deliverability

BIMI Without a VMC: How Self-Asserted BIMI and CMCs Actually Work

You can publish BIMI without a VMC. Self-asserted BIMI shows your logo in Yahoo, AOL and Fastmail with no certificate at all. A Common Mark Certificate adds Gmail logo display without a registered trademark. A Verified Mark Certificate is the only path to the Gmail blue checkmark. This guide gives you a clear decision map, the record syntax, and the DMARC prerequisites every path shares.

Jul 3, 20267 min read

Yes, you can publish BIMI without a VMC. A self-asserted BIMI record shows your logo in Yahoo, AOL and Fastmail with no certificate and no cost, a Common Mark Certificate (CMC) unlocks logo display in Gmail without a registered trademark, and a Verified Mark Certificate (VMC) is the only thing that earns the Gmail blue verified checkmark. The honest catch is that Gmail ignores a self-asserted record entirely, so the free path stops at Yahoo-family and Fastmail inboxes.

Before you spend a dollar or an hour on any logo, confirm the prerequisites are actually in place. BIMI does nothing until your domain enforces DMARC and passes authentication, so run the check first.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

What "self-asserted BIMI" really means

BIMI (Brand Indicators for Message Identification) is a DNS TXT record that points mailbox providers to a logo they can display next to your authenticated mail. The record lives at a fixed hostname and looks like this:

default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/logo.svg;"

The l= tag is the URL of your logo. The a= tag, which points to a certificate, is optional in the spec. When you publish a record with l= and leave a= empty, you have a self-asserted BIMI record. You are asserting the logo is yours without a third party verifying it.

Self-asserted works today in Yahoo Mail, AOL and Fastmail. These providers will fetch your SVG and render it as the avatar for mail that passes DMARC at an enforced policy. There is no application, no vetting, and no annual fee. If your audience is heavy on Yahoo and AOL consumer addresses, this alone is worth doing.

The logo file has strict rules. It must be SVG Tiny Portable/Secure (SVG P/S) profile, square, with a solid background, and it should be small. A typical rejection reason is exporting a normal SVG from a design tool instead of the Tiny P/S profile, which strips scripts, external references and animation. Host it over HTTPS on a stable URL.

The Gmail problem: why self-asserted is not enough there

Gmail is the reason this topic causes confusion. Google displays BIMI logos, but it does not honor a self-asserted record. Gmail requires the a= tag to point to a valid certificate issued by an authorized certificate authority. No certificate, no logo in Gmail, full stop.

That leaves two certificate options, and the difference between them is what evidence the CA checks.

Common Mark Certificate (CMC)

A CMC lets you display a logo in Gmail without owning a registered trademark. It covers marks that are not trademarked, including prior-use logos and certain government or public-interest marks. The CA validates that you control the domain and that the logo belongs to your organization, but it does not require a trademark registration number.

For a business that never trademarked its logo, the CMC is the practical route to Gmail logo display. Your BIMI record then carries both tags:

default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/cmc.pem;"

The a= value is the URL of the PEM certificate file, hosted over HTTPS alongside your logo.

Verified Mark Certificate (VMC)

A VMC requires a trademark registered with a recognized trademark office (USPTO, EUIPO, and other participating registries). It costs more and takes longer, because the CA verifies the registration. In return, Gmail shows your logo plus the blue verified checkmark, the visual signal that Google trusts the sender identity. A CMC gets the logo but not the checkmark.

So the mental model is simple. Logo in Yahoo/AOL/Fastmail is free. Logo in Gmail needs a CMC or VMC. The Gmail blue checkmark needs a VMC specifically.

The decision map

Pick the path that matches your reality, not the most expensive one.

  • You want the cheapest visible win and your users are on Yahoo/AOL/Fastmail: publish self-asserted BIMI only. No certificate.
  • You want Gmail logo display and you do not have a registered trademark: get a CMC. This is bimi no trademark territory and it is a legitimate path, not a workaround.
  • You want the Gmail blue checkmark and you own or will register a trademark: get a VMC. Budget for the trademark process if you have not started it.
  • You are not enforcing DMARC yet: do none of the above. Fix DMARC first, because every BIMI path fails without it.

A useful sequence is to publish self-asserted BIMI on day one, then layer a CMC or VMC on top later by adding the a= tag. The same default._bimi record evolves. You do not tear anything down.

The prerequisites every path shares

BIMI is a reward for good authentication, not a substitute for it. Providers will not even look at your logo until these are true.

DMARC at an enforced policy

Your domain must publish a DMARC record with a policy of p=quarantine or p=reject. A policy of p=none does not qualify for BIMI at Yahoo or Gmail. Many providers also expect sp= handled correctly for subdomains and, for the strongest treatment, a policy that is not diluted by a low pct value. If you are still on p=none, work through how to move DMARC from none to reject before touching BIMI.

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com;"

SPF and DKIM that pass and align

DMARC enforcement is only meaningful if your legitimate mail passes SPF or DKIM with alignment. If your mail is failing alignment, enforcing p=reject will block your own messages, and BIMI will never trigger because the mail is not passing DMARC in the first place. Confirm alignment is healthy first, and if you see DKIM passing but SPF failing or the reverse, read why DKIM fails when SPF passes and fix DKIM alignment.

The record at the right hostname

BIMI uses the selector-based hostname selector._bimi.yourdomain.com, where the default selector is default. If you set a BIMI-Selector: header in your mail, it must match a published record. Most senders use default and never touch the header.

You can confirm the DMARC enforcement level, the SPF and DKIM alignment, and the presence of a syntactically valid BIMI record in one pass with the free checker above. That is the cheapest way to avoid paying for a certificate on a domain that will never display a logo because DMARC is stuck at none.

What BIMI does and does not buy you

Set expectations honestly. BIMI does not directly improve deliverability the way people hope. It does not push mail out of spam by itself, and it is not an anti-phishing control on its own. What it does is make authenticated mail more recognizable and harder to visually impersonate, which supports brand trust and can lift engagement once your authentication is already solid. The real spoofing protection comes from DMARC enforcement underneath it, covered in how to stop email spoofing of your domain.

If you are chasing inbox placement rather than a logo, the higher-leverage work is meeting the Google and Yahoo sender requirements and fixing the reasons emails go to spam. BIMI is the finishing touch after those are done, and the full logo-plus-certificate walkthrough lives in how to set up BIMI and VMC.

Frequently asked questions

Can I get a BIMI logo in Gmail without a VMC?

Yes, with a CMC. A Common Mark Certificate lets Gmail display your logo without a registered trademark. You only need a VMC if you want the blue verified checkmark next to the logo. What you cannot do is show a logo in Gmail with a self-asserted record and no certificate at all.

Which providers support self-asserted BIMI?

Yahoo Mail, AOL and Fastmail render self-asserted logos today, with no certificate required. Gmail does not, because it requires the a= certificate tag. Apple Mail's BIMI support is tied to certificate-backed records as well, so treat self-asserted as a Yahoo-family and Fastmail feature.

Do I need DMARC at reject for BIMI?

You need at least p=quarantine, and p=reject is safest for full support. A policy of p=none does not qualify. Confirm your live policy and your SPF/DKIM alignment before buying any certificate, because BIMI never triggers on mail that is not passing DMARC at enforcement.

Is a CMC cheaper than a VMC?

Generally the certificates are priced similarly, but a CMC avoids the cost and multi-month timeline of registering a trademark, which is the expensive part of the VMC path. If you have no trademark and do not need the Gmail checkmark, a CMC is the lower total cost to reach Gmail logo display.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

BIMI Without a VMC: Self-Asserted BIMI and CMCs