What image format does BIMI use and why SVG Tiny PS?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

BIMI uses SVG Tiny 1.2 Portable Secure, usually written as SVG Tiny PS or SVG P/S. It is not regular SVG. It is a locked-down subset, and mailbox providers will reject your logo if you hand them anything else.

What SVG Tiny PS actually is

The base spec is W3C SVG Tiny 1.2, a mobile profile of SVG built for low-power devices back in 2008. On top of that, the BIMI Group publishes a Portable/Secure profile that strips out anything risky for an inbox to render. So when someone says "the format comes from W3C," that is half right. W3C wrote SVG Tiny 1.2. BIMI Group wrote the rules on top of it.

The profile requires, among other things:

  • version="1.2" and baseProfile="tiny-ps" on the root <svg> element
  • A <title> element naming the brand
  • A square viewBox (the BIMI Group recommends 0 0 512 512)
  • No external references of any kind
  • No scripting, no event handlers, no animation, no interactivity
  • Solid fills only, no gradients, no filters, no masks, no clip paths beyond the basics
  • File size kept small, target under 32 KB

If any of those rules are broken, validators flag it and Gmail, Yahoo, and Apple Mail will not display the logo. The BIMI Inspector at bimigroup.org will tell you exactly which line failed.

Why the format is locked down this hard

Three reasons, in order of how much they matter.

1. Security. Full SVG supports JavaScript, foreign objects, and external <image> or <use> references. Each one is a way to ship code or fetch a tracking pixel from inside the email client. A logo that runs scripts when the inbox renders it is a vulnerability, not a brand asset. Tiny PS forbids all of it. No <script>, no onload, no xlink:href to anything off-document.

2. Consistent rendering. Gmail, Yahoo, Apple Mail, and Fastmail all have different renderers. Gradients render differently. Filters render differently. Fonts pulled from external URLs render not at all. The Tiny PS profile cuts the spec down to the parts every renderer agrees on, so the logo looks the same in every inbox.

3. Predictable size. Inboxes load logos for billions of messages. A 200 KB SVG with embedded fonts and 50 paths is fine on a desktop browser and a problem at inbox scale. Tiny PS is small by design.

What this means practically

You do not export BIMI SVG from Illustrator and ship it. You export, then run it through the BIMI Inspector, then fix what it flags. Common breaks: leftover <metadata> from Adobe, embedded raster images, gradients masquerading as fills, and the wrong baseProfile attribute.

BIMI only works when DMARC is at enforcement (p=quarantine or p=reject), which is downstream of SPF and DKIM both aligning. If SPF is fragile, BIMI is not going to save your logo from disappearing. Worth reading what SPF actually is and why SPF alone does not prevent spoofing before chasing the logo.

For the protocol itself, the working draft lives at the IETF: draft-brand-indicators-for-message-identification. That is where the indicator selection and trust model are specified.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me understand SVG Tiny PS

I'd like help understanding why BIMI requires SVG Tiny PS format instead of regular SVG files. What security risks does this restriction prevent?

Edit the yellow boxes, then send to the AI of your choice.