BIMI Checker
Validate a domain's BIMI (Brand Indicators for Message Identification) configuration — check the DNS TXT record, verify the SVG logo URL is reachable, inspect the VMC authority certificate, and get a plain-English assessment with actionable recommendations.
What is BIMI?
BIMI (Brand Indicators for Message Identification) is an email standard that lets domain owners display their brand logo next to authenticated email in supporting inboxes. When an email passes DMARC authentication and a valid BIMI record is published, mail clients like Gmail, Yahoo Mail, Apple Mail, and Fastmail can show the brand logo in the inbox — turning the sender's initial into an identifiable brand mark.
BIMI is a brand visibility enhancement, not an email security control. It does not prevent spoofing by itself, and a missing BIMI record is not a security vulnerability. What BIMI does is give recipients a visual signal that the email is from an authenticated sender — a benefit only available once SPF, DKIM, and DMARC are properly configured. Think of BIMI as the reward for getting your email authentication stack right.
For email admins and MSPs: BIMI is worth considering once DMARC is at p=reject and has been stable for several months. The setup requires a hosted SVG logo in Tiny PS format and optionally a VMC authority certificate (required for Gmail). Use this tool to quickly check whether a client's domain has BIMI configured and whether the logo and VMC URLs are reachable — useful for audits and client onboarding calls.
How BIMI works
BIMI uses a DNS TXT record to tell supporting mail providers where to find the brand logo. When an email is delivered, the receiving provider checks the BIMI record, fetches the logo, and displays it in the inbox if DMARC authentication passes.
The BIMI DNS record
Publish a TXT record at default._bimi.yourdomain.com. The record specifies the BIMI version (v=BIMI1), the logo URL (l=), and optionally the VMC authority certificate URL (a=).
default._bimi.example.com. TXT "v=BIMI1; l=https://cdn.example.com/logo.svg; a=https://cert.example.com/vmc.pem"
The SVG logo file
The logo must be hosted at an HTTPS URL and must be in SVG Tiny PS (Portable SVG Profile) format: square aspect ratio, no embedded raster images, no scripts, no external references. The server must respond with Content-Type: image/svg+xml. Most SVG editors produce files that need cleanup to meet Tiny PS requirements.
DMARC prerequisite
Before checking BIMI, supporting providers verify that DMARC authentication passes with a policy of p=quarantine or p=reject. A DMARC policy of p=none is not sufficient. SPF or DKIM must be aligned with the From domain. BIMI without proper DMARC enforcement will not result in logo display.
VMC and Gmail support
Gmail requires a VMC (Verified Mark Certificate) in the a= field before displaying the brand logo. A VMC is an X.509 certificate issued by DigiCert or Entrust that cryptographically certifies your logo and domain association. VMCs require a trademark registration and have an annual cost and expiry date. Providers like Yahoo and Fastmail display logos without a VMC if DMARC is properly enforced.
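The record checks from the three sections above, as an added Python example (not this tool's own code): it parses a BIMI and a DMARC TXT value and reports whether a logo can display, with Gmail additionally needing a=. The function names and the DMARC sample records are constructed for illustration; the BIMI sample is the record shown above.

```python
# Added example, not the checker's own code. Sample records are constructed.
BIMI_TXT = '"v=BIMI1; l=https://cdn.example.com/logo.svg; a=https://cert.example.com/vmc.pem"'
DMARC_REJECT = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'
DMARC_NONE = '"v=DMARC1; p=none"'


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into a dict (keys lower-cased, quotes stripped)."""
    tags = {}
    for part in (txt or "").strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_bimi(bimi_txt, dmarc_txt):
    """Return blocking findings plus which provider classes could show the logo."""
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    findings = []
    if bimi.get("v") != "BIMI1":
        findings.append("BIMI record missing or not v=BIMI1")
    if not bimi.get("l", "").lower().startswith("https://"):
        findings.append("l= logo URL missing or not HTTPS")
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC record missing")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p=%s is not enforcement" % (policy or "unset"))
    ok = not findings
    has_vmc = bool(bimi.get("a"))
    return {
        "findings": findings,
        "without_vmc": ok,        # providers that do not require a VMC
        "gmail": ok and has_vmc,  # Gmail additionally requires a= (VMC)
    }


if __name__ == "__main__":
    for dmarc in (DMARC_REJECT, DMARC_NONE):
        print(assess_bimi(BIMI_TXT, dmarc))
```

This only inspects the record text; alignment of SPF or DKIM with the From domain and reachability of the l= and a= URLs still need to be checked separately.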
Where BIMI fits in the email security stack
BIMI sits at the top of the email authentication stack: it is only meaningful after the foundational standards are in place. A fully hardened email configuration and the BIMI display chain look like this:
| Standard | Purpose | Required for BIMI |
|---|---|---|
| SPF | Authorises which servers may send email on behalf of your domain | Alignment required |
| DKIM | Cryptographically signs outbound messages to prove authenticity | Alignment required |
| DMARC | Ties SPF and DKIM together; specifies policy for failures | p=quarantine or p=reject required |
| BIMI | Displays brand logo in supporting inboxes when DMARC passes | — |
| VMC | Certifies the logo–domain association; required for Gmail | Optional (Gmail requires it) |
Priority order: SPF → DKIM → DMARC (p=none → quarantine → reject) → MTA-STS → TLS-RPT → BIMI. Do not prioritise BIMI over the foundational email authentication standards. A domain with SPF, DKIM, and DMARC at p=reject is well-protected. BIMI is the polish after the foundation is solid.
VMC (Verified Mark Certificates) explained
A Verified Mark Certificate is an industry-standard X.509 certificate that binds a brand logo to a domain. Just as a TLS certificate proves a website's identity, a VMC proves the association between your logo and your organisation. VMCs contain the SVG logo data encoded within the certificate and are signed by a Certificate Authority (CA) in the BIMI Mark Verifying Authority (MVA) program.
Who issues VMCs
- DigiCert — Offers VMCs directly and through partners. One of the longest-established VMC issuers.
- Entrust — Also offers VMCs as part of their certificate portfolio.
VMCs require a trademark registration (national or international) for the logo. The CA validates the trademark before issuing the certificate.
VMC expiry and monitoring
VMCs expire annually. An expired VMC causes Gmail to stop displaying the brand logo — the same way an expired TLS certificate causes HTTPS warnings. Monitor VMC expiry the same way you monitor TLS certificate expiry. This tool can verify the VMC URL is reachable but cannot check the certificate expiry date — verify this with your CA's management console.
Frequently asked questions
What is BIMI and do I need it?
BIMI (Brand Indicators for Message Identification) is a DNS-based email standard that displays your brand logo next to authenticated emails in supporting inboxes. You do not need it for email to work correctly — it is a brand visibility enhancement. It is most useful for organisations that send high-volume email and want recipients to recognise their messages visually. BIMI only has effect once SPF, DKIM, and DMARC are fully configured. If your DMARC policy is still at p=none, BIMI is not yet relevant.
Why does Gmail not show my BIMI logo?
Gmail requires a VMC (Verified Mark Certificate) in the a= field of the BIMI record before displaying the brand logo. Without a VMC, Gmail will not show the logo even if the rest of the BIMI configuration is correct. Other common reasons include: DMARC policy is p=none (must be quarantine or reject), the logo URL is unreachable or not in Tiny PS SVG format, or the BIMI record is missing or has syntax errors. Use this tool to check each component and see which is failing.
Can I use BIMI without a VMC?
Yes — the BIMI specification makes the a= VMC field optional. Yahoo Mail, Fastmail, Apple Mail, and some other providers will display the brand logo without a VMC if DMARC is properly enforced. However, Gmail — the most widely used mail client — requires a VMC. If Gmail support matters to you, you need a VMC. VMCs require a trademark registration and involve an annual fee from the issuing CA (DigiCert or Entrust).
Does BIMI prevent email spoofing?
No — BIMI does not directly prevent spoofing. Spoofing prevention is the role of SPF, DKIM, and DMARC. BIMI is a display enhancement that works on top of those standards. What BIMI does provide is a visual authentication signal to recipients — when they see the brand logo, they can be more confident the email is from an authenticated sender. But this signal only appears after DMARC enforcement is in place, so the spoofing protection is provided by DMARC, not BIMI itself.
What is SVG Tiny PS and why does BIMI require it?
SVG Tiny PS (Portable SVG Profile) is a restricted subset of the SVG format designed for safe rendering in constrained environments like email clients. BIMI requires it because full SVG supports embedded scripts, external resources, and raster images — all of which are security risks or rendering problems in mail clients. Tiny PS requires: square aspect ratio, no embedded scripts, no external resource references, no embedded raster images, proper SVG namespace declaration, and specific profile declarations. Standard SVG files from design tools like Illustrator or Figma usually need cleanup to meet Tiny PS requirements. The BIMI Group provides an official free validator at bimigroup.org.
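A pre-flight lint for the Tiny PS rules listed above and in "The SVG logo file", as an added Python example (not this tool's own code, and not a substitute for the BIMI Group validator). Both SVG samples are constructed, and the version="1.2" / baseProfile="tiny-ps" values are an assumption about the "specific profile declarations" this page mentions without naming.

```python
import xml.etree.ElementTree as ET

# Added example, not the checker's own code. Both SVG samples are constructed.
# ElementTree is fine for files you control; use defusedxml for untrusted input.
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            'baseProfile="tiny-ps" viewBox="0 0 100 100">'
            '<title>Example</title><circle cx="50" cy="50" r="40"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 100">'
           '<script>void 0</script>'
           '<image xlink:href="https://cdn.example.com/logo.png"/></svg>')


def is_square(view_box):
    """True when viewBox has four numbers and width equals height."""
    try:
        parts = [float(p) for p in view_box.replace(",", " ").split()]
    except ValueError:
        return False
    return len(parts) == 4 and parts[2] > 0 and parts[2] == parts[3]


def lint_tiny_ps(svg_text):
    """Return a list of problems; an empty list means no issue was found."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "{%s}svg" % SVG_NS:
        problems.append("root is not <svg> in the SVG namespace")
    if (root.get("version"), root.get("baseProfile")) != ("1.2", "tiny-ps"):
        problems.append('missing version="1.2" / baseProfile="tiny-ps"')
    if not is_square(root.get("viewBox", "")):
        problems.append("viewBox missing or not square")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name in ("script", "image"):
            problems.append("<%s> element is not allowed" % name)
        for ref in (el.get("href"), el.get(XLINK_HREF)):
            if ref and not ref.startswith("#"):
                problems.append("external reference: %s" % ref)
    return problems
```

Any href that is not a same-document fragment (including data: URIs carrying embedded raster images) is reported as an external reference.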
What is the default selector in BIMI?
The default selector means the BIMI record is published at default._bimi.yourdomain.com. The BIMI specification supports named selectors (e.g., newsletter._bimi.yourdomain.com) for domains that want to display different logos for different email streams. Named selectors are referenced in the DKIM signature's bimi= tag. In practice, nearly all BIMI deployments use the default selector only. This tool checks the default._bimi record, which covers the vast majority of BIMI configurations.
Is BIMI a security risk to deploy?
No — BIMI is safe to deploy and has no effect on email delivery. The DNS record and the logo URL are read-only by mail providers. Publishing a BIMI record does not cause email to be rejected, filtered, or redirected. If the BIMI record or logo URL has an error, the logo simply will not display — no other impact occurs. The only operational risk is an expired VMC causing logo display to stop in Gmail, which is a brand impact rather than a security or delivery issue.
What does this BIMI checker tool test?
This tool performs four checks from the Cloudflare edge: DNS TXT record lookup at default._bimi.yourdomain.com via Cloudflare DNS-over-HTTPS; HTTPS fetch to the logo URL to verify it returns HTTP 200 and the Content-Type indicates SVG; optional HTTPS fetch to the VMC URL to verify reachability; and DNS lookup of _dmarc.yourdomain.com to check the DMARC prerequisite. It cannot validate SVG Tiny PS compliance, VMC certificate issuer, or VMC expiry date — those require the BIMI Group validator and CA management console respectively.