BIMI (Brand Indicators for Message Identification) lets compatible mailbox providers show your brand logo next to authenticated email.

BIMI is not a shortcut around authentication. It depends on strong domain-auth posture first.

Before you create a BIMI record

You need these prerequisites:

  1. DMARC policy at enforcement level (p=quarantine or p=reject, typically with pct=100).
  2. SPF and DKIM configured and aligned for active mail streams.
  3. A BIMI-compliant SVG logo hosted over HTTPS.
  4. Optional but often required: Verified Mark Certificate (VMC) depending on provider requirements.

If DMARC is still p=none, BIMI usually will not activate.

BIMI DNS record format

BIMI is published as a TXT record, usually at default._bimi.<domain>.

Example:

v=BIMI1; l=https://example.com/logo.svg;

Where:

  • v=BIMI1 is required version tag.
  • l= points to the logo location (HTTPS).

Some ecosystems also use a= for certificate location where applicable.

Step-by-step setup

  1. Finalize your SVG logo per BIMI profile constraints.
  2. Host logo at stable HTTPS URL.
  3. Add TXT record at default._bimi.<domain>.
  4. Confirm DMARC policy and alignment are enforcement-ready.
  5. Validate BIMI record syntax and logo accessibility.
  6. Monitor mailbox-provider behavior over time.

Common BIMI setup mistakes

  • logo not in accepted SVG profile,
  • HTTPS certificate issues on logo host,
  • publishing BIMI before DMARC enforcement,
  • inconsistent DKIM/SPF alignment across senders,
  • expecting instant universal logo display.

BIMI support is provider-dependent and rollout can be gradual.

Terraform example (Route 53)

resource "aws_route53_record" "bimi" {
  zone_id = aws_route53_zone.main.zone_id
  name    = "default._bimi.example.com"
  type    = "TXT"
  ttl     = 300
  records = ["v=BIMI1; l=https://example.com/logo.svg;"]
}

Validation checklist

  1. TXT record resolves publicly.
  2. Logo URL returns expected SVG over HTTPS.
  3. DMARC alignment passes on real outbound samples.
  4. No SPF permerror or broken DKIM selectors.
  5. Provider-specific BIMI requirements are satisfied.

Why BIMI matters

  • improves brand recognition in inbox UI,
  • increases sender trust signals,
  • reinforces anti-spoofing posture when combined with DMARC.

BIMI is a trust amplifier, not a primary security control.

Final take

Set up BIMI only after your authentication baseline is stable. Teams that treat BIMI as the final polish on a strong SPF/DKIM/DMARC foundation get the best long-term result.