork and nothing else.

In practice, a compliant file must declare version="1.2" and baseProfile="tiny-ps" on the root <svg> element, must include a <title> element (conventionally your brand name), and must not contain scripts, event handlers, animation, embedded raster images, hyperlinks, or references to any external resource. The root element may not carry x or y attributes. Beyond the hard rules, providers publish strong recommendations: keep the file at or below 32 kilobytes, use a square canvas with the mark centered, and prefer a solid background color, because the logo is usually cropped into a circle and transparency can render unpredictably against different themes.

Producing such a file takes one extra step, because mainstream design tools do not export this profile directly. The usual workflow: export a plain SVG from your design tool, open it in a text editor, set the version and base profile attributes on the root element, add the <title>, and delete anything the profile forbids — editor metadata, style imports, and stray attributes. Free converters maintained by the email industry can automate the cleanup. Whichever route you take, validate the result before publishing; the checker above flags profile violations that providers would otherwise reject silently.

VMC vs CMC: Certificates and the Trademark Question

A Verified Mark Certificate, or VMC, is a special X.509 certificate issued by a small number of approved certificate authorities. To get one, you must prove your logo is a registered trademark owned by your organization; the certificate authority verifies the registration with the trademark office, performs identity checks, and embeds the logo image into the certificate itself. Registered word or design marks from major national and regional trademark offices are accepted. Published as a PEM file at your a= URL, the certificate lets a mailbox provider confirm cryptographically that the logo genuinely belongs to the sending brand.

The trademark requirement is the steepest part of that climb, so a second certificate type exists: the Common Mark Certificate, or CMC. A CMC drops the trademark requirement and instead accepts evidence that the logo has been in continuous use for at least twelve months, typically demonstrated through archived web pages. The organizational vetting still happens, but no trademark registration is needed. The trade-off is status: providers that distinguish between the two reserve their strongest trust indicators for VMC holders.

Provider requirements differ, and this is where most confusion lives. Gmail requires a certificate before it shows a BIMI logo at all: either a VMC or a CMC unlocks the logo, but the blue verified checkmark beside the sender name is reserved for VMC holders. Apple Mail likewise requires a VMC for its branded mail treatment. Yahoo and AOL sit at the other end: they display BIMI logos based on the DNS record and a compliant SVG alone, no certificate required, relying instead on the sender's reputation within their systems. Microsoft mailboxes do not display BIMI logos regardless of certificates. The practical upshot: you can start certificate-free and see your logo at Yahoo and AOL, then add a CMC or VMC when you are ready to cover Gmail and Apple Mail.

Why Your Logo Still Is Not Showing

When the record looks right but the inbox stays generic, work through the usual suspects. The most common cause by far is DMARC: a policy still at p=none, an sp=none escape hatch on the organizational domain, or individual messages failing DMARC because neither SPF nor DKIM produces an aligned pass. Next come logo problems: an SVG that fails the Tiny P/S profile, or a logo URL that redirects, requires cookies, blocks automated fetchers, or serves the wrong content type. Certificate issues follow: an expired VMC, a chain missing its intermediates, a certificate whose embedded logo no longer matches the published SVG, or no certificate at all for a provider that demands one.

Finally, there are causes no record check can see. Providers gate BIMI behind sender reputation, so a new domain or one with spam complaints may have a flawless setup and still show no logo until trust builds. Logos also roll out gradually because of DNS and image caching, so allow time after any change. Some clients show the logo only in certain views or apps, and a recipient who has assigned you a contact photo will see that photo instead. And mail landing in the spam folder never earns a logo — BIMI decorates inbox placement, it does not create it.

Frequently asked questions

Is BIMI an official internet standard?

Not yet. BIMI is specified in an Internet-Draft developed by an industry working group, while the protocols it depends on — SPF, DKIM, and DMARC — are published RFCs. Mailbox providers already implement the draft, so in practice the requirements are stable enough to build on today.

Do I need a VMC to get my logo shown in Yahoo or AOL?

No. Yahoo and AOL display BIMI logos based on a valid record, a compliant SVG, and good sending reputation — no certificate required. A certificate only becomes necessary for Gmail, which accepts a VMC or CMC, and Apple Mail, which requires a VMC.

Can I use a PNG or JPG as my BIMI logo?

No. BIMI accepts only SVG files conforming to the SVG Tiny 1.2 Portable/Secure profile. Raster formats are not supported, and even embedding a raster image inside the SVG is forbidden, so the logo must exist as genuine vector artwork.

My DMARC policy is p=none. Can I still publish a BIMI record?

You can publish it, but no provider will honor it — DMARC at p=quarantine or p=reject is a hard prerequisite. Use the monitoring period to fix authentication for all legitimate mail streams, then move to enforcement; the record you already published will start being evaluated.

What does a BIMI record with an empty l= tag mean?

v=BIMI1; l=; is a declination record: an explicit statement that the domain opts out of BIMI. Organizations publish it to make non-participation unambiguous, which can be useful for domains or subdomains that should never display a logo.

How long after publishing should the logo appear?

There is no fixed timeline. DNS propagation and provider-side caching introduce delays of hours to days, and providers also weigh sending reputation before turning the logo on, which can take longer for newer domains. If the checker above validates everything and sufficient time has passed, reputation is the usual remaining variable.

Does BIMI improve deliverability?

Not directly — the logo is a display feature, not a filtering input. Indirectly it often helps, because qualifying for BIMI forces DMARC enforcement and disciplined authentication, which do influence filtering, and a recognizable logo can lift opens and reduce spam reports over time.