What are the requirements for BIMI, and how do I troubleshoot authentication failures?

Key findings

• DMARC enforcement: A DMARC policy set to p=quarantine or p=reject is a non-negotiable requirement for BIMI.
• VMC necessity: For prominent providers like Google, a Verified Mark Certificate (VMC) is mandatory for BIMI logo display.
• Trademarked logo: A VMC requires your brand's logo to be legally trademarked in an accepted jurisdiction.
• Underlying authentication: BIMI relies heavily on correct SPF and DKIM authentication and DMARC alignment; failures in these areas will prevent BIMI from working.
• Volume considerations: Some mailbox providers may not display BIMI logos for low sending volumes, irrespective of perfect configuration.

Key considerations

• DMARC policy rollout: Transitioning your DMARC policy from p=none to p=quarantine or p=reject should only occur after thorough monitoring of DMARC reports to ensure legitimate emails are not failing authentication. Our guide on safely transitioning your DMARC policy can help.
• Identifying failures: Use DMARC reports to distinguish between spoofed emails (which should fail) and legitimate emails that are failing authentication due to misconfiguration.
• Vendor specific settings: If using third-party sending services (e.g., Hubspot), ensure their SPF and DKIM settings are correctly configured and aligned with your domain.
• SVG logo format: The BIMI logo must be in SVG format and meet specific technical requirements to render correctly. This includes being square, using the tiny 1.2 profile, and potentially hosted on a secure server (HTTPS). Refer to Mailgun's technical tips for DNS record setup.

Key opinions

• VMC is crucial: Many marketers learn that a VMC (and a trademarked logo) is a non-negotiable requirement for BIMI display, especially with major providers like Google.
• Deliverability impact: While not a direct deliverability improver, BIMI can enhance engagement and brand trust, contributing indirectly to positive sender reputation.
• DMARC policy fear: There's often apprehension among marketers about moving their DMARC policy to quarantine, fearing legitimate emails might be affected.
• Low volume challenges: Marketers observe that even with proper setup, BIMI logos may not appear for low-volume senders.
• Authentication comes first: The primary focus should always be on establishing solid SPF, DKIM, and DMARC authentication before pursuing BIMI.

Key considerations

• DMARC monitoring period: A monitoring period of at least 30 days for DMARC reports is recommended to capture all legitimate sending sources before moving to an enforcement policy.
• Authentication troubleshooting: Marketers need to actively use DMARC reports to identify why legitimate emails might be failing SPF or DKIM, and address these issues with their sending platforms.
• VMC cost and process: Be aware of the cost (around $1,000 USD) and the process of acquiring a VMC from recognized Certificate Authorities like Entrust or DigiCert. For costs and steps, see our article on BIMI implementation costs.
• Seeking expert help: For complex DMARC and BIMI setups, engaging a DMARC consultant can be a worthwhile investment to ensure proper configuration and avoid deliverability issues.
• New authentication requirements: Stay informed about evolving email authentication requirements from major mailbox providers like Yahoo and Gmail, as these can impact BIMI display and overall deliverability. For more on this, check out avoiding common BIMI pitfalls.

Key opinions

• BIMI's role: BIMI gives you the deliverability you deserve, meaning it enables a trusted visual experience for senders who already have strong authentication, rather than directly improving deliverability.
• VMC for google: A VMC is indeed mandatory for BIMI logo display with Google Workspace (Gmail).
• DMARC enforcement: DMARC must be set to an enforcement policy (either p=quarantine or p=reject) for BIMI to work.
• Minimal risk with strong authentication: Moving to an enforcement DMARC policy is only risky if both SPF and DKIM authentication consistently fail for legitimate emails.
• DMARC tools for readiness: The primary purpose of DMARC monitoring tools is to inform you when your domain is ready for an enforcement policy.
• Beware of spoofing: Do not attempt to authenticate spoofed emails, as this can severely damage your domain's reputation.

Key considerations

• Continuous DMARC monitoring: Monitor DMARC reports for at least 30 days, or a full monthly cycle, to identify all legitimate email streams and address any authentication failures before moving to a stricter DMARC policy.
• Prefer reject over quarantine: For maximum protection and detailed failure insights, p=reject is often preferred over p=quarantine, except for very high sending volumes where p=quarantine might be a safer intermediate step.
• Trademarking and VMC purchase: Ensure your logo is trademarked exactly as it will appear, and be prepared to purchase a VMC from an accredited Certificate Authority (CA) such as Entrust or DigiCert. Learn more about BIMI accredited certificate providers.
• Addressing failed legitimate emails: If legitimate emails from services like Hubspot show SPF/DKIM failures, you must adjust the settings within those platforms to ensure proper authentication before implementing stricter DMARC policies. For help, consider Google's prerequisites for BIMI and VMC certificates.

Key findings

• DMARC policy enforcement: BIMI explicitly requires a DMARC policy of p=quarantine or p=reject to ensure strong authentication.
• VMC requirement for major clients: Providers like Gmail and Yahoo have made a Verified Mark Certificate (VMC) essential for BIMI logo display.
• Prerequisite email authentication: Proper setup and alignment of SPF, DKIM, and DMARC are fundamental steps before attempting BIMI implementation.
• Logo specifications: The BIMI logo must be trademarked and provided in a specific SVG format (SVG Tiny 1.2 profile) with a secure hosting URL.
• BIMI DNS record: A correctly formatted BIMI TXT record must be published in the domain's DNS, pointing to the VMC and SVG logo.

Key considerations

• Missing or malformed records: A BIMI logo will not display if the BIMI record is missing, malformed, or if the associated SPF, DKIM, or DMARC authentication fails.
• DMARC percentage: Some documentation suggests ensuring your DMARC policy is set to pct=100 for maximum enforcement, although this is not always explicitly stated as a hard requirement for BIMI itself.
• Troubleshooting tools: Utilize BIMI lookup and validation tools to check your record configuration and identify potential errors before widespread deployment.
• Alignment verification: Confirm that your email authentication protocols (SPF, DKIM) are correctly set up and are achieving alignment with your DMARC record. For specific Yahoo issues, see BIMI logo display on Yahoo.