BIMI record support

ab-000929 · deliverability-engineering.dns-auth.bimi-record

Severity: infoactive

Why it matters

BIMI (Brand Indicators for Message Identification) displays your company logo directly in Gmail and Apple Mail inboxes, making authenticated email visually distinct from spoofed mail. For high-volume B2C senders, brand recognition in the inbox measurably increases open rates and recipient trust. BIMI requires a DMARC policy at p=quarantine or p=reject as a prerequisite, meaning it also validates that your domain's authentication stack is at enforcement level. Absence of BIMI is a missed opportunity for inbox differentiation at the accounts where it matters most — Gmail and Apple Mail — per the 2022 BIMI specification.

Severity rationale

Info because BIMI absence has no deliverability impact and is only relevant for high-volume B2C senders who have already achieved DMARC enforcement and consistent brand sending.

Remediation

Once DMARC enforcement is in place, publish the BIMI record at default._bimi.yourdomain.com:

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a=https://yourdomain.com/brand/cert.pem"

The SVG must conform to the BIMI SVG Tiny PS profile — square, no external references, no scripts. For Gmail logo display a Verified Mark Certificate (VMC) from Entrust or DigiCert is required and must be referenced in the a= tag. Track this record in your infrastructure-as-code alongside SPF, DKIM, and DMARC so any domain authentication migration keeps BIMI in sync.

Detection

ID: bimi-record
Severity: info
What to look for: Count all BIMI-related DNS records and for each, search for BIMI (Brand Indicators for Message Identification) record strings (v=BIMI1), SVG logo file references for BIMI, or Verified Mark Certificate (VMC) configuration. Also look for documentation or comments mentioning BIMI. BIMI requires p=quarantine or p=reject DMARC and is primarily relevant for high-volume senders seeking brand logo display in Gmail and Apple Mail.
Pass criteria: At least 1 BIMI record is defined at default._bimi.yourdomain.com with a valid l= tag pointing to an SVG logo and optionally a a= tag for VMC. BIMI prerequisites (DMARC enforcement, aligned SPF/DKIM) are also in place.
Fail criteria: No BIMI record defined or referenced in codebase or infrastructure.
Skip (N/A) when: The project is not a high-volume B2C sender where brand recognition in the inbox is a priority, or DMARC enforcement is not yet at p=quarantine/p=reject.
Detail on fail: "No BIMI record defined — brand logo will not appear in Gmail/Apple Mail inboxes" (low priority until DMARC enforcement and sending volume justify it)
Remediation: Once DMARC is at p=quarantine or p=reject, add a BIMI DNS record:
```
default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a=https://yourdomain.com/brand/certificate.pem"
```
The SVG must meet BIMI specification requirements (square, no external references, specific SVG profile). VMC from Entrust or DigiCert is required for Gmail logo display.

External references

external · BIMI-spec-2022 — Brand Indicators for Message Identification (BIMI) Overview

Taxons

operational-readiness

History

2026-04-18·v1.0.0·Initial import from deliverability-engineering·automated

Why it matters

Remediation

Once DMARC enforcement is in place, publish the BIMI record at default._bimi.yourdomain.com:

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a=https://yourdomain.com/brand/cert.pem"

Detection

ID: bimi-record
Severity: info
What to look for: Count all BIMI-related DNS records and for each, search for BIMI (Brand Indicators for Message Identification) record strings (v=BIMI1), SVG logo file references for BIMI, or Verified Mark Certificate (VMC) configuration. Also look for documentation or comments mentioning BIMI. BIMI requires p=quarantine or p=reject DMARC and is primarily relevant for high-volume senders seeking brand logo display in Gmail and Apple Mail.
Pass criteria: At least 1 BIMI record is defined at default._bimi.yourdomain.com with a valid l= tag pointing to an SVG logo and optionally a a= tag for VMC. BIMI prerequisites (DMARC enforcement, aligned SPF/DKIM) are also in place.
Fail criteria: No BIMI record defined or referenced in codebase or infrastructure.
Skip (N/A) when: The project is not a high-volume B2C sender where brand recognition in the inbox is a priority, or DMARC enforcement is not yet at p=quarantine/p=reject.
Detail on fail: "No BIMI record defined — brand logo will not appear in Gmail/Apple Mail inboxes" (low priority until DMARC enforcement and sending volume justify it)
Remediation: Once DMARC is at p=quarantine or p=reject, add a BIMI DNS record:
```
default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a=https://yourdomain.com/brand/certificate.pem"
```
The SVG must meet BIMI specification requirements (square, no external references, specific SVG profile). VMC from Entrust or DigiCert is required for Gmail logo display.