What are the essential requirements for BIMI?

BIMI requires that your domain has SPF and DKIM correctly configured and passing DMARC alignment. Your DMARC policy must be set to p=quarantine or p=reject . Additionally, you need an SVG Tiny 1.2 formatted logo and, for major providers like Google and Yahoo , a Verified Mark Certificate (VMC) for your trademarked logo. Finally, a BIMI DNS TXT record must be published for your domain.

Why isn't my BIMI logo showing up even after setting it up?

The most common reasons are DMARC policy not being at an enforcement level (still p=none ), SPF or DKIM authentication failures preventing DMARC alignment, an invalid or expired Verified Mark Certificate (VMC), or an improperly formatted SVG logo file .

How can I troubleshoot DMARC authentication failures impacting BIMI?

Begin by reviewing your DMARC aggregate reports to pinpoint any SPF or DKIM authentication failures. Ensure all legitimate sending sources (like your email service provider) are properly configured. Validate your BIMI DNS TXT record, check your SVG file for errors , and confirm your VMC is active and correctly linked. Tools for validating BIMI records can help identify specific issues.

What are the requirements for BIMI, and how do I troubleshoot authentication failures? - Troubleshooting - Email deliverability - Knowledge base

Brand Indicators for Message Identification (BIMI) is a powerful email standard designed to enhance brand recognition and trust by displaying your logo next to your sender name in the inbox. While its benefits are clear, successfully implementing BIMI can involve navigating specific technical requirements and troubleshooting authentication failures.

Understanding these requirements and having a clear troubleshooting process is essential to ensure your logo appears consistently. I will walk through what BIMI needs to work and how to address common issues that might prevent your logo from showing up in recipients' inboxes.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

What are the core BIMI requirements?

The foundation of BIMI rests squarely on robust email authentication protocols. For your BIMI logo to display, your domain must successfully pass SPF, DKIM, and DMARC checks. DMARC, in particular, is critical because it dictates how receiving mail servers should handle emails that fail authentication. For BIMI, your DMARC policy (the p= tag in your DMARC record) must be set to either quarantine or reject, not none. This signals to mailbox providers that your domain actively enforces its authentication policies, which is a prerequisite for BIMI adoption.

Beyond authentication, your logo itself has specific requirements. It must be in SVG Tiny 1.2 format, a constrained version of the SVG standard. This ensures proper rendering and security across different email clients. Crucially, for major mailbox providers like

Google and

Yahoo, your logo must be accompanied by a Verified Mark Certificate (VMC). A VMC is a digital certificate that proves your ownership of the logo and that it is a registered trademark. You can find more details on VMC requirements and accredited certificate authorities from the BIMI Group FAQs.

Finally, all these elements—your SVG logo and VMC—are referenced in a BIMI DNS TXT record published for your domain. This record acts as the bridge, telling participating mail servers where to find your authenticated logo. Properly configuring this record is a key part of the BIMI implementation process.

The critical role of email authentication

BIMI's very existence depends on the successful authentication of your emails. Without proper SPF, DKIM, and DMARC alignment, your BIMI logo will not appear, regardless of whether you have a valid VMC or correctly formatted SVG. This is because BIMI builds upon the trust established by these underlying protocols.

SPF and DKIM failures are common culprits when a BIMI logo doesn't show up. An SPF failure can occur if your sending server's IP address isn't authorized in your SPF record, or if you exceed the 10 DNS lookup limit. DKIM failures often stem from incorrect private keys, modifications to the email content in transit, or issues with the DKIM selector in your DNS. When either SPF or DKIM fails to align with your DMARC policy, the DMARC check fails, and with it, your BIMI eligibility.

Successful authentication

Logo display: Your Gmail, Outlook, and AOL logos will display, increasing brand visibility.
Enhanced trust: Recipients quickly recognize your brand, reducing phishing risks and improving perception.
Deliverability impact: While BIMI itself doesn't directly improve deliverability, the underlying strong authentication (DMARC at enforcement) ensures your legitimate emails reach the inbox.

Failed authentication

No logo display: Your logo will not appear, even if other BIMI requirements are met.
Reduced trust: The absence of your logo can make emails look less legitimate, potentially leading to lower engagement.
Deliverability impact: Failed authentication, particularly DMARC, significantly increases the risk of emails landing in the spam folder or being rejected entirely.

It is crucial to resolve all underlying authentication failures before expecting your BIMI logo to consistently appear.

Common BIMI authentication failures and troubleshooting

Even with a seemingly correct setup, your BIMI logo might not display due to subtle authentication failures or misconfigurations. Common issues include DMARC policy not being at enforcement (i.e., p=none), incorrect SVG format, or an invalid VMC.

Initial troubleshooting checklist

Verify DMARC policy: Ensure your DMARC record is set to p=quarantine or p=reject. Some providers might not display the logo if the policy is at p=none, particularly Gmail.
Check SVG file validity: Use a BIMI SVG validator to ensure your logo adheres to the SVG Tiny 1.2 specification, including base64 encoding and specific security attributes.
Validate VMC: Confirm your Verified Mark Certificate is current, issued by a recognized certificate authority (CA), and properly referenced in your BIMI record. Google's support documentation provides additional details.
Check DMARC alignment: Ensure your From domain aligns with either your SPF or DKIM domains. This is fundamental for DMARC to pass.
Review BIMI DNS record: Double-check the syntax and values in your BIMI TXT record, including the v= and l= tags.

A common scenario involves multiple sending services, like a marketing platform (e.g., HubSpot) and an internal email system (e.g., Google Workspace). Each service needs to be properly configured for SPF and DKIM, and critically, achieve DMARC alignment. If one service fails to align, it can cause authentication failures for a portion of your email traffic, impacting BIMI display. For instance, if HubSpot sends emails but isn't correctly configured to sign with your domain's DKIM keys, those emails will likely fail DMARC.

Example BIMI DNS TXT Record

v=BIMI1;l=https://yourdomain.com/bimi/logo.svg;a=https://yourdomain.com/bimi/vmc.pem;

Another area for troubleshooting is the logo itself or the VMC. The SVG file might have hidden errors, unsupported elements, or incorrect XML declarations, even if it looks fine in a browser. Likewise, an expired VMC, or one issued by a non-recognized CA, will prevent BIMI from working. Always ensure your VMC is active and from an approved provider.

Advanced troubleshooting and ongoing monitoring

The key to successful BIMI deployment and troubleshooting is diligent, ongoing monitoring of your DMARC reports. These reports provide invaluable insights into your email authentication performance, detailing which emails passed or failed SPF and DKIM, and why. By analyzing these reports, you can identify legitimate sending sources that might be misconfigured and distinguish them from malicious spoofing attempts.

Moving to an enforcement policy (quarantine or reject) for DMARC should be an iterative process, typically after at least 30 days of monitoring at p=none. This allows you to identify and resolve any authentication issues with your legitimate sending sources. Tools and services that parse DMARC aggregate reports are invaluable for this stage, providing clear, actionable data. You might encounter a small percentage of unauthenticated emails due to factors outside your control, and that's generally acceptable as long as your primary sending volume is compliant.

DMARC policy	Impact on email authentication	BIMI support
p=none	Monitors email authentication without enforcing any action on failed messages.	Not sufficient for BIMI display, as it lacks enforcement.
p=quarantine	Instructs receiving servers to move emails that fail DMARC to the recipient's spam or junk folder.	Required for BIMI display by most major providers, including Google.
p=reject	Instructs receiving servers to completely block emails that fail DMARC authentication.	Also sufficient for BIMI display and provides the highest level of brand protection against spoofing. More information on avoiding BIMI pitfalls is available.

By addressing these authentication challenges, you lay the groundwork for a successful BIMI implementation and ensure your brand's visual identity is consistently displayed in the inbox.

Views from the trenches

Best practices

Monitor your DMARC reports for a minimum of 30 days to capture a full cycle of email campaigns and identify all legitimate sending sources.

Ensure your DMARC policy is set to at least 'quarantine' (p=quarantine) for your organizational domain before expecting BIMI to display.

Verify that your logo is trademarked in an accepted jurisdiction and obtain a Verified Mark Certificate (VMC) from an accredited Certificate Authority.

Regularly validate your BIMI SVG file to ensure it complies with the SVG Tiny 1.2 specification and does not contain any unsupported elements or errors.

Common pitfalls

Expect your BIMI logo to display without having your DMARC policy at 'quarantine' or 'reject' for your domain.

Underestimate the importance of comprehensive DMARC monitoring; insufficient data can lead to legitimate emails being quarantined or rejected.

Using a logo that is not trademarked or obtaining a VMC from a non-accredited Certificate Authority, as this will prevent BIMI from working with major providers.

Having misconfigured SPF or DKIM records for any of your sending services, leading to DMARC failures and preventing BIMI display.

Expert tips

DMARC monitoring tools are essential for accurately assessing your domain's readiness for an enforcement policy and ensuring all legitimate traffic is authenticated.

Authentication, not BIMI itself, is what truly enhances your email deliverability, ensuring your messages reach the inbox reliably.

While BIMI doesn't directly improve deliverability, studies consistently show that having a prominent brand logo in the inbox significantly increases email engagement and recipient trust.

Consider engaging DMARC consulting experts if you are unsure about moving your policy to enforcement, especially for complex sending environments.

Expert view

Expert from Email Geeks says that Google requires a Verified Mark Certificate, which necessitates a trademarked logo.

November 3, 2023 - Email Geeks

Marketer view

Marketer from Email Geeks notes that low email volume might prevent the BIMI logo from displaying, as mailbox providers often have minimum sending thresholds.

November 3, 2023 - Email Geeks

Ensuring your brand's visibility

Implementing BIMI is a strategic step for enhancing brand trust and visibility in the email ecosystem. It requires a meticulous approach to email authentication, including proper SPF, DKIM, and a DMARC policy enforced at quarantine or reject. While setting it up can be complex, the journey toward BIMI compliance is also a journey toward stronger email security for your brand.

By understanding the core requirements and employing systematic troubleshooting methods, you can overcome authentication failures and ensure your brand logo proudly shines in the inbox, building greater trust with your recipients.