How Many BIMI Certificates Do I Need?

Core Architectural Rule

The number of BIMI certificates your organization needs is determined by one variable: how many distinct visual logos you intend to display in the inbox. One logo design across any number of domains = one certificate. Each unique logo design requires its own certificate, regardless of how many domains share it.

The Determining Variable

Certificate count is not determined by domain count, subdomain count, or email sending volume. A single VMC or CMC binds exactly one SVG Tiny PS logo file at issuance. That binding is the constraint. Every domain displaying the same logo can reference the same certificate — only when logos diverge does the certificate count increase.

Subdomains that share the organizational domain's logo add no certificate requirement. When a subdomain has no valid BIMI DNS record of its own, mailbox providers follow the BIMI discovery fallback and evaluate the record at the organizational domain, provided DMARC enforcement remains valid for both the organizational domain and the RFC5322.From domain.

Certificate Count by Scenario

| Scenario | Logo Profile | Certificates Required |
| --- | --- | --- |
| Single domain (e.g., brand.com) | One logo | 1 |
| Single domain + subdomains (e.g., mail.brand.com, promo.brand.com) | Same logo across all | 1 — subdomains covered via BIMI discovery fallback |
| Multiple domains, same logo (e.g., brand.com, brand.co.uk, brand.de) | One identical logo | 1 — using a multi-domain (SAN) certificate |
| Multi-brand organization (e.g., brand-a.com, brand-b.com with different logos) | Different logo per brand | 1 per distinct logo — each logo requires separate CA validation |

Key Architectural Pillars

  1. Visual vs. Cryptographic Binding

    The BIMI record points to the SVG logo with the l= tag and to the certificate or evidence file with the a= tag. The certificate validates the relationship between the organization, domain, and approved logo. Any variation in corporate colors, layout treatments, or text elements creates a distinct visual mark that requires its own validation track.

  2. DNS Subdomain Discovery Fallback

    BIMI discovery may evaluate the organizational-domain BIMI record when no valid record exists at the RFC5322.From subdomain. DMARC enforcement must still be valid for both the organizational domain and the RFC5322.From domain. This fallback minimizes the need for independent subdomain certificates.

SAN Capabilities: Multiple domains may be included through SAN fields, subject to CA product limits, validation rules, and the requirement that the same approved logo identity applies.

DMARC Alignment: BIMI requires DMARC enforcement with p=quarantine or p=reject, and subdomain policy must not weaken enforcement. A policy configuration using pct below 100% or sp=none can break eligibility.
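
The discovery fallback and the DMARC conditions above can be checked together before a certificate is ordered. The following is an added example, not code from the original page or from any BIMI tool: it runs over constructed TXT records instead of live DNS, the function names are hypothetical, and the organizational domain is passed in by the caller rather than derived from the Public Suffix List.

```python
# Added example. ZONE holds constructed TXT records; no DNS queries are made.
ZONE = {
    "default._bimi.brand.example":
        "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem",
    "_dmarc.brand.example": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.promo.brand.example": "v=DMARC1; p=quarantine; pct=50",
    "_dmarc.weak.example": "v=DMARC1; p=reject; sp=none",
    "default._bimi.weak.example":
        "v=BIMI1; l=https://weak.example/logo.svg; a=https://weak.example/vmc.pem",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_problems(domain, zone):
    """Reasons the DMARC record published at `domain` breaks BIMI eligibility."""
    txt = zone.get("_dmarc." + domain)
    if txt is None:
        return []  # no record at this name; the organizational record governs
    t = parse_tags(txt)
    out = []
    if t.get("p", "").lower() not in ("quarantine", "reject"):
        out.append(f"{domain}: p={t.get('p')} is not enforcement")
    if t.get("sp", "").lower() == "none":
        out.append(f"{domain}: sp=none weakens subdomain enforcement")
    if t.get("pct", "100") != "100":
        out.append(f"{domain}: pct={t['pct']} is below 100")
    return out

def evaluate(from_domain, org_domain, zone=ZONE):
    """Return (domain whose BIMI record is used, or None, and a problem list)."""
    problems = []
    if "_dmarc." + org_domain not in zone:
        problems.append(f"{org_domain}: no DMARC record")
    # DMARC must hold for both the organizational and the From domain.
    for d in dict.fromkeys([org_domain, from_domain]):  # dedupe, keep order
        problems += dmarc_problems(d, zone)
    # Discovery: record at the From domain first, then organizational fallback.
    for d in dict.fromkeys([from_domain, org_domain]):
        txt = zone.get("default._bimi." + d)
        if txt and parse_tags(txt).get("v") == "BIMI1":
            return d, problems
    return None, problems + [f"no BIMI record for {from_domain} or {org_domain}"]
```

An empty problem list with a record owner equal to the organizational domain means the subdomain is covered by the existing certificate through fallback; any entry in the list should be fixed in DNS first.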

Frequently Asked Questions

Can one trademark registration support certificates for multiple domains?

Yes. A single trademark registration can be used as the validation basis for a certificate covering multiple domains, as long as those domains are under the same organizational control and display the same logo.

Does a subdomain using a different logo need a separate certificate?

Yes. If a subdomain must display a logo that differs from the apex domain, it needs either a separate certificate or a dedicated SAN entry on a different certificate. The BIMI discovery fallback only applies when the subdomain uses the same logo as the parent.

Does a dark-mode or alternate logo variant require a second certificate?

Yes, if it is a distinct SVG file. An alternate color scheme that results in a different SVG constitutes a distinct visual mark requiring its own validation track. If the alternate logo is identical in all respects except color values, check whether the CA treats it as the same mark before proceeding.