EmailAudit.io
Email Authentication · 7 min read · EmailAudit.io Security Team

BIMI Setup Guide: How to Display Your Logo in Gmail and Apple Mail

BIMI (Brand Indicators for Message Identification) displays your company logo next to authenticated emails in Gmail, Apple Mail, and Yahoo. Here's how to set it up — and what you need in place first.

The short answer: BIMI (Brand Indicators for Message Identification) is a DNS-based standard that displays your company logo next to authenticated emails in Gmail, Apple Mail, and Yahoo. To activate it, your domain needs DMARC at p=quarantine or p=reject, valid SPF and DKIM, an SVG logo in the SVG Tiny PS format, and — for Gmail specifically — a Verified Mark Certificate (VMC) from an accredited authority, which costs approximately $1,200–$1,500/year and requires a registered trademark. Get authentication right first; BIMI is the brand layer you add after.

BIMI (Brand Indicators for Message Identification) is an email standard that displays your company logo next to authenticated emails in supporting mail clients. In Gmail, it appears as the sender icon. In Apple Mail, it shows as a verified logo badge. In Yahoo Mail, it's been supported since 2021.

It's a visible trust signal — an authenticated domain with your logo attached is harder to impersonate and immediately recognisable in a crowded inbox.

This guide covers what BIMI requires, how to set it up step by step, and what the Verified Mark Certificate (VMC) requirement means for your budget.


What BIMI Actually Does

When you send an email from a BIMI-enabled domain, supporting mail clients replace the generic initial avatar with your actual company logo. The logo appears without the recipient having to add you to their contacts.

Supported clients:

  • Gmail (personal and Workspace accounts)
  • Apple Mail (iOS 16+ and macOS Ventura+)
  • Yahoo Mail
  • Fastmail
  • Zoho Mail

Not yet supported:

  • Microsoft Outlook (as of 2026)

The Outlook gap is significant — it's still the dominant client in enterprise environments. BIMI is most impactful for B2C companies or B2B businesses where decision-makers use Gmail or Apple Mail.


Prerequisites: What You Need Before BIMI Will Work

BIMI is the reward for getting email authentication right. It will not work unless all of the following are in place first.

1. DMARC at p=quarantine or p=reject

This is the hard requirement. BIMI only activates for domains with an enforced DMARC policy — p=none (monitoring mode) does not qualify.

If your DMARC is currently at p=none, you need to work through the monitoring phase first. That means identifying every legitimate sender from your domain, ensuring each one passes SPF and DKIM, and then progressing to enforcement. See the DMARC policy progression guide for the safe path through each stage.

Check your current DMARC status with the free DMARC Checker — it shows your policy level and whether you're eligible for BIMI.

2. SPF and DKIM Correctly Configured

Your domain needs valid, passing SPF and DKIM records. DMARC passes only when at least one of them passes and is aligned with the domain in the From header. For most domains, both should pass.

If you're missing either, the SPF Checker and DKIM Validator will show what's failing. The SPF Generator and DKIM Generator let you build the correct records from scratch.

3. An SVG Logo in the Correct Format

BIMI requires a specific SVG format:

  • File type: SVG Tiny PS (a restricted SVG subset)
  • Aspect ratio: Square (1:1)
  • Background: Must have a solid background colour (not transparent)
  • Hosted at: A publicly accessible HTTPS URL

The SVG Tiny PS format is more restrictive than standard SVG. It doesn't support gradients, filters, or external fonts. If your brand SVG uses any of these, it needs to be simplified first.

Most vector design tools (Illustrator, Figma with the right export plugin) can export to a compatible format. There are also online BIMI SVG validators that check compliance.
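
A local pre-check for the constraints listed above, as an added example (not EmailAudit.io's tooling): it flags gradients, filters, a non-square viewBox and references that leave the file. The baseProfile="tiny-ps" check is taken from the SVG Tiny PS profile rather than from this page, and background colour and full profile conformance are not checked.

```python
# Added example: heuristic pre-check only, not a full SVG Tiny PS validator.
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
BANNED = {"linearGradient", "radialGradient", "filter"}  # named on this page

# Constructed sample files.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            'baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example</title>'
            '<rect width="100" height="100" fill="#003366"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 100">'
           '<defs><linearGradient id="g"/></defs>'
           '<image xlink:href="https://cdn.example/logo.png"/></svg>')


def local_name(qname):
    """Strip the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_text):
    """Return a list of problems; an empty list means none were found."""
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DOCTYPE/ENTITY declarations refused (entity expansion risk)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    # Assumption: this attribute comes from the SVG Tiny PS profile, not this page.
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    try:
        _, _, width, height = map(float, root.get("viewBox", "").replace(",", " ").split())
        if width <= 0 or width != height:
            problems.append("viewBox is not square")
    except ValueError:
        problems.append("viewBox missing or malformed")
    for element in root.iter():
        if local_name(element.tag) in BANNED:
            problems.append(f"<{local_name(element.tag)}> is not allowed")
        for attr, value in element.attrib.items():
            # An href that leaves the file covers external fonts and images.
            if local_name(attr) == "href" and not value.startswith("#"):
                problems.append(f"external reference: {value}")
    return problems
```
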

4. A Verified Mark Certificate (VMC) — Required for Gmail

This is the cost barrier. Gmail requires a Verified Mark Certificate (VMC) — a digital certificate from an accredited authority that validates your trademark ownership. Yahoo and some others support BIMI without a VMC (using a self-asserted mark), but Gmail requires it.

VMC providers include:

  • Entrust — approximately $1,200–$1,500/year
  • DigiCert — similar pricing range

To get a VMC, your logo must be a registered trademark in the jurisdiction where you're applying. The registration process itself can take 12–18 months if you're starting from scratch.

For most SMBs: The VMC cost and trademark requirement make BIMI a medium-term project rather than an immediate one. Set up p=reject first — that's where the security benefit is. BIMI is the brand visibility layer you add once enforcement is solid.


Step-by-Step BIMI Setup

Step 1: Confirm DMARC is at p=quarantine or p=reject

Check your current policy. If you're at p=none, work through the monitoring phase before proceeding. See DMARC policy: none vs quarantine vs reject for the timeline and approach.

Step 2: Prepare Your SVG Logo

Format requirements:

  • SVG Tiny PS format
  • Square aspect ratio
  • Solid background (no transparency)
  • No gradients, filters, or external fonts
  • File hosted at an HTTPS URL you control

Host the file somewhere accessible, for example: https://yourdomain.com/bimi/logo.svg

Step 3: Obtain a VMC (for Gmail support)

If Gmail is important to your audience:

  1. Verify your logo is a registered trademark in the relevant jurisdiction
  2. Contact Entrust or DigiCert and begin the VMC application process
  3. They'll verify trademark ownership and issue a PEM certificate file
  4. Host the certificate at an HTTPS URL: https://yourdomain.com/bimi/logo.pem

If you only need Yahoo and other non-Gmail clients for now, you can publish a BIMI record without a VMC and add the VMC later.

Step 4: Create the BIMI DNS Record

BIMI is published as a TXT record at default._bimi.[yourdomain.com].

Without VMC (Yahoo/Apple Mail support):

default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg"

With VMC (Gmail support):

default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/logo.pem"

Tag breakdown:

  • v=BIMI1 — identifies this as a BIMI record
  • l= — URL of your SVG logo (required)
  • a= — URL of your VMC certificate (required for Gmail)

Add this as a TXT record in your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.). Set TTL to 3600 or your provider's default.

Step 5: Verify the Record is Live

After DNS propagation (up to 48 hours):

  1. Use a BIMI record lookup tool to confirm the record is published at default._bimi.yourdomain.com
  2. Send a test email from your domain to a Gmail account — the logo should appear in place of the initial avatar
  3. If it doesn't appear immediately, wait 24–48 hours — Gmail takes time to begin displaying the logo after the first detection
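
The record checks from Steps 1, 4 and 5 as an added example (not EmailAudit.io's code): it parses a DMARC and a BIMI TXT record and reports what blocks the logo for every client versus Gmail only. The record strings are constructed samples; in practice, paste in the TXT values your lookup tool returns.

```python
# Added example: offline pre-flight check of DMARC and BIMI TXT records.
from urllib.parse import urlparse

# Constructed sample records (not real DNS data).
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
BIMI_WITH_VMC = ("v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; "
                 "a=https://yourdomain.com/bimi/logo.pem")
BIMI_NO_VMC = "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg"
BIMI_HTTP_LOGO = "v=BIMI1; l=http://yourdomain.com/bimi/logo.svg"


def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def bimi_findings(dmarc_txt, bimi_txt):
    """Return (client, problem) pairs; an empty list means ready for Gmail too."""
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)
    found = []
    if dmarc.get("v") != "DMARC1":
        found.append(("all", "no valid DMARC record"))
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        found.append(("all", "DMARC policy is not p=quarantine or p=reject"))
    if bimi.get("v") != "BIMI1":
        found.append(("all", "BIMI record lacks v=BIMI1"))
    if not is_https(bimi.get("l", "")):
        found.append(("all", "l= is not an HTTPS URL"))
    if not bimi.get("a"):
        found.append(("gmail", "no a= tag, so no VMC for Gmail"))
    elif not is_https(bimi["a"]):
        found.append(("gmail", "a= is not an HTTPS URL"))
    return found


if __name__ == "__main__":
    for client, problem in bimi_findings(DMARC_NONE, BIMI_NO_VMC):
        print(f"[{client}] {problem}")
```
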

Common BIMI Issues

Logo doesn't appear in Gmail

The most common reasons: DMARC policy is still p=none, no VMC is present, or the SVG format isn't compliant. Check that your DMARC policy is enforced and the VMC a= tag is included in your BIMI record.

SVG renders incorrectly

Run your SVG through a BIMI SVG validator before hosting it. Common issues: use of gradients, transparent backgrounds, or SVG features not in the Tiny PS subset.

Record published but no logo shown

Check that the SVG and PEM files are accessible via HTTPS from a public URL. If they're behind authentication or return a 404, BIMI won't work.

Logo appears in Yahoo but not Gmail

You likely have a BIMI record without the a= (VMC) tag. Gmail requires the VMC; Yahoo does not.


Is BIMI Worth It Right Now?

For most businesses, the priority order should be:

  1. Get SPF, DKIM, and DMARC to p=reject — this is where the security value is. Spoofed emails are blocked entirely.
  2. Then consider BIMI — it's a brand visibility layer on top of a secure foundation.

If your trademark is registered and you're already at p=reject, a VMC at ~$1,200/year is a reasonable investment for high-volume senders where Gmail inbox branding provides measurable click-through or trust lift.

If you're not yet at p=reject, BIMI is a future milestone. Get there first.


How BIMI Fits Your Authentication Roadmap

Step 1: Add SPF record (list all senders)
Step 2: Enable DKIM signing
Step 3: Publish DMARC with p=none (monitoring)
Step 4: Review aggregate reports, fix failing senders
Step 5: Progress to p=quarantine
Step 6: Progress to p=reject ← security baseline achieved
Step 7: Prepare SVG logo + obtain VMC
Step 8: Publish BIMI record ← brand visibility layer


Check whether your domain meets BIMI's prerequisites — run a free Full Audit at EmailAudit.io. See your DMARC policy level, SPF and DKIM status, and exactly what needs to change before BIMI can be activated. No account required.
