BIMI is the only authentication standard that produces a visible signal in the inbox: a verified logo next to your messages. That signal only ever appears for senders who have already done the work — enforced DMARC, an aligned authentication trail, and (for the major providers) a certificate proving the logo is your registered trademark. Skipping any prerequisite produces silent non-display, not an error.
What BIMI actually is
BIMI (Brand Indicators for Message Identification) is a DNS TXT record that tells receivers where to fetch your brand logo and, optionally, the certificate proving you own it. Receivers that support BIMI fetch the logo and render it in their inbox UI alongside messages that pass DMARC with an enforcement policy.
default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem"
- l= is the HTTPS URL of the SVG Tiny PS logo file.
- a= is the HTTPS URL of the VMC/CMC PEM bundle. Optional in the spec, required by Gmail and Yahoo for display.
The prerequisites, in order
1. Enforced DMARC
BIMI explicitly requires p=quarantine or p=reject at your organisational domain, with pct=100 if pct is specified. A record at p=none is rejected by every BIMI-supporting receiver. If you are not yet there, the DMARC lesson walks through the ramp from p=none to enforcement.
The underlying SPF and DKIM also need to be solid — DMARC enforcement is useless if legitimate mail keeps failing alignment. See the SPF lesson and DKIM lesson for the failure modes that bite here.
2. A trademark-registered logo
A VMC binds your logo to a registered trademark held in a supported jurisdiction (USPTO, EUIPO, UK IPO, JPO, IP Australia, and a few others). The exact logo design must be the registered mark — a wordmark trademark does not cover a separate logo. Registration takes 6-18 months from filing in most jurisdictions, which is usually the longest pole in any BIMI project.
CMCs (Common Mark Certificates) were introduced in 2024 as a lower-bar alternative. They do not require a registered trademark but require 12+ months of continuous DMARC enforcement history at your domain. They display in Gmail but with a subtly different UI treatment than VMC-backed logos.
3. SVG Tiny PS logo file
The logo must be in SVG Tiny Portable/Secure format — a constrained SVG profile that forbids scripts, external references, animation, raster images, and arbitrary namespaces. Most SVG exports from Figma, Illustrator, or Sketch will fail validation. You'll need to either hand-edit or use a dedicated converter, then validate the result before publishing.
Hard requirements for the file:
- SVG Tiny 1.2 baseline with the PS profile constraints.
- A square viewport: viewBox with equal width and height.
- Solid background (transparency is rendered inconsistently across clients).
- Under 32 KB.
- Served over HTTPS with a valid certificate.
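A local pre-flight for the file requirements above, as an added example that is not part of the original article and not any receiver's validator. It checks only what this section lists plus the baseProfile="tiny-ps" root attribute of the profile; both sample files are constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024
# Element names behind the forbidden categories: scripts, raster images, animation.
FORBIDDEN = {"script", "image", "animate", "animateColor", "animateMotion",
             "animateTransform", "set"}

def preflight_svg(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the pre-flight passed."""
    problems = []
    if len(data) >= MAX_BYTES:
        problems.append(f"size {len(data)} bytes is not under {MAX_BYTES}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> lacks baseProfile="tiny-ps"')
    try:
        view_box = (root.get("viewBox") or "").replace(",", " ").split()
        _, _, width, height = (float(n) for n in view_box)
        if width != height:
            problems.append(f"viewBox is {width:g}x{height:g}, not square")
    except ValueError:  # wrong number of values or a non-numeric value
        problems.append("viewBox missing or malformed")
    for el in root.iter():
        ns, local = el.tag[1:].split("}", 1) if el.tag.startswith("{") else ("", el.tag)
        if ns != SVG_NS:
            problems.append(f"<{local}> is outside the SVG namespace")
        elif local in FORBIDDEN:
            problems.append(f"forbidden element <{local}>")
        for name, value in el.attrib.items():
            # href / xlink:href may only point inside the same file ("#id").
            if name.rsplit("}", 1)[-1] == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{local}>: {value}")
    return problems

# Constructed samples: a conforming logo and a typical design-tool export.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            b'baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example</title>'
            b'<rect width="100" height="100" fill="#003366"/></svg>')
EXPORTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 120 80">'
                b'<script>void 0</script>'
                b'<image xlink:href="https://cdn.example/logo.png" width="120" height="80"/>'
                b'</svg>')

if __name__ == "__main__":
    print("\n".join(preflight_svg(EXPORTED_SVG)) or "ok")
```

A clean result here does not replace a BIMI-aware validator; it catches the common export problems before you upload the file.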
4. A VMC or CMC certificate
Issued by DigiCert or Entrust today. The CA verifies your trademark registration (for VMC) or DMARC enforcement history (for CMC), confirms domain control, and issues a PEM-encoded certificate bundle you serve from the URL in a=. Pricing is roughly $1,200-$1,500/year for VMC; CMCs are cheaper.
5. DNS record published
Once the file and the certificate are hosted, publish the default._bimi.yourdomain.com TXT record. The selector default applies to all mail; you can use other selectors and reference them in your messages via the BIMI-Selector header, but most senders run a single default record.
Why BIMI silently fails to display
BIMI failure modes are quiet — the logo just doesn't show up. The usual suspects:
- DMARC is at p=none. No receiver will display BIMI under p=none, even if every other piece is correct.
- SVG fails strict validation. Receivers re-parse the file with their own validator, not the one you used. Hidden elements like xml:space attributes or external font references break this silently.
- Certificate doesn't chain. The PEM file at a= must contain the full chain, not just the leaf. Without the chain, the certificate fails validation and the logo is suppressed.
- Reputation is poor. Some receivers require a minimum sending reputation before displaying BIMI even when the technical setup is correct.
- Inconsistent organisational domain. The DMARC record, the BIMI record, and the From header must all be on the same organisational domain.
How to check your BIMI setup
For DMARC enforcement, run the DMARC checker to confirm the policy is quarantine or reject. Validate the SVG with a BIMI-aware validator (BIMI Group maintains one) and confirm the file is reachable over HTTPS without a redirect. Send a test message to a Gmail account that has had your domain whitelisted for at least a few days, and check whether the logo appears in the message list.
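A local check of the two TXT records, added here as an example and not taken from any checker the article mentions. It takes the record strings as copied from a DNS lookup and applies the record rules stated in this article; the example.com records are constructed.

```python
from urllib.parse import urlsplit

def parse_tags(txt: str) -> dict[str, str]:
    """Split a 'k=v; k=v' TXT value into a dict with lower-cased keys."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_records(dmarc_txt: str, bimi_txt: str) -> list[str]:
    """Return reasons the logo would silently not display; [] means none found."""
    problems = []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no v=DMARC1 record at the organisational domain")
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or '(absent)'}: needs quarantine or reject")
    if "pct" in dmarc and dmarc["pct"] != "100":
        problems.append(f"DMARC pct={dmarc['pct']}: must be 100 when specified")
    if bimi.get("v") != "BIMI1":
        problems.append("no v=BIMI1 record at default._bimi")
    # a= is optional in the spec, but flagged here because Gmail and Yahoo
    # require it for display.
    for tag, label in (("l", "logo"), ("a", "certificate bundle")):
        url = bimi.get(tag, "")
        if not url:
            problems.append(f"BIMI {tag}= ({label}) is empty or absent")
        elif urlsplit(url).scheme != "https":
            problems.append(f"BIMI {tag}= ({label}) is not an HTTPS URL")
    return problems

# Constructed sample records (example.com is a placeholder domain).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
GOOD_BIMI = ("v=BIMI1; l=https://example.com/bimi/logo.svg; "
             "a=https://example.com/bimi/vmc.pem")
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_BIMI = "v=BIMI1; l=http://example.com/logo.svg"

if __name__ == "__main__":
    for line in check_records(WEAK_DMARC, WEAK_BIMI):
        print(line)
```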
When you're ready to deploy
BIMI does not have per-ESP setup variations the way SPF, DKIM, and DMARC do — the record lives at your organisational domain and points at assets you host yourself. The per-ESP work is upstream: getting Google Workspace, Microsoft 365, SendGrid, Mailgun, or Amazon SES to a state where DMARC alignment is reliable across every sender. Once that is true, BIMI is a single TXT record and a hosted file away.
