Brand logo in the mailbox (Gmail, Yahoo, Apple Mail) via the default._bimi TXT record.
What is this, and when do I need it?
What is this?
BIMI (Brand Indicators for Message Identification) is a standard that displays your company
logo in the recipient's mailbox - right next to the message instead of an anonymous initial
avatar. Supported by Gmail, Yahoo, Apple Mail, AOL and others.
BIMI only works if your domain runs DMARC strictly. That is the real lever: BIMI is the
reward for clean mail authentication, not a shortcut to it.
When do I need it?
When the brand should be visible - useful for any company with its own logo that
regularly sends newsletters or transactional mail. No value for purely internal mail traffic.
Prerequisite: DMARC must be at quarantine or reject. If you are still in the p=none observation phase, enable BIMI
later.
DMARC: p=reject with pct=100 for bulk senders
(Gmail); p=quarantine is only enough
at low volume.
SVG-PS profile (Portrait-Square Tiny 1.2): root element <svg baseProfile="tiny-ps" version="1.2">, square viewBox, a <title> element, no scripts,
no external references, no foreignObject. Practical max 32 KB.
Convert from regular SVG to SVG-PS via the SVG converter on this site.
Mark certificate: a VMC (Verified Mark Certificate) needs
a registered trademark; currently authorised VMC CAs are DigiCert and Entrust (GlobalSign
left the market in 2023). Since 2024 DigiCert and Entrust additionally offer a CMC (Common Mark Certificate), which does not require trademark registration but at least one year
of public logo use. CMC is cheaper and the only path to BIMI display for non-trademark holders.
Selector: default is the default selector;
individual sending selectors (via the DKIM s= tag) can run in parallel for sub-brands
or seasonal logos.
Inspect an existing BIMI record
Reads <selector>._bimi.<domain> and checks v/l/a tags. Selector optional (default "default").
Server path: this inspection does NOT run browser-local. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. 12 requests per minute per IPv4 address or IPv6 /64 subnet.
How to add this record at your DNS provider
The record generated above has three parts: the record type (typically TXT,
occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual
payload in quotes). Every DNS provider asks for these same three fields - only the menu wording
differs.
Button Add record → pick a type, enter the name (use @ for the
root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Eintrag hinzufügen → pick a type, enter the host, paste the value into
the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for
the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like
"DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps;
the paths shown here are vendor-specific and can shift slightly with redesigns.