You have probably noticed a brand logo sitting next to an email in Gmail before you even open it. That is BIMI in action. Brand Indicators for Message Identification (BIMI) is an email standard that lets organizations display a verified logo next to their authenticated emails in supported inboxes. Recipients get a visual signal that the message is genuinely from that brand, before they open it.
For security teams, this matters beyond branding. Phishing attacks succeed partly because spoofed sender names look identical to legitimate ones. BIMI ties a verified logo to the sending domain, and for organizations using a Verified Mark Certificate, Gmail adds a blue checkmark that recipients can recognize as a third-party trust signal. This guide walks through the complete implementation process, from understanding your certificate options to publishing your DNS record and testing the result.
What Are VMC and CMC?
To display a verified logo in Gmail, you need one of two types of mark certificates. Both act as digital proof that your organization owns the logo and is authorized to display it next to emails sent from your domain.
A Verified Mark Certificate (VMC) is the original certificate type. It requires a trademark registered with a recognized intellectual property office, such as the USPTO in the United States or the EUIPO in the European Union. In Gmail, a VMC enables both the brand logo and the blue verified checkmark. Apple Mail also requires a VMC for logo display.
A Common Mark Certificate (CMC) is the newer option, announced by the AuthIndicators Working Group in September 2024. It removes the trademark requirement but replaces it with proof that your logo has been in continuous public use on your domain for at least 12 months. Certificate authorities verify this using web archive records. In Gmail, a CMC gives you the brand logo without the blue checkmark. Apple Mail does not currently accept CMCs.
Quick Comparison
| Feature | VMC | CMC |
|---|---|---|
| Trademark required | Yes | No |
| Logo eligibility proof | Trademark registration with IPO | 12 months continuous public use |
| Gmail blue checkmark | Yes | No, logo avatar only |
| Apple Mail support | Yes | No (as of 2026) |
| Yahoo Mail | Yes | Yes |
| Annual cost (approx., as of mid-2026) | USD 749 to 1,688 + trademark fee | USD 650 to 1,100 |
| Validation time | 2 to 4 weeks | 1 to 3 weeks |
| Certificate validity | 397 days max | 397 days max |
One practical note: if your trademark registration is still in progress, you can start with a CMC and upgrade to a VMC once the trademark is confirmed. Both use the same DNS record format, the same hosting requirements, and the same PEM file structure, so the transition is mostly a certificate swap rather than a full rebuild.
How to Implement BIMI
Every step in this process depends on the one before it. A gap at any stage causes a silent failure where the logo simply does not appear and no error is sent to the domain owner. The only reliable approach is to complete each step fully before moving to the next.
Step 1: Set Up and Enforce DMARC
DMARC is the foundation that BIMI sits on. Without it at full enforcement, BIMI will not activate in Gmail or any other major provider. Begin by confirming that SPF and DKIM are configured and passing for every system that sends email from your domain. SPF authorizes the IP addresses permitted to send on behalf of your domain. DKIM adds a cryptographic signature to each outbound message so receiving servers can verify it has not been altered. DMARC passes when at least one of the two passes and is aligned with the domain shown in the email From header, but aim for both on every sender: SPF alone breaks whenever a message is forwarded, so a sender that relies only on SPF will fail DMARC for part of its traffic.
Once SPF and DKIM are in place, publish a DMARC TXT record that starts in monitoring mode (p=none) and includes a rua reporting address. In a DMARC record, the p tag is the policy: it tells receiving servers what to do with mail that fails authentication. It has three values: p=none only monitors and takes no action, p=quarantine sends failing mail to the spam or junk folder, and p=reject blocks failing mail outright. The pct tag is the percentage of failing mail the policy is applied to; it defaults to 100 when omitted, and pct=100 covers every message. Monitoring mode lets you collect aggregate reports showing which senders are passing or failing alignment, without affecting mail delivery.
A gradual rollout matters because it shows you exactly who sends mail for your domain before you start blocking anything. Jumping directly to p=reject is risky. Any legitimate sender that is not yet aligned, such as a marketing tool or an internal app, will have its mail silently rejected, and you may not notice until customers do.
Reviewing the aggregate reports at each stage is what prevents this, because the reports reveal every sending source and whether it passes SPF and DKIM alignment. Only after every legitimate sender is passing should you move the policy from p=none to p=quarantine, and then to p=reject. Crucially, the policy must apply to all outbound mail, not just a percentage: either set pct=100 explicitly or leave the pct tag out, since 100 is the default. Gmail requires full enforcement before it will process BIMI. A policy at p=quarantine with pct=25 will not qualify, even though it is technically an enforcement policy.
```text
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]
```
NIST Special Publication 800-177 Rev. 1, Trustworthy Email, is the federal reference for SPF, DKIM, and DMARC as the foundational mechanisms for trustworthy email infrastructure.
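As an added example (this is not code from the original page or from Encryption Consulting), the enforcement rules above as a small Python preflight: it parses a DMARC TXT record and lists everything that would keep BIMI from activating. The pct default of 100 and the sp tag behaviour follow RFC 7489; the sample records and the example.com reporting address are constructed placeholders.

```python
"""DMARC preflight for BIMI: parse a record and report why it would not qualify."""

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_dmarc_problems(record: str) -> list:
    """Return the reasons this DMARC record would keep BIMI from activating.

    An empty list means the record meets the enforcement requirements
    described above: p=quarantine or p=reject, applied to 100% of mail.
    """
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "")
    if policy not in ENFORCING:
        problems.append(f"p={policy or '<missing>'} is not an enforcement policy")
    # pct defaults to 100 when omitted (RFC 7489); any lower value is partial enforcement.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if pct != 100:
        problems.append(f"pct={pct_raw} applies the policy to only part of the mail stream")
    # sp= overrides p for subdomains; a weaker sp leaves subdomain mail unenforced.
    sub = tags.get("sp")
    if sub is not None and sub not in ENFORCING:
        problems.append(f"sp={sub} leaves mail from subdomains unenforced")
    if not tags.get("rua"):
        problems.append("no rua= address: you will not receive the aggregate reports "
                        "needed to find misaligned senders")
    return problems


if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder domain.
    for rec in (
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none",
    ):
        print(rec, "->", bimi_dmarc_problems(rec) or "OK for BIMI")
```

Run it against the record you actually publish (the output of `dig +short TXT _dmarc.yourdomain.com`) rather than the one you intended to publish; the two differ more often than expected.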
Step 2: Prepare a BIMI-Compliant SVG Logo
The logo file must conform to the SVG Tiny Portable and Secure profile, commonly called SVG Tiny PS. This is a restricted version of the SVG standard that prohibits JavaScript, external file references, and certain rendering features that mailbox providers cannot safely process. A standard SVG exported from a design tool will almost always need to be converted to this profile before it will pass BIMI validation.
Gmail requires the image dimensions to be specified as absolute pixel values with a minimum size of 96 by 96 pixels. Relative values like width="100%" will cause rejection even if everything else is correctly configured. The logo should be square and centered within the image frame. Once the file meets the specification, host it at a stable HTTPS URL. Mailbox providers fetch this file every time they validate a BIMI record, so the hosting location should be treated as production infrastructure with consistent uptime.
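An added example, not from the original page: a Python preflight that checks an SVG against a subset of the SVG Tiny PS rules named above (the tiny-ps base profile, version 1.2, a title element, no x/y on the root, absolute square pixel dimensions, no scripts, event handlers or external references) before you send the file to a CA. It is deliberately strict and is not a substitute for the BIMI Group's validator; the two SVG documents are constructed samples, one compliant and one typical design-tool export.

```python
"""Preflight an SVG against a subset of the SVG Tiny PS rules before submitting it to a CA."""
import re
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"


def _absolute_px(value):
    """Return the numeric size if value is an absolute pixel length, else None."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", value or "")
    return float(m.group(1)) if m else None


def svg_tiny_ps_problems(svg_text: str, min_px: int = 96) -> list:
    """Return a list of violations; empty means every check in this subset passed."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return ["root element is not <svg> in the SVG namespace"]

    problems = []
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root must declare baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('root must declare version="1.2"')
    if root.find(SVG + "title") is None:
        problems.append("a <title> element directly under the root is required")
    for attr in ("x", "y"):
        if root.get(attr) is not None:
            problems.append(f"root <svg> must not carry an {attr} attribute")

    width, height = _absolute_px(root.get("width")), _absolute_px(root.get("height"))
    if width is None or height is None:
        problems.append("width and height must be absolute pixel values, not % or other units")
    else:
        if width != height:
            problems.append(f"logo must be square, got {width:g}x{height:g}")
        if width < min_px:
            problems.append(f"logo must be at least {min_px}x{min_px} pixels")

    # Walk every element: no scripting, no event handlers, no references outside the file.
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local == "script":
            problems.append("<script> elements are not allowed")
        for attr, value in el.attrib.items():
            if attr.startswith("on"):
                problems.append(f"event handler attribute {attr} on <{local}> is not allowed")
            if attr.split("}")[-1] == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{local}>: {value}")
    return problems


# Constructed sample: a logo that follows the profile.
GOOD_SVG = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps"
     width="400" height="400" viewBox="0 0 400 400">
  <title>Example Corp logo</title>
  <circle cx="200" cy="200" r="150" fill="#0055aa"/>
</svg>"""

# Constructed sample: what a design tool typically exports (relative size, external raster, script).
EXPORTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" width="100%" height="100%" x="0" y="0">
  <image xlink:href="https://cdn.example.com/logo.png" width="400" height="400"/>
  <script>alert(1)</script>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SVG), ("exported", EXPORTED_SVG)):
        print(name, "->", svg_tiny_ps_problems(doc) or "passes this subset of checks")
```

The external-reference check flags any href that is not a fragment, including data: URIs, because a reviewer would rather see an embedded raster and decide than have it pass unnoticed; relax it only if your CA confirms the reference is acceptable.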
Step 3: Apply for Your Certificate
With DMARC enforced and your logo hosted, you are ready to apply for a VMC or CMC from a BIMI-recognized certificate authority (CA). If you are applying for a VMC, you will need to submit your SVG logo file and proof of trademark registration from the relevant intellectual property office. The certificate authority will verify your organization identity, confirm domain control, and validate the trademark against the official registry. Expect the process to take two to four weeks, with trademark verification typically being the longest step.
For a CMC, you will submit your SVG logo and evidence that it has been continuously displayed on your domain for at least 12 months. Certificate authorities use web archive records to verify this, so the logo must be findable in publicly accessible archive snapshots going back at least 12 months from the date of application. CMC issuance typically takes one to three weeks.
When the certificate is issued, you receive a PEM file containing your entity certificate. You then need to append the intermediate CA certificates and the root CA certificate to this file, in that exact order: entity certificate first, intermediates next, root last. An incomplete or misordered chain is one of the most common causes of silent BIMI failure at the certificate validation stage.
Step 4: Host the PEM File and Publish the BIMI DNS Record
Upload the complete PEM file to a public HTTPS endpoint. The URL must be stable and reliably reachable by external servers, since mailbox providers will fetch it as part of every BIMI verification. Treat this URL the same way you would treat a production TLS certificate endpoint. Once the file is hosted, publish your BIMI TXT record in DNS:
Host: default._bimi.yourdomain.com
Record type: TXT
```text
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/certificate.pem
```
The l= field is the URL of your hosted SVG logo. The a= field is the URL of your hosted PEM certificate file. Both must use HTTPS. According to Google’s official BIMI documentation, DNS changes can take up to 48 hours to propagate fully.
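As an added example (not from the original page), the BIMI assertion record parsed and checked in Python: it builds the DNS name a receiver queries for a given From domain and selector, and validates the tag rules described above (v=BIMI1 first, HTTPS for both l= and a=, an empty l= meaning the domain declines to publish a logo). The selector handling follows the BIMI specification's BIMI-Selector mechanism, which the page does not cover; yourdomain.com is the page's own placeholder.

```python
"""Parse a BIMI assertion record and check the URL requirements described above."""


def bimi_record_name(from_domain: str, selector: str = "default") -> str:
    """DNS name a receiver queries for the BIMI record of a From domain.

    The selector is 'default' unless the message carries a BIMI-Selector
    header naming another one (a per-message selector is part of the BIMI spec).
    """
    return f"{selector}._bimi.{from_domain}"


def parse_bimi(record: str) -> list:
    """Return [(tag, value), ...] in record order; order matters because v= must come first."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def bimi_record_problems(record: str) -> list:
    """Return the reasons a receiver would not use this record; empty means it is well formed."""
    pairs = parse_bimi(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("v=BIMI1 must be the first tag")
    logo = tags.get("l")
    cert = tags.get("a", "")
    if logo is None:
        problems.append("l= tag is required")
    elif logo == "":
        # An empty l= is the documented way to state that the domain publishes no logo.
        if cert:
            problems.append("l= is empty (declining to publish) but a= is set")
    else:
        if not logo.startswith("https://"):
            problems.append("l= logo URL must use HTTPS")
        if not cert:
            problems.append("a= is missing: Gmail and Apple Mail require a mark certificate to display the logo")
        elif not cert.startswith("https://"):
            problems.append("a= certificate URL must use HTTPS")
    return problems


if __name__ == "__main__":
    # Constructed sample records using the page's placeholder domain.
    print(bimi_record_name("yourdomain.com"))
    for rec in (
        "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/certificate.pem",
        "v=BIMI1; l=http://yourdomain.com/logo.svg",
        "v=BIMI1; l=;",
    ):
        print(rec, "->", bimi_record_problems(rec) or "well formed")
```

Feed it the TXT value you get back from DNS after propagation, not the value you typed into the DNS console: quoting, stripped trailing semicolons and a mistyped selector all show up only on the published side.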
Step 5: Validate and Test
After DNS propagation, use a BIMI validator to confirm that the TXT record resolves correctly, the SVG meets the Tiny PS specification, the PEM chain is in the correct order, and DMARC is properly enforced. A few free tools each cover a different part of this check. The BIMI Inspector from the BIMI Group checks that your BIMI record is well formed and that DMARC is at enforcement. The URIports BIMI validator inspects the DNS record, the SVG logo, and the certificate together. The Google Admin Toolbox lets you open a real message header and see the SPF, DKIM, and DMARC results Gmail actually applied. A DMARC analyzer helps you read your aggregate reports and confirm every sender is aligned.
Then send a test email from your domain to a Gmail account and check whether the logo appears. If the logo is not showing, start by reviewing DMARC aggregate reports for alignment failures, verifying the PEM chain order, and confirming both hosted file URLs are publicly reachable over HTTPS. Give the setup up to 48 hours after DNS propagation before treating a missing logo as a confirmed failure.
Completing all five steps gets the logo live, but a working setup is not a permanent one. The same chain of dependencies that makes BIMI succeed also makes it fragile, and most failures are silent: the logo can simply stop appearing with no error sent to you. The mistakes below are the ones that most often break an otherwise correct configuration, both during initial rollout and months later.
Common Mistakes to Avoid
- Setting pct below 100 in DMARC prevents BIMI from activating in Gmail, even if p=reject is set. Organizations ramping DMARC enforcement gradually must complete the full ramp to pct=100 before enabling BIMI.
- Third-party sending platforms such as marketing automation tools, HR systems, and customer support software each need to be DKIM-signed and DMARC-aligned. A single high-volume misaligned sender disrupts BIMI display for that entire mail stream.
- Submitting a standard SVG file instead of one conforming to the SVG Tiny PS profile will result in CA rejection. Verify the logo profile before beginning the certificate application.
- An incomplete or misordered PEM chain causes silent certificate validation failure. Always verify the assembly order after building the file: entity certificate, then intermediates, then root.
- Certificate expiry removes logo display immediately with no grace period. Set renewal reminders at 90, 60, and 30 days before the expiry date and treat this like any production certificate renewal.
- Subdomains do not inherit the parent domain BIMI record. If your organization sends email from a subdomain, publish a separate BIMI TXT record for that subdomain.
- Not all certificate authorities are accepted by all mailbox providers. Confirm that your chosen CA is on the accepted list for your most important target providers before purchasing.
What these pitfalls have in common is that they treat BIMI as a one-time DNS change rather than as ongoing certificate and PKI infrastructure. Avoiding them reliably takes the same discipline you apply to any production cryptographic asset, which is exactly where dedicated PKI support makes the difference.
How Encryption Consulting Can Help
Encryption Consulting provides the PKI expertise that a reliable BIMI program depends on. Our PKI Services cover assessment, design, and implementation of the certificate infrastructure behind DKIM signing and VMC or CMC deployment, including HSM integration for private key protection and certificate authority selection. If you would rather not run this infrastructure in-house, our PKI-as-a-Service can host and manage the CA and HSMs that protect your DKIM and mark-certificate keys, while ownership of the CA and keys stays with you.
CertSecure Manager, our certificate lifecycle management platform, gives you a single, automated view of every certificate across your environment, from TLS/SSL and code signing to client and device certificates. It is vendor-neutral, connects public and private certificate authorities in a single view, automates discovery, enrollment, and renewal, and generates audit and high-risk certificate reports that prevent the expiry-driven outages most organizations discover only after the fact.
Watch our video on Understanding Digital Certificates to learn more about the certificate infrastructure that powers BIMI, PKI, and enterprise email security.
Conclusion
BIMI is one of the more practical wins available in enterprise email security right now. A verified logo in the inbox, and a blue checkmark for VMC senders in Gmail, gives recipients a clear and immediate trust signal before they open the message. The implementation process is methodical: enforce DMARC fully at p=reject with pct=100, prepare your logo in SVG Tiny PS format, apply for the right certificate type from an authorized CA, assemble the PEM in the correct chain order, host both files over HTTPS, and publish the BIMI DNS record.
Every step depends on the one before it, and every failure is silent. The organizations that maintain BIMI reliably are the ones that treat the certificate and the hosting infrastructure with the same discipline they apply to any other production cryptographic asset. If your team needs support with any part of the certificate management, PKI design, or DMARC enforcement process, Encryption Consulting is a good place to start.
