security

How to Set Up BIMI and Get a VMC So Your Logo Shows in Gmail

BIMI puts your brand logo next to your emails in Gmail, Apple Mail and Yahoo, but only after DMARC is at enforcement and, for Gmail, only with a verified mark certificate. This guide covers the full pipeline: the DMARC prerequisite, prepping an SVG Tiny P/S logo, choosing a VMC versus the cheaper CMC, publishing the v/l/a record, and a troubleshooting checklist for when the logo still will not show.

Jul 3, 20267 min read

BIMI (Brand Indicators for Message Identification) is a DNS record that tells inbox providers to display your verified logo next to the messages you send. It is not a spam filter or an authentication method on its own. It sits on top of DMARC, and for Gmail it also requires a signed certificate that proves you own the logo. Get the order wrong and nothing appears, which is why most people who "set up BIMI" still see a blank avatar.

Here is the honest version of the pipeline: fix DMARC first, prepare a very specific SVG file, buy a certificate, then publish one TXT record. Miss any step and the logo silently fails. Check where your domain stands right now before you start.

Reads public DNS only. Nothing is stored unless you save the domain to an account.

The DMARC prerequisite comes first, not last

BIMI does nothing until DMARC is authenticating your mail and is set to an enforcement policy. Inbox providers use your existing DMARC pass as the trust signal that lets them show a logo, so a domain sitting at p=none will never qualify no matter how perfect the BIMI record is.

Enforcement means your DMARC policy is p=quarantine or p=reject. For Gmail specifically, the policy must apply to your whole mail stream, so a partial rollout using pct below 100 disqualifies you. Your published record needs to look like this before BIMI has any chance:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

Reaching enforcement safely is its own project. You move from monitoring to quarantine to reject only after confirming every legitimate sending source passes SPF or DKIM alignment. If you are not there yet, work through how to set up DMARC and the staged rollout in DMARC policy: none vs quarantine vs reject before you spend a cent on a certificate. BIMI is a reward for finishing DMARC, not a shortcut around it.

A second, easy-to-miss rule: the DMARC record for BIMI purposes must not use sp=none to exempt subdomains you actually send from, and it should not carry pct values under 100 if you want Gmail. Yahoo and Apple Mail are more forgiving on the certificate, but they still expect real enforcement.

Prepare the logo as SVG Tiny P/S

BIMI does not accept PNG, JPG, or an ordinary SVG exported from your design tool. The format is a tightly constrained profile called SVG Tiny Portable/Secure (SVG Tiny P/S). It strips out anything interactive or external so the file cannot carry a tracking pixel or script into the inbox.

The core constraints:

  • The root element must declare baseProfile="tiny-ps" and version 1.2.
  • It must include a <title> element with your brand name.
  • Square aspect ratio, because clients render the mark inside a circle. Center the artwork with generous padding so nothing clips.
  • A single solid background fill. Transparent backgrounds get rejected or render badly.
  • No raster images, no external references, no scripts, no animation, no gradients that rely on external definitions, and no embedded fonts. Convert all text to paths.
  • Keep the file small, ideally well under 32 KB.

Most brands take their existing SVG, run it through a BIMI conversion tool, then hand-edit the output to add the profile attribute and title. Validate the result before publishing, because a certificate authority will later check that the logo in your DNS matches the logo in the certificate byte for a close visual match. Host the finished file on HTTPS with a valid TLS certificate. A logo served over plain HTTP will be ignored.

VMC versus CMC: which certificate you actually need

For Gmail and Apple Mail, the logo alone is not enough. They require a Verified Mark Certificate (VMC), a certificate that binds your logo to your domain and, critically, proves the logo is a registered trademark. Only two certificate authorities issue them today, DigiCert and Entrust, and the process resembles an extended-validation TLS order: business verification plus proof of an active trademark registration for the exact logo.

A VMC is the expensive path. Expect roughly 1,000 to 1,500 US dollars per year, plus the cost and lead time of registering the trademark if you do not already hold one. Trademark examination can take months, so start there if the mark is not registered.

The cheaper route is a Common Mark Certificate (CMC). A CMC drops the trademark requirement, which lets brands with an unregistered logo, or a government or nonprofit mark, still get verified. The trade-off is coverage: as of this writing Gmail supports CMCs in a more limited way than VMCs, and support varies by provider, so confirm current mailbox support before you buy. Both certificate types are delivered as a PEM file that you host next to your SVG.

If you cannot justify either certificate yet, you can still publish a BIMI record with only the logo. Yahoo has historically shown logos without a certificate, so you may get partial coverage there while you sort out the VMC for Gmail. Just do not expect the Gmail avatar.

Publish the v/l/a BIMI record

BIMI lives in a TXT record at a fixed subdomain: default._bimi.yourdomain.com. The default selector is what receivers look for unless a message specifies another selector in its BIMI-Selector header, which almost nobody does.

The record has three tags. v is the version and is always BIMI1. l is the HTTPS URL of your SVG. a is the HTTPS URL of your certificate PEM file. A complete record looks like this:

v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem

If you are publishing without a certificate, you leave a empty but keep the tag present:

v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=

Publish it, then give DNS time to propagate. Gmail also needs to see sustained DMARC-authenticated volume from your domain before it starts rendering the mark, so a brand-new domain or a cold sending IP will not light up on day one. This is normal reputation gating, not a broken record.

When the logo still will not show in Gmail

Most "BIMI not showing in Gmail" problems trace back to a short list of causes. Work through them in order:

  • DMARC is not at enforcement. The single most common failure. p=none, or pct under 100, disqualifies you. Confirm the record is quarantine or reject at 100 percent.
  • The message itself failed DMARC. BIMI only shows on mail that passes DMARC for that specific message. A forwarded message that broke alignment will not show the logo even though your domain is fully set up. See why email forwarding breaks SPF.
  • l= logo does not match the VMC logo. The SVG in your DNS must match the logo embedded in the certificate. If you updated the logo after the certificate was issued, reissue the certificate.
  • Missing or invalid certificate for Gmail. Gmail requires a VMC (or supported CMC). A record with an empty a= tag will show in Yahoo but not Gmail.
  • Broken PEM chain. The hosted PEM must contain the full certificate chain in the correct order. A partial chain fails validation silently.
  • HTTPS problems. Both the SVG and PEM must be served over HTTPS with a valid, trusted TLS certificate and no redirects. Many clients refuse to follow a 301 or 302 on the l= or a= URL, so publish the final URL directly.
  • SVG profile errors. A file that is not valid SVG Tiny P/S, or that has a transparent background or embedded raster, gets rejected.
  • Reputation and volume. New domains, or domains with thin sending history, wait until Gmail trusts the stream. Give it consistent authenticated volume over days, not minutes.

If you are also chasing inbox placement generally, note that BIMI is a trust and brand signal, not a deliverability fix. The underlying authentication is what keeps you out of spam, so pair this with why emails go to spam and the Google and Yahoo sender requirements.

Frequently asked questions

Do I really need a VMC to show my logo in Gmail?

Yes, for Gmail today you need a VMC or a supported CMC. Gmail treats the certificate as proof that you own the logo, so it will not render the mark from the DNS record alone. Yahoo has shown logos without a certificate, but Gmail and Apple Mail want one.

Why does my BIMI logo work in Yahoo but not Gmail?

Almost always because you published the logo without a certificate, or the certificate failed validation. Yahoo has been willing to display a logo from a valid SVG and enforced DMARC alone, while Gmail additionally requires the VMC or CMC and a matching, correctly chained PEM file.

Can I use a PNG or a regular SVG for BIMI?

No. BIMI only accepts the SVG Tiny P/S profile with a square canvas, a solid background, a title element, and no scripts, external references, or raster images. Convert any text to paths and validate the file before publishing.

How long until the logo appears after I publish the record?

Allow for DNS propagation plus Gmail's reputation gating. Even with a perfect record and a valid VMC, Gmail waits for sustained DMARC-authenticated volume before it starts showing the mark, so it can take days rather than minutes on a newer domain.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Related guides

How to Set Up a BIMI Record and Get a VMC