Does BIMI require the SVG to be publicly accessible via HTTPS?

Michael Ko
Co-founder & CEO, Suped
Published 29 Nov 2024
Updated 20 Oct 2025
Brand Indicators for Message Identification (BIMI) offers a powerful way to enhance your email's visual presence by displaying your brand's logo next to your messages in the inbox. This visible branding helps build trust and recognition with recipients, making your emails stand out in a crowded inbox. However, successfully implementing BIMI involves several technical requirements, and one of the most common questions revolves around the hosting of your SVG logo file.
The straightforward answer is yes, BIMI absolutely requires your SVG logo to be publicly accessible via HTTPS. This isn't merely a suggestion but a fundamental requirement mandated by the BIMI standard and enforced by participating email service providers like Gmail and Yahoo. Adhering to this ensures the security and integrity of your brand's visual representation.
Without proper HTTPS hosting, your BIMI logo simply won't display. This requirement is in place to protect both senders and recipients from potential security vulnerabilities and brand impersonation. It assures that the logo being displayed is indeed coming from a verified, secure source, reinforcing the trust that BIMI aims to establish.

Why secure hosting is critical for BIMI

The imperative of secure hosting

The demand for HTTPS hosting stems from the core principles of internet security. HTTPS, which stands for Hypertext Transfer Protocol Secure, encrypts communication between a user's browser (or email client) and the website hosting the file. This encryption prevents eavesdropping, tampering, and message forgery, ensuring that the SVG logo file is delivered securely and has not been altered in transit.
Email clients that support BIMI, such as Apple Mail and Google Workspace (Gmail), perform strict checks to validate the authenticity and security of the BIMI configuration. If the SVG URL isn't secure, it immediately raises a flag, leading to the logo not being displayed. This protects their users from potentially malicious or misleading branding attempts.

Security and trust

Hosting your BIMI SVG over HTTPS is non-negotiable. It's not just a technicality, it's a critical security measure that builds sender trust and prevents your brand's image from being compromised. Email clients prioritize user safety, and an unsecured logo is a direct violation of that principle, hindering adoption and display.
Furthermore, many BIMI implementations, particularly those requiring a Verified Mark Certificate (VMC), inherently rely on HTTPS. The VMC itself is tied to your domain's security and serves as an additional layer of verification for your logo. You can read more about VMC, PEM file and SVG location requirements.

Understanding the BIMI record and SVG location

Locating your SVG in the BIMI record

The BIMI standard specifies that the location of your SVG file is indicated within your domain's BIMI DNS TXT record. Specifically, this is done using the l= tag, which must contain the full HTTPS URL to your logo file. This URL must be static and consistently accessible. For a deeper dive, check how BIMI specifies the SVG file location.
When an email client receives a message, it checks the sender's domain for a BIMI record. Upon finding one, it extracts the URL from the l= tag and attempts to fetch the SVG logo from that address. If the URL uses HTTP instead of HTTPS, or if there are any security certificate issues, the fetch will fail, and the logo will not be displayed.
Example BIMI DNS TXT record
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://yourdomain.com/path/to/your/logo.svg; a=https://yourdomain.com/path/to/your/vmc.pem;"
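
The check a receiver applies to the l= and a= tags can be reproduced offline before you publish the record. The following is an added example, not code from Suped or from any mailbox provider; the function names and sample records are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT payload into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if part.strip():
            name, _, value = part.partition("=")  # first '=' only, URLs may contain more
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_url(tag, url):
    """Return the problems found in one location tag (l= or a=)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme.lower() != "https":
        problems.append(f"{tag}= must use https, got {parts.scheme or 'no scheme'!r}")
    if not parts.hostname:
        problems.append(f"{tag}= has no host name")
    return problems

def check_bimi_record(txt):
    """Empty list = record passes: v=BIMI1 first, l= present and HTTPS, a= HTTPS if set."""
    tags = parse_tags(txt)
    problems = []
    if not tags or tags[0] != ("v", "BIMI1"):
        problems.append("record must start with v=BIMI1")
    values = dict(tags)
    if not values.get("l"):
        problems.append("l= is missing or empty, so there is no logo to fetch")
    else:
        problems += check_url("l", values["l"])
    if values.get("a"):
        problems += check_url("a", values["a"])
    return problems

# Constructed sample records; the first is the record shown above.
SAMPLES = {
    "good": '"v=BIMI1; l=https://yourdomain.com/path/to/your/logo.svg; '
            'a=https://yourdomain.com/path/to/your/vmc.pem;"',
    "http_logo": "v=BIMI1; l=http://yourdomain.com/logo.svg;",
    "no_scheme": "v=BIMI1; l=yourdomain.com/logo.svg;",
    "http_vmc": "v=BIMI1; l=https://yourdomain.com/logo.svg; a=http://yourdomain.com/vmc.pem;",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, check_bimi_record(record) or "OK")
```

This only inspects the record text. It does not fetch the logo, so certificate errors on the hosting side still need a separate check against the live URL.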

HTTP hosting pitfalls

  1. Security risk: Data transmitted insecurely, vulnerable to tampering.
  2. No logo display: Email clients will refuse to fetch and display the logo.
  3. Brand erosion: Fails to deliver the intended visual branding benefit.

HTTPS hosting benefits

  1. Secure connection: Encrypts data, ensuring integrity and authenticity.
  2. Logo display: Enables successful retrieval and display of your brand logo.
  3. Brand trust: Bolsters recipient confidence in your messages and brand.
Choosing a reliable hosting provider that supports HTTPS is vital. Many cloud storage services like Amazon S3 can host your SVG file securely and make it publicly accessible via HTTPS, as highlighted by Amazon Simple Email Service documentation. Just ensure the URL is static and publicly readable.

Technical requirements for your SVG file

Beyond HTTPS, the SVG file itself has specific technical requirements to be BIMI compliant. It must be an SVG Tiny P/S version (SVG P/S stands for Portable/Secure). This particular SVG profile is designed for security and ensures that no malicious scripts or external references can be embedded within the logo. You can find more on the specific requirements for an SVG image.
The SVG file must also be square in dimension and designed to look good at various sizes, as email clients may render it differently depending on the display environment. It should not contain any animations, interactivity, or external file references that could compromise its integrity or load time. For guidance on recommended SVG dimensions and creation, you can consult our detailed guide.
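
A pre-flight lint for the restrictions described above (secure profile, square canvas, no scripts, animation, interactivity or external references) can be run on the logo before it is uploaded. This is an added example, not Suped's validator or a full SVG Tiny P/S conformance check; it assumes the profile is declared with baseProfile="tiny-ps" on the root element, and both sample logos are constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Script and animation elements that the page says must not appear in the logo.
BANNED = {"script", "animate", "animateColor", "animateMotion", "animateTransform", "set"}

def is_square(view_box):
    """True when viewBox has four numbers and a positive width equal to its height."""
    parts = (view_box or "").replace(",", " ").split()
    try:
        return len(parts) == 4 and float(parts[2]) == float(parts[3]) > 0
    except ValueError:
        return False

def lint_bimi_svg(svg_text):
    """Return a list of findings; an empty list means none of these checks failed."""
    root = ET.fromstring(svg_text)
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    findings = []
    if root.get("baseProfile") != "tiny-ps":  # assumption: profile marker on the root
        findings.append("baseProfile is not 'tiny-ps'")
    if not is_square(root.get("viewBox")):
        findings.append("viewBox is missing or not square")
    for el in root.iter():
        name = el.tag.replace(SVG_NS, "")
        if name in BANNED:
            findings.append(f"<{name}> element is not allowed")
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):  # onclick, onload, ...
                findings.append(f"event handler {attr} on <{name}>")
            if attr in ("href", XLINK_HREF) and not value.startswith("#"):
                findings.append(f"external reference {value!r} on <{name}>")
    return findings

# Constructed samples: one compliant logo, one that breaks every rule checked here.
GOOD_SVG = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
  baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title><circle cx="50" cy="50" r="40" fill="#036"/></svg>"""
BAD_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 100">
  <script>/* any script */</script>
  <circle cx="50" cy="50" r="40" onclick="x()"/>
  <use xlink:href="https://cdn.example/sprite.svg#logo"/></svg>"""

if __name__ == "__main__":
    print(lint_bimi_svg(GOOD_SVG) or "OK")
    print("\n".join(lint_bimi_svg(BAD_SVG)))
```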

| Requirement | Description |
| --- | --- |
| File format | SVG Tiny P/S (Portable/Secure) version |
| Accessibility | Publicly accessible and continuously available |
| Protocol | Hosted exclusively over HTTPS |
| Content | No animations, interactivity, or external scripts |
| URL | Static URL in your BIMI DNS record |

The role of DMARC in BIMI success

It's crucial to remember that BIMI doesn't operate in a vacuum. It relies heavily on a robust email authentication foundation, specifically DMARC. For your BIMI logo to display, your domain must have an active DMARC policy set to either p=quarantine or p=reject. A p=none policy will not allow BIMI logos to appear, as it doesn't enforce email authentication strictly enough.
To ensure your BIMI implementation is working correctly and your emails are consistently authenticating, DMARC monitoring is indispensable. Regular monitoring helps you identify authentication failures, pinpoint sources of unauthorized email, and maintain a healthy email sending reputation. This directly impacts whether your BIMI logo will be displayed by various email providers.
Suped provides the most comprehensive DMARC monitoring platform on the market, offering AI-powered recommendations to help you easily analyze your DMARC reports and fix any issues. Our platform also delivers real-time alerts, unifies DMARC, SPF, and DKIM monitoring, and supports SPF flattening. With its generous free plan and dedicated features for MSPs, Suped makes managing your email security and BIMI efforts straightforward and effective.

Next steps for BIMI implementation

Successfully implementing BIMI to display your brand's logo involves a meticulous approach to several technical requirements. While the visual appeal is the goal, the underlying security infrastructure, particularly the HTTPS hosting of your SVG, is the bedrock upon which BIMI stands. Neglecting this crucial detail will inevitably lead to your logo not appearing in recipient inboxes.
I recommend validating your BIMI SVG and certificate thoroughly before deployment. Ongoing vigilance through DMARC reporting and monitoring tools will ensure that your BIMI implementation remains robust and continues to deliver its brand-building benefits over time. Adhering to these standards helps protect your brand and improve your email engagement.
