Even with correct BIMI implementation and a Validated Mark Certificate (VMC) for your sending domain, your brand logo might not appear in Gmail. The primary reason is often related to the DMARC policy of your organizational (root) domain, which Gmail and other Mailbox Providers (MBPs) require to be at an enforcement policy of quarantine or reject with a pct value of 100. This is a common oversight, especially for large organizations with complex DNS setups.
Key findings
DMARC enforcement: Gmail, unlike some other providers like Yahoo, strictly requires a DMARC policy of quarantine or reject (with pct=100) for *both* the organizational domain and the RFC5322.From domain to display a BIMI logo. For example, if your sending domain is email.yourbrand.com, your root domain yourbrand.com must also have an enforcement policy.
VMC is not enough: A Validated Mark Certificate (VMC) is a prerequisite for Gmail BIMI display, but it does not bypass the DMARC enforcement requirement on the root domain. A VMC is merely one component of the overall BIMI standard.
SVG logo validation: Mailbox Providers (MBPs) may compare the SVG logo referenced in your BIMI DNS record to a hash embedded in your VMC. Discrepancies can prevent logo display.
Sender reputation: While a strong DMARC policy is critical, an excellent sender reputation with the recipient's Mailbox Provider (MBP), such as Gmail, is also often a factor in whether the logo is displayed.
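The check below is an added example, not code from the BIMI specification or any provider. It applies the requirement described above to DMARC TXT records you have already looked up, covering the case where the sending subdomain has no record of its own and inherits the organizational record (where sp=, if present, overrides p=). The function names and sample records are constructed for illustration, the organizational domain is supplied by the caller, and pct=100 is required for either policy, which is the stricter reading of the requirement.

```python
# Added example: evaluates DMARC records passed in as strings; it does no DNS lookups.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tags, or None if invalid."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip().lower()
    return tags

def enforcement_problem(tags, policy_tag="p"):
    """Return None if the record is at enforcement, else a short reason string."""
    policy = tags.get(policy_tag) or tags.get("p")  # sp= falls back to p= when absent
    if policy not in ("quarantine", "reject"):
        return f"policy is {policy or 'missing'}, not quarantine or reject"
    try:
        pct = int(tags.get("pct", "100"))  # DMARC treats a missing pct as 100
    except ValueError:
        return "pct is not a number"
    if pct != 100:
        return f"pct={pct}, must be 100"
    return None

def bimi_dmarc_check(from_domain, org_domain, records):
    """records maps each domain to the TXT string found at _dmarc.<domain> (or None)."""
    org = parse_dmarc(records.get(org_domain))
    if org is None:
        return [f"{org_domain}: no valid DMARC record"]
    problems = []
    reason = enforcement_problem(org)
    if reason:
        problems.append(f"{org_domain}: {reason}")
    if from_domain != org_domain:
        own = parse_dmarc(records.get(from_domain))
        # A subdomain without its own record inherits the organizational record,
        # and that record's sp= tag (if present) is the policy that applies to it.
        reason = enforcement_problem(own) if own else enforcement_problem(org, "sp")
        if reason:
            problems.append(f"{from_domain}: {reason}")
    return problems

# Constructed sample: subdomain at reject, root domain still at p=none.
SAMPLE = {"yourbrand.com": "v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com",
          "email.yourbrand.com": "v=DMARC1; p=reject"}
print(bimi_dmarc_check("email.yourbrand.com", "yourbrand.com", SAMPLE))
```

An empty list means both domains meet the DMARC precondition; it says nothing about the VMC, the SVG, or sender reputation.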
Key considerations
Root domain DMARC adjustment: If your organizational domain's DMARC policy is currently p=none, you will need to migrate it to p=quarantine or p=reject. This should be done gradually, starting with a low percentage for quarantine and monitoring DMARC reports to identify legitimate email sources that might fail authentication.
Vendor communication: Ensure your VMC provider (e.g., DigiCert) provides accurate information about all BIMI requirements, including the root domain DMARC policy. You may also consult the official BIMI Group FAQs for senders.
Internal alignment: Collaborate closely with IT and security teams to manage DNS records and DMARC policies. For comprehensive guidance, you can explore how to implement BIMI.
Ongoing monitoring: Regularly monitor your DMARC reports to ensure all legitimate email sources are authenticated and compliant. This helps prevent unintended email delivery issues as your DMARC policy is enforced. For more on this, read our guide to the benefits of implementing DMARC.
What email marketers say
Email marketers often find the BIMI implementation process challenging, particularly when dealing with large corporate structures and legacy DNS configurations. They commonly report frustration when their VMC is active and BIMI DNS records appear correct, yet the logo still fails to display in Gmail. This leads to questions about overlooked requirements and the practicality of achieving full DMARC enforcement across an entire organization.
Key opinions
Complexity and surprises: Many marketers express surprise and frustration when learning about the root domain DMARC enforcement requirement, indicating that VMC providers often fail to communicate this crucial detail.
Organizational hurdles: Large companies face significant internal resistance and perceived high costs in moving their organizational domains to DMARC enforcement, even when evidence of spoofing exists.
VMC provider reliability: There is a perceived lack of diligence from some VMC providers (e.g., DigiCert) in ensuring all technical prerequisites are met or accurately communicated, including correct logo file uploads.
Misaligned expectations: Marketers often view the VMC as the final step for BIMI, leading to confusion when logos don't appear despite apparent compliance, highlighting a gap in understanding comprehensive BIMI requirements.
Key considerations
Advocate for DMARC enforcement: Marketers must clearly articulate the security benefits of DMARC enforcement to their IT and management teams, emphasizing fraud prevention over perceived implementation costs. This includes understanding the VMC requirements for Google and Gmail.
Prepare for resistance: Expect an uphill battle in convincing large organizations to adjust root domain DNS records and DMARC policies, even if it leads to better brand recognition and security through BIMI.
Leverage DMARC reports: Use DMARC aggregate reports to demonstrate the extent of spoofing and the need for stricter policies. Although many marketers read their DMARC reports, they may be unaware of why their emails are going to spam.
Self-service for BIMI assets: Consider managing your SVG logo and .pem certificate files directly from your website rather than relying solely on VMC providers, as this offers more control and reduces potential errors. For more information, read this article on how to set up BIMI.
Marketer view
Marketer from Email Geeks expresses disbelief regarding information about root domain DMARC requirements. They state that their VMC provider never informed them of this crucial detail, despite the significant impact on BIMI logo display.
14 Aug 2024 - Email Geeks
Marketer view
Marketer from Email Geeks details the frustrating and ongoing challenges of the BIMI/VMC implementation process. They describe it as terrible, horrible, no good, very bad, indicating that the complexities extend beyond initial setup.
14 Aug 2024 - Email Geeks
What the experts say
Email deliverability experts consistently highlight that while BIMI setup might seem straightforward, the nuances of Mailbox Provider (MBP) requirements often lead to unexpected issues. They emphasize the critical role of DMARC policy enforcement on *all* relevant domains and stress the importance of understanding how MBPs validate BIMI assets. Experts also acknowledge the internal challenges large organizations face in achieving full DMARC compliance.
Key opinions
DMARC policy necessity: Experts unanimously agree that a DMARC policy of quarantine or reject is essential for BIMI logos to display in Gmail, extending to the organizational (root) domain, not just the sending subdomain.
Gradual enforcement: A recommended strategy for achieving DMARC enforcement is a phased rollout, starting with a low pct value for quarantine, gradually increasing it to 100, and then moving to reject.
SVG hash verification: Some MBPs (like Yahoo) verify that the hash of the SVG logo referenced in the BIMI record matches the hash embedded in the VMC. Discrepancies can lead to non-display, underscoring the need for careful management of BIMI assets.
Organizational size is not a barrier: Larger companies are not inherently too big for BIMI or DMARC enforcement. The challenges are typically due to complex legacy systems and internal processes, which can be overcome with proper planning and communication.
Key considerations
Clean up DNS records: Implementing DMARC enforcement can be an opportunity to audit and clean up existing DNS records, removing unused platforms that might be contributing to SPF lookup limits or other authentication issues.
Prioritize security: Allowing domain spoofing poses a greater risk and headache than the effort required to move to DMARC enforcement. Frame DMARC as a critical security measure to gain internal buy-in. To understand this better, check out our simple guide to DMARC, SPF, and DKIM.
Address internal resistance: The perceived cost or difficulty of DMARC enforcement often stems from a lack of understanding or an assumption that "fraud won't happen to us." Presenting clear evidence from DMARC reports and emphasizing fraud prevention can help overcome this inertia. You can also explore our article on how to improve domain reputation.
Verify VMC and SVG alignment: Always double-check that the SVG logo file provided to the VMC issuer is the exact one being referenced in your BIMI DNS record, and that its hash matches the one embedded in the VMC. Ensure your SVG is formatted correctly, as outlined by BIMI Group guidelines.
Expert view
Expert from Email Geeks advises that the DMARC policy needs to be set to quarantine or reject for BIMI to function correctly. This is a non-negotiable requirement for many major mailbox providers, including Gmail.
14 Aug 2024 - Email Geeks
Expert view
Expert from Email Geeks clarifies that BIMI mandates the root domain's DMARC policy also be at enforcement. They point out that compliance is required for both the organizational domain and the sending domain, preventing common oversights.
14 Aug 2024 - Email Geeks
What the documentation says
Official documentation for BIMI and DMARC clearly outlines the prerequisites for logo display. Key specifications emphasize the need for a strong DMARC enforcement policy on both the sending domain and its organizational parent. These technical guidelines also detail requirements for the SVG logo format and the interaction between the BIMI record and the VMC.
Key findings
DMARC enforcement mandate: The BIMI specification (IETF draft) states that domain owners MUST have a DMARC policy of quarantine or reject on *both* the organizational domain and the RFC5322.From domain, with pct=100 for quarantine.
Organizational domain definition: Official FAQs (e.g., BIMI Group) clarify that if a sending domain is a subdomain (e.g., email.example.com), the root or organizational domain (example.com) must also meet the DMARC enforcement criteria.
SVG and VMC integrity: The BIMI standard requires the SVG logo file to be embedded within the VMC and linked in the BIMI record. Mailbox providers often perform a digest (hash) check to ensure consistency between these two, and any mismatch will prevent logo display.
Mailbox provider discretion: While BIMI defines the technical standards, mailbox providers ultimately decide whether to display the logo based on their own policies and sender reputation algorithms.
Key considerations
Adherence to IETF draft: Ensure your DMARC setup strictly adheres to the requirements outlined in the BIMI IETF draft, particularly concerning DMARC policy on both the sending and organizational domains.
SVG validation: Use dedicated BIMI validation tools to check your SVG logo for compliance with the strict format requirements (e.g., square aspect ratio, no embedded external resources, correct XML structure).
Certificate authority role: Understand that while Certificate Authorities (CAs) issue VMCs, they may not always provide comprehensive guidance on all Mailbox Provider (MBP) specific requirements or operational nuances beyond the basic issuance. For more information, you can read our guide to validating your BIMI SVG and certificate.
Monitor specific MBP behavior: Be aware that BIMI display can vary between different email clients and Mailbox Providers (MBPs). While some may display a logo with a p=none policy, Gmail requires enforcement. Our article on which email clients actually support BIMI offers more insights.
Technical article
Documentation from IETF draft-brand-indicators-for-message-identification states mandatory DMARC policy requirements for BIMI participation. It specifies that Domain Owners MUST implement a strong DMARC policy (quarantine or reject) on both the Organizational Domain and the RFC5322.From Domain, with quarantine policies requiring a pct value of 100.
14 Aug 2024 - IETF draft-brand-indicators-for-message-identification
Technical article
Documentation from BIMI Group FAQs provides an example illustrating the need for DMARC enforcement on the organizational domain. It states that if a sending domain is a subdomain like email.example.com, a quarantine or reject policy is also required at the root Organizational Domain, example.com.