What DNS record type is used for BIMI?

The short answer is that Brand Indicators for Message Identification, or BIMI, uses a TXT record. While it's a specific format, it is published within your domain's DNS as a standard text (TXT) record.

BIMI is a powerful standard that allows you to display your company's logo directly in your recipients' inboxes, but getting it right means understanding how this DNS record works and what its prerequisites are.

Mailgun says:

Visit website

BIMI is a DNS TXT record. When you have BIMI set up correctly, you should see your brand's logo appearing in the inbox next to messages that you send.

Suped DMARC monitor

Free forever, no credit card required

Get started for free

Trusted by teams securing millions of inboxes

While it's fundamentally a TXT record, a BIMI record has a very specific format. It lives at a particular location in your DNS and contains key-value pairs that provide mailbox providers with the information they need. A typical BIMI record looks like this:

default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://media.yourdomain.com/logo.svg; a=https://media.yourdomain.com/vmc.pem;"

AutoSPF says:

Visit website

Create a BIMI DNS record. Next up, create a BIMI record in TXT format. It should look something like: default._bimi.example.com IN TXT “v=BIMI1…”

Let's examine the parts:

• Record Name/Host: default._bimi. The record isn't placed at the root of your domain (like an SPF record might be). Instead, it's at a specific subdomain. The 'default' part is the selector, which allows for different logos if needed in the future, although 'default' is the only one currently used.
• Version Tag (v=): v=BIMI1 is the only valid version tag right now. It must be the first part of the record's value.
• Logo URL (l=): This is a direct, secure HTTPS link to your logo file. The logo must be in a specific SVG Tiny 1.2 format.
• Verified Mark Certificate URL (a=): This is an optional but highly recommended field. It points to your Verified Mark Certificate (VMC), which is a digital certificate that proves your ownership of the logo. Most major mailbox providers, like Gmail, require a VMC to display the BIMI logo.

You cannot implement BIMI without first having a solid DMARC policy in place. BIMI is built on top of the DMARC email authentication standard. It acts as a reward for senders who have properly secured their domain against phishing and spoofing.

Openprovider says:

Visit website

For BIMI to work, you must have a valid DMARC record set up in your domain's DNS zone. If you don't have a DMARC record or if it is not set up at an enforcement policy (p=quarantine or p=reject), BIMI will not work.

Specifically, your DMARC policy (p=) must be set to an enforcement policy of either quarantine or reject. A policy of p=none is not sufficient for BIMI to work. This enforcement is how mailbox providers verify that you are serious about authenticating your mail and protecting your recipients.

So, while BIMI is technically a small TXT record file that you add to your domain's DNS, it's part of a larger ecosystem of email authentication. Getting it right involves more than just publishing a single record; it requires a commitment to DMARC enforcement and careful preparation of your logo assets. When done correctly, this simple TXT record can significantly enhance your brand's visibility and trustworthiness in the inbox.