BIMI Record Checker
Check whether a domain has a valid BIMI record, verify the logo URL, and see if a VMC certificate is present.
Try a known BIMI domain: linkedin.com ยท ebay.com ยท paypal.com ยท verizon.com
Validation results
How this BIMI checker works
BIMI (RFC 9418) is the DNS standard that paints your brand logo next to a message in the inbox. It is a display feature, not a deliverability one. The logo only appears once DMARC, SPF, DKIM, the SVG file and (for Gmail) the certificate are all in place, so a BIMI check is really a stress test of the whole authentication stack. Type a domain in above and the tool fetches the default._bimi.<domain> TXT record, reads the l= and a= tags, and runs through every step a mail client checks before rendering the mark.
Which providers actually render BIMI?
Gmail, Apple Mail (iOS 16+, macOS Ventura+), Yahoo, AOL, Fastmail, La Poste and Onet render BIMI logos. Microsoft Outlook does not, in any of its mainline clients. Every provider that does render BIMI also wants DMARC enforcement on the From-domain at p=quarantine or p=reject with pct=100. A p=none record, or anything weakened by pct<100, is ignored without a peep. The checker reads your DMARC record and flags that prerequisite on its own card, so you can see at a glance whether the rest of the configuration even has a shot.
The SVG is where most BIMI rollouts trip
The file at l= has to be SVG Tiny 1.2 P/S, served over HTTPS, with a square viewBox. No scripts, no foreignObject, no animation, no external href references, no embedded raster images. Most clients also cap the file at roughly 32 KB and crop the logo to a circle in the inbox row, so a wide or tall viewBox will slice off parts of the mark. The checker fetches the file, validates the profile, confirms reachability and Content-Type, measures the bytes, and inspects the viewBox aspect ratio. Failures come back as stable codes like LOGO_NOT_TINY_PS, LOGO_NOT_SQUARE or LOGO_OVERSIZED so the fix is unambiguous.
A working BIMI TXT record looks like this:
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem;"VMC and CMC: what the a= tag points at
If you hold a paid VMC (Verified Mark Certificate) tied to a registered trademark, or the newer CMC (Common Mark Certificate) issued by an MVA for marks in five years of continuous public use, the a= tag points at it. The checker walks the X.509 chain, verifies SAN coverage for the From-domain, looks at expiry with two warning thresholds, and pulls the SHA-256 of the logotype embedded in the RFC 3709 extension to compare against a fresh hash of the SVG currently published at l=. A mismatch on that comparison means the certificate was issued for a different version of the file, which Gmail and Apple Mail both check server-side.
The accepted public roots are Sectigo and DigiCert. Sectigo took over Entrust's public CA business on 2025-09-18; existing Entrust-issued VMCs stay valid until their own expiry. The chain is verified in-process against a pinned root bundle, not the system store, so a misconfigured intermediate cannot slip through silently.
Three spec-defined extensions on the certificate are also checked: the BIMI Extended Key Usage OID (the spec requires it, plenty of issued VMCs still omit it), the embedded SCT for Certificate Transparency, and the certificatePolicies OID that separates VMC (1.3.6.1.4.1.53087.1.1) from CMC (.1.2). The distinction matters at the receiver. Apple Mail accepts both VMC and CMC. Gmail accepts VMC only.
A SAN mismatch is the quietest failure mode
The most common reason a clean-looking BIMI setup fails to render on Gmail is a SAN that does not cover the From-domain. A VMC issued for example.com while production mail goes out as mail.example.com produces no error, no bounce, no header warning. Gmail just falls back to the initial-letter avatar. The checker flags this case with VMC_SAN_MISMATCH so it stops being invisible.
Why this matters now
BIMI is the visible reward for getting DMARC, SPF and DKIM right. The logo only renders once the rest of the stack is strict, which is the point. If the inbox shows your logo, the authentication stack underneath has held up.
Our take: publish the SVG and the BIMI TXT record first, even without a VMC. Yahoo, Fastmail, La Poste and Onet will render against the file alone, so you get visible value before the certificate spend. Buy the VMC when Gmail rendering is the next thing your stakeholders will ask about.
Where to go next
For the rest of the authentication stack, see the DMARC checker and the SPF checker. If you need to add or rotate a signing key, the DKIM key generator creates a fresh 2048-bit pair in your browser. For the underlying TXT record format, the BIMI DNS record reference has the full tag breakdown.
Frequently Asked Questions
Common questions about BIMI and brand logo display in email.
Do I actually need a VMC?
Depends which providers you care about. Gmail and Apple Mail will not display your logo without one. Yahoo, Fastmail, La Poste and Onet render the SVG on its own, as long as DMARC is enforced.
A VMC is an X.509 certificate that ties your SVG to a registered trademark, signed by a Mark Verifying Authority. It runs roughly USD 1,200โ1,500 per year from DigiCert or Sectigo. Sectigo took over Entrust's public CA business on 2025-09-18, and existing Entrust-issued VMCs stay valid until they expire.
If you do not have a registered trademark, Apple also accepts a Common Mark Certificate (CMC) for marks that have been in continuous public use for five years. Gmail does not. So a CMC is an Apple-only play.
How do I get my logo to actually show up?
In order, the four things that have to be true:
1. DMARC is at p=quarantine or p=reject with pct=100 on the organisational domain.
2. You have an SVG Tiny 1.2 P/S file, square viewBox, under 32 KB, served over HTTPS.
3. If you want Gmail or Apple rendering, a VMC (or CMC for Apple) at a public HTTPS URL.
4. A TXT record at default._bimi.<domain> publishing the two URLs.
The record itself looks like this:
default._bimi.example.com TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem;"Give it up to 24 hours after publication for the first logo to appear. Clients cache the prior absence.
What is the Provider Rendering card doing?
It takes every signal we collected and runs it against the rules each mail client applies on top of the BIMI spec. A green row means that provider's prerequisites are in place. A red row lists the blocker codes.
Gmail is the strictest. It wants a VMC, a SAN that covers the From-domain, an issuer it recognises, and a logotype hash that matches the SVG you are publishing. Apple Mail is the same, plus it accepts CMC. The SVG-only providers (Yahoo, Fastmail, La Poste, Onet) ignore the certificate entirely as long as DMARC is enforced.
What is the SAN match check?
The certificate's subjectAltName extension lists the domains the cert is bound to. For Gmail to render, one of those entries has to cover the From-domain, either as an exact match or as a wildcard whose parent matches.
A SAN mismatch is the quietest failure in BIMI. The chain looks valid in a generic TLS check. The cert is in date. The SVG is fine. Gmail still falls back to the initial-letter avatar, because the VMC is not bound to the sending domain. The usual cause is a cert issued for the apex while production mail goes out from mail.example.com.
What is the "Logotype matches l=" check?
A VMC carries the approved logo embedded inside an RFC 3709 logotype extension, identified by a SHA-256 hash. We pull that hash out of the certificate and compare it to a fresh hash of the SVG currently at l=.
Match: the certificate was issued for the exact file you are publishing today. Mismatch: either the SVG was edited after issuance (whitespace counts) or the cert was issued for a different file. Gmail and Apple Mail check the binding server-side, so a mismatch can break rendering on its own even when everything else is clean.
VMC or CMC?
A VMC proves you own a registered trademark. A CMC, introduced by Apple in 2023, requires only that the mark has been in continuous public use for five years and documented to the MVA's satisfaction.
The two are distinguished inside the certificate by a policy OID: 1.3.6.1.4.1.53087.1.1 for VMC, .1.2 for CMC. Apple Mail accepts both. Gmail accepts VMC only. If your certificate comes back as CMC and you need Gmail rendering, you will have to issue a separate VMC against a registered trademark.
Why does DMARC need pct=100 for BIMI?
The DMARC pct tag tells receivers what fraction of failing messages to apply the policy to. BIMI providers only render the logo for domains that commit to the policy on every message, so under RFC 7489 anything below pct=100 is treated as no enforcement at all.
The checker also calls out sp= on its own. Subdomains inherit p= when sp= is absent. Explicitly weakening sp= breaks BIMI on mail sent from a subdomain, no matter how strict the apex policy is.
DMARCbis changes the tag, not the BIMI rule. RFC 9989 (the 2026 revision covered on the DMARCbis page) drops pct= from the core spec and replaces staged rollouts with the t=y testing flag. Receivers running DMARCbis ignore pct= and read your record as full enforcement regardless. We still flag pct<100 here because Gmail and Apple Mail evaluate BIMI against the RFC 7489 reading today, and that is the receiver behaviour your mail will mostly hit. Once the BIMI providers catch up, this check will quietly drop.
Why square, why 32 KB?
Most inbox layouts crop the logo to a circle. A square viewBox means the crop lands on the centre of your design. A wide or tall viewBox will lop off parts of the mark or leave dead space.
The 32 KB ceiling reflects how Gmail and Apple Mail handle inline rendering. Larger files get dropped from the inbox row, with no error signal back to the sender. If the checker flags LOGO_OVERSIZED, the fix is usually to strip embedded raster fallbacks (often a hidden base64 PNG) and re-export from a vector editor with whitespace minified.
What happens when BIMI cannot render?
The client falls back to its default avatar without comment. Gmail draws the sender's initial in a coloured circle. Apple Mail shows the contact photo or initials. The recipient sees no bounce, no warning header, no UI hint that BIMI was even attempted.
The only way to confirm rendering is to send a test message to a real account on each target provider and read the Authentication-Results header for a bimi=pass entry.