When people talk about BIMI (Brand Indicators for Message Identification), the conversation almost always involves DMARC. That’s because BIMI, the standard that allows you to display your logo in a recipient's inbox, is built directly on top of DMARC’s authentication framework. Before a mailbox provider even thinks about displaying your logo, it has to be absolutely sure the email is legitimately from you. DMARC provides that proof.
This means that for BIMI to work, you must have a DMARC policy of at least p=quarantine, with p=reject being the ultimate goal. A non-enforcement policy like p=none simply won't cut it. This strict requirement is what gives BIMI its power; it ensures that logos are only shown for messages that are verified to be from the actual brand, which builds recipient trust.
So, to the core question: what specific header does BIMI check? The answer is a bit nuanced because BIMI doesn't check a “DMARC header” directly. DMARC itself is a policy published in your DNS; it doesn't add a new header to your emails. Instead, DMARC instructs receiving mail servers on how to handle emails based on the outcomes of SPF and DKIM checks. The critical component for BIMI is the DKIM-Signature header.
When an email arrives, the receiving server initiates a DMARC check. A key part of this process involves locating the DKIM-Signature header among the message's headers. This header contains a cryptographic signature that verifies two things: that the message content hasn't been altered in transit, and that the email was authorized by the owner of the domain in the signature. For BIMI to work, the email must pass this DKIM check, and the domain specified in the signature's d= tag must align with the domain in the visible "From" header.
To provide more granular control, the BIMI standard also specifies a header of its own: the BIMI-Selector header. This is not a separate header you add to the email, but rather an optional tag that you place inside the DKIM-Signature. As the BIMI Group explains, its purpose is to let you use different logos for different email streams. For instance, your marketing emails could display your main brand logo, while transactional emails for receipts could show a different one.
When you use a selector, your DKIM-Signature header will contain a tag that looks something like b=marketing;. The receiving server uses this information to look for a specific BIMI record in your DNS, such as marketing._bimi.yourdomain.com, instead of the default._bimi.yourdomain.com record.
To put it all together, here is the chain of events that connects your DMARC policy to the logo in the inbox:
In short, the entire BIMI system hinges on the DKIM-Signature header. It's the key piece of information within the email that allows a receiving server to validate your DMARC compliance and, subsequently, find and display your brand logo.
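The gates described above (an enforcing DMARC policy, a passing DKIM signature whose d= domain aligns with the From domain, then the selector-based record name), as an added Python example that is not part of the original article. It assumes DKIM verification already happened upstream (`dkim_pass`), that the caller supplies `selector`, and that `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List; all function names are hypothetical.

```python
# Added example: decides whether a message qualifies for a BIMI lookup.
# Assumptions: DKIM was verified upstream (dkim_pass), and PUBLIC_SUFFIXES
# is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list (DMARC record or DKIM-Signature value)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            # Folded headers carry whitespace inside values; drop it.
            tags[key.strip().lower()] = "".join(val.split())
    return tags


def org_domain(domain):
    """Return the registrable domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def bimi_record_name(from_domain, dmarc_txt, dkim_signature, dkim_pass,
                     selector="default"):
    """Return the BIMI DNS name to query, or None if a gate fails."""
    dmarc = parse_tags(dmarc_txt)
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1" or policy not in ("quarantine", "reject"):
        return None  # p=none or no policy: not enforced, so no logo
    signing_domain = parse_tags(dkim_signature).get("d", "").lower()
    if not dkim_pass or not signing_domain:
        return None  # unsigned or failed signature proves nothing
    # adkim=s demands an exact match; the relaxed default compares
    # organizational domains, so mail.example.com aligns with example.com.
    if dmarc.get("adkim", "r").lower() == "s":
        aligned = signing_domain == from_domain.lower()
    else:
        aligned = org_domain(signing_domain) == org_domain(from_domain)
    if not aligned:
        return None
    return f"{selector}._bimi.{from_domain.lower()}"
```
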