BIMI Validation and Diagnostic Guide

What is BIMI?

Brand Indicators for Message Identification (BIMI) enables brands to display their logo next to authenticated emails in supported inboxes. To be eligible for BIMI, a domain must pass email authentication standards and may require a Verified Mark Certificate (VMC) depending on the mailbox provider.

📋 Prerequisites for BIMI

To qualify for BIMI, the following DNS records and policies must be properly configured:

1. SPF (Sender Policy Framework)

  • Purpose: Authorizes sending servers
  • Location: TXT record at domain root (e.g., example.com)
v=spf1 include:_spf.example.com -all

2. DKIM (DomainKeys Identified Mail)

  • Purpose: Signs email with a private key to verify authenticity
  • Location: TXT record at <selector>._domainkey.example.com
v=DKIM1; k=rsa; p=MIGf...IDAQAB

3. DMARC (Domain-based Message Authentication)

  • Purpose: Specifies how receivers should handle failing SPF/DKIM checks
  • Location: TXT record at _dmarc.example.com
  • Required Policy: p=quarantine or p=reject

⚠️ BIMI does NOT work with p=none

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com

4. BIMI Record

  • Location: default._bimi.example.com
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
  • l= points to the SVG Tiny PS logo
  • a= points to the Verified Mark Certificate (optional)
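
The four prerequisites above can be evaluated together once the TXT records are in hand. This is an added example, not part of the original guide; the function names and sample records are constructed, and the HTTPS check on `a=` is this example's assumption.

```python
# Added example. Record strings are constructed samples modelled on the guide's
# examples; in practice paste in the output of e.g. `dig +short TXT _dmarc.example.com`.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lower-case tag."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi_dns(spf, dkim, dmarc, bimi):
    """Return a list of problems; an empty list means the DNS prerequisites hold."""
    problems = []
    if (spf or "").lower().split()[:1] != ["v=spf1"]:
        problems.append("SPF: no v=spf1 record at the domain root")
    if not parse_tags(dkim).get("p"):
        problems.append("DKIM: no public key (p=) at <selector>._domainkey")
    d = parse_tags(dmarc)
    policy = d.get("p", "").lower()
    if d.get("v") != "DMARC1":
        problems.append("DMARC: no v=DMARC1 record at _dmarc")
    elif policy not in ("quarantine", "reject"):
        problems.append("DMARC: p=%s does not qualify for BIMI" % (policy or "(missing)"))
    b = parse_tags(bimi)
    if b.get("v") != "BIMI1":
        problems.append("BIMI: no v=BIMI1 record at default._bimi")
    else:
        if not b.get("l", "").lower().startswith("https://"):
            problems.append("BIMI: l= is not an HTTPS URL to the SVG logo")
        if b.get("a") and not b["a"].lower().startswith("https://"):
            problems.append("BIMI: a= is set but is not an HTTPS URL")
    return problems

GOOD = {  # constructed sample records
    "spf": "v=spf1 include:_spf.example.com -all",
    "dkim": "v=DKIM1; k=rsa; p=MIGf...IDAQAB",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "bimi": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}
MONITOR_ONLY = dict(GOOD, dmarc="v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("p=none", MONITOR_ONLY)):
        print(name, check_bimi_dns(**records) or "OK")
```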

🏛️ Verified Mark Certificate (VMC) Creation Process

A Verified Mark Certificate (VMC) is a digital certificate that cryptographically verifies your brand's logo and trademark ownership. Certificate Authorities like DigiCert follow a rigorous validation process before issuing a VMC:

1. Trademark Verification

  • Registered Trademark Required: Your logo must be a registered trademark with a national or regional trademark office
  • Trademark Classes: The trademark must cover relevant classes for email/digital communications
  • Active Status: The trademark must be active and in good standing

2. Organization Validation

  • Legal Entity Verification: The CA verifies your organization's legal existence through government databases
  • Domain Ownership: Proof of ownership for the domain(s) where BIMI will be implemented
  • Authorized Representative: Verification that the certificate requestor is authorized to act on behalf of the organization

3. Logo Compliance Check

  • Trademark Match: The SVG logo must exactly match the registered trademark
  • Format Compliance: Logo must be in SVG Tiny Portable/Secure (PS) format
  • No Modifications: The logo cannot contain text, taglines, or elements not part of the registered mark

4. Certificate Issuance

  • PEM Format: The VMC is issued as a PEM-encoded certificate containing the logo and validation data
  • Certificate Chain: Includes the full certificate chain back to a trusted root CA
  • Validity Period: Typically valid for 1-2 years, requiring renewal

💡 Pro Tip: The VMC validation process typically takes 3-7 business days. DigiCert and other approved CAs provide dedicated support to help navigate trademark requirements and ensure your logo meets all technical specifications.

🔷 Google/Gmail Specific Requirements

Gmail has additional requirements beyond the BIMI standard that must be met for proper logo display:

Certificate Requirements

Street Address Field Required

Gmail requires the street address field in BIMI certificates. Contact your CA to reissue with street address included.

Logo Requirements

⚠️ ViewBox Format

Gmail requires space-delimited ViewBox values (not comma-delimited):

❌ BAD: viewBox="0, 0, 400, 400"

✅ GOOD: viewBox="0 0 400 400"

⚠️ Square Logo Required

Gmail displays logos in circular avatar slots. Logos must be square (1:1 aspect ratio) or corners will be cropped.

Minimum Size: 96x96 pixels

Gmail requires logos to be at least 96x96 pixels. Smaller logos will not display.
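
The three Gmail logo rules above (space-delimited viewBox, square, at least 96x96) can be checked on the SVG file before publishing it. This is an added example, not part of the original guide; it assumes the viewBox width and height stand in for the pixel dimensions, and the function name and sample SVGs are constructed.

```python
import re
import xml.etree.ElementTree as ET

def check_gmail_logo(svg_text, min_size=96):
    """Return problems found on the root <svg> element; an empty list means it passes."""
    if "<!ENTITY" in svg_text:
        # This example's own precaution: the logo is fetched from a URL, so refuse
        # entity declarations rather than let the stdlib parser expand them.
        return ["SVG declares XML entities; refusing to parse"]
    root = ET.fromstring(svg_text)
    view_box = root.get("viewBox")
    if view_box is None:
        return ["no viewBox attribute on the root <svg> element"]
    problems = []
    if "," in view_box:
        problems.append("viewBox is comma-delimited; Gmail requires spaces")
    try:
        # Accept either delimiter here so the size checks still run on a bad file.
        parts = [float(p) for p in re.split(r"[\s,]+", view_box.strip())]
    except ValueError:
        return problems + ["viewBox contains non-numeric values"]
    if len(parts) != 4:
        return problems + ["viewBox needs four values: min-x min-y width height"]
    width, height = parts[2], parts[3]
    if width != height:
        problems.append("logo is %gx%g, not square (1:1)" % (width, height))
    if min(width, height) < min_size:
        problems.append("logo is %gx%g, below %dx%d" % (width, height, min_size, min_size))
    return problems

# Constructed sample logos (root element only, no artwork).
SVG_TEMPLATE = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="%s"><title>Example</title></svg>'
GOOD_SVG = SVG_TEMPLATE % "0 0 400 400"
COMMA_SVG = SVG_TEMPLATE % "0, 0, 400, 400"
WIDE_SMALL_SVG = SVG_TEMPLATE % "0 0 120 64"

if __name__ == "__main__":
    for svg in (GOOD_SVG, COMMA_SVG, WIDE_SMALL_SVG):
        print(check_gmail_logo(svg) or "OK")
```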

✅ What Can Be Verified Without Sending an Email

You can validate the following via DNS lookups and file accessibility checks:

DNS Record Checks

  • Presence of SPF, DKIM, and DMARC records
  • BIMI record existence at default._bimi
  • DMARC policy level (quarantine or reject)

File Accessibility

  • SVG logo accessible via HTTPS
  • SVG in Tiny PS format
  • VMC certificate accessibility
  • VMC validation against CA

💡 Tools to use: dig, nslookup, BIMI validators, or this web interface

📧 What Can Be Verified After Receiving an Email

Once an email is received, the following can be checked:

Authentication Results

Check the Authentication-Results header:

  • spf=pass
  • dkim=pass
  • dmarc=pass
  • bimi=pass
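
The header check above can be scripted against a saved message. This is an added example, not part of the original guide; it reads only Authentication-Results headers stamped by your own receiving server, because a header with any other server name may have arrived with the message. The host names and the sample message are constructed.

```python
import re
from email import message_from_string

REQUIRED = ("spf", "dkim", "dmarc", "bimi")

def auth_results(raw_message, trusted_authserv_id):
    """Map method -> result, using only headers added by trusted_authserv_id."""
    results = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)   # drop comments such as (p=REJECT)
        segments = [s.strip() for s in value.split(";")]
        if segments[0].split()[:1] != [trusted_authserv_id]:
            continue                              # stamped by another host: ignore
        for seg in segments[1:]:
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", seg, re.I)
            if m and results.get(m.group(1).lower()) != "pass":
                # Keep a pass once seen (e.g. one of several DKIM signatures).
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def failing_checks(results):
    """List the methods from the guide's checklist that did not report pass."""
    return [method for method in REQUIRED if results.get(method) != "pass"]

# Constructed sample: one header from our receiver, one carried in from elsewhere.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=example.com;\n"
    " dkim=pass header.d=example.com header.s=sel1;\n"
    " dmarc=pass (p=REJECT sp=REJECT) header.from=example.com;\n"
    " bimi=pass header.d=example.com header.selector=default\n"
    "Authentication-Results: mail.sender.invalid; dmarc=pass; bimi=pass\n"
    "From: Brand <news@example.com>\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(failing_checks(auth_results(SAMPLE, "mx.example.net")) or "all four pass")
```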

Visual Verification

  • Logo rendering in inbox
  • Domain alignment verification
  • VMC validation traces
  • Blue checkmark (Gmail with VMC)

🎯 BIMI Logo vs Verified Checkmark

Feature | Requires VMC? | Gmail Support | Notes
BIMI Logo Display | Sometimes | Conditional | Depends on provider policies
Blue Checkmark | Always | Yes | VMC from approved CA required

📊 Validation Summary

Check Type | DNS Only | Requires Email
SPF/DKIM/DMARC records
BIMI TXT record
SVG logo validation
VMC certificate
Authentication results
BIMI pass/fail status
Logo rendering

💡 Best Practices

  1. Validate DNS Configuration First

     Use DNS tools to ensure all authentication records are properly configured before proceeding.

  2. Check Logo and VMC Accessibility

     Ensure SVG is properly formatted (Tiny PS) and VMC is from an approved certificate authority.

  3. Send Test Emails

     Send to BIMI-capable mailboxes (Gmail, Yahoo) to verify actual rendering and authentication.

  4. Monitor DMARC Reports

     Regularly review DMARC aggregate reports to ensure authentication is working correctly.

For ongoing BIMI diagnostics, establish monitoring of DMARC reports and periodically validate BIMI configuration via test emails and header inspection.