Brand Indicators for Message Identification (BIMI) sounds great, right? Your logo, right there in the inbox, helping you build trust and making your emails stand out. It promises better brand recognition and maybe even higher open rates.
To better understand BIMI adoption, I conducted a small analysis on a sample of 13,000 domains used in the From header of real emails. Checking for BIMI records revealed that a significant majority (90.85 percent) had no BIMI record, while only 4.57 percent had a valid BIMI record, and 4.58 percent had an invalid BIMI record. In this analysis, I uncovered potential reasons for the observed adoption rate.
These initial adoption numbers reveal that even though BIMI is enticing, most senders have a long way to go. The reality is BIMI implementation can be confusing, technical, and time-consuming. In this blog post, we’ll take a closer look at these challenges, explain some of the common pitfalls, and help you get you properly implement BIMI.
The DMARC hurdle
At its core, BIMI is built upon DMARC (Domain-based Message Authentication, Reporting, and Conformance). For your BIMI logo to appear, your domain must have a valid DMARC record configured for enforcement. Our analysis found that among domains with some BIMI setup, a substantial 89.11 percent also had a valid DMARC record, underscoring this fundamental link.
For BIMI, “enforcement” specifically means your DMARC policy is set to p=quarantine or p=reject. Note that if you use p=quarantine, it must be applied to 100 percent of your emails (pct=100). This enforcement policy is your explicit instruction to email providers on how to handle emails that fail authentication checks.
Examining the DMARC policies of domains with valid BIMI records in our data reveals strong compliance: 69.24 percent are using p=reject and 26.15 percent are using p=quarantine. This shows that over 95 percent of these domains understand the enforcement requirement, though a small 4.60 percent still incorrectly use p=none.
Moving to a DMARC enforcement policy is a critical step, but it’s imperative that every legitimate email source is correctly authenticated with SPF/DKIM first. Failing to authenticate correctly could lead to your legitimate emails not passing the authentication checks. This would trigger your enforcement policy, and consequently, your emails could be quarantined or rejected by the recipient’s inbox.
Completing this essential authentication setup and maintaining ongoing monitoring requires time and technical expertise. For many businesses, particularly smaller ones, this can seem like a monumental task without the appropriate support. This is exactly where Everest’s DMARC reporting becomes invaluable. It offers clear visibility through a straightforward dashboard, speeding up compliance mitigation and freeing you from the burden of manually parsing complex XML reports.
The tricky logo file
Got DMARC sorted? Great! Now for the logo itself. BIMI needs it in a very specific format: SVG Tiny Portable/Secure (SVG P/S), which isn’t your everyday SVG. The rules are strict, requiring that the file:
- Is square in shape
- Is under 32KB in size
- Ideally, has a solid background (as transparent backgrounds might not display correctly)
- Does not contain scripts or external links
Often, you’ll need special tools or manual code editing to get it right. With all these nuances to create one simple file, it’s no surprise that incorrect SVG files are the most common reason BIMI setups fail.
Certificates and potential pitfalls
Following DMARC enforcement, the next requirement for BIMI is obtaining a certificate to authenticate your brand logo. Your options are a Verified Mark Certificate (VMC) for trademarked logos or a Common Mark Certificate (CMC) for non-trademarked logos with over a year of verifiable use.
In short: VMCs are more expensive, requiring trademark registration but the logo is displayed in Gmail (along with a blue verified checkmark), Yahoo, and Apple inboxes. While CMCs are cheaper, more accessible, and need proof of use, and currently supported only by Gmail. Both types require a validation process by a Certificate Authority. Issues with these certificates—such as expiration, invalid data, or mismatches—are frequent problems during BIMI setup.
BIMI without the certificate
Self-asserted BIMI refers to implementing the Brand Indicators for Message Identification standard without obtaining a formal VMC or CMC from a Certificate Authority. Instead of pointing to a certificate file in the DNS record, the domain owner simply asserts their right to use the logo.
The setup process still requires meeting the foundational BIMI prerequisites: achieving DMARC enforcement, creating the logo in the specific SVG Tiny PS format, hosting it securely via HTTPS, and publishing a BIMI TXT record in DNS containing the version (v=BIMI1) and logo location (l=) tags, but omitting the certificate location (a=) tag.
It’s important to note that support for self-asserted BIMI is not universal. Providers like Yahoo/AOL, Fastmail, and La Poste may opt to display logos without a certificate, often taking into account the brand’s sender reputation. However, major providers like Google and Apple Mail mandate a VMC or CMC for logo display.
Hosting & DNS record
So, you’ve navigated DMARC, perfected your SVG logo, and secured your VMC or CMC. The final hurdle? Getting your BIMI record live in the DNS. This is where many setups falter, even after the hard work of getting the certificate. Pay close attention to these two crucial areas:
- Hosting your SVG logo: Host your SVG logo file on a public web server, accessible via HTTPS. The URL is critical for your BIMI DNS record. Common errors include typos, server issues, using HTTP instead of HTTPS, or bot protection blocking access. If providers can’t fetch it securely, BIMI fails.
- Publishing the BIMI DNS record: Publish a TXT record telling providers where to find your logo (and optional cert). Include mandatory tags: v=BIMI1 and l= (logo URL). Frequent mistakes include syntax errors (e.g., I= instead of l=), omitting l=, incorrect URLs, or publishing on the wrong domain. Remember DNS changes take time. Use validation tools after publishing to catch issues quickly.
Our analysis of common error types in BIMI DNS records reveals just how frequently things go wrong:
- The vast majority (84.36 percent) were due to “Invalid record format,” indicating fundamental syntax or structure problems with the record itself (like missing v=BIMI1).
- 15.31 percent were related to an “Invalid ‘a’ tag value,” often specifically because the certificate URL didn’t use the required HTTPS. This is error will always happen when self-asserting since there isn’t any URLsin this tag.
- Other issues, like unknown or extraneous tags, were minimal (0.33 percent). Remember DNS changes take time. Use validation tools after publishing to catch issues quickly.
Is BIMI right for you?
BIMI offers the tempting reward of brand logo visibility in the inbox, potentially boosting recognition and trust. However, achieving this involves significant complexity: navigating DMARC enforcement, mastering SVG, obtaining certificates (VMC/CMC), and perfecting DNS records. This demands time, technical skill, and budget.
It’s crucial to understand that BIMI is an enhancement built upon a solid email security foundation, specifically DMARC at enforcement (p=quarantine/reject), underpinned by proper SPF/DKIM. It’s not the right step if you’re still facing basic deliverability issues. Getting this DMARC enforcement foundation right, across all your sending sources, is the hardest but most essential prerequisite. Prioritize building this strong security foundation first; the BIMI logo comes after.
To learn more about authentication trends and deliverability for different mailbox providers, check out our 2025 Deliverability Benchmark Report.