BIMI: how to set it up, and why you probably shouldn't bother yet
What it actually takes to get your logo into the inbox with BIMI, and an honest look at why, right now, it's mostly vanity rather than a deliverability win.
Someone in marketing saw a competitor's logo sitting next to their name in Gmail, and now it's your problem. They want the badge. That little round logo that says "this brand is verified."
BIMI is how you get it. It's also, for most organisations, a project that buys you a logo and not much else. Here's the honest version of both halves.
What is BIMI, really?
BIMI stands for Brand Indicators for Message Identification. It's a DNS record that points mailbox providers at your logo. When a provider supports it and trusts you, your logo shows up next to your messages.
That's the whole feature. A picture in the inbox.
The important word is trust. BIMI does not make your mail more trustworthy. It rides on trust you've already built with DMARC. The logo is the reward for authentication you've already done, not a thing that improves it.
A complete record, published at the default selector, looks like this:
default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem"
Two parts. l= is your logo. a= is an optional certificate that proves you own the logo. Hold onto that second one. It's where the money goes.
What does it actually take to set up?
There's a ladder, and you can't skip a rung.
The first rung is enforced DMARC. Your domain must publish a DMARC policy of p=quarantine or p=reject. Not p=none. This is the real gate, and for a lot of domains it's months of work on its own. You have to fix SPF and DKIM for every legitimate sender before you can safely enforce. If you're not at enforcement yet, BIMI isn't your next step. DMARC is.
The second rung is a logo in the right format. Not your PNG. BIMI wants SVG Tiny PS, a stripped-down SVG profile, square, with a solid background and no scripting. Most brand SVGs fail validation on the first try. Budget an afternoon.
The third rung is optional: a certificate. Gmail and Apple Mail won't show your logo on the strength of the DNS record alone. They want a Verified Mark Certificate (VMC), or for some logos a Common Mark Certificate (CMC). It's a paid certificate from a handful of issuers that verifies you have a legal right to the mark, usually a registered trademark.
That last rung is where BIMI stops being a DNS exercise and becomes a procurement one.
So why is it mostly vanity?
Three reasons, in order of how much they'll annoy you.
The VMC tax is real, and it recurs. A Verified Mark Certificate runs roughly a thousand US dollars a year, and it usually requires a registered trademark, which is its own cost and its own months of waiting if you don't already have one. You are paying, every year, for a logo to appear in some inboxes. It is the most expensive image hosting on earth.
Client support is patchy. Gmail shows it. Apple Mail shows it. Yahoo shows it. Outlook's support has been "coming" for years, roughly the same "soon" energy as a perpetually-delayed sequel, and the picture across desktop Outlook, the web client, and the mobile apps is inconsistent enough that you can't promise marketing the badge will appear for half your recipients.
And it does nothing for deliverability. This is the one people don't want to hear. BIMI sits downstream of authentication. A message that lands in spam without BIMI lands in spam with BIMI. The logo appears because you already pass DMARC at enforcement, and it's that enforcement, not the picture, that protects your domain and your inbox placement. You get the entire deliverability benefit at rung one. The logo on rung three is decoration.
If a vendor pitches BIMI as a way to "improve inbox placement", they're selling you the cake by describing the icing. The placement came from DMARC. You already had it.
When is it actually worth it?
It's not never. There's a real case.
It works when you're a consumer-facing brand sending high volumes to Gmail, Apple, and Yahoo audiences: retail, banking, big SaaS. At that scale the logo is a recognised anti-phishing signal and a genuine brand-recall win.
It works when you already have a registered trademark and an enforced DMARC policy, because then the marginal cost is a certificate and an afternoon, not a year-long programme.
And it helps when you have a phishing problem and want every legitimate-sender signal you can get in front of consumers who've been targeted.
If that's you, BIMI is a reasonable line item. For a B2B firm sending mostly to other businesses on Microsoft 365, where the badge may not even render, it's much harder to justify the annual cheque.
Our take
BIMI is the reward at the top of a ladder whose value mostly sits at the bottom. Climb the ladder for the right reason. Get to DMARC enforcement because it stops people spoofing you, and treat the logo as a small, optional flourish at the end if your audience and budget line up.
Don't let the badge become the reason you do DMARC. Let stopping spoofing be the reason. The badge is what you might add afterwards, not the goal.
What to do
- Check where your DMARC policy actually is. If it's p=none, that's the whole project right now. Run your domain through the DMARC checker and read the policy line.
- Get to p=quarantine, then p=reject, by fixing every legitimate sender first. This is the work that protects you.
- Only then weigh BIMI. If you're a consumer brand with a trademark, get the SVG Tiny PS logo and a VMC. If you're not, publish the record without the cert if you like the idea, and accept the logo will only show in a few clients. Or skip it and spend the money elsewhere.
- Verify what you publish. Once a BIMI record is live, check it renders and validates with the BIMI checker before you tell anyone it's done.
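The ladder and the checklist above can be turned into an offline readiness check. The script below is an added example, not code from the article or from any BIMI checker: it parses constructed sample DMARC and BIMI TXT records (helper names and example.com URLs are assumptions) and reports which rung a domain is on.

```python
# Added offline readiness check for the BIMI ladder (constructed records, hypothetical helper names).
from urllib.parse import urlparse

# Constructed sample TXT records, the kind you would read back from DNS.
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_BIMI_VMC = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
SAMPLE_BIMI_NOCERT = "v=BIMI1; l=https://example.com/logo.svg; a="

def parse_tags(record):
    """Split a 'k=v; k2=v2' TXT record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforced(dmarc_record):
    """Rung one: p=quarantine or p=reject. p=none, or no policy at all, fails."""
    tags = parse_tags(dmarc_record)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ("quarantine", "reject")

def check_bimi_record(bimi_record):
    """Rungs two and three: return a list of problems with the record (empty if clean)."""
    tags = parse_tags(bimi_record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("version tag must be v=BIMI1")
    logo = urlparse(tags.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        problems.append("l= must be an https URL to the SVG Tiny PS logo")
    cert = tags.get("a", "")
    if cert and urlparse(cert).scheme != "https":
        problems.append("a= must be an https URL to the VMC/CMC PEM when set")
    return problems

def bimi_readiness(dmarc_record, bimi_record):
    """One verdict string: which rung of the ladder the domain is on."""
    if not dmarc_enforced(dmarc_record):
        return "not ready: DMARC is not at enforcement, so fix DMARC first"
    problems = check_bimi_record(bimi_record)
    if problems:
        return "not ready: " + "; ".join(problems)
    if not parse_tags(bimi_record).get("a"):
        return "record valid, no certificate: logo shows only in the few clients that accept a bare record"
    return "ready: DMARC enforced, valid record with certificate"

if __name__ == "__main__":
    print(bimi_readiness(SAMPLE_DMARC_NONE, SAMPLE_BIMI_VMC))
    print(bimi_readiness(SAMPLE_DMARC_REJECT, SAMPLE_BIMI_NOCERT))
    print(bimi_readiness(SAMPLE_DMARC_REJECT, SAMPLE_BIMI_VMC))
```

Swap in the TXT strings returned by your own DNS lookups to see which rung you are actually on.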
The logo is nice. The authentication underneath it is the point.