What is BIMI?
BIMI (Brand Indicators for Message Identification) is a visual identification standard that allows a verified sender logo to be displayed next to email messages that have successfully passed DMARC authentication.
It’s important to note that BIMI is not a security standard in itself. It is a visual standard that, to function, requires the implementation of strong authentication mechanisms (SPF, DKIM, and a strict DMARC policy), which indirectly raises the domain’s security level.
What does BIMI help with?
BIMI increases the visibility of a brand’s messages in the inboxes of providers who participate in the program. Initial studies indicate an increase in open rates (OR) and conversion rates. The ability to display a logo encourages senders to adopt a stronger DMARC policy for email authentication.
How does BIMI work?
The BIMI process is as follows:
- The domain owner (brand) publishes a special BIMI record in their DNS zone, which points to the logo file (and optionally to a VMC/CMC certificate).
- When a mailbox provider (e.g., Gmail) receives an email, it first authenticates it (checks for SPF, DKIM, and DMARC compliance).
- If the email passes authentication, the provider queries the DNS for the sender’s domain’s BIMI record.
- If the record exists and is valid, the provider can retrieve the logo and display it in the inbox next to the message.
What steps are needed to implement BIMI?
- Authenticating messages with SPF and DKIM
- Securing the domain with a strict DMARC (quarantine or reject policy)
- Creating a logo in SVG Tiny PS format
- If required (e.g., by Gmail), obtaining a VMC (Verified Mark Certificate) or CMC (Common Mark Certificate)
- Publishing the BIMI record in the domain’s DNS
What does an example BIMI record look like?
A BIMI record is a TXT record with three attributes:
- v=BIMI1 – the declaration that it is a BIMI record.
- l= – the location (URL) of the SVG logo file.
- a= – the location (URL) of the VMC or CMC certificate (this attribute is optional for providers who do not require it, but essential for e.g., Gmail).
Example of a full record (with a VMC):
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://path/to/logo.svg; a=https://path/to/certificate.pem"
Which providers support BIMI?
- Apple Mail
- Onet
- Verizon Media Group (Yahoo, AOL etc.)
- Gmail
- Fastmail
- Zone
The current list of providers supporting BIMI is available on the AuthIndicators Working Group website.
Where exactly will my logo be displayed?
It depends on the mailbox client. Most often, the BIMI logo appears directly next to the sender’s address in the open message view. Increasingly (e.g., in Gmail or Apple Mail), the logo is also visible in the main message list (the inbox view), even before the email is opened, which significantly increases brand visibility.
What is SPF?
SPF (Sender Policy Framework) is a security measure used to authenticate the sender of an email message. It allows providers to verify whether a mail server is authorized to send emails on behalf of a specific domain.
More information can be found in our article: What is SPF record and how to configure it for a domain?
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that uses a digital signature to verify that email messages are authentic and have not been tampered with during transmission.
Learn how to authorize a domain with a DKIM key in this article on our blog.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication method based on SPF and DKIM. It checks the results of those protocols and tells mailbox providers what action to take with messages that fail authentication, giving domain owners control over how their domains are used and helping to prevent spoofing.
What DMARC policy is required to implement BIMI?
BIMI implementation requires a strict DMARC policy (so-called enforcement). This means the policy for the domain must be set to:
- p=reject (reject)
- or p=quarantine (quarantine)
Crucially, if p=quarantine is chosen, the percentage tag (pct) must be explicitly set to pct=100. This policy must apply to the organizational domain and cannot be weakened by tags like sp=none (which would set a different policy for subdomains).
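The enforcement rules above can be checked mechanically before a BIMI record is published. The following is an added example, not EmailLabs code; the function names and the sample records are constructed for illustration, and the record is assumed to be the TXT value already fetched from _dmarc.<organizational domain>:

```python
def parse_tags(record):
    """Split a 'k=v; k=v' TXT value into a dict with lower-cased tag names."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def bimi_dmarc_problems(dmarc_record):
    """Return the reasons a DMARC record does not meet the BIMI requirements
    described on this page (an empty list means it is at enforcement)."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or '<missing>'} is not quarantine or reject")
    # The page asks for an explicit pct=100 when p=quarantine is used.
    if policy == "quarantine" and tags.get("pct") != "100":
        problems.append("p=quarantine needs an explicit pct=100")
    # sp=none would leave subdomains without enforcement.
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none weakens the policy for subdomains")
    return problems

# Constructed sample records, not taken from any real domain.
SAMPLES = [
    "v=DMARC1; p=reject",
    "v=DMARC1; p=quarantine; pct=100",
    "v=DMARC1; p=quarantine",
    "v=DMARC1; p=quarantine; pct=50",
    "v=DMARC1; p=reject; sp=none",
    "v=DMARC1; p=none",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", bimi_dmarc_problems(record) or "OK for BIMI")
```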
Does EmailLabs help with BIMI and DMARC implementation?
Our platform is fully ready and compatible with sending BIMI-standard messages. This means that if your domain is correctly configured, your logo will be displayed.
It is worth noting that while EmailLabs does not currently offer active support for the entire BIMI implementation process (which includes purchasing a VMC/CMC certificate or final DMARC configuration), we make it easier to start thanks to our Sender Authorization feature. This tool helps generate the appropriate entries (SPF, DKIM) necessary for correct authentication of sending from our platform.
Nevertheless, the entire configuration process – including independently placing the generated entries in your DNS zone, setting the DMARC policy, generating the SVG logo, purchasing the VMC/CMC certificate, and publishing the BIMI record – lies entirely with the domain owner.
Where should the BIMI record be added?
The BIMI record (as a TXT record) should, by default, be published in the DNS zone of the organizational domain (e.g., yourdomain.com), at the default selector’s location, which is default._bimi.yourdomain.com.
According to the standard’s specification, this record is inherited by all subdomains that do not have their own published BIMI record.
However, the administrator has the option to publish a separate BIMI record for a specific subdomain (e.g., default._bimi.newsletter.yourdomain.com). If such a record exists, it will be used with priority (overriding the main domain’s record) and can point to a different logo, for example.
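The record format and the subdomain fallback described above, as an added example (not code from EmailLabs or the BIMI specification). DNS is replaced by a constructed dictionary, the host cdn.example and all names in the code are hypothetical, and the organizational domain is passed in by the caller rather than derived:

```python
from urllib.parse import urlsplit

# Constructed zone data standing in for DNS TXT lookups (not real records).
ZONE = {
    "default._bimi.yourdomain.com":
        "v=BIMI1; l=https://cdn.example/logo.svg; a=https://cdn.example/vmc.pem",
    "default._bimi.newsletter.yourdomain.com":
        "v=BIMI1; l=https://cdn.example/news.svg",
    "default._bimi.broken.yourdomain.com":
        "v=BIMI1; l=http://cdn.example/logo.svg",  # plain http: rejected
}

def parse_bimi(record):
    """Parse a BIMI TXT record into tags; raise ValueError if it is unusable."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=BIMI1":
        raise ValueError("record must start with v=BIMI1")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    for key in ("l", "a"):  # logo and certificate locations
        url = tags.get(key, "")
        if url and urlsplit(url).scheme != "https":
            raise ValueError(f"{key}= must be an https URL")
    if not tags.get("l"):
        raise ValueError("l= names no logo to display")
    return tags

def lookup_bimi(sender_domain, org_domain, zone=ZONE, selector="default"):
    """Return (dns_name, tags) from the sender domain's own record, or the
    organizational domain's record when the subdomain publishes none."""
    for domain in dict.fromkeys((sender_domain, org_domain)):
        name = f"{selector}._bimi.{domain}"
        if name in zone:
            return name, parse_bimi(zone[name])
    return None, None

if __name__ == "__main__":
    for sender in ("newsletter.yourdomain.com", "billing.yourdomain.com"):
        print(sender, "->", lookup_bimi(sender, "yourdomain.com"))
```

In this sketch a subdomain record that exists but fails validation raises an error instead of silently falling back, so a broken override is noticed.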
Must the logo be a registered trademark?
It depends on the type of certificate you want to obtain.
- YES, if you are applying for a VMC (Verified Mark Certificate). This certificate, required by providers like Gmail to display the logo with a blue verification checkmark, strictly requires the logo to be a registered trademark. It must be registered in advance with a relevant patent office, e.g., the European Union Intellectual Property Office (EUIPO) or the United States Patent and Trademark Office (USPTO).
- NO, if you opt for a CMC (Common Mark Certificate). This is a newer, alternative path. A CMC certificate does not require a registered trademark, making it more accessible for smaller companies. It allows the logo itself to be displayed in the inbox, but without the additional blue verification checkmark.
Is a logotype (wordmark) acceptable?
Yes, graphics that only include the text version (brand/institution name) without a symbol (logo) or graphic marks are acceptable.
What are the recommendations for preparing the logo?
The BIMI logo should be:
- on a solid background – opaque backgrounds are recommended,
- centered, in a 1:1 aspect ratio – to be optimally displayed in a square, rounded square, or circle.
The BIMI logo cannot be animated or interactive.
What is its format?
The logo referenced by the BIMI record must be in a specific format, based on SVG (Scalable Vector Graphics) Tiny 1.2, but with fewer allowed elements. The version supported by BIMI is defined as SVG Tiny Portable/Secure (SVG P/S).
This means the file cannot contain, among other things:
- any <script> tags,
- external links,
- or references to other files (it must be self-contained).
Detailed guidelines for its preparation are available on the AuthIndicators Working Group website.
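A pre-publication lint for the restrictions listed above (scripts, references outside the file, animation, interactivity), as an added example that is not an official BIMI validator. It covers only the rules named on this page, not the full SVG P/S profile; the function names and both sample documents are constructed:

```python
import xml.etree.ElementTree as ET

# SVG animation elements; BIMI logos may not be animated.
ANIMATION = {"animate", "animateColor", "animateMotion", "animateTransform", "set"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_ps_problems(svg_text):
    """Return findings that conflict with the logo rules listed on this page."""
    problems = []
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag == "script":
            problems.append("<script> element")
        elif tag in ANIMATION:
            problems.append(f"animation element <{tag}>")
        for attr, value in el.attrib.items():
            name = local(attr)
            # Only in-document '#fragment' references keep the file self-contained.
            if name == "href" and not value.startswith("#"):
                problems.append(f"<{tag}> references {value}")
            elif name.lower().startswith("on"):  # onload, onclick, ...
                problems.append(f"event handler {name} on <{tag}>")
    return problems

# Constructed sample documents.
CLEAN = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<title>Brand</title><rect width="100" height="100" fill="#004080"/>
<circle cx="50" cy="50" r="30" fill="#ffffff"/></svg>"""

BAD = """<svg xmlns="http://www.w3.org/2000/svg"
 xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100" onload="init()">
<script>/* constructed placeholder */</script>
<image xlink:href="https://cdn.example/photo.png" width="100" height="100"/>
<rect width="10" height="10"><animate attributeName="x" to="90" dur="1s"/></rect>
</svg>"""

if __name__ == "__main__":
    print("clean:", svg_ps_problems(CLEAN))
    print("bad:  ", svg_ps_problems(BAD))
```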
Where should the logo be uploaded?
The logo should be placed on any public domain (it doesn’t have to be the same domain for which the standard is being implemented). The “l=” tag in the BIMI record refers to its location (URL).
Important: The server hosting the SVG file (and the .PEM certificate) must be publicly accessible via HTTPS. If the server has anti-bot protections (e.g., CAPTCHA), mailbox providers’ automated systems will not be able to retrieve the file, which will prevent the logo from being displayed.
Will the brand logo display if I send an email from a personal address (e.g., [email protected])?
It depends on the configuration. This was previously not possible, but the BIMI standard has introduced a new avp (Avatar Preference) tag, which gives brands control over what is displayed.
- avp=brand: This value forces the brand logo to display, even if the user (e.g., John Smith) has their own profile picture set up.
- avp=personal: This value gives priority to the employee’s personal profile picture (avatar). The brand’s BIMI logo is used only as a fallback if the employee does not have a picture.
This gives companies strategic control over whether their communication should build the corporate brand (logo) or a personal relationship (employee’s photo).
It is worth noting, however, that in practice, the BIMI logo appears less frequently with “personal” addresses. This is because the main purpose of BIMI is to build trust in mass or corporate communications (newsletters, notifications, invoices, marketing mailings). However, this is not a formal technological limitation.
Does the logo always display?
No, the final decision to display the logo rests with the mailbox provider and depends on the sender’s reputation, user settings, and other factors.
What is a VMC (Verified Mark Certificate)?
It is a digital certificate that authenticates ownership of the brand logo and confirms domain verification. It ensures that only the verified logo (associated with a registered trademark) appears in authenticated email messages, which prevents misuse and increases the credibility of the communication.
What is a CMC certificate and how does it differ from a VMC?
A CMC (Common Mark Certificate) is a newer, simplified type of certificate introduced by the BIMI Group. It was designed to facilitate and lower the cost of BIMI implementation, making the standard more accessible for organizations (especially smaller ones) that do not have a registered trademark.
Key differences:
- VMC (Verified Mark Certificate) is a more rigorous certificate. It requires detailed validation, including verification of a registered trademark. Obtaining it is typically more complex and costly.
- CMC (Common Mark Certificate) is a simplified alternative. It streamlines the validation process, does not require a trademark, and reduces the cost and complexity of implementation.
Both certificates ensure the authenticity of the logo in emails. The main difference for the recipient is that a VMC allows for the display of a blue verification checkmark (e.g., in Gmail), while a CMC displays only the logo itself.
Is a VMC certificate necessary?
Not always. Some mailbox providers (like Gmail) require a certificate to display the logo at all, but it can be either a VMC or a CMC:
- If you want to display the logo along with the blue verification checkmark (which builds the most trust), a VMC certificate is necessary.
- If you only want to display the logo (without the blue checkmark) and do not have a registered trademark, a CMC certificate is sufficient.
What are the requirements to obtain a VMC?
- Have a logo that is a registered trademark
- DMARC set to a policy of quarantine at 100% or reject
Steps to obtain a VMC
- Organization and domain verification: checking the rights to use the domain
- A direct interview between a company representative and a representative of the certifying organization, e.g., DigiCert
- Verification of correct DMARC authentication
- Notarization of certification
- Delivery of the certificate in .PEM format to be published in the BIMI record
Where can one obtain a VMC or CMC certificate?
VMC and CMC certificates are issued by so-called Mark Verifying Authorities (MVAs), which are specialized Certificate Authorities (CAs). The decision to accept a certificate from a given MVA is up to the individual mailbox provider (e.g., Gmail, Yahoo).
According to the official BIMI Group list, the MVAs currently issuing VMC certificates include:
- DigiCert
- GlobalSign
- SSL.com
CMC certificates are new – they are currently offered by DigiCert, and this list is likely to expand.
What is the cost of a VMC certificate?
The cost depends on the chosen Certificate Authority (MVA – Mark Verifying Authority). Prices can vary between providers.
For example, based on pricing from DigiCert, annual subscription costs are:
- VMC (Verified Mark Certificate): Starts at $1,668.00 USD (approx. €1,585).
- CMC (Common Mark Certificate): Starts at $1,236.00 USD (approx. €1,175).
This price typically covers one domain and one logo version.
How long does it take to implement the certificate?
Implementing the BIMI certificate takes approx. 6-7 weeks.
How long is the certificate valid?
The validity of a VMC (and CMC) certificate is typically one year, after which it must be renewed.
Where should the certificate be placed?
After your VMC is approved by the certificate authority, you will receive a .PEM (Privacy Enhanced Mail) file. The file must be uploaded to your public server. The URL (path to the file) should be placed in the BIMI TXT record.
How is BIMI at Yahoo different?
According to information on the Yahoo Sender Hub website, the BIMI logo will be displayed in the inbox if the following conditions are met:
- A BIMI record is published in DNS that points to the logo’s location in the correct SVG format
- DMARC has a policy of quarantine or reject
- The mailing is sent to a large number of recipients (bulk). The logo will not be displayed in personal correspondence
- Verizon Media notes a sufficiently good reputation and engagement from recipients
If the requirements are met but the logo is still not displayed, you should consult the Yahoo documentation for developers.
What are the available alternatives to BIMI?
There are several alternative ways to display a graphic mark: Boost from Interia, logo in Google Workspace (formerly G Suite), Avatar in the Postmaster Mail.ru tool, Bing for Microsoft. However, it should be noted that a logo uploaded this way may be unconfirmed and does not attest to the proper security of the domain with DMARC.