What are the requirements and implementation steps for BIMI?
Michael Ko
Co-founder & CEO, Suped
Published 30 Jun 2025
Updated 18 May 2026
BIMI requires five things: enforced DMARC, authenticated mail that passes DMARC, a BIMI-compliant SVG logo, HTTPS-hosted BIMI assets, and a BIMI TXT record in DNS. For Gmail and other major mailbox providers that require certified marks, you also need a Verified Mark Certificate or Common Mark Certificate. The practical implementation order is DMARC first, logo second, certificate third, DNS last.
I treat BIMI as the final step of an authentication project, not the first step. If DMARC reporting still shows unknown senders, broken DKIM, or legitimate mail failing policy, the logo work should wait. Once the domain has a stable DMARC policy at enforcement, the BIMI record itself is simple.
Fast answer: Set DMARC to quarantine or reject at 100 percent, prepare a Tiny PS SVG logo, get a VMC or CMC when the mailbox provider requires one, host the assets over HTTPS, publish default._bimi as a TXT record, then test with real mail.
Main caveat: BIMI publication does not force every mailbox to show a logo. Each receiver applies its own support, reputation, and UI rules.
The requirements for BIMI
The baseline requirements are straightforward, but they must all be true at the same time. The BIMI implementation guide describes the foundation as SPF, DKIM, and DMARC authentication, DMARC enforcement, an SVG Tiny PS logo, and a BIMI DNS record. Google adds specific requirements for Gmail, including VMC or CMC certification, SVG sizing rules, and public HTTPS hosting.
| Requirement | Needed value | Why it matters |
| --- | --- | --- |
| DMARC policy | quarantine or reject | Proves the domain owner enforces authentication |
| DMARC percent | 100 percent | Partial enforcement does not qualify |
| Logo file | SVG Tiny PS | Mailbox providers need a safe vector logo |
| Certificate | VMC or CMC | Required by Gmail and several BIMI programs |
| Asset hosting | HTTPS | Receivers fetch the SVG or certificate publicly |
| DNS record | TXT at default | Tells receivers where the BIMI assets live |
BIMI readiness checklist
The DMARC part is the gate. A domain using p=none is not ready for BIMI. A domain using pct=50 is not ready either. The policy needs to apply to all mail. If subdomains send mail, set subdomain policy deliberately rather than leaving it unclear.
Do not start BIMI with DNS
Publishing the BIMI TXT record before DMARC is enforced creates noise, not display. Fix the sending sources first, then publish the BIMI record when the authentication data proves the domain is ready.
The logo is the second gate. The SVG must be a safe, static file. It should not contain scripts, external references, animation, or interactive elements. Gmail also expects absolute pixel dimensions, at least 96 by 96 pixels, a centered logo in a square canvas, and a solid background for predictable display. The Google BIMI setup documentation is the most direct place to check Gmail-specific rules before certificate submission.
The BIMI requirement stack: DMARC enforcement, passing mail, SVG logo, certificate, and DNS.
Step 1: get DMARC to enforcement
I start by mapping every system that sends mail for the domain: corporate mail, marketing platforms, ecommerce mail, billing mail, support tools, HR tools, and any legacy SMTP relays. BIMI depends on receiver trust in the organizational domain, so one forgotten sender can slow down the project.
Inventory senders: List each platform that sends using the visible From domain.
Fix authentication: Configure SPF and DKIM so legitimate mail passes DMARC through a domain match.
Monitor reports: Use aggregate DMARC data to find unknown sources before enforcement.
Stage policy: Start with monitoring, move to quarantine, then reject after legitimate streams are clean.
Confirm coverage: Check that enforcement is at 100 percent and that subdomain handling is intentional.
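To make the "Monitor reports" step concrete, here is an added example (not Suped's code) that reads one DMARC aggregate report and lists the sources whose mail failed DMARC. The function name `summarize`, the sample report, and the documentation-range IP addresses are constructed for illustration, and the report is assumed to use the common RFC 7489 layout without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, dkim, spf, header_from):
    """Build one constructed <record> in the RFC 7489 aggregate-report layout."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>{header_from}</header_from></identifiers></record>")

# Constructed sample report (not real data): two clean streams, two failing ones.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _record("192.0.2.10", 880, "pass", "pass", "example.com")
    + _record("198.51.100.7", 50, "fail", "pass", "example.com")
    + _record("198.51.100.200", 20, "fail", "fail", "example.com")
    + _record("203.0.113.25", 50, "fail", "fail", "billing.example.com")
    + "</feedback>"
)

def summarize(report_xml):
    """Return (pass_rate_percent, failures) for one aggregate report.

    failures is a list of ((source_ip, header_from), message_count) pairs,
    largest first, covering mail that failed both aligned DKIM and aligned SPF.
    """
    total = passed = 0
    failed = defaultdict(int)
    for record in ET.fromstring(report_xml).iter("record"):
        count = int(record.findtext("row/count", "0"))
        results = (record.findtext("row/policy_evaluated/dkim"),
                   record.findtext("row/policy_evaluated/spf"))
        total += count
        if "pass" in results:  # DMARC passes when aligned DKIM or aligned SPF passes
            passed += count
        else:
            key = (record.findtext("row/source_ip"),
                   record.findtext("identifiers/header_from"))
            failed[key] += count
    rate = round(100.0 * passed / total, 1) if total else 0.0
    return rate, sorted(failed.items(), key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    rate, failures = summarize(SAMPLE_REPORT)
    print(f"DMARC pass rate: {rate}%")
    for (ip, header_from), count in failures:
        print(f"  {count:>5} failing messages from {ip} as {header_from}")
```

Each failing pair is either a legitimate sender that still needs SPF or DKIM fixed, or a source that enforcement is meant to block.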
Suped's product is useful at this stage because it turns raw aggregate reports into source-level fixes. The workflow is simple: add the domain, identify unverified sources, resolve SPF or DKIM gaps, and only then move the policy. For teams that need policy staging without repeated DNS edits, Hosted DMARC gives you a cleaner way to manage enforcement changes.
For a quick preflight, check the domain's DMARC, SPF, and DKIM posture before spending time on the logo file. This catches the obvious blockers: missing DMARC, policy still at none, multiple SPF records, DKIM not visible, or DNS records that parse incorrectly.
Step 2: prepare the logo and certificate
The logo work has two separate tracks: design compliance and ownership verification. The design team prepares a BIMI-safe SVG. The legal or brand team confirms whether the mark can support a VMC, or whether a CMC is the better route. I would not submit the certificate request until the exact logo file has passed technical checks.
VMC
Best fit: A registered trademarked logo that matches the certificate rules.
Gmail result: Eligible senders can show a checkmark next to the verified sender.
Planning issue: Trademark work can take months, so confirm ownership early.
CMC
Best fit: A logo that cannot meet VMC trademark requirements.
Gmail result: It can support BIMI display, but not the Gmail verified checkmark.
Planning issue: Certificate authority requirements still need careful review.
A common mistake is treating the certificate as optional because some receivers have displayed self-asserted BIMI logos or used their own brand mapping. That is not a reliable implementation plan. If Gmail display matters, plan for VMC or CMC certification and keep the certificate file reachable over HTTPS.
Logo file checks
Square canvas: Use a centered mark inside a square artboard with a solid background.
Static SVG: Remove scripts, animation, external images, and remote references.
Tiny PS: Export to the SVG Tiny Portable/Secure profile.
File size: Keep the SVG small and simple enough for mailbox provider checks.
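The static-file checks above can be automated before the logo goes to the certificate authority. The following is an added example, not code from Suped, Google, or the BIMI group; the function name `svg_blockers` and both sample logos are constructed. It assumes the `baseProfile="tiny-ps"` root attribute marks a Tiny PS export, and it refuses DTD or entity declarations before parsing so that the checker itself is not exposed to entity expansion.

```python
import re
import xml.etree.ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"
# Elements that script, animate, link out or embed remote content.
FORBIDDEN = {"script", "image", "foreignObject", "a",
             "animate", "animateMotion", "animateTransform", "set"}

def _pixels(value):
    """Parse '96' or '96px' into a float; relative units such as '100%' give None."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)(?:px)?", value or "")
    return float(match.group(1)) if match else None

def svg_blockers(svg_text, min_px=96):
    """Return the reasons an SVG fails the static-logo checks; empty means clean."""
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DTD or entity declarations present"]  # refuse before parsing
    root = ET.fromstring(svg_text)
    if root.tag != SVG_ROOT:
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    if root.get("baseProfile") != "tiny-ps":
        problems.append("baseProfile is not tiny-ps")
    width, height = _pixels(root.get("width")), _pixels(root.get("height"))
    if width is None or height is None:
        problems.append("width and height must be absolute pixel values")
    elif width != height or width < min_px:
        problems.append(f"canvas must be square and at least {min_px}x{min_px}")
    for element in root.iter():
        name = element.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name in FORBIDDEN:
            problems.append(f"<{name}> element is not allowed")
        for attr, value in element.attrib.items():
            attr = attr.rsplit("}", 1)[-1]
            if attr.startswith("on"):
                problems.append(f"event handler attribute {attr}")
            elif attr == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{name}>")
    return problems

# Constructed sample logos: one clean, one with the problems listed above.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            'width="96" height="96" viewBox="0 0 96 96"><title>Example</title>'
            '<rect width="96" height="96" fill="#ffffff"/>'
            '<circle cx="48" cy="48" r="30" fill="#003366"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
           'width="100%" height="100%" onload="init()"><script>init()</script>'
           '<image xlink:href="https://cdn.example.net/logo.png"/></svg>')
```

A clean result here is a preflight only; the certificate authority and each mailbox provider run their own validation.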
When the certificate authority issues the PEM file, store the full certificate chain in the right order. For many setups that means entity certificate first, then intermediate certificate, then root certificate. Also confirm the web server returns the file without redirects that break fetching.
Step 3: publish the BIMI record
The BIMI TXT record is published under a selector. The default selector is the normal starting point, so the host is default._bimi on the sending domain. If you send as example.com, the full DNS name is default._bimi.example.com.
Keep the public URLs stable. Changing the logo URL, certificate URL, or certificate file can reset receiver checks. I prefer hosting BIMI assets under a branded asset domain with a simple path, strict TLS, and no authentication requirement.
A six-step BIMI implementation path ending with display testing.
Validate the record after DNS propagation. A focused DMARC checker helps confirm that the underlying DMARC policy is still BIMI-ready, and a broader domain health check is better when you also want SPF, DKIM, and DNS issues in the same pass.
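As an added example (not part of the original article or any vendor's tooling), this offline check applies the DMARC gate and the BIMI record rules described above to TXT record strings. The function names, the sample records, and the `assets.example.com` URLs are constructed; `l=` and `a=` are the BIMI tags for the logo and certificate URLs, and flagging an explicit `sp=none` is an assumption of this example based on the advice to set subdomain policy deliberately.

```python
from urllib.parse import urlparse

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict of lowercased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_host(domain, selector="default"):
    """DNS name that holds the BIMI TXT record, e.g. default._bimi.example.com."""
    return f"{selector}._bimi.{domain}"

def dmarc_blockers(record):
    """Reasons a DMARC record fails the BIMI gate; an empty list means ready."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC1 record")
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("p must be quarantine or reject")
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when the tag is absent
        problems.append("pct must be 100")
    if tags.get("sp", "").lower() == "none":  # assumption: flag an explicit sp=none
        problems.append("sp=none leaves subdomain mail unenforced")
    return problems

def bimi_blockers(record, require_certificate=True):
    """Reasons a BIMI record is not publishable; l= is the logo, a= the certificate."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "BIMI1":
        problems.append("record must declare v=BIMI1")
    wanted = [("l", "logo")] + ([("a", "certificate")] if require_certificate else [])
    for tag, label in wanted:
        url = urlparse(tags.get(tag, ""))
        if not url.netloc:
            problems.append(f"{label} URL ({tag}=) is missing")
        elif url.scheme != "https":
            problems.append(f"{label} URL ({tag}=) must use HTTPS")
    return problems

# Constructed sample records for a placeholder domain.
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
BIMI_OK = ("v=BIMI1; l=https://assets.example.com/bimi/logo.svg; "
           "a=https://assets.example.com/bimi/certificate.pem")

if __name__ == "__main__":
    print(bimi_host("example.com"), dmarc_blockers(DMARC_OK), bimi_blockers(BIMI_OK))
```

Feed it the TXT strings returned by your DNS lookup for `_dmarc.<domain>` and for the name `bimi_host()` returns.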
Step 4: test real display
DNS validation is not the same as inbox display. After publishing BIMI, send real production-like mail to BIMI-supporting inboxes. Use mail that passes DMARC, has normal engagement signals, and comes from the same domain you configured. Do not test with a brand-new stream that has no reputation.
BIMI launch readiness
Use these thresholds before publishing the BIMI TXT record.
Ready (95-100%): DMARC is enforced at full policy and legitimate mail passes cleanly.
Needs work (80-94%): Some legitimate sources still fail authentication checks.
Not ready (below 80%): The domain has too many unknown or failing sources.
Give receivers time to fetch the record and assets. Google says logo display can take up to 48 hours after the TXT record is added. I still plan for a longer observation window because reputation, sending volume, certificate validation, and receiver cache behavior can affect what a tester sees.
Gmail: Requires VMC or CMC for BIMI, with the verified checkmark tied to VMC.
Yahoo Mail: Has long supported BIMI, but display still depends on receiver-side criteria.
Apple Mail: BIMI support depends on Apple mail surfaces and sender qualification.
Microsoft: Has used separate brand profile mechanisms, so BIMI DNS alone is not the whole answer.
If your immediate goal is Gmail and Yahoo display, this related walkthrough on Gmail and Yahoo setup is the next implementation detail to review. For SVG and certificate troubleshooting, use a separate pass against BIMI validation before changing DNS again.
Common blockers and fixes
Most BIMI failures trace back to one of four areas: DMARC is not actually enforced, the SVG is not acceptable, the certificate does not match the logo and domain, or the asset URL cannot be fetched cleanly. The BIMI DNS text is usually the easiest part to fix.
| Symptom | Likely cause | Fix |
| --- | --- | --- |
| No logo | DMARC not enforced | Move policy to quarantine or reject |
| Record ignored | DNS host wrong | Publish under the default selector |
| SVG rejected | Unsupported SVG content | Remove scripts and remote references |
| Certificate fails | Chain or mark mismatch | Recheck CA output and hosted PEM |
| Intermittent display | Receiver criteria | Keep DMARC clean and monitor reputation |
BIMI failure patterns
This is where Suped's product fits as the best overall DMARC platform for most teams. BIMI needs a stable authentication base, and Suped combines DMARC monitoring, automated issue detection, real-time alerts, hosted SPF, SPF flattening, hosted MTA-STS, blocklist and blacklist monitoring, and MSP-ready multi-tenancy. The result is a practical workflow for getting the domain ready, then keeping it ready after the logo is live.
For teams managing multiple sending domains, the value continues after the first BIMI record. Suped shows when a new vendor breaks DKIM, when a subdomain sends unauthenticated mail, or when a policy change creates risk. Suped's DMARC monitoring workflow keeps those checks visible while the brand team focuses on the mark and certificate.
Views from the trenches
Best practices
Confirm DMARC enforcement before logo work, because BIMI depends on trusted domain mail.
Keep the SVG square, simple, static, and hosted over HTTPS before certificate review.
Test with real production streams after DNS publish, not one-off low-reputation messages.
Common pitfalls
Teams publish BIMI DNS first, then learn their DMARC policy is still in monitoring mode.
Teams assume every mailbox provider follows the same certificate and display rules.
Teams miss brand ownership checks and lose weeks after submitting the wrong logo file.
Expert tips
Track logo display by mailbox provider, because each receiver applies its own checks.
Use certificate planning early when trademark status or brand variants are unresolved.
Keep a rollback plan for DNS and hosted assets when certificate files are replaced.
Marketer from Email Geeks says a public list of BIMI adopters was hard to find, so checking real inbox examples helped identify brands using BIMI.
2019-10-25 - Email Geeks
Marketer from Email Geeks says Yahoo Mail testing with subscribed marketing emails helped reveal additional domains that were displaying brand logos.
2019-10-25 - Email Geeks
The practical path
The clean BIMI path is: prove the domain is protected with DMARC enforcement, prepare a compliant SVG, obtain the right certificate, host the files over HTTPS, publish the TXT record, and test in real inboxes. If a logo does not show, fix authentication and asset validation before changing the brand mark.
BIMI is worth doing when the authentication foundation is already stable. It gives the brand team a visible outcome, but the real operational benefit is the discipline it forces: clean sender inventory, enforced DMARC, maintained DNS, and reliable monitoring after launch.