BIMI in Action: How Email Clients Decide When to Show Logo

Imagine scrolling through your inbox overflowing with so many emails looking spammy and suspicious. In that unread, cluttered inbox, how do you decide which emails to trust and open?

What if your favorite brands could give a clear hint that this message is genuinely from them? That’s when BIMI (Brand Indicators for Message Identification) comes in to solve this by displaying an official logo next to the email.

This becomes a powerful way to combat spam and spoofed email, but the ultimate decision comes from the email clients and brands to adopt this. This detailed blog will explain the key factors influencing that decision and go deeper into how BIMI works and how to place the logo in the inbox.

What is BIMI?

BIMI actually stands for Brand Indicators for Message Identification. It is an email standard that allows a brand to display its official logo next to authenticated emails in the recipient’s inbox.

The primary purpose of BIMI is to connect robust, technical email authentication with a brand’s visual identity. By displaying a logo, marketers and brands can enhance brand recognition, increase trust, and also grow engagement.

Using BIMI is a privilege of having solid email security practices. Several technical requirements must be satisfied before a logo can be displayed in the receiver’s inbox.

Some basic requirements are:

  • Sender Policy Framework (SPF): An email authentication method to check if the email was sent from an authorized mail server or domain. It validates the hidden “Return-Path” (MAIL from) the original source of the email.
  • DomainKeys Identified Mail (DKIM): A method that adds a digital signature to emails to make sure that the content has not been altered during transit by verifying the sender’s identity.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): This builds on top of SPF and DKIM. It adds two critical functions, alignment and policy enforcement. If the email passes both SPF and DKIM, but can still fail DMARC if domains do not align. This alignment check can effectively stop email spoofing or phishing attacks.

While email authentication through DMARC can confirm that the email is from the original domain. Proving visual, legal rights, and authenticity of the logo is a different challenge. This is where the Verified Mark Certificate (VMC) comes in.

A VMC is issued by trusted certificate authorities after a thorough vetting process. To qualify, the logo must be trademarked. Once it is approved, a verified checkmark appears next to the logo in supported inboxes.

Though several major email providers recommend using VMC, it is not mandatory in BIMI. Using a VMC is highly recommended because it increases the credibility of your emails, making it a simple technical configuration into a high-visibility trust signal.

How Email Clients Decide When to Show Your Logo

As DMARC is an unnegotiable point for displaying the brand logo, the final decision of showing the logo lies with email clients. It depends on their client-specific rules beyond basic setup and other factors.

Authentication Checks

  • To display the logo successfully, the DMARC should be set to an enforcement mode. This means that the DMARC record must specify a policy of either p=quarantine or p=reject.
  • A p=quarantine policy advises that suspicious emails should be delivered to the spam folder by the mail servers.
  • A p=reject policy advises to completely block or reject the mails that are not authenticated to avoid reaching to the receiver’s inbox.

Domain owners can set DMARC to enforcement mode to show email providers that they actively work to prevent unauthorized use. Also, the enforcement policy should apply to 100% of the domain’s email. This can be configured by setting the percentage to pct=100, or omitting it, as 100 is the default value.

Note: Relaxed DMARC (p=none) usually won’t qualify as it doesn’t protect any fraudulent emails reaching the inbox, so receiving servers don’t consider it as enforcement. It also doesn’t meet the foundational security requirements for BIMI.

Logo Validation

It should be BIMI-compliant and follow some standards to ensure security and consistent display across different email clients. These requirements are very specific, and failure to comply with these results in the logo not showing up.

  1. File Format: Logo must be in the Scalable Vector Graphics (SVG) format, also called SVG Tiny Portable/Secure (SVG P/S)
  2. Vector Graphic: The image must be a true vector graphic; using bitmap images like JPEGs or PNGs within SVG is not permitted and will cause validation failure.
  3. No Scripts or Animations: For Security reasons, the SVG file should not contain any scripts, animations or other elements.
  4. Aspect Ratio: The logo must have a 1:1 square aspect ratio to avoid getting cutoffs when cropped into a circle or rounded square. It should only have a non-transparent background.
  5. File Size: It should not be above 32 kilobytes (KB) in size.

Secured Hosting:

It is important to host the logo publicly accessible so that automated systems from email providers retrieve it without getting blocked. Some Content Delivery Networks (CDNs) might block these requests, causing authentication to fail.

The Secure URL for the logo is specified in the 1= tag of the BIMI DNS record. Even a slight typo in this URL will prevent email clients from finding the file. Also, some email providers use a cache to display the logo, so if the logo has been changed recently, it may take some time to reflect the updated logo until the cache gets refreshed.

Email Mark Certificate Requirements

Some email clients, such as Gmail and Apple Mail, require an Email Mark Certificate to ensure that the logo displayed in the inbox is genuine. And it belongs to the sender and is not fraudulent or spoofed.

There are two main types of Certificates:

  • Verified Mark Certificate: They enable brands to display their logo along with a verified checkmark. Requires a trademarked logo and goes through rigorous verification.
  • Common Mark Certificate: These are a more accessible kind of certificates for organizations without a registered trademark. Only a valid proof of the logo used prior is enough to display it.

By implementing either VMC or CMC, brands help email clients and their end inbox recipients to prevent phishing or spoofing. This increased trust and visibility can help brands to make their emails stand out in crowded inboxes and boost engagement.

Provider-Specific Policies

Every email client enforces their own set of policies for displaying BIMI logos; the same sender could see different results across email clients such as:

  • Gmail / Google: Supports BIMI when DMARC is properly aligned and enforced (quarantine or reject). It accepts both VMC and CMC certificates. A VMC is required to display the verified blue checkmark; CMC allows the logo but without the checkmark.
  • Yahoo Mail: Displays BIMI logos when DMARC is aligned; it is relatively permissive and often accepts self-asserted (no certificate) BIMI records. Use of VMC/CMC improves reliability.
  • Apple Mail / iCloud: Supports BIMI (for iOS 16+, macOS Ventura+, and iCloud.com). Displaying logos typically requires a verifiable evidence document (e.g. a VMC or equivalent) and depends on whether the mail provider validates it. In practice, logos sometimes only appear after the message is opened or under certain caching/client heuristics.
  • Outlook / Microsoft: General Outlook / Office 365 clients do not support BIMI as of 2025. Microsoft’s support is limited to specific enterprise services (such as Dynamics 365) in special contexts, not standard Outlook mail clients.

When Your Logo Might Not Appear

  1. When DMARC is not properly enforced with a policy of  “quarantine” or “reject”.
  2. If the logo file is not compliant with BIMI strict specifications, such as not being in the SVG format, or a size issue, as discussed earlier.
  3. Some email clients like Gmail and Apple Mail require a Verified Mark Certificate (VMC); if missed, the logo might not appear.
  4. Not all email clients support BIMI yet; for example, Microsoft Outlook does not display BIMI logos, so even a perfect setup won’t guarantee logo display.

Addressing these four cases ensures the best chance of displaying the brand logo everywhere.

Best Practices to Improve Display Chances

  • Use DMARC with policies like quarantine or reject, along with alignment of SPF and DKIM records.
  • Using a BIMI compliant logo in SVG format with a square shape, under 32kb in size.
  • Using an Email Mark Certificate (VMC or CMC), depending on your trademark status, helps to improve visibility.
  • Testing across different email clients is crucial to confirm that the BIMI setup works as expected.
  • Regularly detect and address any authentication problems that prevent the BIMI logo from being shown.

Conclusion

BIMI in action implies that your verified brand logo appears in inboxes, but it passes several layers of authentication. Email clients do have their own conventions, thus logos appear differently across platforms. When all standards are complete, BIMI increases brand awareness and confidence, clearly establishing your email’s integrity to recipients.

Email Mark Certificates

Table of Contents