How to Set Up BIMI (and Why 28% of Records Break) | DMARCguard Skip to main content<br>16 min read Share
How to Set Up a BIMI Record: DNS, Logo, and Certificate<br>BIMI is the protocol that puts your brand’s logo next to your name in the inbox. Almost nobody runs it, and of the few that do, more than a quarter have it broken. A BIMI (Brand Indicators for Message Identification) record is a DNS TXT record, published at default._bimi.yourdomain.com, that tells supporting mailbox providers where to find your logo — and, optionally, the certificate that proves you own it. This guide on how to set up BIMI is written for the IT admin or founder-operator who already runs DMARC and wants the logo payoff.<br>The catch is that a BIMI record is unforgiving of small mistakes, and most failures are silent: the mail sends fine, the logo just never appears. By the end you will have the exact DNS record, how to prepare a logo that actually renders, whether you need a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC), and how to fix a record that won’t show. BIMI rides on top of DMARC (RFC 9989), so an enforced DMARC policy is a hard prerequisite — more on that below.<br>What a BIMI record actually is (the 60-second version)<br>A BIMI record is a single DNS TXT record at the host default._bimi whose value names your logo’s URL (l=) and, optionally, a mark certificate (a=). It does not authenticate mail itself — it rides on top of an enforced DMARC policy, and receivers only look at it once DMARC passes.<br>Three core tags do all the work:<br>v=BIMI1 — the version, and it must be the first tag.<br>l= — the HTTPS URL of your SVG logo.<br>a= — the HTTPS URL of your VMC or CMC .pem file. Leave it empty for a self-asserted record (a logo with no certificate).<br>That is the whole anatomy. BIMI is an indicator layer, not an authentication layer, which is why the heavy lifting happens in DMARC. For the protocol-level explainer — how the pieces fit and why the standard works this way — see what a BIMI record is. The rest of this guide stays on the procedural lane: getting a record published that renders, and keeping it from breaking.<br>Which email clients show BIMI logos in 2026?<br>As of 2026, four major providers render BIMI logos — Gmail, Apple Mail, Yahoo Mail (and AOL), and Fastmail. Microsoft (Outlook.com and Microsoft 365) does not display BIMI logos for inbound mail and has announced no date to. Where your logo will actually show determines whether the rest of the project — especially a four-figure certificate — is worth it, so settle this first.<br>ProviderShows BIMI logo?Certificate requiredNotesGmail (web + apps)YesVMC or CMC Blue verified checkmark = VMC only; a CMC shows the logo without the checkmark. A logo-only record is not enough.Apple Mail (iOS 16+ / macOS 13+)YesVMC only (no CMC)No checkmark; a verified logo is labelled “digitally certified.” Verified server-side by the provider.Yahoo Mail / AOLYesNone Renders self-asserted records (valid SVG + DMARC at enforcement + reputation). Bulk mail only, not personal.FastmailYesNone Renders authenticated domains with a valid SVG; VMC optional. Caches the logo at its MX servers.Microsoft 365 / Outlook.comNo n/aSupports BIMI only as a sender (via Dynamics 365), not as a receiver. No rollout date announced.
BIMI display and certificate requirements by provider (verified 2026-06-26) These rules are sourced, not asserted: Gmail’s VMC-or-CMC behaviour is in Google Workspace Admin Help (updated 2026-06-18); Apple’s VMC-only rule and the “digitally certified” label are in Apple Support article 108340; Yahoo’s no-certificate, bulk-only display is documented on the Yahoo Sender Hub; and Microsoft’s sender-only stance was confirmed on Microsoft Q&A (2025-09-29, reaffirmed 2026-05-21).<br>Apple's Branded Mail is not BIMI<br>Apple “Branded Mail,” which shipped with iOS 18.2 through Apple Business Connect, lets verified businesses show an uploaded bitmap logo (PNG/JPEG) with DMARC at enforcement — no VMC, no CMC, and no SVG. It is a separate Apple program, not BIMI, so don’t conflate the two when you scope the project.
BIMI setup requirements: what you need before you start<br>Before a BIMI record can render, you need three things: DMARC at enforcement (p=quarantine or p=reject), a square SVG Tiny PS logo hosted over HTTPS, and — for Gmail or Apple Mail — a VMC or CMC certificate. Skip any one of these and the logo silently fails to appear.<br>The first requirement is non-negotiable and built into the standard. The BIMI specification (draft-brand-indicators-for-message-identification-12) states in its DMARC prerequisite that the From domain MUST publish a DMARC policy of p=quarantine or p=reject, with at least one of SPF or DKIM passing in alignment. A domain still at p=none is the second-most-common reason a record never renders, which is why the requirement — not just “add a record” — leads this guide. A policy at enforcement applies to all of your mail, so there is no partial rollout to configure. If you are...