Can BIMI SVG files be hosted by a Certificate Authority, and does it work for Gmail?
Michael Ko
Co-founder & CEO, Suped
Published 15 Nov 2025
Updated 15 Nov 2025
8 min read
When implementing Brand Indicators for Message Identification (BIMI), a common question arises regarding the hosting of your SVG logo file. Many email service providers, including Gmail, require the BIMI SVG file to be publicly accessible via HTTPS. However, there's often confusion about where this file must reside. Specifically, can a Certificate Authority (CA) host your SVG file, and will this configuration work with Gmail? I've seen this question come up frequently, and the official documentation can sometimes be a bit unclear.
The core of the BIMI standard relies on your domain's DNS TXT record, which points to the location of your SVG logo. For mailbox providers that require a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC), such as Gmail, the SVG file is typically embedded within that certificate. This certification process adds an extra layer of trust and verification to your brand logo, ensuring that only authorized entities can display it next to their emails.
Understanding how this all fits together is crucial for successful BIMI implementation and ensuring your brand logo appears as intended in recipients' inboxes. The requirements can sometimes feel contradictory, but with a clear understanding of the roles of your domain, the CA, and the email client, you can navigate the setup smoothly. Let's delve into the specifics of SVG hosting and its compatibility with Gmail.
The role of Certificate Authorities in BIMI SVG hosting
The question of where to host your BIMI SVG file often stems from different interpretations of guidelines from various providers. Google's Workspace Admin Help documentation suggests uploading the SVG file to your domain's public web server, ideally in the same domain as your outgoing email server. This can lead to confusion when Certificate Authorities (CAs) like Digicert offer to host the SVG file themselves. It appears to contradict Google's suggestion, making some wonder if their self-hosted efforts were unnecessary.
The key distinction here is the purpose of the SVG file hosting. While some mailbox providers might look directly at the SVG URL specified in your BIMI record, Gmail and other email clients that support BIMI with VMCs primarily use the SVG file embedded within the VMC itself. This means that if you have a VMC, the CA's role in verifying and issuing that certificate, which includes the embedded logo, is what truly matters for display in Gmail. Therefore, having your CA host the SVG as part of the VMC issuance process is generally acceptable and indeed common practice.
The recommendation from Google's support page might be more geared towards domains hosted on Google Workspace, or for simpler BIMI implementations that don't yet involve a VMC. The critical point for VMC-based BIMI is the integrity and authenticity of the logo as verified by the CA, not necessarily where the raw SVG file lives after that verification. This means that if your CA offers hosting as part of their VMC service, you can confidently use it.
Self-hosting vs. CA hosting for BIMI SVG files
This involves placing the SVG file directly on your domain's web server, such as yourdomain.com/bimi/logo.svg. This approach is straightforward but requires you to manage the hosting and ensure its HTTPS accessibility. The BIMI TXT record would then point directly to this URL.
Control: You have full control over the file and its accessibility.
When obtaining a VMC or CMC, the Certificate Authority (CA) will often embed your BIMI-compliant SVG logo directly into the certificate file. The CA may also provide a hosted URL for this SVG file as part of the service, or it might be referenced within the certificate itself. Gmail specifically looks for the SVG embedded in the VMC. Google requires certified logos (PEM files) for BIMI to work effectively in their environment.
Security: Enhanced security as the logo is verified by a trusted CA.
So, to directly answer the question, yes, BIMI SVG files can be hosted by a Certificate Authority, and this setup does work for Gmail. Gmail's requirement is for the logo to be verified by a CA, and the SVG embedded in the VMC fulfills this requirement. The CA hosting the SVG file is a natural extension of their VMC service, streamlining the process for brands. This removes the need for organizations to host the SVG themselves if the CA offers this service.
It’s important to remember that for BIMI to work with Google and Gmail, you need to ensure all other components are correctly configured, including a valid DMARC policy at quarantine or reject, and proper SPF and DKIM alignment. Without these foundational email authentication protocols, your BIMI logo won't display, regardless of where your SVG is hosted.
For the best BIMI visibility and security, ensure your organization has:
BIMI TXT record: Correctly configured BIMI DNS TXT record pointing to your logo's URL.
The flexibility in SVG hosting options allows organizations to choose the method that best suits their infrastructure and security policies. Whether you self-host or rely on your CA, the ultimate goal is to present a verified brand logo, enhancing email trust and engagement. Monitoring your DMARC reports, which provide feedback on BIMI status, is essential for confirming your logo's display.
For email clients like Gmail that mandate VMCs for BIMI, the process is slightly different than for those that accept self-asserted BIMI records. When Gmail supports BIMI only with PEM files, it indicates a preference for the enhanced security offered by CA-verified logos. These PEM files contain the certified SVG logo, which has undergone a rigorous validation process by the CA.
This means that even if you have an SVG file hosted on your own server, Gmail will prioritize the SVG embedded in your VMC. The BIMI TXT record still needs to point to the URL of your SVG file, whether it's self-hosted or CA-hosted. However, for Gmail, the verification tied to the VMC (or CMC) is the primary signal for displaying your brand logo. This approach helps prevent unauthorized parties from displaying logos next to emails, further bolstering email security and brand trust.
Ensuring your VMC is correctly configured and pointing to an accessible SVG is paramount. Any discrepancies can lead to your BIMI logo not showing up in Gmail, even if your DMARC policy is at enforcement. Therefore, understanding the interplay between your BIMI record, your VMC, and Gmail's specific requirements is crucial for a successful implementation.
Key takeaways for BIMI SVG hosting
Setting up BIMI correctly can sometimes feel like navigating a maze of technical requirements, but the benefits of displaying your brand logo in the inbox are significant. It boosts brand recognition, enhances trust, and can even improve email engagement. The good news is that whether your CA hosts your BIMI SVG file or you choose to self-host, both options can work, provided all other BIMI and DMARC requirements are met.
The key takeaway is that for Gmail, the verification provided by a Verified Mark Certificate (VMC) is paramount, and the SVG logo embedded within this certificate is what Gmail primarily uses. Choosing a CA that offers SVG hosting as part of their VMC service simplifies the process and ensures compliance with these critical requirements. Remember to keep an eye on your DMARC reports to confirm everything is working as expected.
For ongoing monitoring and to quickly address any issues, consider using Suped’s DMARC monitoring platform. Our unified platform provides AI-powered recommendations for DMARC, SPF, DKIM, and BIMI, giving you actionable insights to protect your domain and boost deliverability.
Views from the trenches
Best practices
Always secure your SVG file with an SSL certificate, ensuring its URL starts with HTTPS.
Prioritize acquiring a VMC or CMC from a BIMI-accredited CA for Gmail compatibility.
Regularly monitor your DMARC reports to verify BIMI logo display and address any authentication failures.
Ensure your DMARC policy is set to p=quarantine or p=reject for BIMI to function correctly.
Common pitfalls
Overlooking Gmail’s specific requirement for VMC-embedded SVG files, even if self-hosting.
Assuming self-hosting of the SVG file is sufficient without a VMC for major mailbox providers.
Failing to maintain DMARC at an enforcement policy, which is critical for BIMI display.
Not verifying the SVG image against BIMI's specific formatting and size limitations.
Expert tips
Utilize a CA's SVG hosting service when available, as it streamlines compliance and security for VMCs.
Confirm that your BIMI TXT record accurately points to the SVG file's public HTTPS URL.
Be aware that Google's documentation sometimes targets Google Workspace domains, which may differ from general BIMI spec.
Automate DMARC monitoring to proactively identify and fix issues impacting BIMI logo display.
Expert view
Expert from Email Geeks says that CA hosting of VMCs is perfectly acceptable and they haven't encountered any issues with this setup.
2024-09-27 - Email Geeks
Marketer view
Marketer from Email Geeks says that Gmail does not use a standalone SVG file; instead, it uses the one embedded within the VMC certificate.
When implementing Brand Indicators for Message Identification (BIMI), a common question arises regarding the hosting of your SVG logo file. Many email service providers, including Gmail, require the BIMI SVG file to be publicly accessible via HTTPS. However, there's often confusion about where this file must reside. Specifically, can a Certificate Authority (CA) host your SVG file, and will this configuration work with Gmail? I've seen this question come up frequently, and the official documentation can sometimes be a bit unclear.
The recommendation from Google's support page might be more geared towards domains hosted on Google Workspace, or for simpler BIMI implementations that don't yet involve a VMC. The critical point for VMC-based BIMI is the integrity and authenticity of the logo as verified by the CA, not necessarily where the raw SVG file lives after that verification. This means that if your CA offers hosting as part of their VMC service, you can confidently use it.
For ongoing monitoring and to quickly address any issues, consider using Suped’s DMARC monitoring platform. Our unified platform provides AI-powered recommendations for DMARC, SPF, DKIM, and BIMI, giving you actionable insights to protect your domain and boost deliverability.
