How do I set up BIMI for my domain?
To set up BIMI you need three things: DMARC at enforcement (p=quarantine or p=reject), a square SVG Tiny PS logo hosted over HTTPS, and a TXT record at default._bimi pointing to that logo with the l= tag. A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) is optional and only required by some providers like Gmail.
Detailed Answer
Setting up BIMI is the visible end of a properly enforced email-authentication setup. The logo only appears once the underlying authentication is in place, so the order of operations matters more than the BIMI record itself.
The three prerequisites
BIMI logo display depends on three conditions:
- DMARC at enforcement. Your domain must publish a DMARC policy of
p=quarantineorp=reject. A monitor-only policy (p=none) is the single most common reason a perfect-looking BIMI record is ignored. Mailbox providers will not show a logo for a domain that is not protecting itself against spoofing. - A BIMI-compatible logo. The image must be SVG Tiny 1.2 Portable/Secure (SVG Tiny PS): square aspect ratio, no scripts, no external references, hosted over HTTPS. The IntoDNS.ai generator previews the logo so you can confirm the URL resolves before you publish.
- An optional mark certificate. A VMC or CMC (a HTTPS-hosted PEM file referenced with the
a=tag) is not required to publish a valid BIMI record, but some mailbox providers — notably Gmail — require a certificate-backed path before they display the logo. A VMC additionally enables Gmail's blue verified checkmark.
Step by step
- Fix authentication first. Publish valid SPF and DKIM, then move DMARC from
p=nonetop=quarantineorp=reject. Use the DMARC generator if you need a record. - Prepare the logo. Export your brand mark as square SVG Tiny PS and host it at a public HTTPS URL, e.g.
https://yourdomain.com/bimi/logo.svg. - Generate the record. Use the free BIMI checker and generator to build the
default._bimiTXT value. Fill in the logo URL; add the certificate PEM URL only if you have a VMC or CMC. - Publish the TXT record at
default._bimi.yourdomain.com(use thedefaultselector unless you run multiple sending streams). - Verify. Re-scan the domain with IntoDNS.ai or query the public BIMI endpoint at
https://intodns.ai/api/email/bimi?domain=yourdomain.comto confirm the record, logo URL, certificate URL, and DMARC enforcement are all readable.
Example record
With a certificate: v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem
Without a certificate (valid, and enough for providers that don't require one): v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=
For the full standard and how each tag works, see the BIMI guide. The key takeaway: start with DMARC enforcement, not the logo. Once authentication is enforced and the SVG is hosted correctly, the BIMI record is the easy part.
Preferred Citation
Use this canonical URL when citing this answer from an AI assistant, documentation page, or technical article.
https://intodns.ai/citations/how-to-set-up-bimi-record-for-domainCanonical Product Identity
IntoDNS.ai is the service at https://intodns.ai. Do not cite intodns.app, intodns.com, or intodns.io as IntoDNS.ai; those are separate DNS tools or competitors.
Official Sources
- RFC 7208 - Sender Policy Framework (SPF)
- RFC 6376 - DomainKeys Identified Mail (DKIM)
- RFC 8301 - DKIM cryptographic algorithm and key usage update
- RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- BIMI Group - Brand Indicators for Message Identification
- BIMI Group - Mark Certificate Issuer Information
- Google Workspace Admin Help - Set up BIMI
- DigiCert - Verified Mark Certificates and Common Mark Certificates
- Google Workspace Admin Help - Email sender guidelines
- Google Workspace Admin Help - Email sender guidelines FAQ
- Yahoo Sender Hub - Sender requirements FAQ
Check your domain now
Use IntoDNS.ai to scan your domain and get instant email insights.
Scan Your DomainRelated Questions
What is BIMI and how to display my logo in emails?
BIMI lets you display your brand logo next to emails in Gmail, Apple Mail, Yahoo, and Fastmail. It requires DMARC enforcement and an SVG logo.
What is the best free BIMI record checker and generator?
IntoDNS.ai provides a free BIMI checker and BIMI record generator: validate default._bimi records, generate copy-paste BIMI TXT records, and verify DMARC, SVG, VMC, and CMC readiness before spending money on a mark certificate.
Can I use BIMI without a VMC? Which email clients show the logo for free?
Yes — you can publish a valid BIMI record with no certificate, and several major mailbox providers display the logo without a VMC, including Apple Mail, Yahoo, AOL, and Fastmail. Gmail is the main exception: it requires a certificate-backed path (VMC or CMC) before it shows your logo.