23 years from Stockholm
Free email infrastructure tool

BIMI validator — record, DMARC prerequisite, SVG, and certificate in one pass

Type a domain. The browser queries default._bimi.yourdomain.com for the BIMI TXT record, parses the v/l/a tags, separately verifies that DMARC at _dmarc.yourdomain.com sits at p=quarantine or p=reject (the gating prerequisite — without it, no major receiver displays your logo), fetches the SVG referenced in l= and checks it against the SVG Tiny P/S profile, and validates that the certificate URL in a= resolves to a PEM file. You see exactly which gate is in the way of your logo showing in the inbox — and 84% of the time, per Validity's 2025 survey, that gate is DMARC still at p=none.

Validate a domain's BIMI setup

Enter the organizational domain. The tool runs the full BIMI gate check — TXT record, DMARC enforcement, SVG fetch and structural validation, certificate URL reachability — in parallel.

DNS via cloudflare-dns.com · SVG fetched directly from your published URL · No data sent to our servers

What BIMI is and what it requires

BIMI is the DNS standard that tells supporting inboxes where to fetch your verified logo — but the logo only shows when every gate is open

BIMI — Brand Indicators for Message Identification — is the email standard that displays a verified company logo next to authenticated messages in supporting inboxes. The current spec is the IETF BIMI Internet-Draft v12, published in 2026. The implementation is a single TXT record at default._bimi.yourdomain.com with three tags: v=BIMI1 (version), l=https://path/to/logo.svg (the URL of your logo), and a=https://path/to/cert.pem (the URL of your VMC or CMC certificate). When a supporting inbox receives a message that authenticates as yours, it fetches the SVG and renders it; when a VMC is present, Gmail shows the additional blue checkmark.

The catch is that the SVG only renders when four prerequisites all pass. First, DMARC must sit at p=quarantine or p=reject with pct=100 on the organizational domain — receivers will not honor BIMI if DMARC is at p=none, no matter how perfect the rest of the configuration. Second, the SVG must conform to SVG Tiny Portable/Secure (SVG Tiny P/S) — a security-restricted subset of SVG that excludes scripts, external references, animations, and other features that could pose risk in an email client. Third, the logo must be square (1:1 aspect ratio), have a solid non-transparent background, and stay under 32 KB. Fourth, for inboxes that require certificate verification (Gmail and Apple Mail), you need a Verified Mark Certificate (VMC) — which itself requires a registered trademark in one of seventeen recognized IP offices — or a Common Mark Certificate (CMC) introduced in 2024-2025, which widens eligibility but does not unlock the Gmail blue checkmark.

The 2026 inbox landscape: Gmail displays the BIMI logo for messages with valid BIMI plus a VMC; with a VMC, you also get the blue verified checkmark. Apple Mail displays BIMI logos similarly. Yahoo Mail displays BIMI logos including for self-asserted records without a certificate, plus CMC-protected logos. Fastmail supports BIMI. Microsoft Outlook and Microsoft 365 do not support BIMI as of 2026 — this matters because that absence covers a large fraction of B2B inbound. Your BIMI investment is real, but the deployment is concentrated on the consumer-facing inboxes.

The validator above runs the same gate checks the receiving inboxes run. When something fails, it tells you exactly which gate is closed — DMARC not at enforcement, SVG too large, certificate URL unreachable, record missing — rather than the generic "BIMI not working" diagnosis that most teams arrive at after staring at their inbox for a week wondering why the logo is not showing.

The four gates the receiver checks

Each gate is checked independently. If any one fails, the logo does not render — and the receiver does not tell you which one

Gate 1 · BIMI TXT record

A TXT record at default._bimi.yourdomain.com containing v=BIMI1; l=...; a=.... The selector "default" is the standard; some senders use additional selectors (e.g., marketing._bimi) keyed to the BIMI-Selector header on outbound mail.

Most common failure: no record. Some teams publish the SVG and cert but forget the DNS step.

Gate 2 · DMARC at enforcement

DMARC on the organizational domain at p=quarantine or p=reject, with pct=100. Some receivers add a 30-day continuous-enforcement requirement before honoring BIMI; new enforcement deployments take time to "season" before logos appear.

Most common failure (84% per Validity 2025): p=none. The most underestimated gate in BIMI deployments.

Gate 3 · SVG Tiny P/S logo

An SVG file conforming to the SVG Tiny Portable/Secure profile: no scripts, no external references, no animation, 1:1 aspect ratio, solid (non-transparent) background, viewBox declared, file under 32 KB. A standard Illustrator or Figma export will not pass — use the BIMI Working Group conversion script or have DigiCert validate the SVG as part of certificate issuance.

Most common failure: transparent background or non-square aspect ratio.

Gate 4 · VMC or CMC certificate

An X.509 certificate (PEM file) issued by a BIMI-qualified CA (DigiCert or Entrust as of 2026). VMC requires a registered trademark in one of seventeen recognized IP offices and unlocks the Gmail blue checkmark; CMC has lower eligibility requirements but does not unlock the blue checkmark. Certificate renewal is annual.

Most common failure: certificate expiry. DigiCert and Entrust take 1-3 weeks to issue or reissue — start renewal 30+ days before expiry.

The silent-failure problem: when a receiver rejects BIMI for any reason, it silently declines to render the logo. There is no bounce, no DMARC report entry, no signal back to the sender. The only way to diagnose is to walk through each gate yourself with a tool like the one above, or to check the inbox manually in Gmail / Apple Mail / Yahoo. This is why teams often spend weeks not realizing why the logo is not showing.

BIMI deployment workflow

Deploy in the right order. Skipping ahead is the most common cause of stalled BIMI projects

1. Get DMARC to enforcement first — this is the long pole

Most BIMI projects stall at this step. Moving from p=none to p=quarantine safely requires DMARC aggregate report analysis to identify every legitimate sender, fixing alignment on each, then a deliberate rollout via the pct= tag (start at pct=10, escalate weekly to 25, 50, 75, 100). Plan 30-90 days for a domain with multiple senders. Do not skip this — receivers genuinely check, and DMARC at p=none is the failure mode for 84% of BIMI deployments.

2. Prepare the SVG Tiny P/S logo

Start with a clean, square version of your logo. Run it through the BIMI Working Group's Adobe Illustrator export script (available at bimigroup.org), or use a dedicated SVG Tiny P/S converter. Confirm: 1:1 aspect ratio, solid non-transparent background, no scripts or animations, no external font or image references, viewBox attribute set, file under 32 KB. Test the rendering in a circular clip (most inboxes display BIMI logos as round avatars).

3. Get a VMC or CMC certificate

If you have a registered trademark covering the logo, go with VMC — only VMC unlocks the Gmail blue checkmark, and that visual signal is meaningful. If you don't, CMC is the alternative as of 2024-2025. Order from DigiCert or Entrust. Expect 1-3 weeks for issuance, including notarized identity documents and a video call with the CA's validation team (mirrors the EV TLS certificate process). Cost is around $650/year minimum for either certificate.

4. Publish the BIMI record

Add a TXT record at default._bimi.yourdomain.com with v=BIMI1; l=https://your-host/logo.svg; a=https://your-host/cert.pem. Host the SVG and PEM on a CDN or static-host with HTTPS — both URLs must serve valid HTTPS with content-types that the receivers expect. Test from a known-working inbox (Gmail with VMC) within a few days; logos typically appear within 24-48 hours of all four gates being green.

5. Monitor and renew on schedule

Run the validator monthly to catch silent failures — certificate drift, SVG host issues, DNS changes. Calendar the VMC/CMC renewal at least 30 days before expiry so the 1-3 week issuance window does not catch you with an expired cert. Watch DMARC reports for any new authentication failures that could push you below the receiver's tolerance for BIMI.

BIMI as the last mile of authentication

BIMI is the visible payoff of the authentication work. Getting there means doing the DMARC enforcement work first — and that is where managed deliverability does most of its load

Most teams that come to us with "we want BIMI" find that the real work is the 60-90 days before BIMI, getting DMARC from p=none to p=reject without breaking any of their legitimate senders. The managed workflow includes the DMARC aggregate report analysis, the per-sender alignment fixes (often involving CRM, helpdesk, marketing automation, and transactional ESP integrations), the staged rollout via pct=, the SVG preparation and validation, the VMC or CMC orchestration with DigiCert or Entrust, and the ongoing monitoring once the logo is showing.

The validator above tells you which gate is closed today. If you are at the point of "DMARC is at p=none and we want a logo in Gmail," the next conversation is the path through enforcement that does not break the marketing team's drip campaigns. That is the work; the certificate and the SVG are the easy parts.

Frequently asked questions

Questions teams ask before and after running the BIMI validator

VMC or CMC — which one should I get?

+

VMC if you have a registered trademark. The Gmail blue verified checkmark only appears with a VMC, and that visual signal is the difference between "verified logo" and "logo." For B2C and brand-recognition use cases, the blue checkmark is most of the value. CMC, introduced in 2024-2025, is the path for organizations that lack a registered trademark — non-profits, internal corporate domains, smaller teams that have not invested in trademark registration. CMC unlocks Yahoo Mail and most other supporting inboxes but does not unlock the Gmail blue checkmark.

Cost is comparable, around $650/year minimum for either certificate from DigiCert or Entrust. The decision is almost entirely about whether you have the trademark, not about cost or technical complexity.

Why doesn't BIMI work in Outlook?

+

Microsoft Outlook and Microsoft 365 do not support BIMI as of 2026. The exact reason is not public, but the practical effect is that BIMI's value is concentrated on Gmail, Apple Mail, Yahoo Mail, and Fastmail — which covers most consumer email but leaves out a large fraction of enterprise B2B inbound running on Microsoft 365.

This shapes the BIMI investment decision: if your audience is primarily B2B and runs on Outlook, BIMI is a smaller win. If your audience is consumer (B2C, retail, fintech, media), Gmail and Apple Mail together cover the majority of opens and BIMI carries clear visual value. Decide based on where your recipients actually read.

How long after publishing the record does the logo appear?

+

Once all four gates are green, expect 24-48 hours for receivers to start displaying the logo. Some receivers cache BIMI results aggressively — Gmail in particular may take 2-3 days to update if you previously had a failing setup. The way to confirm is to send yourself a test message from the domain to a Gmail account with a VMC; if the logo and blue checkmark appear, BIMI is working. If gates 1-3 are green but the logo does not appear after 72 hours, the most common cause is gate 4 — certificate validation failure on the receiver's side that does not surface in our reachability check.

My DMARC is at p=quarantine but Gmail still doesn't show the logo

+

Three things to check. First, is pct=100? Gmail requires full enforcement, not a partial percentage. Second, has the policy been at quarantine or reject for at least 30 days? Some receivers require a seasoning period before honoring BIMI; if you just moved to enforcement yesterday, give it a month. Third, is the DMARC policy on the organizational domain or only a subdomain? BIMI references the organizational domain's DMARC; a subdomain policy alone is not enough.

If all three of those are correct and the logo still doesn't show, the most likely remaining cause is certificate validation — the certificate exists at the URL but Gmail's validation chain is rejecting it. Re-validate with the CA, or try a fresh cert order.

Can I use a free SVG editor to make the logo BIMI-compliant?

+

Editing tools yes, but a standard export from Illustrator, Figma, Inkscape, or SVG editors does not produce BIMI-compliant output. SVG Tiny P/S is a specific profile that strips features the editor adds by default — scripts, animations, masks, filters that reference external resources, font definitions that fall back to system fonts. Use the BIMI Working Group's Adobe Illustrator export script (free, from bimigroup.org) which automates the conversion. Alternatively, DigiCert offers SVG validation as part of the VMC/CMC issuance process — they will tell you what to fix.

Common manual fixes if you are converting by hand: remove all <script> elements; flatten masks; convert any text to outlined paths; add a solid <rect> background; ensure the viewBox is 1:1; verify the file size stays under 32 KB.

Is BIMI worth the effort for a small or mid-size sender?

+

The deliverability community is divided on this. The strong-yes case: BIMI deployment forces DMARC enforcement, which has clear deliverability benefits independent of the logo; engagement studies (TalkTalk's reported 4-6% lift, Validity's 10% engagement increases on BIMI-enabled mail) show real impact for consumer brands. The skeptical case: BIMI is invisible on Outlook (a large fraction of B2B), the $650/year certificate cost is non-trivial, and the DMARC enforcement work that BIMI requires is genuinely valuable on its own — you can get most of the deliverability benefit without paying for the certificate.

Practical heuristic: if you already have DMARC at enforcement and a registered trademark, BIMI is a low-effort win. If you have neither, prioritize DMARC enforcement first (high value independently), then consider BIMI as a follow-on once enforcement is stable.