Brand Indicators for Message Identification
Brand Indicators for Message Identification (BIMI) is an email specification that allows domain owners to coordinate with mail user agents (MUAs) to display brand-specific graphical indicators, such as logos, alongside authenticated email messages.[1] Developed as an extension to existing authentication protocols like DMARC, DKIM, and SPF, BIMI requires a strict DMARC policy (quarantine or reject with pct=100) to ensure only verified messages qualify for logo display, thereby enhancing user trust and reducing phishing risks.[1] Specified in an active IETF Internet Draft (version 12 as of November 2025), the specification operates through DNS-based BIMI assertion records that point to hosted indicator files, typically in SVG Tiny Portable/Secure format, which must be accessible via HTTPS.[1] At its core, BIMI addresses the challenge of email impersonation by providing a visual cue for legitimate communications, encouraging broader adoption of authentication mechanisms among organizations.[2] Domain owners publish a BIMI TXT record in their DNS, which includes a selector for verification and a URI to the brand indicator; mail transfer agents (MTAs) then append relevant headers for MUAs to process.[1] Optional enhancements include Verified Mark Certificates (VMCs) issued by certificate authorities to cryptographically prove trademark ownership, adding an extra layer of assurance against unauthorized use.[1] Mailbox providers, such as Google Workspace, support BIMI, allowing logos to appear in inboxes like Gmail for compliant senders since 2021, along with adoption by Apple Mail and Yahoo.[3] The specification's design emphasizes scalability and compatibility with existing infrastructure, positioning BIMI as an open standard managed through collaborative efforts like the BIMI Group.[2] Benefits for brands include improved recognition and engagement, while recipients gain clearer signals of authenticity, potentially decreasing click rates on malicious emails.[4] As an emerging technology, BIMI's rollout depends on widespread DMARC enforcement and MUA adoption, with ongoing IETF drafts refining features like policy controls and evidence verification.[1]
Overview
Definition and Purpose
Brand Indicators for Message Identification (BIMI) is an email authentication specification developed as an active Internet-Draft by the Internet Engineering Task Force (IETF), enabling domain owners to publish brand-specific visual indicators, such as logos, for display in supported email clients alongside authenticated messages. This mechanism operates through a DNS-based BIMI Assertion Record, which mail transfer agents (MTAs) verify to authorize the presentation of these indicators by mail user agents (MUAs). BIMI does not modify the email message content itself but leverages existing infrastructure to associate verified sender identities with recognizable brand elements.[2] The primary purpose of BIMI is to bolster user trust in email communications by visually linking authenticated messages to established brands, thereby mitigating phishing attempts where malicious actors impersonate legitimate senders. By displaying logos only for emails that pass authentication checks, BIMI helps recipients quickly identify genuine correspondence, encouraging broader adoption of robust email security practices among organizations.[2] This visual reinforcement serves as a reward for domains implementing strong authentication, fostering a safer email ecosystem without requiring changes to end-user behavior. Implementation of BIMI requires a strict DMARC policy set to either "quarantine" (with pct=100) or "reject" at both the organizational and RFC 5322.From domains, ensuring that only fully authenticated emails qualify for logo display and preventing unauthorized use of brand indicators. 
BIMI builds directly on foundational protocols—Sender Policy Framework (SPF) for IP-based authorization, DomainKeys Identified Mail (DKIM) for cryptographic signing, and Domain-based Message Authentication, Reporting, and Conformance (DMARC) for policy enforcement—extending their capabilities to include brand visualization while maintaining compatibility with current email workflows.[2] This integration ensures that BIMI enhances rather than replaces existing authentication layers, promoting seamless deployment in production environments.
Benefits and Challenges
BIMI offers several key benefits to brands, email senders, and recipients by integrating visual authentication into email communications. One primary advantage is enhanced brand recognition, as the display of verified logos in supported inboxes provides immediate visual cues that reinforce sender identity and build familiarity among users. This visual element also contributes to stronger phishing deterrence, with logos serving as a clear indicator to distinguish legitimate emails from fraudulent ones, thereby reducing the success rate of spoofing attempts that rely on textual deception alone. Studies from early implementations, such as Yahoo Mail's pilot, have demonstrated uplifts in email engagement, including open and click-through rates of up to 10-15%, attributed to increased user trust in branded messages.[5][6][7][8] From the user perspective, BIMI reduces cognitive load in crowded inboxes by enabling quicker identification of trusted senders through familiar logos and verification indicators, such as Gmail's blue checkmark for compliant domains. This fosters a more secure and intuitive email experience, with surveys indicating up to a 90% increase in consumer confidence regarding email legitimacy when BIMI is present. For the broader email ecosystem, BIMI encourages adoption of foundational authentication protocols like DMARC, promoting layered defenses that enhance overall deliverability and security.[9][10][11] Despite these advantages, BIMI implementation presents notable challenges, primarily its strict dependency on DMARC enforcement policies (p=quarantine or p=reject), which limits accessibility since only approximately 9.7% of global domains had implemented DMARC records as of early 2025, with even fewer enforcing strict policies. Without ongoing DMARC compliance, there is a risk of logo misuse, where outdated or lapsed verifications could inadvertently lend credibility to unauthorized emails if policies are not monitored. 
Additionally, BIMI's reliance on DNS records exposes it to vulnerabilities like DNS spoofing, which can be mitigated by pairing it with DNSSEC but adds complexity to deployment.[12][5][13] Further limitations include uneven support across email clients; while Gmail and Yahoo Mail provide full BIMI rendering with appropriate certificates, major providers like Microsoft Outlook and Office 365 have not implemented support as of late 2025, restricting visibility to a subset of users. For smaller organizations, scalability issues arise from the costs of required certificates, such as Verified Mark Certificates (VMCs) priced at $1,000 to $1,500 annually per domain, which may deter adoption among resource-constrained entities without established trademarks. These barriers contribute to BIMI's overall low deployment rate, with only around 9,661 domains featuring valid records among the top million as of early 2025.[9][14][15][16]
Technical Design
BIMI DNS Record
The BIMI DNS record is a TXT resource record published in the Domain Name System (DNS) to associate a domain with its brand indicator, such as a logo, enabling email receivers to display it alongside authenticated messages. It is specifically located at a subdomain constructed as <selector>._bimi.<domain>, where <selector> is an optional label (e.g., "default") that allows for multiple records per domain, and <domain> is the organizational domain. This placement ensures the record does not interfere with email delivery processes, as it operates independently of the message flow while relying on prior authentication mechanisms like DMARC.[17][18]
The record follows a tag-value syntax similar to that defined in DKIM (RFC 6376), consisting of semicolon-separated key-value pairs enclosed in double quotes. The required tags are v=BIMI1 for the protocol version and l=<HTTPS URI> for the secure location of the brand indicator file, which must use HTTPS to facilitate secure retrieval by email clients. Optional tags include a= for the HTTPS URI of authority evidence, such as a Verified Mark Certificate (VMC); lps= for a local-part selector; and avp= for avatar preference ("personal" or "brand"). If the a= tag is omitted, it defaults to no additional verification beyond DMARC. For example, a basic record might appear as:

    default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg;"

This format ensures precise declaration of the indicator without embedding sensitive data directly in DNS.[17][18] The selector mechanism in the DNS label enables organizations to maintain distinct BIMI configurations for different DKIM signing keys or subdomains, promoting flexibility in large-scale deployments; for instance, aligning a BIMI selector with a specific DKIM selector ensures that only messages signed with the corresponding key can trigger logo display. If the BIMI record is invalid—such as containing malformed tags, non-HTTPS URIs, or an unrecognized version—email clients will simply omit the logo, preventing any fallback to unauthorized displays and maintaining security. Additionally, the record integrates with DMARC by requiring alignment to a DMARC policy of at least "quarantine" (with 100% percentage) on the organizational domain, and it leverages DMARC's aggregate (rua) and forensic (ruf) reporting URIs for ongoing monitoring of BIMI-related failures or abuses.[17][18]
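As an added example, not code from the specification or any mail provider, the following Python parses the tag-value record syntax described here into the `<selector>._bimi.<domain>` lookup label, and applies the receiver-side gate that the Verification Process section below describes (DMARC enforcement with pct=100, HTTPS-only l= and a= URIs, VMC validation when a= is present, and fallback from the author domain to the organizational domain). `lookup_record` and `bimi_decision` are hypothetical helpers that take a dict standing in for DNS and pre-computed DMARC, fetch and VMC results; `SAMPLE_DNS` is constructed sample data.

```python
from urllib.parse import urlparse

def bimi_label(domain, selector="default"):
    """Owner name of the BIMI assertion record: <selector>._bimi.<domain>."""
    return f"{selector}._bimi.{domain}"

def parse_bimi_record(txt):
    """Parse the DKIM-style 'tag=value;' syntax. Returns the tag dict, or None when
    the record must be treated as absent: v= not first or not BIMI1, a pair without
    '=', l= missing, or an l=/a= URI that is not HTTPS."""
    pairs = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not pairs or any("=" not in p for p in pairs):
        return None
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in pairs)}
    if not pairs[0].lower().startswith("v=") or tags.get("v") != "BIMI1" or "l" not in tags:
        return None
    for uri_tag in ("l", "a"):   # both are locations and must be fetched over HTTPS
        if uri_tag in tags and urlparse(tags[uri_tag]).scheme != "https":
            return None
    return tags

def lookup_record(dns, author_domain, org_domain, selector="default"):
    """Query the author domain's label first, then fall back to the organizational domain."""
    for domain in (author_domain, org_domain):
        txt = dns.get(bimi_label(domain, selector))
        if txt is not None:
            return txt
    return None

def bimi_decision(dmarc_pass, policy, pct, dns, author_domain, org_domain,
                  fetch_ok=True, vmc_valid=False, threat_verdict=False):
    """Hypothetical receiver-side gate mirroring the Verification Process section:
    returns ('render', logo_uri) or ('no_logo', reason)."""
    if threat_verdict:
        return ("no_logo", "spam/phishing/malware verdict overrides BIMI")
    if not dmarc_pass:
        return ("no_logo", "DMARC authentication failed")
    if policy not in ("quarantine", "reject") or pct != 100:
        return ("no_logo", "DMARC policy not at enforcement with pct=100")
    rec = parse_bimi_record(lookup_record(dns, author_domain, org_domain) or "")
    if rec is None:
        return ("no_logo", "BIMI record missing or malformed")
    if not fetch_ok:
        return ("no_logo", "HTTPS fetch of the indicator failed")
    if "a" in rec and not vmc_valid:
        return ("no_logo", "VMC referenced by a= did not validate")
    return ("render", rec["l"])

# Constructed sample zone data: a valid record with a VMC on the organizational
# domain, and a record on one subdomain that breaks the HTTPS requirement.
SAMPLE_DNS = {
    "default._bimi.example.com": 'v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem;',
    "default._bimi.promo.example.com": "v=BIMI1; l=http://promo.example.com/logo.svg;",
}
```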
Logo and Selector Specifications
The Brand Indicators for Message Identification (BIMI) protocol requires logos to be provided in a specific format to ensure secure and consistent rendering across email clients. The logo, also known as the indicator file, must be an SVG file conforming to the SVG Tiny 1.2 Portable/Secure (SVG P/S) profile or its compressed variant SVGZ, which is a restricted subset of the SVG Tiny 1.2 standard designed for secure embedding in email contexts without external resources.[19][17] This format ensures the logo is vector-based, static, and free of bitmaps, scripts, animations, or any interactive elements that could pose security risks.[20] Logos should feature a solid color background to maintain visibility in various display modes, with simple color schemes recommended for clarity, though full RGB color support is permitted as long as the file remains lightweight.[3] The file size must not exceed 32 KB to facilitate quick loading and caching by email providers.[3] BIMI selectors enable organizations to manage multiple logos or configurations per domain, mirroring the selector mechanism in DomainKeys Identified Mail (DKIM) for key rotation and alignment.[21] A BIMI selector is specified in the DNS record at a subdomain like selector._bimi.example.com, where "selector" can be a custom name such as "default" or one tied to specific DKIM keys for authentication alignment.[21] Within the BIMI DNS TXT record, the l= tag points to the HTTPS URL of the SVG logo file, while the a= tag references the Verified Mark Certificate (VMC) or evidence document associated with that selector, allowing targeted pairing of logos and certificates for different use cases.[21] This selector-based approach supports DKIM alignment by recommending the inclusion of a BIMI-Selector header in the DKIM signature for validation during email processing.[21]
The Verified Mark Certificate (VMC) serves as a cryptographic proof of trademark ownership, issued as an X.509 version 3 certificate by a trusted Certification Authority (CA) to bind the logo to the domain and prevent unauthorized use.[22] CAs must verify the mark through official trademark databases across supported jurisdictions (17 intellectual property offices as of September 2025), such as those from the World Intellectual Property Organization (WIPO), and confirm domain ownership or licensing rights before issuance.[22] VMCs can either link to an external SVG logo via the certificate's structure or embed the SVG directly using the SVG Tiny P/S profile within the certificate's mark representation field, ensuring the logo is self-contained and tamper-evident.[22] This embedding option complies with RFC 6170 for secure SVG handling, excluding any script tags or external dependencies.[22]
To ensure compliance, BIMI logos must pass validation using tools like the Valimail BIMI Checker, which verifies adherence to SVG P/S requirements, file integrity, and absence of prohibited elements such as external links or non-static content.[23] Hosting guidelines mandate that logo and VMC URLs be served over HTTPS from a reliable server, with responses resolving in under 1 second to support real-time email rendering, and appropriate caching headers (e.g., Cache-Control) to minimize repeated fetches while respecting TTL values up to 48 hours for propagation.[24]
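As an added example, not the Valimail checker or any vendor's tool, this Python function applies the indicator-file restrictions described above to an SVG before it is published: the 32 KB ceiling, the `baseProfile="tiny-ps"` root attribute and `<title>` element that the SVG P/S profile requires, and the absence of scripts, raster images, animation, event-handler attributes and external references. The forbidden-element list is derived from the prose above rather than copied from the profile, and both sample files are constructed here.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024  # size ceiling for the indicator file

# Element kinds the profile excludes, derived from the restrictions above: scripting,
# raster images, animation and embedded content (list is an assumption, not exhaustive).
FORBIDDEN = {"script", "image", "foreignObject", "animate", "animateMotion",
             "animateTransform", "animateColor", "set", "video", "audio"}

def check_svg_ps(svg_bytes):
    """Return a list of findings; an empty list means the file passed these checks."""
    findings = []
    if len(svg_bytes) > MAX_BYTES:
        findings.append(f"file is {len(svg_bytes)} bytes, above the 32 KB limit")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return findings + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        findings.append('root <svg> lacks baseProfile="tiny-ps"')
    if root.find(f"{{{SVG_NS}}}title") is None:
        findings.append("missing <title> element")
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local in FORBIDDEN:
            findings.append(f"forbidden element <{local}>")
        if local == "style" and ("url(" in (el.text or "") or "@import" in (el.text or "")):
            findings.append("<style> pulls in an external resource")
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):      # event handler attributes are scripting
                findings.append(f"event attribute {attr} on <{local}>")
            if attr.split("}")[-1] == "href" and "://" in value:
                findings.append(f"external reference {value} on <{local}>")
    return findings

# Constructed samples: a compliant static logo and one that violates several rules.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            b'viewBox="0 0 100 100"><title>Example logo</title>'
            b'<rect width="100" height="100" fill="#1a73e8"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" viewBox="0 0 100 100">'
           b'<script>/* any script */</script>'
           b'<rect width="100" height="100" onclick="toggle()"/></svg>')
```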
Verification Process
The verification process for Brand Indicators for Message Identification (BIMI) begins with email authentication prerequisites, ensuring only legitimate messages from authenticated domains can display brand logos. Incoming emails must first pass Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) validation, with alignment to the organizational domain in the RFC 5322 From header as required by Domain-based Message Authentication, Reporting, and Conformance (DMARC).[25] Additionally, the DMARC policy for the domain must be set to enforcement level (p=quarantine or p=reject) with a percentage (pct) of 100, meaning all messages must comply or face quarantine or rejection; failure at this stage blocks any BIMI processing entirely.[17]

Upon successful DMARC authentication, the mailbox provider or email client initiates the BIMI-specific workflow by querying the DNS for a TXT record at the _bimi subdomain of the authenticated organizational domain (e.g., default._bimi.example.com).[17] If the record exists and is well-formed (starting with v=BIMI1), the client extracts the location (l=) tag pointing to the logo's HTTPS URI and optionally the certificate (a=) tag for a Verified Mark Certificate (VMC), along with any other optional tags such as lps= or avp=.[17] The client then fetches the logo file, typically an SVG Tiny Portable/Secure (PS) document or SVGZ, over HTTPS to ensure transport security.[17] If a VMC is referenced in the BIMI record, the client must validate it by retrieving the certificate chain, checking its validity period, revocation status via Online Certificate Status Protocol (OCSP), and confirming the embedded SVG matches the fetched logo; only logos with valid VMCs from authorized issuers are rendered for trademarked brands.[17] Upon passing all checks—DMARC authentication, valid BIMI record, successful HTTPS fetch, and VMC validation if applicable—the client renders the logo adjacent to the sender's name in the inbox view.[17] Mail Transfer Agents (MTAs) may add authentication headers (e.g., BIMI-Indicator) to pass evidence to Mail User Agents (MUAs) for final display decisions.[26]

Fallback behaviors ensure security over display: if no BIMI record is found, the record is malformed, or the HTTPS fetch fails, no logo is shown, though the email may still be delivered if DMARC passes.[17] Similarly, detection of spam, phishing, or malware overrides BIMI, displaying default indicators like sender initials instead.[26] For enhanced integrity, DNS Security Extensions (DNSSEC) is recommended to sign BIMI records, protecting against DNS spoofing during lookups.[17] Clients may implement caching of validated logos and records (e.g., for hours to a day) to reduce latency and limit query-based tracking, with cache invalidation tied to certificate expiration or TTL values.[26] Alignment rules in BIMI follow DMARC conventions, using relaxed mode by default to match the organizational domain (e.g., example.com for sub.example.com) unless strict mode is specified in the DMARC record, ensuring subdomain consistency without requiring exact header domain matches.[25] If the author domain lacks a BIMI record, the client falls back to the organizational domain's record for lookup.[17]
Implementations and Adoption
Email Client Support
Gmail has provided full support for BIMI since July 12, 2021, displaying verified brand logos in the inbox for emails authenticated via DMARC, with initial requirements for a Verified Mark Certificate (VMC) that were expanded in September 2024 to include Common Mark Certificates (CMCs) for broader accessibility.[27][28] Apple Mail introduced BIMI support starting with iOS 16, iPadOS 16, macOS Ventura 13, and iCloud.com in fall 2022, requiring strong DMARC authentication and either a VMC or BIMI Evidence Document to display logos upon email opening.[29][30] Yahoo Mail has offered full BIMI support without mandating a VMC, focusing on DMARC-verified emails to enhance sender verification and reduce phishing risks.[31] In contrast, Microsoft Outlook and Office 365, including web and desktop versions, do not support BIMI display as of late 2025, though Microsoft enables BIMI implementation for senders via Dynamics 365 Customer Insights – Journeys.[32][9] ProtonMail lacks BIMI support in 2025, with no announced rollout plans.[33]

Provider-specific features vary in enforcement and integration. Google requires VMC or CMC validation for logo display across Gmail's web, mobile, and desktop clients, promoting stricter authentication to combat spoofing.[3] Apple integrates BIMI with its ecosystem, displaying logos only after authentication checks, and mandates compliance from both senders and email service providers.[29] Yahoo emphasizes logo verification through DMARC without additional certificate burdens, applying uniformly across its platforms.[31] Microsoft, while not rendering BIMI logos in Outlook, supports sender-side BIMI setup within Microsoft 365 for outbound emails, tying into broader authentication protocols like SPF and DKIM.[32]

| Email Client | SVG Rendering Support | VMC/CMC Validation | Mobile Limitations | Desktop Limitations |
|---|---|---|---|---|
| Gmail | Yes (Tiny 1.2) | Required (VMC or CMC) | Full support post-2024 update | Full support since 2021 |
| Apple Mail | Yes (Tiny 1.2) | Required (VMC or Evidence) | iOS 16+ only; logos post-open | macOS Ventura 13+ only |
| Yahoo Mail | Yes (Tiny 1.2) | Not required | Full support | Full support |
| Outlook | N/A | N/A | No support | No support |