BIMI
BIMI (Brand Indicators for Message Identification) displays your brand’s logo next to your messages in supporting inboxes. It’s a trust and branding signal — not a security control. BIMI doesn’t stop spoofing; DMARC enforcement does that, and BIMI only switches on after you’ve reached enforcement. Think of it as the visible badge you earn for doing the security work, not the work itself. That distinction is why the honest question with BIMI isn’t “how do I set it up?” — it’s “is it worth what it costs?”
The prerequisite you can’t skip
BIMI requires your domain to be at DMARC enforcement — p=quarantine or p=reject — before any inbox will show your logo. At p=none (monitoring), BIMI stays dark, and most providers also want you to hold enforcement for around 30 days before they’ll pull and display the logo. So BIMI is genuinely a reward at the end of the enforcement journey, not a parallel task — there’s no point setting it up until you’re enforcing.
What it actually costs: the certificate
This is where BIMI gets expensive, and where most of the honesty lives. For most inboxes, BIMI needs a mark certificate proving you own the logo — and the bar differs by provider:
| Inbox | What it needs | What you get |
|---|---|---|
| Yahoo Mail | DMARC enforcement + record + logo — no certificate | Logo displays |
| Gmail | A CMC or VMC | Logo (CMC), or logo + blue checkmark (VMC only) |
| Apple Mail | A VMC (CMC not accepted) | Logo displays |
Two certificate types, very different bars:
- VMC (Verified Mark Certificate) — requires a registered trademark for your logo. Runs roughly $750–$1,700/year, plus the cost and months of registering a trademark if you don’t already have one. Widest support (Gmail with the blue checkmark, Apple Mail, Yahoo). Issued by CAs like DigiCert, Entrust, Sectigo, GlobalSign, and SSL.com.
- CMC (Common Mark Certificate) — no registered trademark required; instead you prove 12+ months of public use of the logo. Cheaper (roughly $600–$1,100/year), accepted by Gmail (logo, but no checkmark). Not accepted by Apple Mail.
So the real cost depends entirely on which inboxes you care about: Yahoo-only is nearly free; a Gmail logo via CMC is a few hundred dollars a year and needs no trademark; the Gmail checkmark and Apple Mail both require a VMC and a registered trademark.
The record
Once you’ve cleared enforcement and have a certificate, the record itself is simple — a TXT record at default._bimi.example.com:
| Field | Value |
|---|---|
| Name / Host | default._bimi.example.com |
| Type | TXT |
| Value | v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem |
- v=BIMI1 — the version tag.
- l= — the URL of your logo, which must be an SVG Tiny PS file served over HTTPS. An empty l= deliberately declines BIMI.
- a= — the URL of your VMC or CMC certificate (a .pem file). Omit it and Gmail and Apple won’t show the logo (Yahoo still will).
Is it worth it?
Honest answer: for many domains, no — at least not yet. BIMI is branding, not protection. All of the security value came from the DMARC enforcement you had to reach first; the logo adds visible polish, not defense. It’s worth pursuing if you’re already enforcing, you have a recognizable logo, and inbox brand presence genuinely matters to you — typically consumer-facing senders, marketing-heavy brands, and anyone fighting impersonation where a visible logo reassures recipients. It’s reasonable to skip if you’re a small B2B shop with no registered trademark and a logo most recipients won’t consciously notice — the certificate cost buys little there. What you should not do is treat BIMI as a security milestone, or let chasing it distract from the one that actually matters.
Check your own
The checker reads your default._bimi record, confirms it references a logo and a certificate, and tells you whether your DMARC policy is strong enough for the logo to display.
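The same decision logic can be run offline against TXT strings you have already looked up. This is an added example, not this site's checker: `parse_tags`, `check_bimi` and the `cert_type` argument are hypothetical names, the certificate type is supplied by the caller rather than read from the .pem file, and the roughly 30-day enforcement hold cannot be seen in DNS, so it is not checked.

```python
# Added example: offline BIMI eligibility check following the rules on this page.
ENFORCING = {"quarantine", "reject"}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi(bimi_txt, dmarc_txt, cert_type=None):
    """Return (per-inbox verdicts, problems).

    cert_type ('VMC', 'CMC' or None) is supplied by the caller: an assumption,
    since this sketch does not fetch or parse the certificate behind a=.
    """
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    problems = []
    enforcing = dmarc.get("v") == "DMARC1" and dmarc.get("p", "").lower() in ENFORCING
    if not enforcing:
        problems.append("DMARC is not at p=quarantine or p=reject")

    logo = bimi.get("l", "")
    logo_ok = bimi.get("v") == "BIMI1" and logo.lower().startswith("https://")
    if bimi.get("v") != "BIMI1":
        problems.append("missing or wrong v=BIMI1 tag")
    elif not logo:
        problems.append("empty or missing l=: no logo (an empty l= declines BIMI)")
    elif not logo_ok:
        problems.append("logo URL is not served over HTTPS")

    has_cert = bimi.get("a", "").lower().startswith("https://") and cert_type in ("VMC", "CMC")
    if not has_cert:
        problems.append("no usable a= certificate: only Yahoo Mail can show the logo")

    base = enforcing and logo_ok
    verdicts = {
        "Yahoo Mail": base,                                  # no certificate needed
        "Gmail logo": base and has_cert,                     # CMC or VMC
        "Gmail checkmark": base and has_cert and cert_type == "VMC",
        "Apple Mail": base and has_cert and cert_type == "VMC",  # CMC not accepted
    }
    return verdicts, problems

# Constructed sample records (example.com placeholders, not real DNS data).
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

Calling `check_bimi(SAMPLE_BIMI, SAMPLE_DMARC, "CMC")` shows the CMC trade-off from the table: Yahoo Mail and the Gmail logo pass, while the Gmail checkmark and Apple Mail do not.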