BIMI Record: What It Is, How It Works & How to Set It Up
by
Last Updated: Reading Time: 9 min
Key Takeaways
- A BIMI record is a DNS TXT record that allows organizations to display their branded logo alongside emails in recipients’ inboxes, serving as a visual trust signal.
- Before setting up BIMI, you must implement DMARC authentication with a policy set to either ‘quarantine’ or ‘reject’ on your domain.
- Your brand logo must be in SVG format, represent a trademark you control, and be accessible via HTTPS for proper BIMI functionality.
- Some email providers require a Verified Mark Certificate (VMC) to verify ownership of the logo before displaying it.
- After publishing your BIMI record in DNS, propagation can take 24 to 48 hours before your logo starts appearing in inboxes.
- Regular BIMI record auditing is essential to maintain a stable deployment as the email ecosystem evolves.
Every email your brand sends is a chance to build trust and recognition. However, without visual branding in the inbox, your messages can easily get lost in the noise. That’s where BIMI comes in.
BIMI (Brand Indicators for Message Identification) is an email security protocol that lets organizations display their official logo right next to their emails in the recipient’s inbox. It builds on the DMARC authentication protocol to strengthen email security and establish brand credibility with current and potential customers.
In this guide, we’ll break down what a BIMI record is, how it works, and walk you through how to publish a BIMI record on your domain, step by step.
What is a BIMI Record?
A BIMI record is a TXT record that is published on your DNS to implement the BIMI protocol. Once the record is published, it allows organizations to display their unique brand logos alongside emails that are DMARC-compliant.
BIMI centralizes logo display by empowering domain owners to share a single, standard image. This eliminates the need to create proprietary systems for logo display and management, and the frustration associated with brand proliferation. It provides a better user experience across the email inbox.
Key Requirements for Creating a BIMI Record
There are several foundational requirements you need to have in place before your branded logo can start showing up in your recipients’ inboxes. From email authentication to logo formatting and secure hosting, each piece plays a critical role in making BIMI work correctly.
Missing even one of these can prevent your logo from displaying, so it’s worth getting familiar with every requirement before you begin.
BIMI implementation checklist
| Requirement | Status | Details |
|---|---|---|
| DMARC Policy | Required | Must be set to 'quarantine' or 'reject' |
| SVG Logo | Required | BIMI-compliant SVG Tiny 1.2 format |
| VMC Certificate | Recommended | Required by major providers like Google and Apple |
| HTTPS Hosting | Required | Logo must be publicly accessible via HTTPS |
Here are the key BIMI requirements you need to meet before implementation:
Implement DMARC authentication
BIMI is built on top of the DMARC email authentication protocol, so this is a non-negotiable first step.
Your domain must have a DMARC policy set to either p=quarantine or p=reject. A policy of p=none will not work for BIMI. DMARC enforcement helps protect your domain against spoofing and phishing while also ensuring that when an email is authenticated, the receiving server can verify valid SPF, DKIM, and DMARC alignment.
If you haven’t already configured DMARC, work with a DMARC provider to get your policy enforced before moving forward.
Generate a BIMI-compliant logo
Your brand logo must be converted to an SVG file that meets the BIMI standard specifications. Specifically, the file must follow the SVG Tiny 1.2 profile, and the logo must be a trademark that you control.
Keep in mind that not just any SVG will work. The file must be square, centered, and free of scripts or external references. Getting this right is essential because an incorrectly formatted logo is one of the most common errors in BIMI implementation that prevents it from displaying in email clients.
Purchase a VMC
Add a CTA to “Buy VMC Certificate vie PowerDMARC” https://powerdmarc.com/buy-vmc-certficate/
A VMC proves ownership of your branded logo and is required by major email providers including Google Gmail and Apple Mail. You can obtain a VMC by contacting PowerDMARC.
While a VMC was once considered optional, it has become increasingly necessary. If the VMC is not issued or recognized by the receiving mail server, the BIMI logo simply will not display. For most organizations aiming for broad inbox coverage, a VMC is strongly recommended.
BIMI Record Authentication Process
The BIMI authentication process is layered, relying on multiple email security protocols working together to verify your identity before your logo ever reaches a recipient’s inbox. When any step in this chain fails, your BIMI logo simply won’t appear, often without any visible error on the sender’s side.
Here’s what happens behind the scenes every time you send an email from a BIMI-enabled domain:
- SPF, DKIM, and DMARC Check: The receiving mail server first authenticates your email by verifying valid SPF and DKIM alignment against your domain’s DMARC policy. Your DMARC policy must be set to p=quarantine or p=reject for BIMI to function.
- BIMI DNS Lookup: Once the email passes DMARC, the receiving server queries your domain’s DNS for a BIMI TXT record.
- Selector Matching: The selector name in the BIMI-Selector header of your email must match the selector name configured in your BIMI DNS record exactly. A mismatch will cause the lookup to fail silently.
- Certificate Validation: The server checks for a valid VMC or CMC attached to the record. If the certificate is not recognized or has expired, the logo will not display.
- Logo Retrieval and Display: If everything checks out, the server retrieves your branded SVG logo from the URL specified in the record and displays it alongside your email in the recipient’s inbox.
How to Create a BIMI Record?
Creating a BIMI record is straightforward once you have all the prerequisites in place.
The record must include specific tags: v for the BIMI version and l for the logo URL. An optional a tag can be used for your VMC certificate URL. While the a tag can technically be left blank to create a self-asserted BIMI record, this is not ideal for broad inbox coverage.
Here’s how to set it up step by step:
Step 1: Sign up with PowerDMARC for free
Begin your BIMI journey by registering on the PowerDMARC portal. No payment is required to get started, and the team is available to guide you through the process.
Step 2: Convert your logo image to SVG
On the portal menu, go to PowerToolbox > BIMI SVG Converter to convert your logo into a BIMI-compliant SVG Tiny 1.2 file. Make sure the output is square, centered, and meets all BIMI formatting requirements before proceeding.
Step 3: Create your BIMI record
Navigate to PowerToolbox > BIMI Record Generator to create your BIMI DNS record.
The tool will structure the record with the correct syntax and tags, helping you avoid formatting errors that are a common cause of failed BIMI implementations.
Step 4: Upload your logo
Enter the URL of your BIMI-compliant brand logo and your VMC certificate URL (optional but recommended), then click “Generate Record.”
| Note: If you have not created a custom BIMI selector name, the default value will be used. In this case, your host field will be default._bimi.yourdomain.com. The selector name here must match the BIMI-Selector header in your outgoing emails exactly. |
Step 5: Add the BIMI record to your DNS
Access your DNS provider’s management console and publish the generated BIMI TXT record in the advanced DNS editor. Using incorrect syntax in the BIMI record can lead to errors that prevent the logo from displaying, so copy the record exactly as generated.
After publishing, keep in mind that DNS propagation can take 24 to 48 hours. During this time, your BIMI logo may not appear in inboxes right away. Once propagation is complete, you can verify it using PowerDMARC’s BIMI record checker to confirm everything is working correctly.
Regular auditing of your BIMI record is also recommended to maintain a stable deployment as the email ecosystem evolves and mailbox providers update their requirements.
Simplify BIMI record creation with PowerDMARC!
How to Add a BIMI Record to DNS
Once you’ve generated your BIMI record, the next step is publishing it in your domain’s DNS settings. This is what allows receiving mail servers to locate your logo and certificate when authenticating your emails.
Getting the DNS entry right is critical because even minor syntax errors or misconfigurations can silently prevent your logo from displaying. Here’s how to do it:
- Choose a Domain and Selector: Select the domain you want to configure BIMI for and decide on a selector name (e.g., selector1). If you don’t need a custom selector, the default value is used, and your record will be published at default._bimi.yourdomain.com. Keep in mind that the selector name must exactly match the BIMI-Selector header in your outgoing emails.
- Create a TXT Record in Your DNS: Log into your DNS management interface provided by your domain registrar or DNS hosting provider. Navigate to the DNS zone for your domain and create a new TXT record. The record name should follow the format selector._bimi.yourdomain.com, replacing selector with your chosen selector name and yourdomain.com with your actual domain. The record value should include the required BIMI tags: v=BIMI1 for the version, l= followed by the HTTPS URL to your SVG logo, and a= followed by the URL to your VMC or CMC certificate (if applicable).
- Publish and Verify: Save the changes to publish the record. After publishing, DNS propagation can take 24 to 48 hours before the record becomes fully available. Once propagation is complete, use a BIMI record checker to verify that your record is resolving correctly and that the logo and certificate URLs are accessible.
Common BIMI Record Errors and How to Fix Them
Even with all the prerequisites in place, small mistakes during BIMI implementation can prevent your logo from displaying in email clients. Many of these errors are easy to overlook because they often fail silently, meaning you won’t receive an error message when something goes wrong.
Here are the most common issues and how to resolve them:
| Error | Cause | Fix |
|---|---|---|
| Incorrect Record Syntax | Typos in tag names, missing semicolons, or improperly formatted URLs in the BIMI TXT record. | Double-check that your record follows the correct format: v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/certificate.pem;. Copy the output from a BIMI record generator exactly rather than typing it manually. |
| Logo Not Accessible via HTTPS | The SVG file is hosted on HTTP, behind authentication, or on a server with an expired SSL certificate. | Verify that the logo URL uses HTTPS, loads correctly in a browser, and doesn't require any login or redirect. The logo file must be publicly accessible at all times. |
| Non-Compliant SVG Format | The logo file uses standard SVG instead of the required SVG Tiny 1.2 (SVG Tiny PS) profile, or contains scripts, animations, or external references. | Use a dedicated BIMI SVG converter to ensure compliance. The file must be square, under 32KB, and free of gradients, animations, or unsupported elements. |
| DMARC Policy Not at Enforcement | The domain's DMARC policy is still set to p=none instead of p=quarantine or p=reject. | Check your DMARC record and upgrade your policy to enforcement level. BIMI will not function at all under a p=none policy. |
| VMC Not Issued or Recognized | The VMC has expired, been revoked, or was issued by an untrusted certification authority. | Confirm your certificate is valid, current, and issued by a trusted authority. As of 2026, recognized VMC issuers include DigiCert, GlobalSign, and SSL.com. Entrust was removed as a trusted issuer in late 2024. |
| Selector Name Mismatch | The selector in the BIMI-Selector email header doesn't match the selector configured in the DNS record. | Ensure both sides use the exact same selector name, including casing. If no custom selector is set, confirm both default to default._bimi.yourdomain.com. |
| DNS Propagation Delay | The BIMI record was recently published or updated and hasn't fully propagated yet. | Wait 24 to 48 hours for full DNS propagation before troubleshooting. Then use a BIMI record checker to validate the record. |
How to Verify Your BIMI Record
After publishing your BIMI record, verification is essential to confirm everything is resolving correctly. Don’t assume that a successfully saved DNS entry means BIMI is working. There are multiple points of failure between your DNS and the recipient’s inbox, so testing is the only way to be sure.
- Use a BIMI Record Checker: Run your domain through a BIMI lookup tool to verify that your TXT record is published, the syntax is valid, and the logo and certificate URLs are accessible and properly formatted.
- Send Test Emails: Send test messages to accounts on Gmail, Yahoo Mail, and Apple Mail to confirm your logo appears in the inbox. Each provider has different requirements, so your logo may display on one but not another.
- Validate Your SVG and Certificate: Confirm that your SVG loads from the HTTPS URL specified in your record and meets the SVG Tiny PS profile. If you have a VMC or CMC, check that the certificate URL is reachable and hasn’t expired.
Publish Your BIMI Record with PowerDMARC
Now that you know how to publish a BIMI record for stronger email security and brand visibility, it’s time to put it into action. PowerDMARC makes the entire process simple, whether you’re setting up BIMI for the first time or managing it at scale across multiple domains.
Start here:
- Register for your free PowerDMARC account and generate your BIMI record in minutes.
- Convert your logo to a compliant SVG and create your DNS TXT record using built-in PowerToolbox utilities.
- Verify propagation using the PowerDMARC BIMI checker to confirm your record is live and error-free.
- Set up continuous monitoring for DMARC enforcement and BIMI functionality to keep your logo visible across inboxes.
PowerDMARC is trusted by Fortune 500 companies, banks, healthcare organizations, and government agencies worldwide, backed by SOC2 and ISO27001 certification for enterprise-grade security.
With the fastest BIMI record propagation in the industry, seamless integrations with leading DNS and email platforms, and a 24/7 global support team with dedicated specialists, you get everything you need to implement and maintain BIMI with confidence.
“With PowerDMARC, we reduced spoofing attempts by 98% and improved our email deliverability within weeks.” – IT Manager, Global Bank
Contact us to get started!
Frequently Asked Questions (FAQs)
1. How to generate a BIMI record?
To generate a BIMI record, use PowerDMARC’s BIMI record generator tool. Simply upload your BIMI-compliant SVG logo, optionally add your VMC certificate, and the tool will create the proper DNS TXT record format for you to publish.
2. What does a BIMI record look like?
A BIMI record is a DNS TXT record that looks like: “v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem” where ‘v’ is the version, ‘l’ is the logo URL, and ‘a’ is the optional VMC certificate URL.
3. What is the difference between DMARC and BIMI?
DMARC is an email authentication protocol that prevents spoofing and phishing, while BIMI is a visual indicator that displays your logo next to authenticated emails. BIMI requires DMARC enforcement to function – they work together to provide both security and brand visibility.
4. What is the BIMI standard?
The BIMI standard is an email specification that allows domain owners to display their brand logos in recipients’ inboxes. It’s maintained by the BIMI Group and requires DMARC authentication, SVG logo format, and optionally a VMC for implementation.
Domain & Email Security Expert at PowerDMARC
Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.
Latest posts by Ahona Rudra (see all)
- 10 Automated Solutions for Email Spoofing Prevention - February 26, 2026
- 10 Encrypted Email Solutions for Healthcare Providers in 2026 - February 26, 2026
- Emails From [email protected]: Is It Legit or a Scam? - February 26, 2026
