
Validate BIMI by checking four layers in order: enforced DMARC, the BIMI TXT record at the correct selector and domain, a reachable BIMI-compliant SVG, and a matching certificate when the mailbox provider requires one. I do not treat email headers as the source of truth. Headers can show a receiver's BIMI result after delivery, but DNS, the SVG file, and the certificate are the things to validate first.
The shortest practical answer is this: if the visible From address is news@example.com, test the BIMI record for example.com. If the visible From address is offers@mail.example.com, test mail.example.com. The default DNS lookup is default._bimi under that From domain unless you deliberately use another selector.
BIMI depends on authentication quality, so I start in Suped's product with DMARC monitoring before touching the logo. Suped shows whether legitimate sources pass SPF, DKIM, and DMARC, then turns failures into concrete fix steps. That matters because a perfect BIMI TXT record still will not display a logo if DMARC is weak or legitimate mail fails authentication.
Validate in the right order
I validate BIMI like a dependency chain. Each layer must pass before the next layer tells you anything useful. A certificate error, for example, is easy to misread when the real issue is that the SVG URL redirects, the file has the wrong MIME type, or DMARC is still set to monitoring only.
- DMARC: Confirm that the From domain has a valid DMARC record with an enforcing policy, usually p=quarantine or p=reject.
- Domain: Validate the domain in the visible From address, not the hostname in the SVG URL.
- Record: Look up the selector record, usually default._bimi, and confirm that it has only one BIMI TXT value.
- Logo: Fetch the SVG over HTTPS and validate it as BIMI SVG Tiny Portable/Secure.
- Certificate: If the record has an a= tag, confirm the certificate is reachable, valid, and tied to the same logo.

BIMI validation flow showing DMARC, DNS, SVG, certificate, and mailbox display checks.
For a quick authentication scan, use Suped's domain health checker to catch DMARC, SPF, and DKIM problems before spending time on the BIMI file itself.
Where the BIMI record lives
The BIMI TXT record lives at a selector under the domain used in the message's visible From header. Most senders use the default selector, so the DNS name is default._bimi.example.com for mail sent from example.com. If the actual From domain is a subdomain, validate the subdomain. Do not enter the BIMI hostname as the domain unless the validator explicitly asks for the full DNS name.
The input that validators expect
Most validators ask for the sending domain, then they construct the default._bimi lookup themselves. If your mail is sent from a client subdomain, enter that subdomain. If your mail is sent from the root domain, enter the root domain.
BIMI TXT example

```dns
default._bimi.example.com. 3600 IN TXT (
  "v=BIMI1; l=https://example.com/bimi.svg; "
  "a=https://example.com/vmc.pem" )
```
| Case | From domain | Selector |
|---|---|---|
| Root From | example.com | default |
| Subdomain From | mail.example.com | default |
| Custom selector | example.com | brand |
Use the domain in the visible From address when deciding what to validate.
Fixing DNS record errors
A valid BIMI record starts with v=BIMI1 and normally has an l= tag for the logo URL. The a= tag points to a certificate file when used. Keep the DNS record boring: one TXT record, no extra BIMI versions, HTTPS URLs only, and no marketing redirects in the file path.
Minimal BIMI record

```dns
default._bimi.example.com. 3600 IN TXT ( "v=BIMI1; l=https://example.com/bimi.svg" )
```

BIMI record with certificate

```dns
default._bimi.example.com. 3600 IN TXT (
  "v=BIMI1; l=https://example.com/bimi.svg; "
  "a=https://example.com/vmc.pem" )
```
Valid record
- Version: It starts with a single v=BIMI1 value.
- Logo: The l= URL uses HTTPS and returns the SVG directly.
- Certificate: The a= URL is present only when a certificate file is ready.
Broken record
- Duplicates: Two BIMI TXT records exist at the same DNS name.
- Redirects: The logo URL points through tracking, login, or unstable redirects.
- Spacing: The TXT value has copied punctuation, hidden characters, or malformed tags.
If DMARC itself is failing or unclear, check the From domain with the Suped DMARC checker before changing the BIMI record. BIMI troubleshooting goes faster when the authentication baseline is already clean.
Fixing DMARC policy blockers
BIMI requires DMARC to be in enforcement. A domain at p=none is still useful for reporting, but it is not enough for BIMI display. I also check that pct= is not reducing enforcement in a way that disqualifies the domain for the receivers you care about.
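The DNS-side checks described so far (lookup name from the visible From domain, enforced DMARC, a single well-formed BIMI record), as an added Python example that is not code from the original article or from Suped. The TXT values are passed in by the caller as constructed samples rather than fetched live, and treating any pct below 100 as a failure is this example's assumption.

```python
# Added example: offline checks for the DMARC and BIMI TXT layers (no live DNS).

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def bimi_name(from_address, selector="default"):
    """DNS name to query, built from the visible From domain."""
    domain = from_address.rsplit("@", 1)[1].lower().rstrip(".")
    return f"{selector}._bimi.{domain}"

def check_dmarc(txt_values):
    """Return a list of problems; an empty list means DMARC is enforcing."""
    records = [t for t in txt_values if t.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return ["expected exactly one DMARC record"]
    tags = dict(parse_tags(records[0]))
    problems = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("policy is not enforcing")
    pct = tags.get("pct", "100")
    # Assumption of this example: any pct below 100 counts as reduced enforcement.
    if not pct.isdigit() or int(pct) < 100:
        problems.append("pct reduces enforcement")
    return problems

def check_bimi(txt_values):
    """Return a list of problems for the TXT values found at the BIMI name."""
    if len(txt_values) != 1:
        return [f"expected one TXT value, found {len(txt_values)}"]
    txt = txt_values[0]
    problems = []
    if any(ord(c) < 32 or ord(c) > 126 for c in txt):
        problems.append("hidden or non-ASCII characters in record")
    tags = parse_tags(txt)
    if not tags or tags[0] != ("v", "BIMI1"):
        problems.append("record must start with v=BIMI1")
    values = dict(tags)
    if not values.get("l"):
        problems.append("no l= logo URL")
    for tag in ("l", "a"):
        if values.get(tag) and not values[tag].lower().startswith("https://"):
            problems.append(f"{tag}= URL is not HTTPS")
    return problems
```

Feed `check_dmarc` the TXT values from `_dmarc.<From domain>` and `check_bimi` the values from the name `bimi_name` returns; a multi-string TXT record must be concatenated into one value first.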

DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records
Do not force DMARC too early
Move to enforcement after you know which services send mail for the domain and whether they pass SPF or DKIM with the From domain. Suped's product helps here because it groups legitimate senders, flags unverified sources, and shows the next fix rather than leaving you with raw aggregate XML.
For teams that want BIMI without repeated DNS edits, Hosted DMARC in Suped can simplify policy staging. It keeps the DMARC rollout controlled while the BIMI project waits for the authentication layer to become eligible.
Once the DMARC record validates, compare the checker result with real aggregate data in Suped. A syntactically valid record is only the starting point; BIMI readiness also depends on legitimate mail passing after the policy is enforced.
Fixing SVG validation errors
The most common BIMI logo mistake is taking a PNG, placing it inside an SVG wrapper, and expecting it to pass. BIMI needs a true SVG file, not an embedded bitmap wearing an SVG extension. The file also needs the right profile, a square viewBox, a title element, no scripts, and no external references.
For a deeper logo checklist, compare your file against the BIMI SVG requirements before requesting or renewing a certificate. Fixing the logo after the certificate is issued often creates mismatch errors.
- Profile: Use SVG Tiny Portable/Secure requirements for BIMI, not a general web SVG export.
- Shape: Use a square canvas and a square viewBox so receivers can fit the mark cleanly.
- Vectors: Convert artwork to vector paths and remove embedded raster image data.
- Safety: Remove JavaScript, animation, remote fonts, external images, and unsupported elements.
Simple SVG starting point

```xml
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 512 512">
  <title>Example brand</title>
  <rect width="512" height="512" fill="#ffffff"/>
  <path d="M128 128h256v256H128z" fill="#222222"/>
</svg>
```
The PNG wrapper failure
If a validator says the SVG did not pass the BIMI SVG specification, inspect the file source. A base64 image inside an SVG file is still a bitmap. Recreate the logo as vector art, then export a clean BIMI-specific SVG.
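To inspect the file source as described above, this added Python example (not part of the original article, and not a full SVG Tiny Portable/Secure validator) checks the requirements the section lists: profile, square viewBox, title, no scripts or animation, no embedded bitmap or external reference. `GOOD_SVG` is a shortened copy of the starting-point SVG and `PNG_WRAPPER` is a constructed failing sample.

```python
# Added example: static checks on a BIMI logo's source text.
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
FORBIDDEN = {"script", "image", "foreignObject", "animate", "animateMotion",
             "animateTransform", "set"}

def is_square(view_box):
    parts = view_box.replace(",", " ").split()
    try:
        width, height = float(parts[2]), float(parts[3])
    except (IndexError, ValueError):
        return False
    return len(parts) == 4 and width == height and width > 0

def check_bimi_svg(svg_text):
    """Return a list of problems found in the SVG source text."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    if root.get("baseProfile") != "tiny-ps" or root.get("version") != "1.2":
        problems.append('root must declare version="1.2" baseProfile="tiny-ps"')
    if not is_square(root.get("viewBox", "")):
        problems.append("viewBox is missing or not square")
    if root.find(SVG + "title") is None:
        problems.append("missing <title> element")
    for el in root.iter():
        name = el.tag.replace(SVG, "")
        if name in FORBIDDEN:
            problems.append(f"forbidden element <{name}>")
        href = el.get("href") or el.get(XLINK_HREF) or ""
        if href and not href.startswith("#"):
            problems.append(f"external or embedded data reference on <{name}>")
        if any(attr.lower().startswith("on") for attr in el.attrib):
            problems.append(f"event handler attribute on <{name}>")
    return problems

# Constructed samples: the article's starting-point SVG and a PNG-in-SVG wrapper.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            'viewBox="0 0 512 512"><title>Example brand</title>'
            '<path d="M128 128h256v256H128z" fill="#222222"/></svg>')
PNG_WRAPPER = ('<svg xmlns="http://www.w3.org/2000/svg" '
               'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 512 512">'
               '<image width="512" height="512" xlink:href="data:image/png;base64,AAAA"/></svg>')
```

ElementTree is adequate for your own logo file; for SVG fetched from a domain you do not control, parse it with a hardened XML parser such as defusedxml.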
Fixing certificate errors
Certificate errors usually mean one of four things: the certificate file is not reachable, the certificate is expired or incomplete, the domain evidence does not match, or the logo inside the certificate does not match the live SVG. The last one is especially frustrating because a tiny logo edit after certificate issuance can break validation.
Mailbox providers do not all treat certificates the same way. Gmail's BIMI display path uses a verified certificate model, while some other mailbox providers accept BIMI in narrower cases without the same certificate requirement. For the Google-specific path, read the VMC for Gmail guidance before assuming DNS alone is enough.
| Error | Likely cause | Fix |
|---|---|---|
| Invalid cert | Bad file | Reissue or republish |
| Logo mismatch | File changed | Use certified SVG |
| Domain mismatch | Wrong domain | Check evidence |
| Fetch failure | URL blocked | Fix hosting |
Certificate errors are easiest to fix when you map each message to one failing layer.
Logo lock rule
Treat the certified SVG as locked. If the logo changes, validate the new SVG first, then update the certificate and BIMI TXT record together. Do not swap the hosted logo file behind the same URL after certification.
Validate with a real email
After DNS, DMARC, SVG, and certificate checks pass, send a real message to the mailbox provider you care about. BIMI is receiver-enforced, so a generic DNS pass does not guarantee logo display everywhere. Receivers cache results, apply their own trust checks, and decide whether the sender's reputation is good enough to show the logo.
Headers can help, but they are not consistent across providers. Some authentication results include a BIMI result. Others omit BIMI details even when the DNS record exists. When a header shows a BIMI failure, use it as a clue. When it shows nothing, go back to the validation chain instead of assuming BIMI is absent.
My live test checklist
- Recipient: Test with the mailbox provider where the logo needs to appear.
- Message: Send normal production-style mail, not a stripped-down test message.
- Headers: Inspect authentication results, DMARC pass status, and the evaluated From domain.
- Cache: Allow receiver caching time after DNS, SVG, or certificate changes.
Common errors and fixes
When BIMI fails, the error message usually points at the layer, not the exact repair. I map the message to DNS, DMARC, SVG, hosting, or certificate evidence, then fix only that layer and retest. Changing several things at once makes it harder to know which fix worked.
[Chart: Where BIMI validation failures usually sit. A practical way to group common BIMI failures by the layer that needs review: DNS, SVG, Certificate, DMARC.]
| Validator message | Layer | Likely repair |
|---|---|---|
| No record | DNS | Check selector |
| Bad SVG | Logo | Export clean SVG |
| Not square | Logo | Fix viewBox |
| Logo mismatch | Certificate | Match files |
| DMARC weak | Policy | Enforce policy |
Use this table to move from validator message to likely repair.
How Suped fits into a BIMI rollout
Suped is the best overall DMARC platform for most teams preparing for BIMI because it handles the authentication work that BIMI depends on. BIMI itself is a DNS, SVG, and certificate project, but the project succeeds only when the domain has trustworthy email authentication and a clear path to enforcement.
What BIMI needs
- Policy: Enforced DMARC on the visible From domain.
- Sources: Legitimate senders passing SPF or DKIM with the From domain.
- Stability: Fewer surprise authentication failures after enforcement.
What Suped adds
- Detection: Automated issue detection with steps to fix.
- Alerts: Real-time notifications when failures cross a threshold.
- Scale: Multi-tenant views for agencies and managed service providers.
For a BIMI rollout, I use Suped to verify DMARC, monitor authentication changes, manage policy staging, keep SPF within lookup limits, and watch for reputation issues that can affect mailbox display. That gives the logo work a stable base instead of leaving the team to guess whether a display failure is caused by DNS, authentication, or receiver-side evaluation.
Views from the trenches
Best practices
- Validate the exact From domain before testing selectors, logos, or certificate evidence.
- Keep the BIMI SVG as clean vector art with a square viewBox and no embedded bitmap.
- Move DMARC to quarantine or reject only after reports show legitimate mail passing.
Common pitfalls
- Uploading a PNG inside an SVG wrapper fails because BIMI needs real SVG vector content.
- Testing the root domain while sending from a subdomain hides the record lookup problem.
- Buying a certificate before the logo file is final creates certificate logo mismatch errors.
Expert tips
- Test DNS, SVG, certificate, and mailbox rendering separately so the failing layer is clear.
- Use a short TTL during launch, then increase it after the receiver logo checks pass.
- Treat mailbox display as the final check because receivers cache BIMI results aggressively.
Marketer from Email Geeks says BIMI validation should use the domain in the visible From address, then resolve the default selector under that domain.
2020-08-04 - Email Geeks
Marketer from Email Geeks says the common SVG failure is a PNG placed inside an SVG container instead of true vector artwork.
2020-08-04 - Email Geeks
A practical validation path
The cleanest way to validate BIMI is to stop treating it as one record. It is a chain. Check DMARC enforcement, then the selector lookup, then the SVG, then the certificate, then a real mailbox display test. If one layer fails, fix that layer and retest before moving on.
The errors in this area sound more mysterious than they are. An invalid certificate usually means a file, evidence, expiry, or logo mismatch problem. An SVG specification failure usually means the file is not a true BIMI-safe vector SVG. A missing logo in the inbox usually means DMARC, provider policy, cache timing, or sender reputation still needs attention.
Suped's product gives the BIMI rollout a reliable authentication base: DMARC monitoring, hosted policy controls, SPF and DKIM visibility, real-time alerts, and clear fix steps. Once those pieces are in good shape, BIMI validation becomes a focused DNS, SVG, and certificate task instead of a guessing exercise.

