Guide to BIMI Email Standard

How are customers supposed to know if your email is genuine?

Even with SPF, DKIM, and DMARC perfectly in place, email authentication happens behind the scenes, invisible to the people you’re trying to reach. That leaves a trust gap, especially when phishing and brand impersonation are so common.

This is where BIMI (Brand Indicators for Message Identification) comes in. It’s a newer standard that lets organizations display their verified brand logo directly in the recipient’s inbox. By adding a visible layer of trust on top of existing security protocols, BIMI helps users instantly recognize legitimate messages and strengthens brand recognition in the process.

Still, adoption has been slow. Some email clients don’t support BIMI yet, and organizations face a few hurdles in getting it implemented. This article breaks down what BIMI is, how it works, and what to consider before rolling it out.

Summary of key concepts related to BIMI

The table below summarizes the main concepts related to the BIMI email standard that we will cover in this article.

What is BIMI?

BIMI is an email specification that allows brands to display their verified logos alongside the sender's email address field in the recipient’s inbox. This enables readers to quickly verify that an email originates from a genuine and trusted source. 

The idea of displaying brand logos in email inboxes isn’t brand new. Companies like Iconix, Inc. were experimenting with this concept as far back as the early 2000s, even securing patents for it. BIMI builds on those early innovations by creating a standardized, industry-wide approach that integrates with existing email authentication protocols. It was initially introduced in 2018 by the BIMI Working Group, a coalition of leading email companies including Gmail, Yahoo!, SendGrid, and Valimail. 

Gmail was one of the earliest email providers to adopt BIMI, initially in the pilot phase from 2019 to 2020, and then officially released it to all Gmail users in 2021. Major email providers, including Apple, Yahoo!, AOL, Comcast, and Fastmail, have also adopted the trend. Since May 2023, Gmail has begun adding a blue checkmark next to the sender’s domain name for organizations that pass the DMARC verification in addition to the standard organization logo (BIMI).

Gmail's adoption of BIMI by showing a brand logo and blue checkmark (source)

It is worth emphasizing that BIMI doesn’t provide any technical email security enhancement. Instead, it builds upon existing SPF, DKIM, and DMARC protocols and can be considered an additional layer of email security. By using BIMI, organizations not only increase brand recognition and boost email engagement but also demonstrate to their clients that they take email security seriously, as BIMI requires the implementation of SPF, DKIM, and strict DMARC to function effectively.

Implementing BIMI

Before an organization can use BIMI, it needs to go through several steps:

Acquire a Verified Mark Certificate (VMC)

A VMC is a digital certificate issued by an authorized certificate authority (CA) after an organization verifies its identity and proves ownership of a trademark/logo. Obtaining the VMC is not a trivial process and comes with a yearly cost of around $120-$1500. However, once acquired, all email providers recognize the legitimacy of the trademark logo and append the logo to all emails received from your organization.

Create an SVG logo

The SVG logo must comply with BIMI specifications and be in a specific format, such as SVG Tiny 1.2, with a file size not exceeding 32KB. The BIMI group offers an SVG conversion tool to assist in generating a compliant SVG logo.

Implement DMARC in strict mode

BIMI specifications require that organizations implement DMARC in strict mode, e.g., p=reject or p=quarantine mode. While technical DMARC implementation is not in the scope of this article, the reader can refer to our separate article for more information. 

Create a DNS TXT record

Similar to DKIM, the domain owner should create a new DNS TXT record for BIMI. This record needs to follow a specific naming convention: default._bimi.domain-example.com. 
The DNS record must contain the following three tags/elements:

1. v → BIMI version, currently BIMI1
2. l → URL to the location of a BIMI-compliant SVG logo of your organization
3. a → URL to the location where the VMC digital certificate is hosted

How BIMI works

Once your organization has completed the necessary setup steps, here’s what happens when you send an email:

1. The receiving mail server first checks your email using DMARC to make sure it is legitimate. 
2. If the DMARC check passes, the server then looks for the special DNS TXT record that contains your BIMI information and verifies your VMC digital certificate (if you have one). 
3. If everything checks out, the server retrieves your verified SVG logo from that same DNS record and displays it next to your email in the recipient’s inbox.

BIMI Email example from Bank of America in a Gmail inbox (source)

Benefits of using BIMI

While SPF, DKIM, and DMARC do the “heavy lifting” when it comes to verifying the legitimacy of an email behind the scenes, BIMI also provides additional benefits that help improve brand reputation/trust and email security.

Enhances email security posture

To use BIMI, organizations must comply with its specifications, which require implementing DMARC with a policy set to either p=reject or p=quarantine. Since DMARC can only work if SPF and/or DKIM are also implemented, this indirectly forces organizations to implement these two email authentication protocols as well, greatly enhancing their email security posture. 

Improves email deliverability

Beyond email content, modern mail servers assess the sender’s domain reputation and the use of authentication protocols, including SPF, DKIM, and DMARC. By implementing BIMI, an organization demonstrates a strong commitment to email security, having adopted all three protocols and completed a verification process to confirm logo ownership. This boosts credibility and can positively influence deliverability rates.

Boosts brand trust and recognition

SPF, DKIM, and DMARC verification results are typically not visible to email recipients. BIMI enhances this by displaying your organization’s verified logo directly in the inbox, helping to promote your brand while building trust and recognition with recipients over time.

Challenges and considerations

Despite the valuable benefits that BIMI provides, its implementation doesn’t come without certain challenges/considerations:

VMC verification

To obtain a VMC, an organization must complete a formal verification process. Additionally, this verification typically costs around $1,500 and must be renewed each year. Your organization can avoid this by creating a “self-asserted” BIMI record that leaves the “a” tag empty. However, email providers may not recognize it as valid and may not display your logo.

Email providers' adoption

Although many major email providers already support BIMI, this is not the case for all of them. For example, Microsoft Outlook (desktop version) is a major email provider that currently doesn’t support BIMI. 

Logo requirements

BIMI specifications require that the logo meet specific criteria, including being a square, vector-based image in SVG Tiny 1.2 format, with a file size not exceeding 32KB. Although the requirements may seem extensive, numerous tools and websites are available to help create BIMI-compliant logos.

DMARC required in strict mode

BIMI can only work if DMARC is enforced in strict mode. While this is done to incentivize companies to adopt DMARC and improve email security, a rushed implementation of DMARC might lead to email deliverability issues. The time needed to properly test DMARC before switching it to reject/quarantine mode might delay BIMI’s implementation. 

IRONSCALES offers a fully hosted BIMI solution integrated into our DMARC platform, handling everything from DNS record setup and logo/VMC support to DMARC alignment—so you can meet all technical requirements without the complexity. Our service streamlines implementation, enhances brand visibility, and ensures you are prepared for BIMI across major email clients.