What is BIMI?

Have you ever wondered how some email senders manage to display their brand logos right next to their emails in your inbox? That's BIMI in action - Brand Indicators for Message Identification, pronounced "Bih-mee". It's an emerging email specification that allows organizations to display their brand-controlled logos within supporting email clients, but only after passing strict authentication checks.

TL;DR

  • You need DMARC enforcement to use BIMI
  • BIMI requires a specific SVG logo format
  • BIMI requires a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) to display logos
  • You need to publish a DNS record with your logo URL and optionally (but in practice, required for most providers) a VMC URL

You can check your BIMI implementation using tools like the BIMI Validator.

Certificates are required for displaying logos, which can be expensive (around $1,000-$1,500 per year). Let’s Encrypt does not provide VMCs due to their manual verification requirements.

No fun here.

How BIMI Works

The magic happens through a combination of DNS records and email authentication protocols:

  1. Email Authentication Foundation: BIMI builds upon SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC protocols
  2. DNS Record Publishing: Organizations publish a new standardized DNS record containing a URL to their logo
  3. DMARC Enforcement: The mailbox provider checks that the sending domain has a DMARC policy configured with enforcement (p=quarantine or p=reject)
  4. Logo Display: If both checks are successful, supporting mailbox providers may display the logo from the BIMI record

The process ensures that only legitimate, authenticated emails can display brand logos, making it harder for attackers to impersonate trusted brands.

How to Make Your Own BIMI

Implementing BIMI for your organization involves several steps:

Prerequisites

  1. DMARC Enforcement: Your domain must have a DMARC policy of at least p=quarantine or p=reject
  2. Logo Ownership: You must own the trademark/rights to the logo you want to display (for VMC), otherwise you can use a Common Mark Certificate (CMC), which is somewhat easier to obtain but still costly
  3. SVG Logo: Your logo must be in SVG with specific requirements

Step-by-Step Implementation

  1. Prepare Your Logo:

    • Create an SVG file using the SVG Tiny PS profile
    • Make it square with a solid background color
    • Ensure it displays well in a circle (some email clients crop it)
    • Host it on HTTPS with proper CORS headers
  2. Create the BIMI DNS Record:

    default._bimi.technicaldomain.xyz IN TXT "v=BIMI1; l=https://technicaldomain.xyz/logo.svg;"
  3. Test Your Implementation:
    Use tools like the BIMI Validator to verify your setup

BIMI Record Attributes

  • v=BIMI1: Indicates this is a BIMI record
  • l=URL: The hosting location of the SVG image
  • a=URL: The hosting location of the VMC (Verified Mark Certificate). Optional but recommended: without it the logo will not be displayed in some email clients (for example, Apple Mail will not display the logo without a VMC)

Certificates and BIMI

This is where things get expensive. While you can implement basic BIMI without certificates, many major email providers require Verified Mark Certificates (VMCs) to actually display logos.

Currently, only a few Certificate Authorities offer VMCs: DigiCert, GlobalSign and SSL.com.

Cost: VMCs typically cost $1,000-$1,500 per year - a significant investment just to display a logo in emails.

The Let’s Encrypt Discussion

Unfortunately, Let’s Encrypt cannot and will not offer VMCs. As discussed in their community forums, VMCs require manual verification of trademark ownership, which goes against Let’s Encrypt’s automated certificate issuance model. A Let’s Encrypt staff member confirmed: “Because of the manual verification required for VMC, Let’s Encrypt cannot implement it. I suspect there will never be a free or low cost option.”

This creates a significant barrier to BIMI adoption, especially for smaller organizations that can’t justify the annual expense.

Benefits of Using BIMI

For Organizations

  • Brand Recognition: Your logo appears next to authenticated emails
  • Enhanced Trust: Recipients can visually identify legitimate emails
  • Professional Appearance: Emails look more polished and trustworthy

For Email Recipients

  • Visual Authentication: Quick visual confirmation of sender legitimacy
  • Reduced Phishing Risk: Harder for scammers to fake branded emails
  • Better User Experience: Easier to identify important emails

Real-World Examples

Several major organizations use BIMI successfully:

  • amazon.ca: Amazon Canada displays their logo in supported email clients
  • m.wealthsimple.com: The financial services company uses BIMI for brand recognition
  • skipthedishes.com: The food delivery service leverages BIMI for order confirmations

How to Check BIMI Implementation

You can verify BIMI records using command-line tools:

# Check for BIMI DNS record
dig TXT default._bimi.technicaldomain.xyz

You will see a response like this if BIMI is implemented:

; <<>> DiG 9.10.6 <<>> TXT default._bimi.technicaldomain.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42410
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;default._bimi.technicaldomain.xyz. IN TXT

;; ANSWER SECTION:
default._bimi.technicaldomain.xyz. 300 IN TXT "v=BIMI1;l=https://technicaldomain.xyz/logo.svg;a=https://technicaldomain.xyz/certchain.pem"
# Download and inspect the logo
curl -s https://technicaldomain.xyz/logo.svg

# If there's a VMC, inspect the certificate
curl -s https://technicaldomain.xyz/certchain.pem | openssl x509 -text -noout

For a complete verification, you can use the BIMI validator at bimivalidator.authmilter.org.
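As an added example (not code from the original post or the BIMI validator), the Python below does offline what the checks above do by hand: it parses the BIMI TXT record and its DMARC prerequisite, flags the problems that block logo display and the omissions (no a= tag) that limit it. The two records are constructed samples, and the pct=100 requirement on the DMARC policy comes from the BIMI draft specification rather than from this page.

```python
from urllib.parse import urlparse

# Constructed sample records for this example (they are not live DNS answers).
SAMPLE_BIMI = "v=BIMI1;l=https://technicaldomain.xyz/logo.svg;a=https://technicaldomain.xyz/certchain.pem"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@technicaldomain.xyz"


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc_record):
    """BIMI prerequisite: p=quarantine or p=reject, applied to all mail (pct=100 or absent)."""
    tags = parse_tags(dmarc_record)
    policy_ok = tags.get("p", "none").lower() in ("quarantine", "reject")
    full_coverage = tags.get("pct", "100") == "100"
    return tags.get("v") == "DMARC1" and policy_ok and full_coverage


def is_https_url(value):
    """Logo and certificate locations must be fetched over HTTPS."""
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_bimi(bimi_record, dmarc_record):
    """Return (problems, warnings): problems block logo display, warnings limit it."""
    problems, warnings = [], []
    if not dmarc_enforcing(dmarc_record):
        problems.append("DMARC is not enforcing (need p=quarantine or p=reject, pct=100)")
    tags = parse_tags(bimi_record)
    if tags.get("v") != "BIMI1":
        problems.append("missing or wrong v= tag (expected v=BIMI1)")
    logo = tags.get("l", "")
    if not is_https_url(logo):
        problems.append("l= must be an HTTPS URL pointing at the SVG logo")
    elif not logo.lower().endswith(".svg"):
        warnings.append("l= does not point at an .svg file")
    cert = tags.get("a", "")
    if not cert:
        warnings.append("no a= tag: Gmail and Apple Mail will not show the logo without a VMC")
    elif not is_https_url(cert):
        problems.append("a= must be an HTTPS URL pointing at the VMC chain (PEM)")
    return problems, warnings
```

To run it against a real domain, paste the quoted TXT values from the dig output above into the two sample strings.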

Mailbox Provider Support (at the time of writing)

BIMI support varies significantly across email providers:

Full Support with VMC requirement:

  • Gmail (Google Workspace)
  • Apple Mail

Self-asserted BIMI Support (no VMC required):

  • Yahoo
  • Some other providers

Growing Support:

  • Fastmail
  • La Poste
  • Onet Poczta
  • Zone

No Support:

  • Microsoft Outlook

The inconsistent support means your investment might not pay off across all email clients, especially if your organization relies heavily on Microsoft Outlook, which currently does not support BIMI at all.

Conclusion

BIMI is an interesting technology that bridges email authentication and brand recognition. It’s somewhat amusing that we’ve reached a point where displaying a simple logo in email requires complex certificate infrastructure and significant annual costs.

The Reality Check:

  • For Large Brands/Banks: BIMI makes sense if budget allows and brand protection is critical
  • For SMBs: The $1,000+ annual cost is hard to justify for logo display
  • For Everyone: Limited mailbox provider support reduces the return on investment

If you’re considering BIMI, focus first on solid email authentication (SPF, DKIM, DMARC) - these provide real security benefits. BIMI is the cherry on top, not the foundation of email security.

Bottom Line: Funny concept, makes some sense for brands with deep pockets, but costly implementation and patchy mailbox provider support limit its practical appeal.

But if you’re banking on email as a key marketing channel, the investment in BIMI could pay off in increased brand trust and recognition.

Evaluate your needs and budget before investing in BIMI.