Gmail BIMI Verification Process: Six Checks Before Logo Display

The Gmail BIMI Verification Pipeline

Think of Gmail BIMI display as a chain of gates. The logo appears only when each gate passes. A failure at any point usually falls back to the sender’s default avatar, even if the later items in the setup are correct.

Fast takeaway: If your BIMI logo is not showing in Gmail, do not start by replacing the certificate or changing the logo. Work through the sequence in order. Most issues are found before the final display stage.

Step 1

SPF, DKIM and Identifier Alignment

Gmail first checks whether the message is authenticated and whether the authenticated domain aligns with the visible From: domain. BIMI is built on SPF, DKIM and DMARC alignment, so a message that fails this layer will not reach the BIMI display decision.

  • SPF: the sending IP must be authorized by the domain’s SPF record. You can use the SPF checker when reviewing sending sources.
  • DKIM: the message signature must validate against the public key in DNS.
  • Alignment: SPF or DKIM must align with the RFC 5322 From: domain.
From implementation experience

Many BIMI projects fail here because the marketing platform, CRM, or newsletter system authenticates with its own domain instead of the brand’s domain. The email may still deliver, but Gmail will not treat it as BIMI-ready unless alignment is correct.

Step 2

DMARC Enforcement Check

After alignment succeeds, Gmail checks whether the sending domain is enforcing DMARC. A domain still using p=none is not ready for Gmail BIMI logo display, even if the BIMI DNS record and certificate are valid. For a focused explanation, see why DMARC alone is not enough for BIMI unless the policy is enforced.

DMARC itemRequired for BIMI displayCommon failure
p policyquarantine or rejectp=none stops BIMI display.
pct rolloutFull enforcement is expectedPartial enforcement may not qualify for display.
Subdomain policySending subdomains must also be coveredA permissive subdomain policy can block display for that stream.
From implementation experience

Do not check only the root domain. If newsletters are sent from news.example.com, Gmail evaluates that stream’s effective DMARC coverage. A strict root policy does not automatically fix a permissive subdomain configuration. For related domain-scope rules, review BIMI subdomain inheritance.

Step 3

BIMI DNS Record Discovery

Once authentication and DMARC pass, Gmail resolves the BIMI TXT record. If no custom selector is used, the default location is the DNS path covered in our BIMI DNS record location guide:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem;"

The record points Gmail to two resources: the hosted SVG logo at l= and the VMC or CMC certificate file at a=. For Gmail, the certificate path is essential because Gmail expects certificate-backed BIMI display. Use the BIMI checker to confirm whether these DNS values are discoverable.

From implementation experience

Small DNS mistakes create large delays: a missing semicolon, a certificate URL that redirects incorrectly, a blocked HTTPS path, or a stale selector can make an otherwise valid setup appear broken. If hosting is the weak point, the BIMI logo and certificate hosting guide explains what Gmail needs to fetch.

Step 4

Certificate Validation and Trusted Logo Source

For certificate-backed BIMI, the certificate is not just proof of identity. It also protects the logo that Gmail can trust. The hosted SVG remains important, but Gmail needs the certificate-backed logo and a valid certificate chain before the visual identity is considered reliable. This is where the choice between a Verified Mark Certificate and a Common Mark Certificate affects Gmail’s final trust treatment.

Discovery and validation

Hosted SVG at l=

Useful for BIMI record discovery and logo preparation. It must be reachable and compliant, but by itself it does not create Gmail’s verified display experience.

Trusted display source

Certificate-backed logo at a=

The VMC or CMC certificate ties the logo to verified identity and domain authorization. This is the trusted package Gmail can validate.

At this stage, Gmail checks whether the certificate is issued by an accepted authority, whether it matches the sending domain, and whether the organization identity data is complete enough for certificate-backed BIMI display. If the certificate is near expiry or being replaced, review the VMC expiry and renewal revalidation guidance.

From implementation experience

If the BIMI record is correct but Gmail still does not display the logo, check the certificate URL, HTTPS accessibility, certificate chain, and domain binding before changing the SVG. The problem is often in the certificate path rather than the artwork. For broader diagnosis, see why a BIMI logo may not be showing.

Step 5

SVG Tiny P/S Validation

The logo must be prepared in SVG Tiny Portable/Secure format. A normal designer-exported SVG is often not enough. Gmail may reject SVG files that contain unsupported elements, external references, unsafe markup, missing metadata, or dimensions that do not match the expected profile.

SVG checkWhat to verifyTypical issue
Profileversion="1.2" and baseProfile="tiny-ps"Exported as generic SVG instead of Tiny P/S.
DimensionsAbsolute width/height and matching viewBoxPercentage dimensions or mismatched canvas.
SecurityNo scripts, animations, external references or unsafe objectsBrand tools leave hidden unsupported elements.
MetadataUse a clear <title>; add <desc> where usefulMissing title or incomplete accessible metadata.
From implementation experience

Most SVG failures are not design problems. They are export and compliance problems. Even a logo that already exists as an SVG often needs cleanup before it will pass BIMI-specific validation.

Step 6

Sender Reputation and Display Decision

Passing the technical checks does not always guarantee immediate display. Gmail also considers sender reputation and abuse signals. If the domain has weak or unstable reputation, the certificate can remain valid while the logo is not shown to recipients. This is one reason a setup can pass a BIMI record check but still fail real Gmail display.

  • Good reputation supports display: low complaint rates and consistent authenticated sending matter.
  • VMC and CMC display differently: a VMC can support the Gmail blue checkmark; a CMC can support logo display without the same checkmark treatment.
  • Caching can delay changes: DNS, certificate and logo updates may not appear immediately. In practice, changes commonly take up to 48 hours, but timing can vary.
Important distinction: A valid certificate confirms identity. It does not override Gmail’s sender reputation controls. If reputation drops, Gmail may stop displaying the logo even though the BIMI setup remains technically valid.

Practical diagnosis

Gmail BIMI Troubleshooting Matrix

Use this table when the BIMI record appears correct but Gmail still does not show the expected result.

SymptomLikely area to check firstWhat it usually means
No logo anywhereSPF, DKIM, DMARCThe message is not reaching the BIMI pipeline.
Works in some clients, not GmailCertificate, SVG, reputationGmail-specific requirements are not being satisfied.
Logo appears but no blue checkmarkCertificate typeCMC or non-VMC-backed display may show a logo without the VMC badge.
One domain works, another does notSubdomain DMARC and BIMI DNSEach sending domain or subdomain needs its own compliant configuration.
Valid DNS but no change after updateHosting and cache windowGmail may still be using cached certificate or logo state.
Logo disappeared after working earlierExpiry, reputation, DMARC driftCheck complaint rate, certificate validity, DNS accessibility and DMARC policy.

Frequently Asked Questions

Why does my BIMI logo appear in other email clients but not Gmail?

Gmail may apply stricter certificate-backed BIMI checks, reputation controls, SVG validation and cached state handling. Work through authentication, DMARC, BIMI DNS, certificate, SVG and reputation in order.

Where does Gmail fetch the BIMI logo from?

For certificate-backed BIMI, Gmail validates the BIMI DNS record and certificate path, then relies on the CA-verified logo associated with the certificate package. The hosted SVG still matters, but it is not the only trust signal.

Will a subdomain DMARC policy stop Gmail logo display?

It can. Gmail evaluates the effective sending domain. If a subdomain is used for sending and remains permissive, that stream may fail BIMI display even when the root domain policy is stricter.

How long after updating DNS or a certificate does Gmail reflect the change?

Updates are often not immediate because Gmail and DNS infrastructure can cache BIMI-related resources. In practice, allow up to 48 hours, while recognizing that timing can vary.

Why is the blue checkmark missing?

The Gmail blue checkmark requires a VMC tied to a registered trademark. CMC-backed BIMI may support logo display but does not create the same blue checkmark treatment.