Gmail BIMI Verification Process: Six Checks Before Logo Display
The Gmail BIMI Verification Pipeline
Think of Gmail BIMI display as a chain of gates. The logo appears only when each gate passes. A failure at any point usually falls back to the sender’s default avatar, even if the later items in the setup are correct.
Step 1
SPF, DKIM and Identifier Alignment
Gmail first checks whether the message is authenticated and whether the authenticated domain aligns with the visible From: domain. BIMI is built on SPF, DKIM and DMARC alignment, so a message that fails this layer will not reach the BIMI display decision.
- SPF: the sending IP must be authorized by the domain’s SPF record. You can use the SPF checker when reviewing sending sources.
- DKIM: the message signature must validate against the public key in DNS.
- Alignment: SPF or DKIM must align with the RFC 5322
From:domain.
Many BIMI projects fail here because the marketing platform, CRM, or newsletter system authenticates with its own domain instead of the brand’s domain. The email may still deliver, but Gmail will not treat it as BIMI-ready unless alignment is correct.
Step 2
DMARC Enforcement Check
After alignment succeeds, Gmail checks whether the sending domain is enforcing DMARC. A domain still using p=none is not ready for Gmail BIMI logo display, even if the BIMI DNS record and certificate are valid. For a focused explanation, see why DMARC alone is not enough for BIMI unless the policy is enforced.
| DMARC item | Required for BIMI display | Common failure |
|---|---|---|
p policy | quarantine or reject | p=none stops BIMI display. |
pct rollout | Full enforcement is expected | Partial enforcement may not qualify for display. |
| Subdomain policy | Sending subdomains must also be covered | A permissive subdomain policy can block display for that stream. |
Do not check only the root domain. If newsletters are sent from news.example.com, Gmail evaluates that stream’s effective DMARC coverage. A strict root policy does not automatically fix a permissive subdomain configuration. For related domain-scope rules, review BIMI subdomain inheritance.
Step 3
BIMI DNS Record Discovery
Once authentication and DMARC pass, Gmail resolves the BIMI TXT record. If no custom selector is used, the default location is the DNS path covered in our BIMI DNS record location guide:
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem;"
The record points Gmail to two resources: the hosted SVG logo at l= and the VMC or CMC certificate file at a=. For Gmail, the certificate path is essential because Gmail expects certificate-backed BIMI display. Use the BIMI checker to confirm whether these DNS values are discoverable.
Small DNS mistakes create large delays: a missing semicolon, a certificate URL that redirects incorrectly, a blocked HTTPS path, or a stale selector can make an otherwise valid setup appear broken. If hosting is the weak point, the BIMI logo and certificate hosting guide explains what Gmail needs to fetch.
Step 4
Certificate Validation and Trusted Logo Source
For certificate-backed BIMI, the certificate is not just proof of identity. It also protects the logo that Gmail can trust. The hosted SVG remains important, but Gmail needs the certificate-backed logo and a valid certificate chain before the visual identity is considered reliable. This is where the choice between a Verified Mark Certificate and a Common Mark Certificate affects Gmail’s final trust treatment.
Hosted SVG at l=
Useful for BIMI record discovery and logo preparation. It must be reachable and compliant, but by itself it does not create Gmail’s verified display experience.
Certificate-backed logo at a=
The VMC or CMC certificate ties the logo to verified identity and domain authorization. This is the trusted package Gmail can validate.
At this stage, Gmail checks whether the certificate is issued by an accepted authority, whether it matches the sending domain, and whether the organization identity data is complete enough for certificate-backed BIMI display. If the certificate is near expiry or being replaced, review the VMC expiry and renewal revalidation guidance.
If the BIMI record is correct but Gmail still does not display the logo, check the certificate URL, HTTPS accessibility, certificate chain, and domain binding before changing the SVG. The problem is often in the certificate path rather than the artwork. For broader diagnosis, see why a BIMI logo may not be showing.
Step 5
SVG Tiny P/S Validation
The logo must be prepared in SVG Tiny Portable/Secure format. A normal designer-exported SVG is often not enough. Gmail may reject SVG files that contain unsupported elements, external references, unsafe markup, missing metadata, or dimensions that do not match the expected profile.
| SVG check | What to verify | Typical issue |
|---|---|---|
| Profile | version="1.2" and baseProfile="tiny-ps" | Exported as generic SVG instead of Tiny P/S. |
| Dimensions | Absolute width/height and matching viewBox | Percentage dimensions or mismatched canvas. |
| Security | No scripts, animations, external references or unsafe objects | Brand tools leave hidden unsupported elements. |
| Metadata | Use a clear <title>; add <desc> where useful | Missing title or incomplete accessible metadata. |
Most SVG failures are not design problems. They are export and compliance problems. Even a logo that already exists as an SVG often needs cleanup before it will pass BIMI-specific validation.
Step 6
Sender Reputation and Display Decision
Passing the technical checks does not always guarantee immediate display. Gmail also considers sender reputation and abuse signals. If the domain has weak or unstable reputation, the certificate can remain valid while the logo is not shown to recipients. This is one reason a setup can pass a BIMI record check but still fail real Gmail display.
- Good reputation supports display: low complaint rates and consistent authenticated sending matter.
- VMC and CMC display differently: a VMC can support the Gmail blue checkmark; a CMC can support logo display without the same checkmark treatment.
- Caching can delay changes: DNS, certificate and logo updates may not appear immediately. In practice, changes commonly take up to 48 hours, but timing can vary.
Practical diagnosis
Gmail BIMI Troubleshooting Matrix
Use this table when the BIMI record appears correct but Gmail still does not show the expected result.
| Symptom | Likely area to check first | What it usually means |
|---|---|---|
| No logo anywhere | SPF, DKIM, DMARC | The message is not reaching the BIMI pipeline. |
| Works in some clients, not Gmail | Certificate, SVG, reputation | Gmail-specific requirements are not being satisfied. |
| Logo appears but no blue checkmark | Certificate type | CMC or non-VMC-backed display may show a logo without the VMC badge. |
| One domain works, another does not | Subdomain DMARC and BIMI DNS | Each sending domain or subdomain needs its own compliant configuration. |
| Valid DNS but no change after update | Hosting and cache window | Gmail may still be using cached certificate or logo state. |
| Logo disappeared after working earlier | Expiry, reputation, DMARC drift | Check complaint rate, certificate validity, DNS accessibility and DMARC policy. |