BIMI Explained
What is BIMI?
BIMI (Brand Indicators for Message Identification) is a standard that allows organizations to display their brand logo alongside authenticated emails. By implementing BIMI, domain owners can enhance brand recognition and trust in their email communications.
BIMI works in conjunction with DMARC. To display a BIMI logo, a domain must have a DMARC policy of either
quarantine or reject, and the email must pass DMARC authentication. The BIMI logo is specified in a DNS record and is displayed by email clients that support BIMI when the email is authenticated successfully.To verify ownership of the logo, some email providers (Google/Apple) require a Verified Mark Certificate (VMC). A VMC is a digital certificate issued by a trusted certificate authority that confirms the authenticity of the brand logo.
BIMI Record
BIMI is published as a DNS TXT record in the
_bimi namespace. The default record for example.com lives at default._bimi.example.com. A typical record points to the brand logo with l= and can optionally point to a mark certificate or other evidence document with a=:v=BIMI1; l=https://static.example.com/brand/example-logo.svg; a=https://static.example.com/brand/example.vmc; avp=brand
The required
v=BIMI1 tag identifies the record as BIMI and must appear first. The required l= tag gives the HTTPS URL for the SVG logo. The optional a= tag points to authority evidence, which in production is often a VMC or CMC hosted over HTTPS. The optional avp= tag lets the sender express whether a participating mailbox provider should prefer the domain brand or a personal avatar when both are available.BIMI also supports multiple selectors, similar to DKIM. If you want a different logo for a specific mail stream, you can publish another record like
marketing._bimi.example.com and reference it with a BIMI-Selector header. If no selector is specified, receivers look up default._bimi first.Some deployments also use
lps= to derive the selector from the sender's local-part. That allows a receiver to choose a different BIMI record based on addresses like alerts@example.com or support@example.com without the sender adding a BIMI-Selector header.How BIMI Works
- Publish strict DMARC: BIMI depends on DMARC enforcement. The sending domain and its organizational domain need a policy of
quarantinewithpct=100orreject, and the message must authenticate successfully. - Publish a BIMI assertion record: Add a TXT record at
default._bimi.yourdomain.comwith at leastv=BIMI1and an HTTPSl=logo URL. It's also recommended to include authority evidence witha=. This will require obtaining a VMC from a certificate authority, which involves verifying your trademarked logo and paying a fee to the certificate authority. - Authenticate the message: The receiving mail system checks SPF, DKIM, and DMARC. BIMI processing is skipped if DMARC does not pass or if the domain policy is too weak.
- Resolve the record: The receiver looks up the sender domain's BIMI TXT record, usually at
default._bimi.example.com. If a custom selector is used, it queries<selector>._bimi.example.cominstead, with fallback to the organizational domain where applicable. - Fetch and validate the logo: The receiver downloads the logo from the HTTPS URL in
l=, validates the SVG, and may also validate the evidence referenced bya=before it decides whether to display the logo.
Important Record Details
- Location: Publish BIMI as a TXT record under
_bimi, usually atdefault._bimi.yourdomain.com. - Required tags:
v=BIMI1must be first andl=is required unless you are explicitly declining to publish with an empty record likev=BIMI1; l=; a=;. - Transport: The BIMI draft requires HTTPS URLs for the logo and for any authority evidence document.
- Image format: Current BIMI deployments generally use SVG Tiny P/Secure Tiny P compatible logos. The draft only allows registered BIMI formats, and today SVG and SVGZ are the relevant ones.
- Selectors: Use selectors when you need different branding for different mail streams, business units, or sending systems.