BIMI (Brand Indicators for Message Identification) lets a domain with passing DMARC publish an SVG logo that supporting mail clients display next to authenticated messages. This article explains what BIMI is, the prerequisites, how UK businesses deploy it, the role of VMCs, and how the visual trust signal works for recipients.
BIMI is a standard that lets mail recipients see a brand's logo next to authenticated messages in supporting mail clients. Rather than just text showing the sender's name, the client displays the brand's logo — providing a visual trust signal that the message genuinely comes from the claimed sender.
BIMI is opt-in: the sender publishes a BIMI DNS record, the logo as SVG at a public URL, and (for most major receivers) a Verified Mark Certificate attesting trademark ownership of the logo. Receivers that implement BIMI query the record, fetch the SVG, validate it against the VMC if required, and display the logo next to authenticated mail.
BIMI depends on authentication. A domain that cannot prove mail really comes from it should not be granted a visual trust signal. Specifically:
p=quarantine or p=reject. p=none is not sufficient.pct= below 100 in some receiver interpretations).Without all prerequisites, the BIMI record is published but no logo is shown.
Published at default._bimi.domain as a TXT record:
default._bimi.firm.co.uk. IN TXT "v=BIMI1; l=https://firm.co.uk/assets/bimi/logo.svg; a=https://firm.co.uk/assets/bimi/vmc.pem"Tags:
v=BIMI1 — version. Required.l= — URL of the SVG logo. Required.a= — URL of the VMC PEM file. Optional (required for Gmail, Yahoo).The selector (default) is almost always default for general mail. For different sender classes (marketing vs transactional) different selectors can be used with different logos, referenced in the message via a BIMI-Selector: header.
BIMI logos must conform to SVG Tiny 1.2 Profile — a specific subset of SVG with additional restrictions:
title element with descriptive text).Most existing logos need adaptation to meet the profile. Design tools like BIMIconverter, Mutt's BIMI tool, or manual editing in a text editor produce compliant SVGs. The resulting file is served from HTTPS under your domain.
A VMC is a specialised X.509 certificate attesting that the logo in the BIMI record is a trademark you own. VMCs are issued by:
Requirements:
Cost: approximately USD 1,500 per year. The process from application to approved VMC takes 2-6 weeks typically.
Full BIMI display (logo in inbox list, reading pane, mobile):
Partial or no support:
p=quarantine or p=reject is live.https://firm.co.uk/assets/bimi/logo.svg.default._bimi.firm.co.uk.| Component | Cost |
|---|---|
| DMARC enforcement (p=quarantine+) | Usually already deployed; no extra cost |
| SVG logo conversion | Design time, 2-4 hours typically |
| HTTPS hosting for logo and VMC | Minimal; on existing web infrastructure |
| VMC from DigiCert/Entrust | ~USD 1,500/year |
| Trademark registration (if not held) | Substantially variable |
For UK SMEs without a registered trademark, VMC is out of reach — the BIMI record can still be published (without a=) and Fastmail/Proton will display the logo. Gmail and Yahoo will not.
For UK businesses with existing trademarks, VMC is a modest cost for the visible brand trust benefit. Many financial services, retailers and tech firms have deployed VMC-backed BIMI.
Deploying BIMI delivers several measurable outcomes for UK brands:
Ongoing monitoring items:
p=quarantine disables BIMI.Receiver-side tools (Google Postmaster Tools, Yahoo Sender Hub) report BIMI display status per domain. Useful for confirming deployments are working end-to-end.
Q: Is BIMI worth deploying without a VMC?
A: For UK businesses targeting Fastmail, Proton Mail and some European receivers, yes. For businesses whose audience is predominantly on Gmail and Microsoft, VMC is needed for visible benefit. Make the decision based on your audience.
Q: Can I use an existing logo file for BIMI?
A: Only if it is already SVG Tiny 1.2 compliant, square, and under 32 KB. Most corporate logos need adaptation. Designers familiar with BIMI can produce compliant files in a few hours.
Q: How long does VMC issuance take?
A: Typically 2-6 weeks from application. Requires trademark proof and domain verification. Factor this into project timelines.
Q: What happens if my DMARC enforcement is paused or reverted?
A: BIMI logos stop displaying. The BIMI record remains in DNS but receivers stop honouring it when DMARC weakens below p=quarantine.
Q: Can BIMI be abused to display a misleading logo?
A: The VMC process specifically prevents this by requiring trademark ownership. Without VMC, Gmail/Yahoo do not display logos; smaller receivers that do may accept any SVG, but the DMARC enforcement requirement means only authenticated mail gets any logo.
Q: How do I tell whether BIMI is working for my domain?
A: Send a test message from your domain to a Gmail account, open on web or mobile Gmail, and check whether your logo appears next to the sender name. Fastmail and Proton behave similarly.
Q: Is BIMI a UK regulatory requirement?
A: No. BIMI is a voluntary enhancement. NCSC does not mandate it; ICO does not reference it. It is a marketing and brand-trust feature, not a compliance control.
Q: Do Microsoft Outlook and Outlook.com display BIMI logos?
A: Limited deployment. Microsoft has announced BIMI support and deployed it selectively. Assume limited display for Outlook users in 2026.
Q: Can I have different BIMI logos for different types of mail (marketing vs transactional)?
A: Yes. Use different selectors and reference the correct one with a BIMI-Selector: header on each outgoing message. Rare in practice — most deployments use a single logo.
Q: Does BIMI improve deliverability?
A: Marginally. Having BIMI deployed is a positive reputation signal at some receivers. The primary value is the brand trust impression on recipients, not deliverability per se.
Q: Can a BIMI logo be animated?
A: No. SVG Tiny 1.2 does not support animation features. Static only.
Q: What is the BIMI Common Mark Certificate (CMC)?
A: A lighter-weight alternative to VMC for certain common marks. Gaining traction but less universally recognised than full VMC. Check with your issuer.
Q: Can I deploy BIMI on a subdomain?
A: Yes. Each sending subdomain can have its own BIMI record. Useful when different subdomains represent different brand identities.
Q: How often do receivers re-check the BIMI logo?
A: Periodically — typically daily per receiver. Changes to the logo or VMC propagate on that cadence. Short cache TTL (hours) on the HTTPS URL supports faster iteration during initial deployment.
Q: If I change my logo, do I need a new VMC?
A: Yes if the new logo is substantially different from what the VMC attests. Minor variations within the trademarked design may not. Consult the VMC issuer.
Q: How does BIMI interact with transactional vs marketing mail?
A: A single BIMI record applies across all mail from the domain. If marketing and transactional should show different logos, use subdomain segmentation or separate selectors with BIMI-Selector: headers.
Q: Can I use SVG animations or gradients in a BIMI logo?
A: Animations no. Simple linear gradients may be acceptable per SVG Tiny 1.2 profile; test with a validator before deployment.
Q: What happens if a receiver does not support BIMI?
A: The receiver ignores the BIMI record. Mail displays with default sender info (name/email) without a logo. No mail is blocked or broken.
Q: Is BIMI effective against email spoofing that already passes DMARC?
A: Partially. If an attacker registers firm-co-uk.com with their own DMARC-passing setup, they can send from it — but they cannot display your logo without your VMC. Recipients who are conditioned to expect the logo notice its absence.
Q: Are there non-VMC alternatives being considered?
A: The BIMI Common Mark Certificate (CMC) is a lighter alternative for some cases. CMC is gaining limited adoption. Non-VMC BIMI continues to work on Fastmail, Proton, and some European receivers.
Q: How do UK banks typically implement BIMI?
A: Most large UK banks have deployed BIMI with VMC for their customer-facing mail domains. The logos appear in Gmail for retail banking notifications, PIN reminders, statement notifications. Adoption is near-universal among top-tier UK financial brands.
Q: Should a UK SME without a trademark bother with BIMI?
A: If the budget for trademark registration and VMC (~£1,500+ annually) is available, yes. If not, deploy a BIMI record without a= — free benefit on Fastmail/Proton, wait for Gmail/Yahoo until VMC is affordable.
Q: How do you test BIMI during development without deploying to production?
A: Use a staging subdomain with its own DMARC, BIMI record, and logo. Send test messages from that subdomain to your personal Gmail — if DMARC enforces and logo displays, production setup will too.
Q: Does BIMI require anything on the sending mail server?
A: No — BIMI is entirely DNS and HTTPS hosted assets. The sending mail server does not need to do anything specific. Any message that passes DMARC gets the logo treatment at supporting receivers.
Q: How long does logo display take to activate after publishing BIMI?
A: Receivers cache per their own TTLs. Gmail typically reflects new BIMI records within 24-48 hours. VMC validation at the receiver adds time. Plan for a week of settling before expecting universal display.
Q: Can BIMI logos be updated frequently or are they static?
A: Technically updatable — you change the SVG file at the URL. In practice, logos are static; brands update infrequently. Updates typically coincide with rebrands and VMC renewals.
Q: Is there a UK trade body or industry group for BIMI adoption?
A: BIMI Group (bimigroup.org) is the global forum. No UK-specific body. UK Financial industry (through UK Finance) has internal working groups on email security including BIMI.
Q: Does Mail Hardener or similar services help with BIMI?
A: Some DMARC platforms include BIMI monitoring — alerting on record changes, logo fetch failures, VMC expiry. Useful operational layer alongside the deployment itself.
Q: Are there any GDPR implications of publishing a BIMI logo publicly?
A: None. The logo is a brand asset, not personal data. Public BIMI records and VMCs are appropriate for public use.
Q: Does BIMI protect against look-alike domain attacks?
A: Partially. An attacker using a look-alike domain (firm-co-uk.com) cannot display your logo without your VMC. Recipients conditioned to see the logo notice its absence on the spoof. Not a silver bullet but a useful additional signal.
Q: What is the total 12-month cost of BIMI with VMC for a typical UK SME?
A: Roughly £1,200-£2,000 for the VMC annually (depending on exchange rate, issuer, and add-ons). Plus one-off design/conversion work around £500 if using a designer. Trademark registration (if not held) is separate and substantially more.
Q: Are BIMI and VMC standards stable, or are they evolving?
A: BIMI v1 is stable. The VMC ecosystem is maturing — new types (CMC) emerging, more issuers expected. Adoption is in growth phase; expect broader receiver support and lower-cost certificate options over the next 2-3 years.
Q: Does BIMI help with inbox placement (avoiding spam folder)?
A: Indirectly. The DMARC enforcement prerequisite is the real driver of deliverability improvements. BIMI adds a trust signal; spam filters may weight it positively. Primary value is visible brand trust, not deliverability per se.
Q: Is BIMI available for public sector domains?
A: Yes. Some .gov.uk domains (HMRC, DVLA, NHS-related) have deployed BIMI. The process and requirements are the same as for private sector, though trademark sourcing may differ for public entities.
Q: Can I preview what my logo will look like in Gmail before deploying?
A: Partially — tools like BIMI Group's validator render the SVG. For actual Gmail rendering, send a test to a personal Gmail after deploying. No perfect preview without deployment.
Q: What happens if I stop paying for VMC renewal?
A: The VMC expires. Gmail and Yahoo stop displaying your logo (they require an active VMC). Fastmail and Proton continue displaying based on the SVG alone. The BIMI record itself remains valid; just the VMC lapses.
Q: Are there any UK organisations that have deployed BIMI without VMC and seen benefit?
A: Yes — some UK SaaS companies, smaller retailers, and charities publish non-VMC BIMI for Fastmail and Proton recipients. Adoption is modest but growing as those receivers gain UK market share.
Q: Does BIMI work for internal mail within my UK organisation?
A: If internal mail passes through a receiver that supports BIMI (for example, Gmail-based corporate mail), yes. If internal mail never leaves your on-premises server, BIMI is irrelevant — users see raw internal mail.
Q: Is there a difference in BIMI behaviour for consumer Gmail vs Google Workspace?
A: Minimal. Both honour BIMI records identically. Google Workspace admins can configure policies around BIMI display for their users, but the underlying mechanism is the same.
Q: Is BIMI appropriate for a UK charity's communications?
A: Yes. Charities benefit from the trust signal, and many UK charities hold registered trademarks for their names/logos. VMC cost is a consideration but often worthwhile given the importance of trust for donations and supporter engagement.
Q: Will BIMI become standard across all UK business mail?
A: Probably over the next 3-5 years. VMC costs will likely come down; receiver support will broaden; marketing teams will push for it. Expect BIMI to be as routine as DMARC by the end of the decade.