Suped

What is the purpose of the 'h=' tag in a BIMI record?

Matthew Whittaker
Co-founder & CTO, Suped
Published 25 May 2025
Updated 10 Nov 2025
Brand Indicators for Message Identification (BIMI) is an email specification that allows organizations to display their brand logo next to their authenticated email messages in recipient inboxes. It's a powerful visual signal that builds trust and helps recipients quickly identify legitimate emails. But for BIMI to work, several components must be correctly configured in your DNS, and one of the critical elements is the 'h=' tag.
Unlike other BIMI tags that point to your logo or specify the BIMI version, the 'h=' tag serves a very specific and crucial purpose. It's directly tied to the highest level of brand verification, ensuring that the logo displayed is indeed legitimate and owned by the sending organization. Without it, the full potential of BIMI, especially for brand recognition and trust, cannot be achieved with certain mailbox providers.
Understanding this tag is essential for anyone looking to implement BIMI effectively and secure their email sending reputation. It plays a pivotal role in verifying your brand's authenticity, which is a cornerstone of modern email security. Properly configuring your BIMI record involves more than just pointing to a logo; it's about establishing verifiable trust.

The 'h=' tag and VMC

The primary role of the 'h=' tag

The 'h=' tag in a BIMI record is used to specify the HTTPS URL of your Verified Mark Certificate (VMC). A VMC is a digital certificate that verifies your brand's logo is registered with a trademark office. This certificate is issued by a Certificate Authority (CA) that has been approved to issue VMCs. Its primary function is to cryptographically bind your authenticated domain to your official trademarked logo, providing a high level of assurance to mailbox providers.
When a mailbox provider receives an email from your domain, it looks up your BIMI DNS record. If an 'h=' tag is present, it will attempt to retrieve and validate the VMC at the specified URL. This validation process confirms that your organization has gone through a rigorous verification process, proving ownership of the trademarked logo. This additional layer of security is what gives mailbox providers the confidence to display your logo in the inbox.
Without the 'h=' tag, some mailbox providers might still display your logo if you are using the 'l=' tag to point to an unverified logo, but it's not guaranteed. The VMC, indicated by the 'h=' tag, is what elevates your brand's visibility and trust to the highest level, making the logo display more consistent and widely accepted across supporting email clients. It acts as a trusted credential for your brand's visual identity.
Example of a BIMI record with 'h=' tag (DNS TXT)
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/alternate.svg; h=https://example.com/vmc.pem;"

Importance of verification

Verified Mark Certificates (VMC) explained

A VMC is a specialized digital certificate issued by an accredited certificate provider. It contains information about your organization and, most importantly, cryptographically binds your trademarked logo to your domain. This ensures that only verified brands can display their logos through BIMI, preventing unauthorized use and phishing attempts where bad actors might try to impersonate your brand visually. The VMC's role is to confirm the authenticity of the logo specified by the 'l=' tag.
The process of obtaining a VMC involves proving that your logo is a registered trademark with a recognized intellectual property office. This rigorous verification process is what makes VMCs such a strong indicator of trust. Once you have a VMC, you host it on a secure server (accessible via HTTPS) and then reference its location using the 'h=' tag in your BIMI record. Mailbox providers like Gmail and Yahoo rely on this certificate to display your logo, enhancing your brand's presence in the inbox.
Choosing between a VMC or CMC depends on your specific needs and the trademark status of your logo. However, the 'h=' tag specifically points to a VMC. For a more comprehensive understanding of BIMI, including its specification, you can refer to the official BIMI Group website which provides detailed information about this standard.

BIMI record configuration

Setting up the 'h=' tag correctly

Implementing the 'h=' tag requires careful attention to detail. First, ensure you have a valid VMC for your trademarked logo. The certificate must be served over HTTPS, typically as a PEM-encoded file (e.g., vmc.pem). The URL you provide in the 'h=' tag must point directly to this file.
The BIMI record itself is a TXT record added to your DNS. The 'h=' tag is just one component within this record, alongside the BIMI version ('v=') and the logo URL ('l='). If you're using an alternate logo, that would also be specified. Once published, it can take some time for DNS changes to propagate globally, so patience is key. Validating your BIMI SVG and certificate is also an important step.
For BIMI to truly work, your domain must also have a DMARC policy set to quarantine or reject. This DMARC enforcement policy tells receiving mail servers how to handle emails that fail authentication (SPF or DKIM). The 'h=' tag and VMC rely on a strong DMARC policy to ensure that the brand identity being displayed is secure and cannot be easily spoofed.

Key BIMI record tags

  1. v: Specifies the BIMI version. Always v=BIMI1.
  2. l: Points to the HTTPS URL of your SVG logo file.
  3. a: Optional tag for an alternate logo URL, if specified.
  4. h: Specifies the HTTPS URL of your Verified Mark Certificate.
  5. s: Defines the selector for the BIMI record.
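
A pre-publication check for the setup steps above, as an added example rather than Suped's own code: it parses a BIMI TXT value using the tag meanings as this page lists them and confirms that the domain's DMARC policy is quarantine or reject. The function names and the weak sample record are assumptions made for illustration.

```python
# Added example: pre-publication lint for a BIMI TXT value and the domain's
# DMARC record, using the tag meanings as this page describes them.
from urllib.parse import urlparse


def parse_tags(txt):
    """Split 'k=v; k=v;' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs


def lint_bimi(bimi_txt, dmarc_txt):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    pairs = parse_tags(bimi_txt)
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tag in BIMI record")
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("record must start with v=BIMI1")
    for tag in ("l", "h"):
        url = tags.get(tag)
        if not url:
            problems.append(f"{tag}= is missing or empty")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{tag}= must be an absolute https:// URL")
    if tags.get("l") and not urlparse(tags["l"]).path.lower().endswith(".svg"):
        problems.append("l= should point to an SVG file")
    dmarc = dict(parse_tags(dmarc_txt))
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif (dmarc.get("p") or "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy must be quarantine or reject")
    return problems


# GOOD is the record shown on this page; WEAK is constructed for illustration.
GOOD = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/alternate.svg; h=https://example.com/vmc.pem;"
WEAK = "v=BIMI1; l=http://example.com/logo.svg; h=;"
print(lint_bimi(GOOD, "v=DMARC1; p=reject; rua=mailto:d@example.com"))
print(lint_bimi(WEAK, "v=DMARC1; p=none"))
```

The lint only inspects the record text; it does not fetch the logo or validate the certificate itself.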

Enhanced brand visibility

The impact on email deliverability and security

While the 'h=' tag doesn't directly affect email deliverability in terms of getting your email to the inbox, it significantly impacts the visual deliverability of your brand logo. A correctly implemented 'h=' tag, coupled with a valid VMC, provides an undeniable visual cue of authenticity. This can lead to increased open rates, higher engagement, and a stronger sense of trust among your recipients. In a landscape rife with phishing and spoofing, any measure that clearly authenticates your brand is invaluable.
The security aspect is paramount. By mandating a VMC, the 'h=' tag ensures that only legitimate, trademark-owning organizations can display their logos. This helps protect against brand impersonation, where malicious actors might use fake logos to deceive recipients. It complements other email authentication standards like DMARC, SPF, and DKIM to create a robust defense against email-based fraud. For a deeper dive into the technical details, the BIMI specification is available.
Monitoring your DMARC reports is crucial for maintaining an enforced DMARC policy, which is a prerequisite for BIMI. Suped offers robust DMARC monitoring and reporting tools, providing AI-powered recommendations to help you fix issues and strengthen your policy. This ensures your email authentication is solid, laying the groundwork for a successful BIMI implementation with the 'h=' tag.

Before BIMI and 'h='

Email inboxes often appeared generic, without visual brand recognition. This led to a lack of trust from recipients and made it harder for legitimate emails to stand out in a crowded inbox. Phishing attempts were also more difficult to detect visually, as even authenticated emails lacked a distinct brand identifier.
  1. Low brand visibility: Senders relied solely on sender name and email address.
  2. Increased phishing risk: Easier for imposters to mimic legitimate senders without visual cues.

With BIMI and 'h='

Emails display verified brand logos directly in the inbox, boosting brand recognition and recipient trust. This visual assurance helps combat phishing and improves email engagement, providing a consistent brand experience even before an email is opened. It signifies a higher level of email security posture.
  1. Enhanced brand trust: Visual confirmation of sender identity builds confidence.
  2. Reduced impersonation: VMCs make it difficult for phishers to use your logo.

Final thoughts

The 'h=' tag is a small but mighty component of your BIMI record, directly enabling the display of your verified brand logo in supporting inboxes. It’s a testament to your commitment to email security and brand authenticity. Properly implementing this tag, along with a robust DMARC policy, sets your brand apart and builds trust with your audience. Remember that maintaining proper email authentication, including SPF flattening for complex setups, is fundamental to BIMI success.
