Email Security 05-11-2026

DigiCert Mark Certificates for BIMI: Setup guide for VMC and CMC

Dean Coclin

BIMI is quickly becoming the difference between “delivered” and “trusted” in the inbox. When your domain meets the right authentication requirements, BIMI can display your brand’s verified logo in supported email clients. That helps protect against logo spoofing and makes it easier for recipients to recognize legitimate messages, giving your mail a stronger chance of being engaged with rather than ignored.

This guide is for IT and security teams responsible for preparing domains and email infrastructure for Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs). You’ll find the technical prerequisites, step-by-step setup, and the checks that prevent common issues during rollout, along with tool suggestions that can reduce manual DNS work. 

If your primary objective is to purchase a VMC or CMC, you can go straight to the DigiCert Mark Certificates page, then return here when you’re ready to implement.

Step 1: Prepare your domain

Start by confirming SPF and DKIM are correctly configured for every system that sends mail on behalf of your domain. Then, publish DMARC and move the policy to enforcement. DMARC enforcement is the gating requirement for BIMI in most real-world inbox implementations. 

If you use a DMARC automation platform, this is the moment to validate that every legitimate sender is accounted for before moving from monitoring to enforcement. That sequencing reduces disruption while still getting you to a BIMI-ready state.

Pro tip: Valimail Enforce automates this step, ensuring you meet DMARC requirements without endless manual DNS edits.

Step 2: Create your logo

Convert your logo into a BIMI-compliant SVG. Keep the artwork square, clean, and free of scripts or external references, because mailbox providers validate for safety and consistent rendering. For BIMI, “compliant” generally means using the SVG Tiny Portable/Secure (SVG Tiny PS) profile, which removes features mailbox providers and validators won’t accept.

Before you publish anything to DNS, validate the SVG against BIMI requirements using a trusted checker or validator. A quick validation pass here saves time later because an SVG formatting issue can look like a DNS or certificate problem during troubleshooting.
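A minimal pre-publication lint for the logo, as an added example (not DigiCert's or any mailbox provider's validator). It covers only the rules this guide names: the SVG Tiny PS profile marker, no scripts, no external references, square artwork, and Gmail's absolute-pixel size of at least 96x96. The function name and the sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def lint_bimi_svg(svg_text):
    """Return a list of problems; an empty list means every check passed."""
    # Meant for your own artwork; parse untrusted SVGs with e.g. defusedxml.
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps" (SVG Tiny PS)')
    for el in root.iter():
        name = el.tag.split("}")[-1]
        # Scripts: <script> elements and on* event-handler attributes.
        if name == "script" or any(a.startswith("on") for a in el.attrib):
            problems.append(f"script content in <{name}>")
        # References: anything other than a same-document "#id" fragment.
        for attr in ("href", XLINK_HREF):
            ref = el.get(attr, "")
            if ref and not ref.startswith("#"):
                problems.append(f"external reference in <{name}>: {ref}")
    # Gmail rule from this guide: absolute pixels, at least 96x96; keep it square.
    dims = {}
    for attr in ("width", "height"):
        match = re.fullmatch(r"(\d+(?:\.\d+)?)(?:px)?", root.get(attr, ""))
        if not match:
            problems.append(f"{attr} is not given in absolute pixels")
            continue
        dims[attr] = float(match.group(1))
        if dims[attr] < 96:
            problems.append(f"{attr} is below 96 pixels")
    if len(dims) == 2 and dims["width"] != dims["height"]:
        problems.append("artwork is not square")
    return problems

# Constructed samples, not real brand assets.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            'baseProfile="tiny-ps" width="96" height="96" viewBox="0 0 96 96">'
            '<title>Example</title><circle cx="48" cy="48" r="40"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="100%" height="64" '
           'xmlns:xlink="http://www.w3.org/1999/xlink"><script>1</script>'
           '<image xlink:href="https://cdn.example/logo.png"/></svg>')
```

A clean result here does not replace a full SVG Tiny PS validator; it catches the failures this guide calls out before they surface as apparent DNS or certificate problems.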

Step 3: Publish your BIMI record

Next, add a BIMI TXT record in DNS that points to your hosted SVG logo, then update it with your certificate location after your VMC or CMC is issued. Google’s BIMI setup documentation includes this publishing step as part of getting BIMI working in Gmail and similar clients.

Example BIMI record:

default._bimi IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

Treat the record like production infrastructure. Use stable hosting, confirm TLS is in use, and ensure your URLs are reachable by external verifiers. If your organization operates multiple sending subdomains or brands, plan your BIMI selectors accordingly so you don't have to redesign your DNS structure later.

Pro tip: Valimail Amplify can handle this automatically, hosting your logo and publishing the record with just a few clicks.

Step 4: Get your VMC or CMC

Choose the certificate type that matches your brand status and mailbox-provider goals:

  • Verified Mark Certificate (VMC): Intended for registered trademarks and certain verified marks; commonly associated with the highest level of visual verification in supported inbox experiences.
  • Common Mark Certificate (CMC): Expands BIMI access to organizations that don't meet the trademark requirement that VMCs depend on. Gmail has publicly confirmed support for CMCs for BIMI logo display.

DigiCert issues both certificate types, and purchasing starts from the Mark Certificates page. Once issued, you’ll link the certificate (often provided/hosted as a PEM file in common implementations) in your BIMI DNS record. Google notes that Gmail and other email clients support BIMI with PEM files in this workflow.

Moving toward enforcement with confidence

Stronger DMARC policies depend on accurate visibility. Enforcement actions such as quarantine and reject require assurance that legitimate senders are properly authenticated.

Accessible and continuously updated visibility allows teams to validate configurations, resolve gaps, and transition to enforcement with precision. This reduces the likelihood of disrupting legitimate communications and strengthens protection against unauthorized use.

Step 5: Test and verify

After DNS updates propagate, validate the complete chain: authentication results, BIMI record resolution, SVG accessibility, and certificate linkage. Then, test real sends to supported inboxes (commonly including Gmail and Yahoo Mail in many deployments) to confirm the logo renders as expected.

Verification should be ongoing, not a one-time event. DMARC reporting and authentication monitoring help you catch misaligned senders, vendor changes, or new services that could break DMARC alignment and indirectly prevent BIMI from working. 

Pro tip: Valimail Enforce provides ongoing DMARC and authentication visibility, which helps validate the technical setup with BIMI. Confirming your logo displays as expected in supported email inboxes confirms there are no formatting issues with your SVG. 

Troubleshooting: Why your logo isn’t showing

Most BIMI issues stem from a short list of causes. Work through these in order, because later steps often depend on earlier checks. Note: Valimail Amplify and Enforce dashboards make these checks faster and easier.

DMARC isn’t enforcing: Confirm DMARC is published and set to p=quarantine or p=reject. If your policy is still p=none, many providers won't display BIMI.

SPF/DKIM alignment is failing: Check real message headers from your test sends and confirm DMARC passes through SPF or DKIM alignment. DMARC depends on alignment with the visible From domain.

The SVG isn’t BIMI-compliant: Revalidate the SVG against BIMI requirements first. If the file includes scripts, external links, or invalid formatting, mailbox providers can refuse to render it. Also note that some providers apply additional SVG rules beyond the base BIMI spec—Gmail, for example, requires a minimum of 96x96 pixels and requires the image size to be specified in absolute pixels.

DNS record or certificate link is wrong: Verify the BIMI TXT record value, the selector (default._bimi unless you use another), and the URLs for the logo and certificate. Google’s workflow highlights the certificate file linkage as part of the end-to-end setup for Gmail.
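The DMARC, header, and record checks from the list above, as an added example (not DigiCert, Valimail, or Google tooling). TXT values and the Authentication-Results header are passed in as strings so it runs offline; the function names and sample inputs are constructed, and the SVG file itself is not inspected here.

```python
import re
from urllib.parse import urlsplit

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT string (DMARC and BIMI share it)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt, bimi_txt, auth_results):
    """Return problems in the troubleshooting order; [] means all passed."""
    problems = []
    # 1. DMARC must be published and enforcing.
    dmarc = parse_tags(dmarc_txt)
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"DMARC policy p={policy or '?'} is not enforcing")
    # 2. A real test message must show dmarc=pass in Authentication-Results.
    verdict = re.search(r"\bdmarc=(\w+)", auth_results, re.I)
    if not verdict or verdict.group(1).lower() != "pass":
        problems.append("test message did not pass DMARC")
    # 3. BIMI record: version tag plus HTTPS logo (l=) and certificate (a=).
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        return problems + ["no valid BIMI record"]
    for tag, what in (("l", "logo"), ("a", "certificate")):
        url = urlsplit(bimi.get(tag, ""))
        if not bimi.get(tag):
            problems.append(f"{what} URL ({tag}=) is missing")
        elif url.scheme != "https" or not url.hostname:
            problems.append(f"{what} URL is not a valid https:// URL")
    return problems

# Constructed sample inputs (example.com values, not real lookups).
GOOD = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
        "mx.example.net; dkim=pass header.i=@example.com; dmarc=pass header.from=example.com")
BAD = ("v=DMARC1; p=none",
       "v=BIMI1; l=http://example.com/logo.svg; a=",
       "mx.example.net; spf=pass smtp.mailfrom=bounce.example.org; dmarc=fail header.from=example.com")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, bimi_readiness(*sample))
```

The constructed BAD header shows why the second check matters: SPF passes for a different domain, so DMARC still fails on alignment with the visible From domain.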

Do I need a registered trademark to use BIMI?

If you’re planning to use a Verified Mark Certificate (VMC), you’ll typically need a registered trademark (or an equivalent verified mark, depending on jurisdiction and certificate rules). If you don’t have a registered trademark, a Common Mark Certificate (CMC) may be the better fit, since it’s designed for organizations that still want BIMI without meeting the VMC trademark requirement.

What’s the practical difference between a VMC and a CMC?

Think of the VMC as the option aligned to a registered trademark, while the CMC broadens access for organizations that can’t meet that trademark requirement. Both support BIMI logo display in inboxes that support BIMI, as long as your authentication setup is correct, but some mailbox providers differentiate the experience—for example, Gmail reserves the verified checkmark for VMCs.

Why does DMARC have to be set to quarantine or reject?

BIMI is built on top of domain enforcement. A DMARC policy of quarantine or reject tells mailbox providers you’re actively preventing spoofed mail from being treated as legitimate, which is a key trust signal for showing a brand logo. If you’re still at p=none, it usually means you’re in monitoring mode, and BIMI often won’t light up consistently.

How long does it take for BIMI changes to show up?

DNS changes can propagate quickly, but mailbox provider checks and caching may take longer than you expect. A good workflow is to confirm DNS resolution first, then validate the SVG and certificate URLs are accessible externally, and then run test sends to supported inboxes after propagation.
