Suped

Does BIMI require the SVG to be publicly accessible via HTTPS?

Yes, it absolutely does. For BIMI (Brand Indicators for Message Identification) to work correctly, your brand's logo, which must be in SVG format, needs to be hosted on a server that is publicly accessible via a secure HTTPS URL. This is a non-negotiable requirement.

BIMI Group says:
Retrieving an SVG, or VMC, file is done via an HTTPS transaction, the same mechanism used by a browser when loading a web page. The retrieving process contacts the server indicated by the BIMI record to retrieve the files needed.

Without HTTPS, mailbox providers like Gmail and Apple Mail will not fetch or display your logo. This is a fundamental security and validation step in the BIMI process. Failing to use an SSL certificate for your logo's domain is a common reason for BIMI compliance failure.

Why HTTPS is a strict requirement for BIMI

The entire BIMI standard is built upon a foundation of security and authentication. It's designed to give recipients confidence that an email is genuinely from the brand it claims to be from. Requiring the logo to be served over HTTPS is a critical part of this security chain.

Threatcop says:
Your logo must be in Scalable Vector Graphics (SVG) format and meet specific BIMI standards. This file is hosted publicly over HTTPS.

When a mailbox provider receives an email from your domain, it checks for a BIMI DNS record. This record contains a URL pointing to your SVG logo file. The provider then attempts to retrieve this file. If the URL is not HTTPS, the connection is considered insecure, and the process stops there. An encrypted HTTPS connection ensures two things:

  • Authentication: It verifies that the server hosting the logo is the one it claims to be, preventing impersonation.
  • Integrity: It protects the logo file from being altered in transit by a malicious actor in what is known as a "man-in-the-middle" attack. Imagine if someone could intercept the request and replace your logo with something inappropriate; HTTPS prevents this.

Other key BIMI logo and DNS requirements

While making your SVG accessible via HTTPS is crucial, it's just one piece of the puzzle. Getting BIMI set up correctly involves several interconnected steps. As noted by Tower Marketing, you need to upload your logo to a "public, web-accessible directory" after it's correctly formatted.

  • A strict DMARC policy: Your domain must have a DMARC record with a policy set to p=quarantine or p=reject. A policy of p=none is not sufficient for BIMI.
  • Specific SVG format: Your logo cannot be just any SVG. It must conform to the SVG Portable/Secure (SVG P/S) profile, a more restricted version of the standard.
  • Publicly hosted file: As we've discussed, the final SVG file needs to live at a permanent, public HTTPS URL. This is also highlighted in guides from providers like OneSignal.
  • Verified Mark Certificate (VMC): While not technically required by the BIMI standard itself, most major mailbox providers, including Gmail, require you to have a VMC. A VMC is a digital certificate that proves your ownership of the trademarked logo.

SSL2BUY says:
This specification is required for BIMI compliance and VMC validation. ... Both files must be publicly accessible over HTTPS. Host your SVG logo and VMC on a publicly accessible web server.
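
The two DNS-side requirements above (HTTPS URLs in the BIMI record and a DMARC policy of quarantine or reject) can be checked statically before a mailbox provider ever tries to fetch the files. The following is an added example, not code from the original page; it assumes the standard BIMI TXT record layout (v=BIMI1, l= for the SVG URL, a= for the VMC URL), and the brand.example records are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample TXT records (brand.example is a placeholder domain).
GOOD_BIMI = "v=BIMI1; l=https://brand.example/bimi/logo.svg; a=https://brand.example/bimi/vmc.pem"
BAD_BIMI = "v=BIMI1; l=http://brand.example/bimi/logo.svg"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"
WEAK_DMARC = "v=DMARC1; p=none"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (BIMI and DMARC share this form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def https_problem(tag, url):
    """Return a message if url is not an absolute https:// URL, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return f"{tag}= must be an https URL, got scheme {parts.scheme or '(none)'!r}"
    if not parts.hostname:
        return f"{tag}= has no hostname"
    return None

def check_bimi(bimi_txt, dmarc_txt):
    """Return a list of problems; an empty list means these static checks pass."""
    problems = []
    bimi = parse_tags(bimi_txt)
    if bimi.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record lacks v=BIMI1")
    if not bimi.get("l"):
        problems.append("l= (SVG logo URL) is missing or empty")
    # l= is the logo, a= the VMC; a= may be absent, but any URL present must be https.
    for tag in ("l", "a"):
        if bimi.get(tag):
            issue = https_problem(tag, bimi[tag])
            if issue:
                problems.append(issue)
    policy = parse_tags(dmarc_txt).get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or '(missing)'} is not quarantine or reject")
    return problems

if __name__ == "__main__":
    print(check_bimi(GOOD_BIMI, STRICT_DMARC))
    for line in check_bimi(BAD_BIMI, WEAK_DMARC):
        print("FAIL:", line)
```

This only inspects the record text; it does not confirm that the server presents a valid certificate or that the files are reachable without authentication.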

In short, the requirement for a publicly accessible HTTPS URL for your BIMI logo is fundamental. It is a security measure that underpins the trust BIMI aims to build. Without it, your logo simply will not be displayed, and your efforts to implement this standard will fall short. Ensuring your server is correctly configured with an SSL/TLS certificate is a prerequisite for any successful BIMI implementation.
