Cybersecurity Glossary

What is BIMI (Brand Indicators for Message Identification)?

Written by IRONSCALES | May 29, 2026 12:00:00 PM

BIMI Explained

BIMI (Brand Indicators for Message Identification) is an email specification that enables domain owners to display a verified brand logo next to authenticated messages in recipient inboxes. It sits at the top of the email authentication stack, building on SPF, DKIM, and DMARC to add a visual trust signal that recipients can recognize before opening a message. BIMI is not an authentication protocol itself. It is a coordination layer that rewards organizations for achieving DMARC enforcement by making their brand visually present in the inbox.

How BIMI Works

BIMI operates through a DNS-based publishing mechanism and a verification chain that mailbox providers evaluate at delivery time:

  • DMARC enforcement. The sending domain must have a DMARC policy set to p=quarantine or p=reject. Domains with p=none (monitoring only) do not qualify. This requirement ensures that only domains actively preventing unauthorized email use can display a logo.
  • Logo preparation. The brand logo must be a square image in SVG Tiny P/S (Portable/Secure) format, a restricted SVG profile that prevents embedded scripts and external references. The file must be under 32 KB and hosted over HTTPS.
  • DNS TXT record. The domain owner publishes a BIMI Assertion Record as a TXT entry at default._bimi.[domain]. This record contains two required fields: v=BIMI1 (the version tag) and l= (an HTTPS URI pointing to the hosted SVG logo file). An optional a= field specifies the location of a certificate that validates logo ownership.
  • Mailbox provider verification. When a message arrives, the receiving mail server checks DMARC alignment. If the message passes at enforcement level, the server queries the sender's BIMI DNS record, fetches the SVG logo, and (where required) validates the associated certificate. If all checks pass, the logo appears next to the message in the recipient's inbox.

BIMI Certificate Types and Provider Support

Not all mailbox providers evaluate BIMI the same way. The key variable is whether the provider requires a digital certificate to validate logo ownership:

  • Verified Mark Certificate (VMC). A VMC proves logo ownership based on a registered trademark. Certificate authorities including DigiCert, Entrust, and GlobalSign issue VMCs. Gmail and Apple Mail require a VMC or its alternative (a CMC) before displaying a BIMI logo.
  • Common Mark Certificate (CMC). Introduced as an alternative for organizations whose logos are not registered trademarks, a CMC validates logos with over a year of verifiable commercial use. CMCs offer a lower barrier to entry than VMCs while still providing certificate-backed verification.
  • Self-asserted BIMI. Yahoo Mail and Fastmail display BIMI logos based on the DNS record alone, without requiring a VMC or CMC. This path is free but provides less assurance to the mailbox provider about logo legitimacy.

Microsoft Outlook and Exchange Online do not currently support BIMI. Among providers that do support the standard, Gmail represents the largest deployment, making its VMC/CMC requirement the practical baseline for most organizations pursuing BIMI.
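The verification chain from "How BIMI Works" and the provider differences just described, as an added Python example that is not IRONSCALES code. It models the decision a mailbox provider makes at delivery time: DMARC enforcement and pass first, then the default._bimi record, then the logo constraints, then the VMC/CMC requirement that differs by provider. The DNS record text, the logo size, the certificate-validity flag and the provider policy table are constructed inputs for illustration (a real receiver queries DNS, fetches the SVG and validates the certificate chain itself); the record is built only from the v=, l= and a= tags the page describes.

```python
# Added example, not IRONSCALES code: a model of the BIMI decision chain a
# mailbox provider walks at delivery time. DNS lookups, the logo fetch and
# certificate validation are replaced by constructed inputs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

MAX_LOGO_BYTES = 32 * 1024  # the SVG Tiny P/S logo must stay under 32 KB


def parse_bimi_record(txt: str) -> Dict[str, str]:
    """Split a BIMI Assertion Record into its tag=value pairs (';' separated)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag in BIMI record: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_bimi_record(tags: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the record is usable."""
    problems: List[str] = []
    if tags.get("v") != "BIMI1":
        problems.append("missing or unsupported version tag (expected v=BIMI1)")
    logo = tags.get("l", "")
    if not logo:
        problems.append("l= missing or empty: no logo asserted for this domain")
    elif urlparse(logo).scheme != "https":
        problems.append("logo URI must be served over https")
    cert = tags.get("a", "")
    if cert and urlparse(cert).scheme != "https":
        problems.append("certificate URI must be served over https")
    return problems


@dataclass(frozen=True)
class ProviderPolicy:
    name: str
    supports_bimi: bool
    requires_certificate: bool  # VMC or CMC needed before the logo is shown


# Constructed from the provider behaviour described on this page.
PROVIDERS: Dict[str, ProviderPolicy] = {
    "gmail": ProviderPolicy("Gmail", True, True),
    "apple": ProviderPolicy("Apple Mail", True, True),
    "yahoo": ProviderPolicy("Yahoo Mail", True, False),
    "fastmail": ProviderPolicy("Fastmail", True, False),
    "outlook": ProviderPolicy("Microsoft Outlook", False, False),
}

# Constructed sample records for a hypothetical domain (example.com).
RECORD_WITH_CERT = ("v=BIMI1; l=https://example.com/bimi/logo.svg; "
                    "a=https://example.com/bimi/vmc.pem")
RECORD_SELF_ASSERTED = "v=BIMI1; l=https://example.com/bimi/logo.svg;"


def bimi_decision(provider: ProviderPolicy, dmarc_policy: str, dmarc_pass: bool,
                  record_txt: Optional[str], logo_size: int,
                  cert_valid: bool) -> Tuple[bool, str]:
    """Walk the chain in order; the first failing step decides the outcome."""
    if not provider.supports_bimi:
        return False, f"{provider.name} does not evaluate BIMI"
    if dmarc_policy not in ("quarantine", "reject"):
        return False, f"DMARC policy p={dmarc_policy} is not at enforcement level"
    if not dmarc_pass:
        return False, "message failed DMARC alignment"  # spoofed mail stops here
    if record_txt is None:
        return False, "no BIMI assertion record at default._bimi.<domain>"
    tags = parse_bimi_record(record_txt)
    problems = validate_bimi_record(tags)
    if problems:
        return False, "; ".join(problems)
    if logo_size >= MAX_LOGO_BYTES:
        return False, "logo exceeds the 32 KB limit"
    if provider.requires_certificate:
        if not tags.get("a"):
            return False, f"{provider.name} requires a VMC/CMC but the record has no a= tag"
        if not cert_valid:
            return False, "VMC/CMC did not validate"
    return True, "logo displayed"


if __name__ == "__main__":
    scenarios = [
        ("legitimate mail to Gmail", PROVIDERS["gmail"], "reject", True, RECORD_WITH_CERT, 12_000, True),
        ("spoofed mail to Gmail", PROVIDERS["gmail"], "reject", False, RECORD_WITH_CERT, 12_000, True),
        ("self-asserted record to Gmail", PROVIDERS["gmail"], "reject", True, RECORD_SELF_ASSERTED, 12_000, False),
        ("self-asserted record to Yahoo", PROVIDERS["yahoo"], "quarantine", True, RECORD_SELF_ASSERTED, 12_000, False),
        ("monitoring-only DMARC (p=none)", PROVIDERS["gmail"], "none", True, RECORD_WITH_CERT, 12_000, True),
        ("Outlook recipient", PROVIDERS["outlook"], "reject", True, RECORD_WITH_CERT, 12_000, True),
    ]
    for label, *args in scenarios:
        shown, reason = bimi_decision(*args)
        print(f"{label:32} -> {'LOGO' if shown else 'no logo':7} ({reason})")
```

Run directly, the script prints one line per scenario. The ordering is the point worth noticing: a message is turned away on DMARC enforcement or DMARC failure before the BIMI record is even consulted, which is why a spoofed message never reaches the logo step, and the same self-asserted record yields a logo at Yahoo but not at Gmail, where the missing a= tag fails the certificate requirement.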

Why BIMI Matters for Email Security

BIMI creates a direct incentive for organizations to strengthen their email authentication posture. Because BIMI requires DMARC at enforcement level, adopting BIMI means closing the authentication gaps that enable email spoofing and domain spoofing. The logo itself serves as a visual indicator of authentication status: if the logo appears, the message passed DMARC. If it does not, the recipient has a visible cue that something may be wrong.

From a brand protection perspective, BIMI makes impersonation harder. Attackers spoofing a domain that has BIMI implemented will fail DMARC checks, and their messages will not display the brand logo. This asymmetry gives recipients a quick, visual way to distinguish legitimate messages from fakes, without inspecting message headers or authentication results manually.

BIMI Protection from IRONSCALES

IRONSCALES DMARC management helps organizations achieve and maintain the enforcement-level DMARC policy (p=quarantine or p=reject) required as a prerequisite for BIMI implementation.
