BIMI Deployment Playbook: VMC, DNS Setup, Mailbox Provider Verification

BIMI (Brand Indicators for Message Identification) is the standard that lets your verified brand logo appear next to authenticated mail in supporting inbox clients. Adoption accelerated through 2024-2025 as Apple Mail added support and required a Verified Mark Certificate (VMC) for logo display, joining Gmail and Yahoo, which had supported BIMI since 2021 and 2020 respectively. By 2026 BIMI is a normal expectation in cyber-insurance underwriting questionnaires, brand-protection programs and large-customer due-diligence reviews.

This post is the practical deployment playbook: what BIMI requires, how to procure a VMC, how to publish the DNS record, how to verify across the major mailbox providers and where it sits in the broader phishing-defense stack. It assumes you have already deployed DMARC, DKIM and SPF; if you have not, do that first.

What BIMI does and what it does not do

BIMI is a display feature, not a phishing-detection control. The mailbox provider fetches the BIMI record at message delivery time, verifies the domain has DMARC at p=quarantine or stricter, and renders the configured logo next to the message in inbox UI that supports it. The receiving user sees the brand logo on legitimate authenticated mail.

The phishing-defense value comes from two adjacent effects. First, BIMI requires DMARC at p=quarantine or p=reject. Mailbox providers will not display the BIMI logo for domains stuck at p=none. This is the single most consequential design property of BIMI: it functions as a forcing function that incentivizes domain owners to complete the DMARC enforcement progression they may have stalled at p=none. Reaching p=quarantine itself materially reduces direct domain-spoofing phishing.

Second, when BIMI logos are displayed in the inbox for legitimate mail, the absence of a logo on impersonation mail becomes a weak but real recognition cue. Users get visual reinforcement that mail from your brand has the brand logo. Mail that claims to come from your brand without the logo is statistically more likely to be impersonation. The cue is not load-bearing on its own but compounds with other recognition signals over time.

BIMI does not stop AiTM phishing, OAuth consent phishing, lookalike-domain attacks, smishing or vishing. It does not protect against attackers who register a typosquatted domain that has no BIMI record - those domains simply will not display a logo, but the absence of a logo on a never-seen-before sender is not a clear signal to most users.

The DMARC prerequisite

Before any BIMI work, verify DMARC is at p=quarantine or p=reject. Run a DNS lookup against the _dmarc TXT record at your apex domain:

dig TXT _dmarc.yourdomain.com +short
"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

If the policy reads p=none, BIMI deployment is blocked. The full DMARC enforcement progression - none to quarantine to reject - typically takes 60-120 days for a real-world organization with multiple sending sources. Skip past this prerequisite at your peril; mailbox providers do verify DMARC enforcement before displaying BIMI logos and will not retry on misconfiguration.

Verified Mark Certificate procurement

Apple Mail requires a VMC for logo display. Gmail and Yahoo display self-asserted SVG without a VMC. If your audience includes meaningful Apple Mail traffic - which in most consumer-facing programs it does - procure a VMC.

The two Mark Verifying Authorities operating at scale in 2026 are DigiCert and Entrust. The procurement process:

  • Trademark registration: the brand mark must be registered with a recognized trademark office (USPTO in the US, EUIPO in the EU, JPO in Japan, etc.). Some MVAs accept government-trademark equivalents in jurisdictions without a registration system; check current MVA policy because this changes.
  • Domain control verification: standard DNS-based or HTTP-based proof that you control the domain.
  • Trademark verification: the MVA verifies the registered mark matches the SVG you intend to display. Mismatches are the most common rejection reason.
  • Issuance: 4-8 weeks end-to-end including any verification back-and-forth. DigiCert and Entrust pricing in 2026 typically runs $1,200-$2,000 per year per logo.

The MVA delivers a PEM-formatted X.509 certificate. Host it on infrastructure you control alongside the SVG.

SVG conversion to SVG Tiny PS

BIMI requires the logo in the SVG Tiny Portable/Secure (SVG Tiny PS) profile - a constrained subset of SVG that disallows scripts, external references and animations for security reasons. Most brand logos in standard SVG format need a one-time conversion.

Free tools include the BIMI Group's SVG Converter (bimigroup.org/svg-converter) and command-line svgcleaner. The output should:

  • Have only one root SVG element with proper baseProfile and version attributes.
  • Use a square viewBox (recommended 1:1 aspect ratio).
  • Strip scripts, foreignObject elements, external references and animations.
  • Include the brand color in solid fills (gradients allowed but limited).

Validate the output with the BIMI Group's SVG Tiny PS validator before publishing. SVG profile failures are a common BIMI deployment error and produce silent non-display rather than visible error messages.
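The checks in the list above can be run statically before the logo ever reaches a mailbox provider. The following is an added example, not code from this post or from the BIMI Group tools; it uses only the Python standard library, encodes the constraints listed above plus the profile's requirement for a <title> element directly under <svg>, and runs against two constructed sample logos (a conforming one and a deliberately non-conforming one). Treat it as a pre-check, not a replacement for the BIMI Group validator.

```python
"""Static pre-check of an SVG file against the SVG Tiny PS constraints."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements the profile forbids: scripting, animation and embedded foreign content.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "animate", "animateTransform",
                      "animateMotion", "animateColor", "set"}

# Constructed sample logos (not a real brand's artwork).
GOOD_SVG = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
     baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <rect width="100" height="100" fill="#0055aa"/>
</svg>"""

BAD_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 200 100">
  <script>var x = 1;</script>
  <image xlink:href="https://cdn.example.com/logo.png" width="200" height="100"/>
  <rect width="10" height="10" onclick="go()"/>
</svg>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def check_svg_tiny_ps(svg_text):
    """Return a list of profile violations; an empty list means the pre-check passed."""
    problems = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root must carry baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('root must carry version="1.2"')
    # A square viewBox keeps the logo from being letterboxed in the inbox.
    viewbox = root.get("viewBox", "").split()
    if len(viewbox) != 4:
        problems.append("viewBox missing or malformed")
    else:
        try:
            w, h = float(viewbox[2]), float(viewbox[3])
            if w <= 0 or h <= 0 or abs(w - h) > 1e-9:
                problems.append(f"viewBox is {w}x{h}, not square")
        except ValueError:
            problems.append("viewBox values are not numeric")
    # The profile requires a <title> directly under <svg> (the mark's accessible name).
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing <title> element directly under <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        # External references: any href that does not point inside the document.
        for attr in ("href", f"{{{XLINK_NS}}}href"):
            ref = elem.get(attr)
            if ref is not None and not ref.startswith("#"):
                problems.append(f"<{name}> references external resource {ref!r}")
        # Inline event handlers are script as well.
        for attr in elem.attrib:
            if attr.lower().startswith("on"):
                problems.append(f"<{name}> carries script attribute {attr}")
    return problems


if __name__ == "__main__":
    for label, svg in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        found = check_svg_tiny_ps(svg)
        print(label, "OK" if not found else "; ".join(found))
```

Because the profile failures the post warns about produce silent non-display, a check like this belongs in the pipeline that publishes the logo, so a regenerated SVG cannot quietly regress to a non-conforming file.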

Publishing the BIMI DNS record

Add a TXT record at default._bimi.yourdomain.com with content:

v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem

The l= field is the SVG URL. The a= field is the VMC URL; the record format treats it as optional, but Apple Mail will not display a logo without it. The default selector handles all mail; selector-specific records like marketing._bimi.yourdomain.com are supported but uncommon. DNS propagation is typically minutes.
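The DMARC prerequisite check earlier in this post and the BIMI record above are both simple tag=value TXT records, so a single preflight script can validate them together before you wait days for a mailbox provider to tell you nothing. The following is an added example written for this post, not code from the post's author or from any MVA or mailbox provider. It works on record strings you paste in (the ones below are constructed, with example.com as a placeholder domain) rather than performing DNS lookups; feed it the output of the dig commands shown above. Beyond the p= check the text describes, it also flags sp=none and pct below 100, both of which mailbox providers treat as incomplete enforcement for BIMI purposes.

```python
"""Preflight check of the DMARC and BIMI TXT records that logo display depends on."""
from urllib.parse import urlparse

# Constructed sample records; example.com stands in for your domain.
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
BIMI_RECORD = ("v=BIMI1; l=https://example.com/bimi/logo.svg; "
               "a=https://example.com/bimi/vmc.pem")


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict, tolerating stray whitespace."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return the problems in a _dmarc record that would block BIMI display."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        problems.append("missing or wrong v= tag (expected DMARC1)")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or '<absent>'}; BIMI needs quarantine or reject")
    # Subdomain policy inherits p= unless sp= overrides it; sp=none reopens the gap.
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none leaves subdomains without enforcement")
    # pct below 100 applies the policy to only a sample of failing mail;
    # providers treat that as not enforced when deciding whether to show a logo.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        problems.append(f"pct={pct}; BIMI expects full enforcement (pct=100)")
    return problems


def check_bimi(record):
    """Return the problems in a default._bimi record."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        problems.append("missing or wrong v= tag (expected BIMI1)")
    logo = tags.get("l", "")
    if not logo:
        problems.append("l= (logo URL) is empty; no logo can be displayed")
    elif urlparse(logo).scheme != "https":
        problems.append("l= must be an https URL")
    vmc = tags.get("a", "")
    if not vmc:
        problems.append("a= (VMC URL) absent; required for Apple Mail display")
    elif urlparse(vmc).scheme != "https":
        problems.append("a= must be an https URL")
    return problems


def bimi_ready(dmarc_record, bimi_record):
    """True only when both records pass every check above."""
    return not check_dmarc(dmarc_record) and not check_bimi(bimi_record)


if __name__ == "__main__":
    for name, probs in (("DMARC", check_dmarc(DMARC_RECORD)),
                        ("BIMI", check_bimi(BIMI_RECORD))):
        print(name, "OK" if not probs else "PROBLEMS: " + "; ".join(probs))
    print("ready:", bimi_ready(DMARC_RECORD, BIMI_RECORD))
```

Run it against the live records after every DMARC policy change; a well-meaning rollback to pct=50 during a sending-source migration will silently switch the logo off at the providers even though p=quarantine is still present.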

Verifying display

Send a DMARC-passing test email from the configured domain to test accounts you control on Gmail, Yahoo and iCloud (Apple Mail). Logo display takes hours to days as the providers verify the BIMI record on first authenticated mail. Use a BIMI inspector tool (bimi.network/inspector or similar) to check record validity statically before relying on send-and-check.

If the logo doesn't display after 7 days:

  • Verify DMARC is at p=quarantine or p=reject and the test email is passing DMARC alignment (look at the Authentication-Results header in the received message).
  • Verify the SVG conforms to SVG Tiny PS - run it through a validator.
  • Verify the VMC chain is valid and matches the trademark in the SVG.
  • For Apple Mail specifically: confirm the VMC is the Apple-required tier (some early-period VMCs were not Apple-recognized).
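The first item in the list above sends you to the Authentication-Results header of the received test message. Parsing that header by hand across several test accounts gets tedious, so here is an added example (not code from this post) that extracts the per-method verdicts. The sample header is constructed in the RFC 8601 layout; the authserv-id and domains are placeholders, and the assumption is that a provider which evaluates BIMI records a bimi= clause alongside dmarc= (the exact property names it attaches can vary by provider).

```python
"""Pull DMARC and BIMI verdicts out of an Authentication-Results header."""
import re

# Constructed sample header in RFC 8601 layout; not captured from a real provider.
SAMPLE_HEADER = (
    "Authentication-Results: mx.example.net; "
    "dkim=pass header.d=example.com header.s=sel1; "
    "spf=pass smtp.mailfrom=bounce.example.com; "
    "dmarc=pass (p=QUARANTINE) header.from=example.com; "
    "bimi=pass header.d=example.com header.selector=default"
)


def parse_auth_results(header):
    """Return {method: {"result": verdict, "props": {...}}} for each resinfo clause."""
    if header.lower().startswith("authentication-results:"):
        body = header.split(":", 1)[1]
    else:
        body = header
    # Drop RFC 5322 comments such as "(p=QUARANTINE)" before splitting on ';'.
    body = re.sub(r"\([^)]*\)", " ", body)
    clauses = [c.strip() for c in body.split(";")]
    # clauses[0] is the authserv-id (the receiver that did the evaluation).
    results = {}
    for clause in clauses[1:]:
        if not clause:
            continue
        tokens = clause.split()
        method, _, verdict = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key.lower()] = value
        results[method.lower()] = {"result": verdict.lower(), "props": props}
    return results


def logo_blockers(header, expected_from_domain):
    """List reasons the receiver would not show a logo, from what it recorded."""
    res = parse_auth_results(header)
    reasons = []
    dmarc = res.get("dmarc")
    if dmarc is None or dmarc["result"] != "pass":
        reasons.append("dmarc did not pass; check alignment and the published policy")
    elif dmarc["props"].get("header.from", "").lower() != expected_from_domain.lower():
        reasons.append("dmarc was evaluated for a different From domain than expected")
    bimi = res.get("bimi")
    if bimi is None:
        reasons.append("no bimi= verdict recorded (record not fetched, or client unsupported)")
    elif bimi["result"] != "pass":
        reasons.append(f"bimi={bimi['result']}; inspect the record, SVG and VMC")
    return reasons


if __name__ == "__main__":
    for method, info in parse_auth_results(SAMPLE_HEADER).items():
        print(f"{method}: {info['result']} {info['props']}")
    print("blockers:", logo_blockers(SAMPLE_HEADER, "example.com") or "none")
```

A dmarc=pass with no bimi= clause at all usually means the receiver never evaluated BIMI for that message, which points at the record or the policy rather than at the SVG; a bimi=fail means it looked and rejected something, which is where the SVG and VMC checks in the list above come in.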

Where BIMI sits in a phishing-defense program

BIMI is one piece of the broader email-authentication and brand-protection layer. It does not replace any other control. The 2026 mature program reads:

  • SPF, DKIM, DMARC at p=reject - the foundation that BIMI sits on.
  • BIMI for brand display and the forcing-function effect on DMARC.
  • Brand-protection monitoring (CSC, MarkMonitor, BrandShield, ZeroFox) for typosquatted and lookalike-domain detection.
  • Phishing-resistant MFA (FIDO2, passkeys) at the credential layer.
  • Continuous simulated phishing and security awareness training for the human-recognition layer.

If you are pursuing BIMI primarily because cyber-insurance underwriters now ask about it, the answer that holds premiums down is "yes, deployed, here is the DMARC enforcement evidence and the VMC PEM." If you are pursuing it because your CMO wants the logo display in customer inboxes, the answer that closes that conversation is "rolled out, displaying in Gmail, Yahoo and Apple Mail, here is a screenshot from the test accounts."

Pulling it together

BIMI deployment is a forcing function more than it is an independent control. Organizations that adopt it complete DMARC enforcement, harden their brand-protection layer, and gain a small but real visual recognition cue for legitimate authenticated mail. The cost is moderate (VMC fees plus a few weeks of engineering work) and the path is well-defined; the prerequisite is taking DMARC seriously, which most organizations should be doing for independent reasons.

If you are running a phishing simulation program and want to add the BIMI deployment as part of the broader email-authentication maturity work, start a free trial up to 25 users to see how the platform handles DMARC-aware sending alongside continuous simulation campaigns. For full deployment scoping see pricing or contact us.