
What BIMI actually requires (and why it's not a logo placement project)

BIMI's marketing pitch is "a logo next to your name in Gmail." The technical reality is much more interesting — and it starts with DMARC enforcement.

6 min read · by DMARCify team

Field note

BIMI is mostly proof of control: enforced DMARC first, then a compliant SVG, certificate, and DNS record.

BIMI is the standard that puts your brand's logo next to your name in Gmail (and Apple Mail, and a growing list of others). It's a great deliverability signal. It's also, contrary to most marketing pages, not a logo design project — it's an email authentication project that happens to involve a logo at the end.

The requirements, in order of difficulty

  1. DMARC at enforcement. Your domain's _dmarc policy must be p=quarantine or p=reject, with no sp=none loophole on subdomains. If you're at p=none, BIMI ignores you. This is by design — BIMI piggy-backs on DMARC enforcement to prevent logo impersonation.
  2. An SVG Tiny PS logo. Not a PNG, not a regular SVG — a particular subset of SVG called "Tiny Portable/Secure." Square 1:1 aspect ratio, no scripts, no external references. Any vendor that produces a real BIMI logo (your brand agency, or a paid tool) will give you this.
  3. A Verified Mark Certificate (VMC) — for Gmail. Gmail specifically requires a cryptographic certificate proving your organisation owns the trademark on the logo. Issued by DigiCert or Entrust. €1.5–2k/year. Apple Mail and Fastmail do not require this. Gmail's reach makes it worth the money for most B2C brands.
  4. A BIMI DNS record. One TXT record at default._bimi, pointing at the SVG URL and (if you have a VMC) the certificate URL.

BIMI readiness checklist

  • The organizational domain is at p=quarantine or p=reject.
  • Subdomain policy does not leave a broad sp=none loophole.
  • The logo exists as SVG Tiny Portable/Secure.
  • The VMC requirement is understood for Gmail-facing launch plans.
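
The DNS-visible half of the requirements and checklist above (items 1 and 4) can be checked mechanically. The following is an added example, not DMARCify's code: it parses a DMARC record and a BIMI record given as strings and reports what blocks BIMI. The sample records, the example.com URLs, and the function names are constructed for illustration; the `v=BIMI1`, `l=` (logo URL) and `a=` (certificate URL) tags come from the BIMI record format, and the example assumes both URLs must be HTTPS.

```python
# Added example: checks constructed TXT record strings, performs no DNS lookups.

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercased tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (problems, has_vmc). An empty problems list means the records pass."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    policy = dmarc.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy} is not enforcement")
    # An absent sp inherits p, so only an explicit sp=none is the loophole.
    if dmarc.get("sp", "").lower() == "none":
        problems.append("sp=none leaves subdomains unenforced")

    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
    if not bimi.get("l", "").lower().startswith("https://"):
        problems.append("l= must be an HTTPS URL for the SVG logo")
    # a= is optional: without a VMC the record can still serve non-Gmail clients.
    cert = bimi.get("a", "")
    if cert and not cert.lower().startswith("https://"):
        problems.append("a= must be an HTTPS URL for the certificate")
    return problems, bool(cert)

# Constructed sample records (example.com is a placeholder domain).
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

if __name__ == "__main__":
    print(bimi_readiness(SAMPLE_DMARC, SAMPLE_BIMI))
    print(bimi_readiness("v=DMARC1; p=reject; sp=none",
                         "v=BIMI1; l=https://example.com/logo.svg; a=;"))
```

A passing result here says nothing about the SVG Tiny PS profile or the certificate's validity; those still need to be checked against the actual files.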

Why DMARC enforcement is the hard part

Steps 2–4 are mechanical: hire a vendor, buy a certificate, publish a record. Step 1 — the DMARC ramp — is the part that actually requires understanding your mail estate. Anyone sending email on your domain without proper DKIM signing will start being quarantined or rejected the moment you cross into enforcement, BIMI or no BIMI.

Which is why we say: BIMI is a side effect of doing DMARC properly. Run the ramp described in our p=reject playbook, get to p=reject, and BIMI is a checkbox.

What you don't need

  • A new logo. If your existing logo is reasonably square and trademarked, you can usually convert it. Talk to your design vendor.
  • An "expert-only" platform. Once DMARC is at p=reject, publishing the BIMI record is a single TXT change.
  • BIMI to be future-proof. The spec is stable. Apple shipped support in iOS 16. Gmail's been doing it since 2021. This isn't a beta.

Where DMARCify fits

We don't issue VMCs, and we don't sell BIMI logos — there are perfectly good vendors for both. We do the part that makes the rest possible: get you to p=reject without dropping legitimate mail, then keep an eye on your alignment so it stays there.
