Suped

What are BIMI best practices for domain setup and VMC implementation?

Matthew Whittaker profile picture
Matthew Whittaker
Co-founder & CTO, Suped
Published 30 Apr 2025
Updated 17 Aug 2025
8 min read
Getting a brand logo to appear next to your emails in a recipient's inbox can significantly boost trust and recognition. This visual indicator is powered by Brand Indicators for Message Identification (BIMI), an email standard that works in conjunction with robust email authentication protocols. It allows verified brand logos to be displayed in supporting email clients, providing an immediate visual cue of authenticity to your recipients. The key to successful BIMI implementation lies in understanding the foundational requirements and best practices for domain setup, particularly concerning DMARC and Verified Mark Certificates (VMCs).
Many brands struggle with their logos not showing up, often due to overlooked technical details or a misunderstanding of how BIMI interacts with their existing domain infrastructure. It is essential to ensure that your domain's email authentication is robust, your logo is correctly formatted and hosted, and you have the necessary certifications in place. This guide covers the best practices to help ensure your BIMI implementation is successful, leading to a more secure and visually appealing email presence.

Foundation: DMARC enforcement

BIMI does not operate in isolation, it builds upon established email authentication standards like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and especially Domain-based Message Authentication, Reporting, and Conformance (DMARC). Before you even consider preparing your logo or obtaining a certificate, your domain must have a DMARC policy set to enforcement, meaning either p=quarantine or p=reject. A p=none policy, while useful for monitoring, is insufficient for BIMI to function, as it does not enforce authentication.
The reason for this strict DMARC requirement is simple: BIMI is designed to enhance trust. Without a strong DMARC policy, email clients cannot reliably verify that the emails originate from the claimed sender. This foundational security layer prevents unauthorized parties from displaying your logo, protecting your brand from impersonation and phishing attempts. Therefore, the first best practice is to achieve DMARC enforcement across all your sending domains and subdomains.
  1. Check DMARC policy: Before anything else, ensure your DMARC record is published and your policy is at p=quarantine or p=reject. You can use a free DMARC record generator to assist with this.
  2. Monitor DMARC reports: Regularly review your DMARC reports to identify any legitimate email sources that are not yet authenticated. This ensures all your sending traffic aligns with your policy. DMARC monitoring helps you gain visibility into your email ecosystem.
  3. Ensure alignment: SPF and DKIM must be correctly configured and aligned with your DMARC policy. This means the domain used in your SPF and DKIM records should match the domain in your "From" address.
For domains with multiple subdomains, a DMARC record published at the organizational domain will typically propagate its policy to all subdomains, provided they do not have their own explicit DMARC records. This can simplify management for large organizations. To understand more about how this works, you can review details on implementing DMARC with BIMI on multiple subdomains.

Verified mark certificates (VMCs)

A Verified Mark Certificate (VMC) is a digital certificate that verifies your ownership of a brand logo. While it is possible to set up BIMI without a VMC (often referred to as a self-asserted BIMI record), many major email service providers, including gmail.com logoGmail, require a VMC for your logo to display and for your brand to receive a verified checkmark. This added layer of validation further assures recipients of your email's authenticity.
The primary requirement for obtaining a VMC is that your brand logo must be a registered trademark with a recognized intellectual property office. This is a critical step, as Certificate Authorities (CAs) will verify your trademark ownership before issuing the VMC. Without a registered trademark, you typically cannot obtain a VMC. You can learn more about VMC requirements for BIMI.
Once you have a registered trademark, you'll need to prepare your logo as a Scalable Vector Graphics (SVG) Tiny 1.2 file. This specific SVG format is required by BIMI for its scalability and security features. After creating the SVG, you must host it on a public web server using HTTPS. The URL to this SVG file will be included in your BIMI DNS record. You can find guidance on BIMI requirements and implementation steps.
While yahoo.com logoYahoo Mail supports BIMI without a VMC, it has its own set of requirements for self-asserted records. However, for broader adoption and the highest level of trust, a VMC is strongly recommended, especially given Google's recent emphasis on its use. You can refer to Yahoo's official BIMI guidelines for more specific details on their requirements.

BIMI without VMC

  1. Visibility: Logo display limited to providers like yahoo.com logoYahoo that support self-asserted BIMI records.
  2. Trust: Relies solely on DMARC authentication. No explicit third-party verification of logo ownership.
  3. Cost: No direct cost for certificate acquisition, only internal resource allocation.
  4. Trademark: Trademark registration is often not strictly required, but recommended for future VMC adoption.

BIMI with VMC

  1. Visibility: Logo and verified checkmark displayed by major providers, including google.com logoGoogleapple.com logo and Apple.
  2. Trust: Offers enhanced brand trust and legitimacy due to third-party verification of the logo.
  3. Cost: Involves fees for VMC acquisition from a Certificate Authority (CA).
  4. Trademark: Mandatory requirement for logo to be a registered trademark.

Implementation: DNS record and testing

After establishing DMARC enforcement and acquiring a VMC, the next step is to publish your BIMI DNS record. This record, typically a TXT record, tells email clients where to find your verified logo. It will include information such as the version of BIMI being used, the URL to your SVG logo file, and if applicable, the URL to your VMC file.
Example BIMI DNS TXT RecordDNS
default._bimi TXT "v=BIMI1; l=https://yourdomain.com/your-logo.svg; a=https://yourdomain.com/your-vmc.pem;"
For organizations with multiple brands or subdomains, it's worth noting how BIMI records interact. A BIMI record published at the organizational domain will apply to its subdomains unless a specific subdomain has its own BIMI record. This allows for centralized management but also flexibility if different subdomains require unique logos. For detailed setup instructions, you can refer to how to set up BIMI DNS records for subdomains.
After publishing your BIMI DNS record, it's crucial to test your implementation. Many online tools can validate your BIMI record, SVG file, and VMC. These tools help identify any configuration errors, such as incorrect SVG formatting, invalid VMC links, or DMARC policy issues. Testing ensures that your logo will display as intended across supporting email clients. For more information, please see our guide on validating your BIMI SVG and certificate.

Value of VMCs and choosing a provider

Securing a VMC for your BIMI implementation is an investment, but the benefits often outweigh the costs. The enhanced trust and brand visibility it provides can lead to improved email engagement, higher open rates, and reduced instances of phishing and brand impersonation. While some email clients support BIMI without a VMC, the verified checkmark that accompanies a VMC offers a clear signal of legitimacy to your recipients.
When choosing a Certificate Authority, digicert.com logoDigiCert and entrust.com logoEntrust are two accredited providers. While the core functionality of a VMC from either provider is the same (to verify your logo), differences may exist in their application processes, pricing, and customer support. It is advisable to evaluate both options based on your specific needs and budget. For further insights into which providers are recommended, you can consult our guide to BIMI accredited certificate providers.

Views from the trenches

Best practices
Ensure your DMARC policy is at enforcement (p=quarantine or p=reject) before initiating BIMI.
Obtain a Verified Mark Certificate (VMC) for your trademarked logo to ensure broad display support.
Host your BIMI SVG logo securely on an HTTPS server.
Regularly monitor your DMARC reports to maintain authentication health and identify issues.
Consider a separate, dedicated subdomain for marketing emails, like 'mail.yourdomain.com', for better control.
Common pitfalls
Attempting BIMI with a DMARC policy set to 'p=none' will prevent logo display.
Using a non-trademarked logo will hinder VMC acquisition and limit BIMI adoption.
Incorrect SVG logo format or improper hosting (e.g., HTTP instead of HTTPS) will cause display issues.
Neglecting DMARC reporting can hide underlying email authentication problems.
Not understanding the difference between a domain and a subdomain can lead to incorrect BIMI setup.
Expert tips
Expert from Email Geeks says: "Verify your SVG format strictly; many common issues stem from incorrect SVG Tiny 1.2 compliance."
Expert from Email Geeks says: "Pay attention to your DMARC aggregate reports; they are your best friends for troubleshooting BIMI display issues related to authentication."
Expert from Email Geeks says: "While a VMC is an investment, the brand trust it builds with major mailbox providers like Google and Apple is invaluable for long-term email marketing success."
Expert from Email Geeks says: "Implement BIMI on your organizational domain first to allow inheritance to compliant subdomains, simplifying management."
Expert from Email Geeks says: "Test your BIMI record thoroughly after publication using multiple online validators to catch any discrepancies before launch."
Marketer view
Marketer from Email Geeks says: "I had our IT team add our logo to the Google Group for that domain, but it wasn't displaying in the inbox, leading me to investigate BIMI. I was unsure if enabling BIMI on our parent domain would proliferate to all subdomains, specifically if meetapollo.io, which redirects to apollo.io, was a separate domain or a subdomain."
2024-02-09 - Email Geeks
Expert view
Expert from Email Geeks says: "A VMC at the root will indeed inherit to all compliant subdomains, but your DMARC policy cannot be at p=none; for BIMI to work."
2024-02-09 - Email Geeks

Final thoughts on BIMI and VMC

Implementing BIMI with a VMC is a powerful way to enhance your brand's presence and security in the inbox. It goes beyond mere visual appeal, signaling to both email clients and recipients that your emails are authenticated and trustworthy. While the initial setup requires careful attention to DMARC, trademark registration, SVG formatting, and DNS records, the long-term benefits in brand recognition and email deliverability are substantial.
By following these best practices, you can ensure your BIMI implementation is robust and effective. The journey involves foundational email authentication, strategic VMC acquisition, and meticulous DNS configuration. Investing in BIMI helps protect your brand, improve sender reputation, and ultimately fosters greater recipient trust in your email communications.

Frequently asked questions

DMARC monitoring

Start monitoring your DMARC reports today

Suped DMARC platform dashboard

What you'll get with Suped

Real-time DMARC report monitoring and analysis
Automated alerts for authentication failures
Clear recommendations to improve email deliverability
Protection against phishing and domain spoofing