SenderReady

How to set up BIMI safely

BIMI can let participating mailbox providers display a brand logo next to authenticated mail, but it is not the first email-authentication step. Treat it as a later-stage signal after SPF, DKIM, DMARC alignment, reporting, and enforcement are already under control.

Check your BIMI and DMARC readiness

Run the public DNS scan before publishing a BIMI record. The scan can find BIMI and DMARC signals, but provider display still depends on external eligibility rules.

01$0Free scan

Check the public sender-auth records mailbox providers expect.

02$0Shareable action plan

Keep one URL with evidence, owner steps, and decisions.

03$49$49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.
Checks Gmail, Yahoo, and Microsoft sender requirementsPublic DNS onlyNo mailbox login needed
Example result72/100Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence
DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step
The audit adds provider context and a verification checklist.
Get the exact fix plan for your domain.$49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.
Get my $49 fix planView sample
Sender readiness cockpitExample action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARCPass
SPFPass
DKIMPass
MXPass
BIMIWarning
MTA-STSFail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

HighDMARC

Review DMARC policy strength before a high-volume send.

Evidence
Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change
Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds
Policy sequence, starter record review, alignment questions, and enforcement caveats.
Get my fix plan

What BIMI needs before DNS

Google says BIMI requires third-party certification for the domain and logo through a Verified Mark Certificate or Common Mark Certificate. Google also requires the domain's DMARC policy to be p=quarantine or p=reject, with pct=100.

The BIMI Group implementation guide uses the same enforcement posture: DMARC should be at enforcement on the organizational domain and subdomains, and policies with pct below 100 percent are not accepted.

A cautious BIMI record shape

The BIMI TXT record is normally published at default._bimi.example.com. Do not copy a sample record until your logo, certificate path, HTTPS hosting, and DMARC enforcement are ready:

v=BIMI1; l=https://example.com/brand/bimi.svg; a=https://example.com/brand/vmc.pem

Some certificate-backed flows use the PEM file as the primary asset. Follow the current mailbox-provider and certificate-authority instructions for the exact l and a values.

Setup sequence

Reach DMARC enforcement firstBIMI depends on authenticated, aligned mail and an enforced DMARC policy. Do not treat p=none as BIMI-ready.
Prepare the logo assetUse the BIMI-required SVG Tiny PS shape, not a generic exported SVG with scripts, animation, remote references, or loose dimensions.
Plan certificate requirementsGmail expects a VMC or CMC PEM flow. Other providers may vary, and self-asserted BIMI has limited support.
Publish and test the DNS recordHost assets over HTTPS, publish the TXT record at default._bimi, then test with real authenticated mail and provider-specific checks.

Logo and hosting checks

  • Use SVG Tiny PS rather than a normal marketing SVG export.
  • Host BIMI files on a public HTTPS URL with a trusted TLS certificate.
  • Remove scripts, animation, external references, and interactive SVG features.
  • Keep logo dimensions explicit and test the rendered asset before publishing DNS.
  • Confirm the VMC or CMC process with the current certificate issuer before buying.

Why a valid record may not display

Yahoo says it considers a BIMI record, a valid SVG logo, DMARC quarantine or reject, bulk-mail context, and sufficient reputation and engagement. Google has its own VMC or CMC path. That means the DNS record can be technically present while a logo still does not appear for a given recipient or mailbox product.

Keep the promise narrow: BIMI setup is a brand-authentication readiness project, not guaranteed inbox placement, not a spam-folder bypass, and not proof that every recipient mailbox will show a logo.

BIMI setup FAQ

Does BIMI work with p=none?

No for the practical setup most senders want. Google and the BIMI Group call for DMARC enforcement, and Google requires p=quarantine or p=reject with pct=100.

Does a BIMI record guarantee my logo appears?

No. Mailbox providers apply their own eligibility, certificate, reputation, engagement, and product-support rules. BIMI is a readiness signal, not a display guarantee.

Can I skip the VMC or CMC?

Some providers may show self-asserted BIMI in limited cases, but Gmail and other clients require or expect certificate-backed PEM files for supported display paths.

Want a BIMI readiness review before touching DNS?

SenderReady readiness audits check public BIMI, DMARC, SPF, DKIM, and provider-readiness signals so your DNS owner can review the next step. They are diagnostics, not logo display guarantees.

View audit options