Your BIMI logo is not showing in Gmail despite having a VMC certificate because Gmail still has to pass every other BIMI gate. The most common causes are a mismatch between the logo embedded in the VMC and the logo in the l= BIMI record, an old BIMI record on the sending subdomain, DMARC not at enforcement with pct=100, a logo or PEM file that redirects, an SVG that Gmail cannot validate, or sender reputation signals that make Gmail suppress the logo.
A VMC proves that the certificate authority verified a mark for a domain. It does not force Gmail to display the logo. Gmail's own Google BIMI guide says BIMI needs DMARC support, a public web server that supports BIMI, and a VMC or CMC. For VMC-verified senders, Gmail can show a checkmark, but only after the full BIMI and authentication path works.
The fastest first check is simple: compare the logo embedded inside the VMC with the SVG at the BIMI l= URL for the exact visible From domain. If those two images differ, Gmail has a valid reason to withhold the BIMI logo.
The fastest diagnosis
I start with the message Gmail actually received, not the domain I expected to be used. BIMI lookup depends on the visible From domain and the selected BIMI selector. If marketing mail sends as news.example.com, checking only the parent domain can hide the real issue.
- Confirm the From domain: Open the message headers and use the exact domain shown in the visible From address.
- Read the BIMI record: Check the selector record under _bimi, especially for subdomains used by email platforms.
- Compare both logos: The SVG published in DNS and the image embedded in the VMC must be the intended mark.
- Check hosting behavior: The logo and PEM URLs need HTTPS, stable responses, and no redirect chain.
A six-step flowchart for checking why Gmail is not displaying a BIMI logo.
If the VMC was recently renewed, treat the renewed certificate as a new asset. Do not assume it contains the same embedded logo just because the same file name or brand logo was used during the renewal process.
Gmail requirements that still matter
Gmail checks BIMI after authentication and policy checks. If the message does not pass DMARC for the visible From domain, the VMC is irrelevant for that message. If DMARC is still at p=none, Gmail does not have the enforcement posture BIMI needs.
|
|
|
|---|---|---|
DMARC | Use p=reject or quarantine | Move out of monitoring mode |
Coverage | Set pct=100 | Apply policy to all mail |
BIMI | Check l= and a= | Publish current files |
Hosting | No redirects | Use static HTTPS |
Reputation | Stable sending | Reduce failures |
Compact checklist for Gmail BIMI readiness
Use Suped's DMARC checker to confirm the published policy quickly. For ongoing production domains, DMARC monitoring matters more than a one-time lookup because a single sending platform with broken DKIM can keep Gmail from trusting that stream.
DMARC record that can support BIMIDNS
_dmarc.example.com TXT "v=DMARC1; p=quarantine; pct=100;" " rua=mailto:dmarc@example.com"
The VMC and logo mismatch problem
A renewed VMC can break a previously working BIMI setup when the certificate contains a different embedded image than the SVG URL in DNS. The difference can be obvious, such as a different logo, or subtle, such as a mark with different proportions, padding, colors, or file treatment.
What Gmail reads
- DNS logo URL: The l= tag points to the SVG Gmail fetches.
- Certificate URL: The a= tag points to the PEM file for the VMC.
- Embedded mark: The VMC includes logo evidence that needs to match the intended mark.
What breaks display
- Old PEM: DNS still points to a previous certificate after renewal.
- New wrong mark: The renewed VMC contains a mark that differs from the DNS SVG.
- Stale subdomain: The parent domain was updated, but the sending subdomain was not.
When the certificate authority offers hosted BIMI URLs for both the SVG and PEM, using those URLs often reduces drift. The important part is not who hosts the files. The important part is that DNS points to the exact current assets, those assets are reachable by Gmail, and the logo in the VMC matches the SVG in the BIMI record.
BIMI record with logo and VMCDNS
default._bimi.example.com TXT "v=BIMI1;" " l=https://assets.example.com/bimi/logo.svg;" " a=https://assets.example.com/bimi/vmc.pem"
Subdomains and selectors
The subdomain issue is easy to miss. If your brand sends mail as offers.example.com, Gmail checks the BIMI record for that author domain and selector. Updating default._bimi.example.com does not fix a stale record at default._bimi.offers.example.com.
Check the exact sending domainBASH
dig TXT default._bimi.example.com dig TXT default._bimi.offers.example.com
If you use a BIMI-Selector header, do not assume Gmail is using default. Check the selector in the actual message headers, then query that selector under the exact From domain.
This is also why BIMI checks should be tied to real sending flows. A corporate newsletter, receipt stream, password reset stream, and sales automation stream can each use different visible From domains and different DNS zones.
Hosting and redirects
Gmail needs to fetch the SVG and PEM reliably. Redirects create avoidable risk. A CDN rule, forced trailing slash, regional redirect, HTTP-to-HTTPS hop, or marketing site migration can make the URL look valid in a browser while still failing a stricter receiver fetch.
- Use HTTPS directly: The published URL should return the file without a redirect.
- Return the right file: The SVG URL should return SVG content, and the PEM URL should return the certificate file.
- Keep names stable: A changed path after renewal needs a matching DNS update.
- Avoid access controls: Do not put the BIMI files behind cookies, bot checks, geofencing, or auth.
Check for redirects and content typeBASH
curl -I https://assets.example.com/bimi/logo.svg curl -I https://assets.example.com/bimi/vmc.pem
For the SVG itself, keep it square, static, and compliant with the BIMI SVG profile. Do not use JavaScript, external images, animation, or tracking pixels. If the logo changed during a brand refresh, generate a fresh BIMI-specific SVG instead of adapting a website asset.
Where Suped fits
Suped cannot force Gmail to render a BIMI logo, because the final display decision stays with Gmail. Suped does help remove the authentication and policy problems that most often block BIMI before Gmail even evaluates the brand mark.
DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records
For most teams, Suped is the best overall fit among DMARC platforms because it combines DMARC, SPF, DKIM, blocklist (blacklist) monitoring, hosted DMARC, hosted SPF, SPF flattening, hosted MTA-STS, real-time alerts, and issue-level fix steps in one workflow.
When BIMI stops showing after a VMC renewal, the useful Suped workflow is direct: confirm DMARC enforcement, confirm every legitimate sender is passing DMARC for the visible From domain, check DNS records, then watch for source-specific failures that explain why Gmail does not trust a stream.
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
You can also run a quick domain health check before digging into BIMI files. If the domain still has DMARC, SPF, or DKIM failures, fix those first. BIMI troubleshooting goes much faster when the authentication base is clean.
A practical fix sequence
When I see this problem after renewal, I avoid guessing. Work through the checks in this order because each step can invalidate the next one.
- Verify DMARC first: Use p=quarantine or p=reject with pct=100. Suped's Hosted DMARC can manage policy staging without editing raw DNS every time.
- Inspect headers: Use the real Gmail-received message to identify the From domain and selector.
- Query exact DNS: Check the parent domain and every active sending subdomain.
- Compare image sources: Confirm the VMC embedded mark and the BIMI SVG are the same approved logo.
- Remove redirects: Publish stable HTTPS URLs for both the logo and PEM file.
- Send fresh mail: Test with new messages after DNS TTLs expire, then watch Gmail over the next few days.
If the old certificate worked and the new one does not, focus on three renewal-specific changes first: the PEM URL, the logo embedded in the VMC, and any subdomain BIMI records that still point to older assets.
The BIMI Group note explains the broader caveat: a VMC is not a guaranteed display pass. Gmail still applies its own receiver policy and sender reputation checks. That is why a technically valid VMC can exist while the logo remains absent.
If you need a deeper BIMI validation workflow, this related guide on how to validate BIMI records covers common DNS, SVG, and certificate errors. For the VMC requirement itself, the guide on whether you need a VMC explains where Gmail draws the line between logo display and verified checkmark behavior.
Views from the trenches
Best practices
Compare the VMC mark and DNS SVG after every renewal before asking Gmail to refresh.
Check the exact From subdomain, since stale child records often survive parent updates.
Keep BIMI logo and PEM URLs static, public, HTTPS-only, and free of redirect chains.
Common pitfalls
Teams renew the certificate but leave subdomain BIMI records pointing to old assets.
A browser fetch succeeds, but Gmail rejects the logo because the URL redirects first.
The brand team supplies a similar logo, but the VMC embedded mark does not match it.
Expert tips
Send a fresh Gmail test after DNS TTLs expire and compare the exact message headers.
Let the certificate workflow own both hosted BIMI assets when drift keeps returning.
Fix DMARC failures before BIMI testing, since Gmail checks authentication first.
Marketer from Email Geeks says the first useful comparison is the VMC embedded image against the BIMI DNS logo.
2024-12-06 - Email Geeks
Marketer from Email Geeks says the exact sending domain matters because a subdomain record can stay stale after renewal.
2024-12-06 - Email Geeks
The fix that usually works
The direct answer is that the VMC is only one part of Gmail BIMI display. If your BIMI logo disappeared after renewal, check the renewed PEM, the embedded logo, the l= SVG, the exact subdomain BIMI record, and redirect behavior before assuming Gmail has a display bug.
When those assets match and DMARC is enforced at pct=100, move to reputation and source-level authentication. Suped is useful here because it keeps those DMARC, SPF, DKIM, and deliverability signals visible instead of turning BIMI debugging into a DNS guessing exercise.
