Skip to content
PowerMTA Experts

Deliverability service

Your verified logo in the inbox, set up to stay there.

BIMI puts your verified brand logo beside authenticated mail in Gmail, Apple Mail, Yahoo and Fastmail, with a verified checkmark in Gmail for senders holding a VMC. It sits on top of DMARC enforcement, so it is the reward for authentication done properly rather than a shortcut around it — and Microsoft Outlook does not display it at all.

Free 25-point audit Talk to an expert

BIMI (Brand Indicators for Message Identification) puts your verified brand logo beside authenticated mail in Gmail, Apple Mail, Yahoo and Fastmail, with a verified blue checkmark in Gmail for senders holding a VMC. It is the last step of an authentication programme, not a shortcut around one: the logo only appears once DMARC is at enforcement (p=quarantine or p=reject), the logo is a valid SVG Tiny P/S inside the size limit, a certificate — a VMC backed by a registered trademark, or a cheaper CMC backed by about a year of documented prior use — vouches for your right to the mark, and the files sit on reliable hosting. Microsoft Outlook and 365 do not display BIMI at all as of 2026, so the real reach is Gmail, Apple Mail, Yahoo and Fastmail, and the payoff is brand recognition and anti-impersonation rather than better placement.

In short

  • BIMI is a brand and trust signal, not a deliverability lever: a verified logo does not move mail out of spam, and the placement benefit belongs to the DMARC enforcement underneath it.
  • The logo only appears at DMARC enforcement (p=quarantine or p=reject); a p=none policy never qualifies, which is the single most common reason a logo fails to show.
  • A VMC needs a registered trademark and is the only certificate that triggers Gmail’s verified checkmark and that Apple Mail honours; a CMC skips the trademark with ~12 months of prior use, costs less, but Apple ignores it.
  • Microsoft Outlook and 365 show no BIMI logo as of 2026, so the real reach is Gmail, Apple Mail, Yahoo and Fastmail — worth knowing before spending on a certificate.
  • A VMC runs roughly $749 to $1,499 a year and a CMC around $650 to $1,100; the certificate is identical across authorities, so the price buys brand and service, not capability.

BIMI — Brand Indicators for Message Identification — is the standard that lets a mailbox provider show your logo next to a message once it has confirmed the message is genuinely yours. The appeal is immediate: a recognised mark in a crowded inbox, and in Gmail a verified checkmark that says a real, authenticated brand sent this. The catch is that the providers only extend that trust to senders who have already proven they control their mail, which is why BIMI is the last step of an authentication programme rather than a standalone tactic.

That ordering is the single most important thing to understand before spending a cent. A logo will not appear until your DMARC policy is at enforcement, your logo is in the exact format the providers accept, the right certificate vouches for your right to the mark, and the files sit on hosting that never blinks. Each of those is a small project, and most BIMI failures trace to one of them being skipped. The work pays off, but only when the sequence is respected.

VMC or CMC: which certificate do you need?

Two kinds of certificate can light up a BIMI logo, and choosing between them shapes the cost, the timeline and which inboxes will honour it. A Verified Mark Certificate proves your legal right to a logo through a registered trademark. A Common Mark Certificate, which arrived for Gmail in early 2025, skips the trademark in favour of proof that the logo has been in public use for about a year. The differences are not cosmetic.

 VMCCMC
Trademark needed Yes — a registered mark covering the logo No — roughly 12 months of documented prior public use
Gmail Logo plus the verified blue checkmark Logo only, no checkmark
Apple Mail Supported (DigiCert; Apple stopped honouring Entrust certs issued from 15 Nov 2024) Not recognised
Yahoo & Fastmail Supported Supported
Typical cost / year About $749 (Sectigo via resellers) up to roughly $1,499 (DigiCert, Entrust) About $650 to $1,100
Time to issue Months — trademark registration is the long pole Weeks — prior-use proof, no trademark wait

Authorised mark-certificate issuers listed by the AuthIndicators Working Group include DigiCert, Entrust, GlobalSign, SSL.com and Sectigo; individual mailbox providers choose which issuers they honour, so the right CA depends on your target inboxes.

The four prerequisites

Every BIMI implementation clears the same four gates, in roughly this order. Each missing one adds weeks, and the first accounts for the large majority of logos that never appear.

  1. DMARC at enforcement. Your policy must be at p=quarantine or p=reject, covering all of your mail. A policy still at p=none is the reason a logo fails to show in roughly five cases out of six, by one checker’s data — and no amount of logo or certificate work substitutes for it.
  2. A compliant logo. The artwork has to be SVG Tiny P/S, square, under 32 KB, served over HTTPS, with no scripts or external references. Providers validate it for safety and consistent rendering, and a near-miss simply does not display.
  3. Proof of the mark. A registered trademark for a VMC, or about a year of documented prior use for a CMC. Trademark registration can run six to eighteen months, which is why it is usually the longest part of the whole project.
  4. Control and hosting. You own the base domain and host both the PEM certificate and the SVG on stable public HTTPS. You need one certificate per unique logo and per base domain, and a mark certificate is valid for at most 397 days before renewal.
The chain to a visible logo: every link must hold, in order
1 · DMARC enforcement, not p=none 2 · SVG logo Tiny P/S, square, inside size limit 3 · Certificate VMC or CMC vouches for mark 4 · DNS + host record published, files always up Logo visible Renders in Gmail, Apple Mail, Yahoo, Fastmail — never in Microsoft Outlook (no BIMI support in 2026). The chain is only as strong as its weakest link: one broken condition removes the logo everywhere it showed.
BIMI looks like a single DNS record, but the logo is the output of a four-link chain, and a provider checks every link before it renders anything. The order is not arbitrary: enforcement comes first because it is the trust the providers actually price, and the logo, certificate and hosting are the proof stacked on top. Break any one link — let a certificate lapse, move a file, drop DMARC to p=none for a test — and the logo disappears from every inbox at once, with no warning.

How does a mailbox provider evaluate BIMI?

It helps to see the check from the receiver’s side, because every prerequisite maps to a step the provider runs in order. When a message arrives, the provider first confirms DMARC passes at an enforcement policy; a failure here ends the process and no logo is considered. It then looks up your BIMI record — a TXT entry published at default._bimi.yourdomain.com — which carries two values: l=, the HTTPS URL of your SVG logo, and a=, the URL of your mark certificate. The provider fetches the SVG and validates it against the format rules, fetches the PEM and checks the certificate chain, and confirms the logo inside the certificate matches the one you published. Only when all of that lines up does the logo render, and in Gmail the checkmark appears for a VMC. Each link is a place the chain can break, which is why a single moved or missing file takes the whole logo down rather than degrading gracefully.

Checking the BIMI chain the way a provider does
BIMI chain — DNS, read-only 
# Prerequisite: is DMARC actually at enforcement?
$ dig +short TXT _dmarc.example.com
"v=DMARC1; p=none; rua=mailto:[email protected]"
# p=none — BIMI will not render: enforcement (quarantine/reject) is required first

# The BIMI record: does it point at a logo and a certificate?
$ dig +short TXT default._bimi.example.com
"v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
# record is well-formed — but it stays invisible while DMARC sits at p=none
Two read-only queries show the most common BIMI failure in one frame: a perfectly formed BIMI record, with a logo URL and a certificate, that renders nothing because DMARC is still at p=none. The record looks done, so the sender assumes the problem is the logo or the certificate and spends time there — when the actual blocker is the enforcement prerequisite one record above it. A provider checks DMARC first, and so do we.

Which inboxes actually show the logo?

BIMI’s reach is real but uneven, and knowing the map before you buy keeps the spend honest. Receiver-side support is stable across the providers below, even though the specification itself is still an IETF Internet-Draft rather than a finished RFC.

InboxWhat it shows
Gmail Logo for a valid VMC or CMC; the verified checkmark for a VMC only.
Apple Mail Logo for a VMC issued by a CA it trusts; CMCs are not recognised.
Yahoo Mail Logo display, and historically without requiring a paid certificate at all.
Fastmail Logo for a valid VMC or CMC.
Microsoft Outlook / 365 No BIMI support as of 2026 — no logo regardless of your setup.

Apple Mail and Gmail between them cover a large majority of consumer mail, which is what makes BIMI worth the effort despite Outlook’s absence.

Preparing the logo: where SVGs fail

The artwork requirement is stricter than most designers expect, and a logo that looks perfect in a browser routinely fails BIMI validation. The format is SVG Tiny P/S, a deliberately limited profile, and the file has to declare that profile, sit on a square canvas, stay under 32 KB, and carry no scripts, no external references, no raster images and no embedded fonts. A title element naming the mark is expected, and the artwork should be centred on a solid background rather than transparency, since some clients render a transparent logo onto a colour that ruins it. Most brand SVGs leave a design tool carrying exactly what the profile forbids, so the real work is converting and stripping the file down until it validates, then confirming it through the BIMI Group’s inspector before any certificate is ordered against it. Ordering the certificate first and discovering afterwards that the logo will not validate is a common and avoidable waste.

The part most senders underestimate: keeping it alive

Getting a logo to appear is a finite task. Keeping it appearing is the part that quietly defeats teams who treated BIMI as a one-time setup. Several things can switch the logo off without warning, and none of them announces itself.

The certificate expires every 397 days and has to be renewed and re-hosted. The PEM file and SVG live on hosting you control, and a moved URL or an hour of downtime breaks display immediately. The authorities themselves are not fixed points: when Apple stopped honouring Entrust certificates issued from 15 November 2024, every affected sender relying on Apple Mail had a problem that no change on their own side had caused. And because BIMI rests on DMARC alignment, any new sending tool or DNS edit that breaks alignment will take the logo down with it, often before anyone notices the underlying authentication slip. A logo that vanishes is worse than one that never appeared, because customers learned to expect it. Keeping it lit is an upkeep job, and we treat it as one.

What does BIMI cost, plainly?

The pricing is knowable, which is more than can be said for much of this market. A VMC runs from around 749 US dollars a year through the cheaper authorities to roughly 1,499 at the best-known ones, and a CMC sits lower, between about 650 and 1,100. If the trademark does not yet exist, add a few hundred dollars at the USPTO or in the region of 850 euros at the EUIPO, plus the months registration takes. Hosting the files need not cost anything. The detail worth holding onto is that the certificate is technically identical whichever authority issues it — same format, same validation, same provider compatibility — so paying the premium name buys guided service and reputation, and the cheaper authority your inboxes already honour does the same job for the logo.

The Gmail verified checkmark, specifically

Gmail draws a line the other inboxes do not, and it is worth understanding before you choose a certificate. A valid BIMI setup with either a VMC or a CMC places your logo beside your mail in Gmail. The verified checkmark next to the sender name, though, is reserved for a VMC — the certificate backed by a registered trademark. To a recipient the distinction reads as a small mark beside the name, but its meaning is precise: Gmail is vouching that the sender’s identity was checked against a trademark, a stronger statement than confirming a published logo alone. For a consumer brand fighting impersonation, that mark is often the real prize, and it is the reason a sender with the budget and the trademark takes the VMC path even though a CMC would show the same logo. For a brand without a registered mark, the logo on its own still earns recognition, and the checkmark simply waits until the trademark exists. We make that trade-off explicit when we scope the work, because it is the difference between a project measured in weeks and one measured in months.

Is BIMI worth the payoff?

Adoption tells its own story: a Validity survey in 2025 put BIMI at roughly 4.6% of the domains it looked at, a small share precisely because the DMARC-at-enforcement prerequisite is a real barrier rather than a checkbox. For the brands that clear it, the certificate-industry research reports meaningful lifts in open rates, brand recall and consumer trust, and those findings are consistent enough to take seriously even discounted for the source. The reasonable conclusion is narrow and useful: BIMI rewards brands whose name carries weight and whose audience sits on the supporting providers, and it does so as a trust and recognition signal layered on authentication — not as a fix for mail that is landing in spam. If your placement is the problem, BIMI is the wrong tool, and we will say so.

How long until the logo is visible?

The honest answer ranges from a few weeks to most of a year, and the variable is almost entirely the certificate path. If you already hold a registered trademark, a VMC can be validated and issued quickly once DMARC is at enforcement — an authority can often issue within a day of verifying the documents. If you do not, trademark registration is the long pole at six to eighteen months, during which a CMC offers a faster route: prior-use proof rather than a mark, issued in weeks, with a logo in Gmail, Yahoo and Fastmail while Apple and the checkmark wait. The work with no shortcut is reaching DMARC enforcement, which is why we start there in parallel with everything else. A sender already at enforcement with a clean trademark is weeks away; one starting from p=none with no mark should plan in months and use the CMC and Yahoo paths to show a logo in the meantime.

BIMI across a portfolio of brands

The cost and effort scale with the number of distinct logos and base domains, because the rule is one certificate per unique logo and per unique base domain. A business running several brands is therefore running several BIMI projects at once, each with its own DMARC enforcement, its own SVG, its own certificate and its own renewal clock. The trap is treating them as one: a single certificate cannot cover distinct marks, and a lapse on one brand’s hosting or alignment quietly drops that brand’s logo while the others stay lit, which is hard to spot without per-brand monitoring. We run portfolio BIMI as a set of parallel tracks on a shared renewal calendar, so no brand’s logo expires unnoticed and each brand’s authentication stays isolated from the rest.

BIMI as brand protection

The strongest case for BIMI is rarely the open-rate chart. It is impersonation. A brand whose name is worth forging — a bank, a retailer, a platform people trust with money — gains a visible, hard-to-fake signal that a message is the real thing, and over time trains its audience to treat mail without the logo as suspect. That works only because the logo cannot appear without DMARC enforcement, which is itself the control that stops most spoofing at the door. Seen this way, the certificate is the visible tip of an anti-impersonation programme rather than a marketing decoration, and the brands that gain most from it are exactly the ones criminals find most worth imitating.

Where we fit

Most of the difficulty in BIMI is the prerequisite, and the prerequisite is our core work. Bringing a domain to DMARC enforcement without bouncing legitimate mail is the same authentication discipline we run as a service in its own right, which means the hardest gate is one we are already built to clear. From there the BIMI-specific steps are ones we handle end to end: validating the SVG against the exact specification, advising VMC against CMC for your trademark reality and provider mix, choosing the cheapest authority your target inboxes will honour, coordinating the validation, and hosting the PEM and SVG on infrastructure that stays up.

We do all of it independently. We resell no certificates and hold no CA partnership, so the recommendation is shaped by your audience and budget rather than a margin we would earn. And because we work in Spanish and Portuguese as readily as in English, a brand protecting its mark across Latin American and Iberian markets is not left translating a certificate process designed for somewhere else.

How we run it

The sequence is fixed, because skipping a step is what wastes money on this particular project.

  1. Confirm or reach enforcement. We verify DMARC is at p=quarantine or p=reject across all mail, and bring it there first if it is not.
  2. Prepare the logo. The artwork is converted to compliant SVG Tiny P/S and validated before a certificate is ever ordered.
  3. Choose the certificate path. VMC or CMC, and which authority, decided against your trademark position and the inboxes you care about.
  4. Coordinate issuance and hosting. We run the validation with the CA and host the PEM and SVG on stable HTTPS.
  5. Publish, test and watch. The BIMI record goes live, we confirm the logo renders in real sends, and the certificate and alignment go onto the same monitoring that keeps the rest of your authentication honest.

The free 25-point audit is the place to begin, because it shows whether you are anywhere near the enforcement BIMI demands. If you are far from it, that is the work to do first; if you are already there, a logo can be in supported inboxes within weeks on the CMC path, or once the trademark clears on the VMC one.

FAQ

BIMI and VMC questions

Is BIMI worth doing?

It depends on what you want from it. BIMI is a brand and trust signal, not a deliverability lever — your verified logo beside authenticated mail in Gmail, Apple Mail and Yahoo, and a checkmark in Gmail if you hold a VMC. Vendor research from the certificate side reports gains in open rates, brand recall and consumer confidence, and those studies point the right way even if the exact figures are theirs to defend. What BIMI will not do is rescue placement: a logo does not move mail out of spam. The honest case for it is recognition and anti-impersonation for a brand whose name gets forged, sitting on top of authentication you should have anyway.

VMC or CMC — which do we need?

A VMC requires a registered trademark and is the only certificate that triggers Gmail’s verified checkmark and that Apple Mail will honour. A CMC, introduced for Gmail in early 2025, skips the trademark by accepting about a year of documented prior use, costs less, and ships in weeks rather than months — but Apple Mail does not recognise it and Gmail shows the logo without the checkmark. The decision comes down to two questions: do you already hold the trademark, and does your audience live on Apple Mail. We map that to your situation rather than defaulting to the most expensive certificate.

Does BIMI improve deliverability?

Not directly. Placement is decided by reputation, authentication and engagement; a logo is none of those. What helps your deliverability is the prerequisite BIMI forces you to meet — DMARC at enforcement — which is valuable in its own right and which we would push you toward regardless of whether a logo ever appears. Treat the placement benefit as belonging to the authentication work underneath, and the logo as the brand reward sitting on top of it.

Why is our logo not showing in Outlook?

Because Microsoft Outlook and Microsoft 365 do not support BIMI as of 2026, no configuration on your side will produce a logo there. This catches a lot of senders by surprise, since Microsoft is a large share of business mail. BIMI display today means Gmail, Apple Mail, Yahoo and Fastmail; we are clear about that reach before you spend on a certificate, so the investment is made with the real audience in view rather than an assumed one.

What does it cost?

A VMC runs from about 749 US dollars a year through the cheaper authorities up to roughly 1,499 at DigiCert or Entrust, and a CMC sits lower, around 650 to 1,100. If you need to register the trademark first, add the filing cost — on the order of a few hundred dollars at the USPTO or around 850 euros at the EUIPO — and the months it takes. The certificate itself is technically identical across authorities, so the price difference buys service and brand, not capability. Hosting the files can be free. We help you spend the minimum that still works for your provider mix.

We have no registered trademark. Can we still get a logo in the inbox?

Often yes. A CMC accepts proof that the logo has been in continuous public use for roughly a year, which suits brands that have been trading under a mark they never formally registered. Yahoo, separately, has historically shown a BIMI logo without requiring any paid certificate at all. If Apple Mail and the Gmail checkmark matter to you, the trademark route and a VMC become necessary; if they do not, a CMC or a Yahoo-first approach puts a logo in front of a large audience far sooner.

Our DMARC is set up but the logo still will not appear. Why?

The most common cause by far is a DMARC policy still at p=none. BIMI needs enforcement — p=quarantine or p=reject covering all of your mail — and a monitoring policy does not qualify, however complete the record looks. After that, the usual culprits are an SVG that is not valid Tiny P/S or sits above the size limit, a PEM certificate chain that does not validate, or a hosting URL that moved or went down. We work the chain end to end until each link checks out and the logo renders in a real send.

Do you resell the certificate?

No. We hold no reseller relationship with any certificate authority, so we have no reason to steer you toward a pricier one. We tell you the cheapest authority your target inboxes will actually honour — which is not always the best-known name — coordinate the validation, and handle the technical chain around it. You pay the CA directly; we are paid for the work, not a margin on the certificate.

Start with the audit.

Twenty-five points across authentication, reputation, infrastructure and compliance — a written assessment, no charge and no obligation. It tells both of us exactly what we are working with.

Request the free audit Talk to an expert