How to Set Up a BIMI DNS Record (Complete 2026 Guide)
A marketing director asks why the competitor's logo shows up next to their emails in Gmail, and yours doesn't. You check. They've got a BIMI DNS record. You don't. That gap is surprisingly fixable once you understand the moving parts - and adoption is still low enough that setting this up puts you ahead of most senders.
BIMI (Brand Indicators for Message Identification) is an email standard that uses a DNS TXT record to tell mailbox providers where to find your brand's logo. When everything's configured correctly, your logo appears right in the inbox next to your sender name. It's part branding, part anti-phishing, and part "you have your authentication together" signal.
What You Need Before Starting
Here's the checklist:
- SPF and DKIM passing and aligned
- DMARC at enforcement -
p=quarantineorp=reject,pct=100, nosp=none - SVG Portable/Secure (SVG P/S) logo hosted at an HTTPS URL
- VMC, CMC, or self-asserted setup, depending on which mailbox providers you're targeting
Realistic timeline: budget 6-8 weeks to get DMARC to enforcement if you're starting from scratch, plus 7-10 days for certificate provisioning. This isn't a Friday afternoon project.
Why Bother With BIMI?
Yahoo Mail's pilot program showed a 10% increase in engagement when BIMI was implemented. Other research summaries cite open rate boosts as high as 39%, a 34% higher purchase likelihood, and a 120% improvement in brand recognition. The exact lift varies by audience and vertical, but the directional signal is unmistakable: logos in the inbox get more attention.
There's also the anti-phishing angle. When recipients see your verified logo, they're far less likely to fall for spoofed emails impersonating your brand.
Here's the thing: check your audience's email clients before investing a dime. If most of your recipients are on Outlook, BIMI won't move the needle right now - Microsoft still doesn't support it. Run the numbers on your actual recipient base first.
Prerequisites Before You Touch DNS
Most guides dramatically undersell the prerequisites. Let's fix that.
SPF + DKIM alignment. Both need to pass and align with your sending domain. If you're using third-party senders like marketing automation or transactional email platforms, every one of them needs proper alignment. Miss one, and your DMARC reports will light up with failures.
DMARC at enforcement. This means p=quarantine or p=reject with pct=100 and no sp=none on subdomains. Per Red Sift's implementation guide, reaching enforcement takes 6-8 weeks for most organizations. You need to monitor DMARC reports, fix failing sources, and gradually tighten policy. Rushing this breaks legitimate email.
Clean sender reputation. BIMI amplifies your brand, but only if your emails actually reach the inbox. High bounce rates tank sender reputation, which undermines everything BIMI is supposed to do. We've seen teams invest weeks in BIMI configuration only to realize their contact data was the real bottleneck - tools like Prospeo's real-time email verification (98% accuracy) keep bounce rates low enough for BIMI to matter.
SVG Portable/Secure (SVG P/S) logo hosted at a public HTTPS URL.
Certificate (optional depending on provider). VMC or CMC for Gmail display; VMC for Apple Mail. Self-asserted works for Yahoo, AOL, and Fastmail.
Record Syntax Explained
The record itself is straightforward. It's a TXT record published at a specific subdomain:
default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem;"
v=BIMI1 is the version identifier - always BIMI1. l= is the full HTTPS URL to your SVG P/S logo file. a= is the URL to your VMC or CMC certificate in PEM format. For self-asserted BIMI, leave the value blank but keep the tag: a=;
The default._bimi selector is the standard. BIMI supports alternate selectors for different logos, but mailbox provider adoption of non-default selectors is limited. Stick with default.
Creating a BIMI-Compliant SVG
This is where most implementations break. BIMI doesn't accept standard SVGs - it requires SVG Portable/Secure (SVG P/S), a restricted profile of SVG Tiny 1.2 that strips out anything potentially dangerous.
Your SVG must include baseProfile="tiny-ps" and version="1.2" on the root `
Inkscape works as a free alternative. [SVGO](https://github.com/svg/svgo) is excellent for stripping metadata and reducing file size. The AuthIndicators svg-ps-converters tool on GitHub can auto-convert standard SVGs to SVG P/S format - the fastest path if you don't want to hand-edit XML.
<div class="cta-block" style="display:flex;flex-direction:column;align-items:center;justify-content:center;padding:3rem 20px 3.5rem;margin:3rem 0;border-radius:1rem;background-image:url('https://static.prospeo.io/directory-assets/images/home/general-cta-bg.webp');background-size:cover;background-position:center;background-repeat:no-repeat;"><img src="https://static.prospeo.io/directory-assets/images/prospeo_images/prospeo-logo.png" alt="Prospeo" style="display:block;height:40px;width:auto;margin-bottom:1.25rem;" /><h2 style="text-align:center;color:#1a1a1a;font-size:1.35rem;font-weight:400;line-height:1.5;margin:0 0 1.5rem 0;max-width:640px;">BIMI amplifies your brand - but only if your emails reach the inbox. High bounce rates destroy sender reputation and make your entire BIMI investment pointless. Prospeo's 5-step email verification delivers 98% accuracy, keeping bounces under control so your logo actually gets seen.</h2><p style="text-align:center;color:#1a1a1a;font-size:1rem;font-weight:600;line-height:1.5;margin:0 0 1.25rem 0;max-width:640px;">Don't configure BIMI on top of bad data. Fix the foundation first.</p><div style="display:flex;align-items:center;flex-wrap:wrap;gap:0.75rem;justify-content:center;"><a href="https://prospeo.io/sign-up" rel="nofollow noopener" class="cta-primary" style="display:inline-flex;align-items:center;justify-content:center;gap:0.5rem;padding:12px 24px;background:#FF1A26;color:#fff;border:2px solid #FF1A26;border-radius:0.5rem;font-size:15px;font-weight:500;line-height:1.5;text-decoration:none;white-space:nowrap;transition:all 0.2s ease;"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" aria-hidden="true" style="width:20px;height:20px;flex-shrink:0;" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" d="M9 4.5a.75.75 0 0 1 .721.544l.813 2.846a3.75 3.75 0 0 0 2.576 2.576l2.846.813a.75.75 0 0 1 0 1.442l-2.846.813a3.75 3.75 0 0 0-2.576 2.576l-.813 2.846a.75.75 0 0 1-1.442 0l-.813-2.846a3.75 3.75 0 0 0-2.576-2.576l-2.846-.813a.75.75 0 0 1 0-1.442l2.846-.813A3.75 3.75 0 0 0 7.466 7.89l.813-2.846A.75.75 0 0 1 9 4.5ZM18 1.5a.75.75 0 0 1 .728.568l.258 1.036c.236.94.97 1.674 1.91 1.91l1.036.258a.75.75 0 0 1 0 1.456l-1.036.258c-.94.236-1.674.97-1.91 1.91l-.258 1.036a.75.75 0 0 1-1.456 0l-.258-1.036a2.625 2.625 0 0 0-1.91-1.91l-1.036-.258a.75.75 0 0 1 0-1.456l1.036-.258a2.625 2.625 0 0 0 1.91-1.91l.258-1.036A.75.75 0 0 1 18 1.5ZM16.5 15a.75.75 0 0 1 .712.513l.394 1.183c.15.447.5.799.948.948l1.183.395a.75.75 0 0 1 0 1.422l-1.183.395c-.447.15-.799.5-.948.948l-.395 1.183a.75.75 0 0 1-1.422 0l-.395-1.183a1.5 1.5 0 0 0-.948-.948l-1.183-.395a.75.75 0 0 1 0-1.422l1.183-.395c.447-.15.799-.5.948-.948l.395-1.183A.75.75 0 0 1 16.5 15Z" clip-rule="evenodd"/></svg>Start Verifying Emails</a><a href="/contact" rel="nofollow noopener" class="cta-secondary" style="display:inline-flex;align-items:center;gap:4px;padding:12px 24px;background:#fff;color:#1a1a1a;border:1.5px solid #d1d5db;border-radius:0.5rem;font-size:15px;font-weight:400;line-height:1.5;text-decoration:none;white-space:nowrap;transition:all 0.2s ease;">Contact Sales <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="width:16px;height:16px;flex-shrink:0;"><path d="m9 18 6-6-6-6"/></svg></a></div></div>
## VMC vs CMC vs Self-Asserted
This decision determines both your cost and which mailbox providers display your logo. CMCs changed the game when they launched in early 2025 - suddenly you didn't need a registered trademark to get your logo into Gmail.
<figure class="article-image my-8" itemscope itemtype="https://schema.org/ImageObject"><meta itemprop="name" content="VMC vs CMC vs self-asserted BIMI comparison chart" /><img src="https://static.prospeo.io/directory-assets/images/new_images/bimi-dns-record/bimi-vmc-cmc-self-asserted-comparison.png" alt="VMC vs CMC vs self-asserted BIMI comparison chart" loading="lazy" decoding="async" class="w-full rounded-lg shadow-sm" style="max-height:500px;width:auto;display:block;margin:0 auto;cursor:zoom-in;" itemprop="contentUrl image" /><figcaption class="mt-3 text-sm text-gray-500 text-center" itemprop="description caption">VMC vs CMC vs self-asserted BIMI comparison chart</figcaption></figure>
| Requirement | VMC | CMC | Self-Asserted |
|---|---|------|
| Trademark needed | Yes | No | No |
| Brand proof | Registered trademark | 12 months public use | None |
| DMARC enforcement | Yes | Yes | Yes |
| Gmail support | Yes | Yes | No |
| Apple Mail support | Yes | No | No |
| Checkmark displayed | Yes (blue) | No | No |
| Annual cost | ~$800-$1,600 | ~$650-$950 | Free |
### Certificate Pricing
| Item | Annual Cost |
|---|---|
| DigiCert VMC (direct) | ~$1,608/yr |
| Reseller VMC (e.g., SSL2BUY) | $780-$1,200/yr |
| DigiCert CMC (direct) | ~$950/yr |
| Reseller CMC | $650-$950/yr |
| Self-asserted BIMI | Free |
The Reddit sentiment on VMC pricing is blunt - "money grabbing scheme" is a direct quote from [r/sysadmin](https://www.reddit.com/r/sysadmin/). And honestly, $1,600/year for a single domain's certificate does feel steep. CMCs brought the price down meaningfully, and they work with Gmail, which is what most B2B senders care about.
For teams that want Gmail display and have a registered trademark, get a VMC. When budget is tight and you don't have a trademark, a CMC gets you into Gmail at roughly half the cost. If your audience is primarily on Yahoo or Fastmail, skip the certificate entirely - self-asserted BIMI works free. [DigiCert](https://www.digicert.com/tls-ssl/verified-mark-certificates) and Entrust Datacard are the two issuing CAs for both certificate types.
## Publishing Your BIMI TXT Record
Once your SVG is hosted and your certificate is ready, publishing the DNS entry takes minutes.
| Field | Value |
|---|---|
| Name / Host | `default._bimi` |
| Type | TXT |
| TTL | 3600 (or Auto) |
| Value | `v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/cert.pem;` |
Lower your TTL to 60-300 seconds before publishing, then raise it back to 3600 after verification. This speeds up propagation if you need to iterate.
Cloudflare auto-appends your domain to the host field, so just enter `default._bimi`. GoDaddy works similarly. AWS Route 53 typically requires the full FQDN: `default._bimi.yourdomain.com`. When in doubt, check whether your provider appends the domain automatically - entering it twice is a common mistake that'll silently break everything.
We've stared at nslookup output for three days before a logo finally appeared. Propagation takes 24-48 hours typically, but some mailbox providers cache aggressively. Don't panic. Give it a full week before troubleshooting.
## Mailbox Provider Support in 2026
Not every email client supports BIMI. Here's where things stand:
<figure class="article-image my-8" itemscope itemtype="https://schema.org/ImageObject"><meta itemprop="name" content="Mailbox provider BIMI support matrix for 2026" /><img src="https://static.prospeo.io/directory-assets/images/new_images/bimi-dns-record/bimi-mailbox-provider-support-2026.png" alt="Mailbox provider BIMI support matrix for 2026" loading="lazy" decoding="async" class="w-full rounded-lg shadow-sm" style="max-height:500px;width:auto;display:block;margin:0 auto;cursor:zoom-in;" itemprop="contentUrl image" /><figcaption class="mt-3 text-sm text-gray-500 text-center" itemprop="description caption">Mailbox provider BIMI support matrix for 2026</figcaption></figure>
| Provider | BIMI Support | Certificate Required | Notes |
|---|---|---|---|
| Gmail | Yes | VMC or CMC | Blue checkmark with VMC only |
| Yahoo Mail | Yes | Not needed | Logo displays in mobile apps without cert |
| Apple Mail | Yes (iOS 16+) | VMC only | macOS Ventura+ |
| Fastmail | Yes | Not needed | No checkmark displayed |
| Outlook | No | N/A | No BIMI support as of 2026 |
Self-asserted BIMI is underrated. If a significant chunk of your audience uses Yahoo Mail, you get logo display for free - no certificate, no trademark, no annual fee. Don't overlook it.
## Verify and Troubleshoot
After publishing, verify your record:
```bash
nslookup -type=TXT default._bimi.yourdomain.com
Test that your SVG URL is accessible:
curl -I https://yourdomain.com/logo.svg
Online checkers worth bookmarking: MxToolbox BIMI lookup, EasyDMARC's BIMI generator, and Valimail's BIMI checker.
Common Failures
DMARC not at enforcement. The #1 reason BIMI doesn't work. Verify p=quarantine or p=reject with pct=100.
SVG too large. Aim for 32KB or less. Run the file through SVGO to strip metadata if you're close to the limit.
SVG not SVG P/S compliant. Check baseProfile="tiny-ps" and remove unsupported elements like filters, embedded images, or scripts.
Logo URL not HTTPS. The l= value must be a full HTTPS URL. HTTP won't work.
VMC/CMC missing for Gmail. Gmail won't display your logo without a VMC or CMC, regardless of how perfect your record is.
DNS not propagated. Wait 48 hours minimum. Some providers take longer due to caching.
Is BIMI Worth the Investment?
Total cost ranges from $0 (self-asserted) to $2,000+/year with a VMC through DigiCert direct. Some vendors also charge one-time integration fees in the $500-$1,000 range, so factor that into your budget.
Our recommendation: start with DMARC enforcement regardless - it's good security hygiene. Then check where your recipients actually read email. Gmail-heavy audience? A CMC at ~$650-$950/year is reasonable for the brand lift. Yahoo-heavy? Self-asserted BIMI is free and effective. VMC pricing is steep, but if you need that blue checkmark and already have a registered trademark, it's the only path.
CMCs made BIMI accessible to companies without trademark registrations. That single change turned it from an enterprise-only play into something any serious sender can implement. Pair a properly configured BIMI DNS record with clean contact data, and you've built the full deliverability stack - authentication, reputation, and brand visibility working together.
You're spending $800-$1,600/yr on a VMC and weeks on DMARC enforcement. One thing can still wreck it: emailing invalid addresses. Prospeo verifies emails in real time at $0.01 each - with catch-all handling and spam-trap removal built in - so your sender reputation stays clean enough for BIMI to deliver results.
Protect your deliverability investment with data that's refreshed every 7 days.
FAQ
What does a BIMI DNS record look like?
It's a TXT record published at default._bimi.yourdomain.com with the value v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/cert.pem;. The l= tag points to your SVG P/S logo and a= points to your VMC or CMC certificate in PEM format. For self-asserted setups, use a=; with a blank value.
Do I need a VMC for BIMI?
Only for Apple Mail display or the blue checkmark in Gmail. For Gmail logo display without a checkmark, a CMC works and costs ~$650-$950/year - no registered trademark required. Yahoo Mail and Fastmail display logos without any certificate at all, making self-asserted BIMI a free option for those audiences.
How long does BIMI take to show up?
DNS publishes in minutes, but logos typically appear within 24-48 hours. Some mailbox providers cache aggressively, so full rollout can take up to a week. The bigger time investment is reaching DMARC enforcement - budget 6-8 weeks if you're starting from p=none.