How can BIMI be used for brand defense?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine your customers receiving an email that looks like it's from you, but it's actually a phishing attempt. No logo, no visual cue, nothing to tip them off. That's the gap BIMI (Brand Indicators for Message Identification) is designed to close.

BIMI lets email clients display your verified brand logo directly in the inbox, right next to your sender name. Spoofers can't show your logo because the system only renders it when two strict conditions are met on the sending domain. No shortcut around it.

What BIMI actually requires

Before your logo can appear anywhere, your domain needs to pass both of these:

  • DMARC at enforcement. Your DMARC policy must be set to p=quarantine or p=reject. A policy of p=none won't cut it. This is the technical gate that proves you've locked down your domain against unauthorized senders.
  • A Verified Mark Certificate (VMC). A VMC is a digital certificate issued by an approved authority (currently Entrust or DigiCert) that confirms your logo is a registered trademark and that you're the legitimate owner. Getting one involves submitting trademark registration documents and having your logo SVG verified. It's not instant, and it's not free (typically $1,000 to $1,500 per year). But that cost is exactly what keeps impersonators out.

The setup checklist

  1. Confirm your DMARC record is at p=quarantine or p=reject with full alignment. (Use our free DMARC parser to check yours.)
  2. Have a registered trademark for your logo in the markets you operate in.
  3. Prepare your logo as an SVG Tiny PS file (a specific SVG subset required by the BIMI spec).
  4. Apply for a VMC from Entrust or DigiCert. They'll validate your trademark and issue the certificate.
  5. Host your logo SVG on a publicly accessible HTTPS URL.
  6. Publish your BIMI DNS record as a TXT record on your domain, pointing to both the SVG and the VMC.

The BIMI record format looks something like: default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem"

Which email clients support BIMI today

Gmail and Google Workspace support BIMI with VMC requirement enforced. Yahoo Mail and AOL Mail support it too. Outlook and Microsoft 365 have their own similar system (BIMI-adjacent, called Brand Indicators) but with different technical requirements. Fastmail and Zoho Mail have also added support. Apple Mail on iOS and macOS has partial support depending on the version.

So the coverage isn't universal yet, which is worth knowing before you invest in a VMC. But Gmail alone covers a huge share of inboxes, so the protection is real even now.

Why this works as brand defense

So the defense is two-layered. At the technical level, a phishing domain can't satisfy DMARC enforcement for your real domain (that's what DMARC alignment does). At the human level, your customers start to associate the logo with trust. An email that claims to be from you but has no logo starts to feel wrong. That learned association builds over time and makes phishing attempts easier for recipients to spot.

It's not a magic shield. Users have to actually notice the absence of a logo, which takes time and training. But paired with strong DMARC enforcement and consistent sending habits, BIMI adds a visible layer that pure technical authentication can't provide on its own.

If you're not sure whether your DMARC is ready for BIMI, run it through our free DMARC parser first. Or if the whole setup feels like a lot, our SOS hotline is free and we'll walk you through it honestly.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get your BIMI setup plan

My domain is yourdomain.com and I send from ESP/mail server. I want to set up BIMI to protect my brand. Here's what I know about my current setup: DMARC policy is none/quarantine/reject, I do/don't have a registered trademark for my logo, and I'm sending to customers who mostly use Gmail/Outlook/Yahoo/other. Can you give me a step-by-step plan to get BIMI working, flag any gaps in my current authentication, and tell me whether a VMC is worth the cost for my situation?

Edit the yellow boxes, then send to the AI of your choice.