BIMI + VMC: brand visibility through DMARC
BIMI (Brand Indicators for Message Identification) puts your logo in the avatar slot next to authenticated emails in Gmail, Yahoo, Apple Mail, and Fastmail. On the surface it's an intuitive, marketing-driven feature. Underneath, it's a DMARC enforcement gate with a very expensive certificate layer on top, and it changes recipients' phishing-resistance heuristics in subtle ways.
The plumbing
BIMI publishes a TXT record at default._bimi.example.com pointing to (a)
an SVG of your logo and (b) a Verified Mark Certificate (VMC) PEM that asserts you own
the trademark for the logo:
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi-logo.svg; a=https://example.com/bimi-vmc.pem"
The receiving mail server checks four things: DMARC is in quarantine or
reject mode, the sender authenticated, the BIMI record exists, and
(for Gmail and Apple Mail) the VMC chain validates. All four pass → display the logo.
The DMARC gate
BIMI requires DMARC p=quarantine or p=reject.
Domains with p=none don't qualify. This is the actually-useful part of
BIMI: it's the marketing team's incentive to fix the email auth posture that the
security team has been asking for.
In our experience: 60-70% of teams that successfully deploy BIMI had DMARC enforcement
as a prerequisite blocker. The marketing team pushes the project; the security team
finishes a long-overdue migration from p=none to p=quarantine pct=100.
Net win for security, regardless of the logo display value.
The VMC cost
| Component | 2026 cost | Notes |
|---|---|---|
| Trademark registration | $1000-$5000 (one-time, varies by jurisdiction) | Required for VMC issuance. USPTO, EUIPO, or equivalent. |
| VMC from Entrust or DigiCert | $1500-$3000/year | Annual renewal. Validation is similar to EV TLS — they verify you own the trademark. |
| SVG logo prep | One-time engineering hour | Strict subset of SVG — flat colors, no scripts, no external refs, square aspect. |
| Common Mark Certificate (CMC) | $700-$1500/year | Cheaper alternative since 2023; allows logos without registered trademark, but signal is weaker. |
The trademark requirement gates BIMI to brands that have legal teams. Independent creators, small SaaS, side projects — practically priced out, unless they go for the CMC pathway.
The SVG you need
BIMI SVG profile (RFC-pending, but the de facto spec from the working group):
- SVG 1.2 Tiny PS profile
- Square aspect ratio (logo is shown in a circular crop)
- No `<script>`, no `<foreignObject>`, no external refs
- Solid colors only — no gradients, no images, no text
- Filesize < 32 KB (most are < 4 KB)
- `baseProfile="tiny-ps"` attribute on the root element
- Must include a `<title>` child of the `<svg>` element
Most brands' existing SVG logos fail this profile. Plan for a redesign pass with the brand team — usually a flatter, simplified version of the wordmark.
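A small lint for the profile rules listed above, written as an added example (not the BIMI Group's tool or this site's own checker). It checks the byte limit, the `baseProfile` attribute, the `<title>` child, a square `viewBox`, forbidden element types, and external references; the two sample SVGs are constructed, and the exact element and attribute lists are my reading of the bullet points, not the normative profile.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
MAX_BYTES = 32 * 1024
# Element types the profile excludes: scripting, embedded foreign/raster content, gradients, text.
FORBIDDEN = {"script", "foreignObject", "image", "linearGradient", "radialGradient", "text"}


def lint_bimi_svg(data: bytes) -> list:
    """Return the list of profile violations found; an empty list means every check passed."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root lacks baseProfile="tiny-ps"')
    if root.find(SVG_NS + "title") is None:
        problems.append("no <title> child of <svg>")
    vb = root.get("viewBox", "")
    try:  # square aspect: viewBox width and height must match
        _x, _y, w, h = (float(p) for p in vb.replace(",", " ").split())
        if w != h:
            problems.append(f"viewBox {vb!r} is not square")
    except ValueError:
        problems.append(f"viewBox {vb!r} missing or malformed")
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local in FORBIDDEN:
            problems.append(f"forbidden element <{local}>")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]  # strips the xlink namespace from xlink:href
            if name == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{local}> href={value!r}")
            elif name in ("fill", "stroke", "style") and "url(" in value and "url(#" not in value:
                problems.append(f"external url() in <{local}> {name}={value!r}")
            elif name.startswith("on"):
                problems.append(f"event handler attribute {name} on <{local}>")
    return problems


# Constructed samples: a minimal compliant logo and one that breaks several rules at once.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            b'viewBox="0 0 100 100"><title>Example Corp</title>'
            b'<circle cx="50" cy="50" r="40" fill="#1a73e8"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
           b'viewBox="0 0 200 100"><defs><linearGradient id="g"/></defs>'
           b'<image xlink:href="https://example.com/logo.png"/><script/></svg>')

if __name__ == "__main__":
    for label, svg in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        print(label, lint_bimi_svg(svg) or "OK")
```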
Implementation order
- DMARC at `p=quarantine pct=100` minimum. Watch reports for a month. Fix any failing legitimate sources.
- Prepare BIMI-compliant SVG. Validate with the BIMI Group's online tool.
- Apply for VMC. The provider does trademark verification (1-2 weeks for cleanly-registered trademarks, longer for ambiguous ones).
- Publish DNS record. TTL low for the first week to ease iteration.
- Validate via test sends. Send to a Gmail and an Apple Mail account. Logo should appear within ~24h (Gmail) or immediately (Apple).
The phishing dimension
BIMI's user-experience theory: authenticated brand mail is visually distinguishable from spoofed mail. In practice:
- Positive case. Recipients learn to associate your logo with legit mail. Spoofs without the logo become suspicious.
- Phishing case. Attacker registers `example-secure-login.com`, sets up DMARC, gets a VMC for their own brand, sends phishing FROM that domain. The phishing mail has a logo too — a different logo (theirs), but recipients in a hurry don't compare carefully.
BIMI is a pretty UX. It's not a strong phishing defense on its own. The real phishing
defense is DMARC p=reject stopping spoofing of your domain.
BIMI is the marketing reward for that work.
Who's using it (2026)
Strong adoption among consumer-facing brands with phishing exposure: banks, e-commerce (Amazon, eBay, Etsy), social platforms (LinkedIn, Twitter/X). Mid adoption among SaaS — Stripe, Salesforce, Shopify all ship BIMI. Low adoption in B2B-only SaaS where the recipient is a tech team that doesn't see the avatar slot anyway (most B2B mail is read in tools that don't render BIMI: Slack inbox bots, Front, custom dashboards).
What we report
Our bimi_tlsrpt checker probes default._bimi.<domain>
and reports record presence + the URLs it points to. We don't validate the VMC chain
(that would require fetching it). We don't flag absence as a defect — most domains
legitimately don't have BIMI. Presence is shown as INFO, contributing nothing to the score.
Audit your email auth posture
Free Basic scan covers SPF/DMARC/DKIM. Extended adds DANE, MTA-STS, BIMI, and dkim_key_rotation findings.
Run a scan