What is a BIMI record?

A BIMI record is a DNS TXT record that allows organizations to display their brand's registered logo next to their authenticated emails in supporting inboxes. It provides a visual indicator of authenticity, improving brand recognition and trust.

Why is a TXT record used for BIMI?

TXT records are versatile DNS records used to store arbitrary text information, making them suitable for publishing policies and instructions for email authentication protocols like SPF, DKIM, DMARC, and BIMI. They allow mail servers to easily retrieve the necessary data to validate email and display logos.

Can I set up BIMI without a DMARC policy?

No, BIMI requires a DMARC policy to be enforced at either p=quarantine or p=reject . A p=none policy is insufficient, as it does not instruct receiving mail servers to take action on unauthenticated mail.

What information does the BIMI TXT record contain?

The BIMI TXT record contains tags such as v= (BIMI version), l= (URL to the SVG logo), and optionally a= (URL to the Verified Mark Certificate), and h= (hashes for verification). These tags guide email clients on how to retrieve and display your brand logo.

What is the specific format for the BIMI TXT record name?

The specific format for the BIMI TXT record name is typically selector._bimi.yourdomain.com . The selector part is often default but can be customized. This structure ensures email clients correctly identify and fetch your BIMI record.

What DNS record type is used for BIMI? - BIMI - Email authentication - Knowledge base

Email is a primary communication channel for businesses, yet it often lacks immediate visual brand recognition in the inbox. This is where BIMI, or Brand Indicators for Message Identification, comes into play. BIMI allows your brand's registered logo to appear directly in the recipient's inbox next to your email's subject line, provided the email passes authentication checks.

This visual verification helps recipients instantly recognize legitimate messages from your domain, building trust and improving engagement. For companies, this means enhanced brand visibility and a stronger defense against phishing attempts. It's an important step in improving email security and user confidence.

However, implementing BIMI isn't just about having a logo. It relies heavily on proper email authentication protocols and a specific type of DNS record to function correctly. Without the right DNS configuration, your logo simply won't appear. Understanding the foundational DNS record is the first step toward successful BIMI deployment.

To learn more about what's involved in setting up BIMI, you can explore the requirements and implementation steps for BIMI to ensure your domain is ready.

The TXT record at the heart of BIMI

The DNS record type used for BIMI is a TXT record. Similar to how Sender Policy Framework (SPF) records (What DNS record type is used for SPF) and DomainKeys Identified Mail (DKIM) records (What DNS record type is used for DKIM) use TXT records to publish their policies, BIMI leverages this versatile record type to publish information about your brand logo and its associated Verified Mark Certificate (VMC).

When an email client receives a message, it performs several checks, including looking up your domain's BIMI TXT record. This record tells the email client where to find your brand's logo and whether it's accompanied by a VMC. If all checks pass, your logo is then displayed, providing a visual confirmation of your brand's authenticity.

It's important to properly format this record to ensure email clients can correctly parse the information. You can find detailed steps for creating a BIMI DNS TXT record at Google's support page on BIMI.

Example BIMI TXT recordDNS

default._bimi.example.com. IN TXT "v=BIMI1;l=https://cdn.example.com/logo.svg;a=https://cdn.example.com/vmc.pem;h=dmarctest.com"

Dissecting the BIMI TXT record

A BIMI TXT record is essentially a text string with various tags that provide specific instructions to email clients. Each tag serves a critical purpose in ensuring your logo is displayed correctly and securely. Understanding these tags is key to proper configuration.

Key BIMI record tags

v=: This indicates the BIMI version. Currently, it should always be BIMI1. You can learn more about the BIMI 'v=' tag value.
l=: This specifies the URL to your brand's logo, which must be in SVG Tiny 1.2 format and hosted securely over HTTPS.
a=: This optional tag points to the URL of your Verified Mark Certificate (VMC), which provides an extra layer of verification. You can learn more about the role of the 'a=' tag.
h=: This is another optional tag, an experimental one that indicates the hashes of the logo and VMC, if present, used for additional integrity checks. The official BIMI Group website provides further details on all BIMI specifications.

Magnifying glass examining a BIMI DNS TXT record string

The record name for a BIMI TXT record typically follows a specific format, often starting with a selector (e.g., default) followed by ._bimi, like default._bimi.yourdomain.com. This specific format is crucial for mail servers to locate and interpret your BIMI record correctly.

The importance of DMARC for BIMI activation

Before you can even consider deploying BIMI, your domain must have a robust DMARC policy enforced. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a critical email authentication protocol that builds upon SPF and DKIM. BIMI will only work if your domain has a DMARC policy set to either p=quarantine or p=reject. A p=none policy will not enable BIMI, as it doesn't enforce any action on unauthenticated mail.

This strict DMARC requirement ensures that only authenticated senders can display a logo, adding a strong layer of security against impersonation and phishing. If your DMARC policy is not sufficiently enforced, even a perfectly configured BIMI TXT record won't result in your logo appearing in the inbox. You can learn more about what DNS record type is used for DMARC.

Without DMARC Enforcement

Logo Visibility: Your brand logo will not display, regardless of BIMI record presence.
Security Posture: Domain remains vulnerable to email spoofing and phishing attacks.
Trust: Recipients lack visual assurance of email authenticity.

With DMARC Enforcement (p=quarantine/reject)

Logo Visibility: Your brand logo can appear in supporting inboxes.
Security Posture: Strong protection against unauthorized use of your domain.
Trust: Increased recipient trust and brand recognition.
DMARC Monitoring: Use a DMARC monitoring platform like Suped to guide your policy transition to enforcement. Our AI-powered recommendations simplify the process of achieving enforcement.

Transitioning your DMARC policy to quarantine or reject is a gradual process that requires careful monitoring. You can learn how to safely transition your DMARC policy to ensure legitimate emails aren't impacted. This journey is crucial for both security and the successful display of your BIMI logo.

Conclusion

In summary, the DNS record type used for BIMI is a TXT record. This record acts as the bridge between your domain and your brand's visual identity in the inbox, containing essential information about your logo and its optional Verified Mark Certificate. However, the functionality of this TXT record is entirely dependent on having a robust DMARC policy enforced at p=quarantine or p=reject.

Properly configuring your BIMI TXT record involves meticulous attention to detail, from the correct URL for your logo to the specific format of the various tags. Any misstep can prevent your logo from appearing, defeating the purpose of BIMI's brand-enhancing and security benefits. It's a technical process that requires precision.

By understanding the role of the TXT record and its reliance on strong DMARC enforcement, organizations can successfully implement BIMI, fortifying their email security, boosting brand visibility, and fostering greater trust with their recipients. This translates into better email deliverability and more effective communication strategies overall.