Brand Indicators for Message Identification (BIMI, pronounced Bih-mee) is an experimental standard to improve brand recognition in email. It allows for email clients to display a verified mark, usually in the form of a brand logo, in the inbox of the user. BIMI can be compared to verified accounts for brands, which are common for social media platforms.
BIMI is aimed at rewarding those who implement DMARC with the opportunity to strengthen their brand presence. The BIMI standard is currently in its second draft, named bimi-draft-01. The BIMI standard is created and maintained by the AuthIndicators Working Group.
BIMI is still very much experimental, very few email clients support it, and the required Verified Mark certificates are not commonly available.
For the latest developments on BIMI, we also have a blog post on the current state of BIMI, which we update periodically.
BIMI is a mechanism for brands to tie brand identification material, such as logos and trademark numbers, to their domain via a special certificate known as a Verified Mark Certificate (VMC).
If email is received from a domain that implements BIMI, and the email is DMARC aligned, the email client can display the logo and name as found in the VMC.
For this to work, the domain must have a DMARC policy of reject, applied to 100% of the email.
The Verified Mark certificate must be issued by a certificate authority that is trusted by email providers to supply VMCs.
The BIMI standard is created to drive adoption of DMARC by bigger brands, by rewarding them with stronger brand recognition.
For BIMI to work, a domain must comply with the following prerequisites:
Roughly speaking, BIMI works like this for the receiver:
domain.com, using the selector found in the BIMI email headers.
Displaying a brand logo in the email client of the receiver comes with the responsibility of validating that the email is coming from an authorized source. Hence, DMARC alignment is a hard requirement for BIMI to work.
The sender domain must have DMARC enabled with a
Any subdomain policy (the sp value) must also meet this minimum policy strength.
The policy must be applied to 100% of the email sent by the domain, thus the pct DMARC value must be set to 100 or omitted (100% is the default).
The following DMARC records are not valid for use with BIMI:
v=DMARC1; p=none; (policy is not 'quarantine' or 'reject')
v=DMARC1; p=reject; pct=25; (reject policy is not applied to 100% of emails)
v=DMARC1; p=reject; sp=none; (reject policy is not applied to all subdomains)
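The three rules above can be checked mechanically before applying for a VM certificate. The following is an added example, not Mailhardener's code; the function names are hypothetical and the sample records are the ones listed above plus two constructed valid ones.

```python
# Added example: check a DMARC TXT record against the BIMI prerequisites.
STRONG = {"quarantine", "reject"}  # minimum policy strength named on this page

def parse_tags(record):
    """Split 'k=v; k=v;' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_dmarc_problems(record):
    """Return the reasons a DMARC record is unusable for BIMI (empty list = OK)."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC1 record")
    if tags.get("p", "").lower() not in STRONG:
        problems.append("policy is not 'quarantine' or 'reject'")
    # sp is optional; when present it must be as strong as required of p.
    if "sp" in tags and tags["sp"].lower() not in STRONG:
        problems.append("policy is not applied to all subdomains")
    # pct defaults to 100 when omitted.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        problems.append("policy is not applied to 100% of emails")
    return problems

# Sample records: the first three are from the article, the last two are constructed.
SAMPLES = [
    "v=DMARC1; p=none;",
    "v=DMARC1; p=reject; pct=25;",
    "v=DMARC1; p=reject; sp=none;",
    "v=DMARC1; p=reject;",
    "v=DMARC1; p=quarantine; sp=reject; pct=100;",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        issues = bimi_dmarc_problems(rec)
        print(f"{rec:45} {'OK' if not issues else '; '.join(issues)}")
```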
The Verified Mark certificate is the source of trust for email clients to safely display a brand logo in the inbox. It is also the most misunderstood portion of the BIMI standard.
A Verified Mark (VM) certificate is a standard X.509 certificate as is used for web servers (HTTPS), but with an additional extension for mark verification.
In the Verified Mark extension, the brand logo is stored as an SVG vector image, as well as any trademark numbers.
The domain name that is used for the email is stored as the subjectAltName value in the certificate; a VMC may contain multiple domain names.
A VM certificate can be obtained through a Certificate Authority (CA), just like with web server certificates. The CA must verify through the relevant trademark office that the supplied logo and trademark numbers are indeed owned by the organisation that also holds the domain name. Which trademark office is queried depends on the region where the organisation originates from.
Hence, due to the amount of manual validation required for the CA to issue a VM certificate, only a select few CAs currently offer VM certificates. It is also not expected for VM certificates to be offered at competitive prices compared to HTTPS certificates.
Although the BIMI draft marks the certificate as optional, for BIMI to work with any of the public email systems the Verified Mark certificate is required.
A DNS TXT type resource record must be published under the email domain. This record points to an SVG vector image of the brand logo, and a Verified Mark certificate. Both the SVG image and the VM-certificate must be served over HTTPS, with a valid web server certificate.
A domain can have multiple BIMI records (as a domain may serve multiple brands).
Each BIMI record is identified by a selector, the same as how DKIM public keys are identified.
An email sent from the domain may have the BIMI selector value in the headers of the email.
If no header value is present, a default selector with value default may be assumed by the email client.
The location of the BIMI DNS record is [selector]._bimi.[domain], for example:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/bimi_cert.pem
||Version||Must be the first field in the record, must be set to value
||Location||Optional, points to an SVG format logo image of the brand, must be served over HTTPS|
||Authority Evidence Location||Optional, points to a PEM format VM-certificate, must be served over HTTPS|
Note: In the (now superseded) first BIMI draft, it was allowed for the a= value to contain the value self; this is no longer allowed since (the current) draft-01.
We want to repeat once more that although the VM-certificate location (a=) value is technically optional, a VM-certificate is required for BIMI to work with public email providers.
You can test a BIMI DNS record for validity using our free to use BIMI record validator tool.
An optional (but recommended) header BIMI-Selector should be added to all email sent from the domain to instruct a BIMI-capable email receiver that BIMI is used, and where to find the VM-certificate.
||Version||Must be the first field in the header, must be set to value
||Selector||Optional, the selector value where the DNS record is located. Defaults to
An example of an email containing a BIMI header:
From: firstname.lastname@example.org
BIMI-Selector: v=BIMI1; s=demo;
Subject: This demonstrates BIMI

Hi, this is a demo for BIMI
For the example above, a BIMI capable receiver will look for a BIMI DNS record at
If no BIMI header is present in the email, the receiver may still attempt to query a BIMI DNS record at the default selector location.
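The receiver-side steps described above (pick the selector from the header, build the DNS name, validate the record fields) can be sketched without any network access. This is an added example, not Mailhardener's or any mail provider's code; the function names are hypothetical, and the sample email is the one from the article.

```python
# Added example: derive the BIMI lookup name and validate a BIMI record.
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

def parse_tags(value):
    """Return the (tag, value) pairs of a 'k=v; k=v;' string, order preserved."""
    pairs = []
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs.append((key.strip().lower(), val.strip()))
    return pairs

def bimi_lookup_name(raw_email):
    """DNS name a receiver would query: [selector]._bimi.[domain]."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    header = dict(parse_tags(msg.get("BIMI-Selector", "")))
    # Without a usable BIMI-Selector header, fall back to the default selector.
    selector = header.get("s") if header.get("v") == "BIMI1" else None
    return f"{selector or 'default'}._bimi.{domain}"

def bimi_record_problems(record):
    """Return the reasons a BIMI TXT record is invalid or unusable (empty = OK)."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "BIMI1"):
        problems.append("v=BIMI1 must be the first field")
    for tag in ("l", "a"):
        url = tags.get(tag, "")
        # Also rejects a=self, which the current draft no longer allows.
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{tag}= must be served over HTTPS")
    if not tags.get("a"):
        problems.append("no a= VM-certificate location (needed by public email providers)")
    return problems

# Sample email taken from the article's example.
SAMPLE_EMAIL = (
    "From: firstname.lastname@example.org\n"
    "BIMI-Selector: v=BIMI1; s=demo;\n"
    "Subject: This demonstrates BIMI\n\nHi, this is a demo for BIMI\n"
)

if __name__ == "__main__":
    print(bimi_lookup_name(SAMPLE_EMAIL))
    print(bimi_record_problems("v=BIMI1; l=https://example.com/logo.svg; a=self"))
```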
There are also 2 additional headers
BIMI-Indicator which may be injected into the email by the receiving email server as hints to the email client (MUA).
As mentioned, BIMI is still an experimental email standard.
Some major email providers, such as Google and Yahoo, are currently testing BIMI as part of a pilot program. It is not enabled for all of their customers just yet, meaning that BIMI logos are not always shown for every user.
As of writing, there are just 2 certificate authorities who are entrusted to issue Verified Mark certificates.
Mailhardener has a BIMI validation service which sees thousands of validations per day, but it is rare for us to see a domain with an actual VM-certificate set.
We also published a blog post with the current state of BIMI, which we update periodically with the latest updates on BIMI.
Mailhardener has full BIMI monitoring support in the Mailhardener dashboard.
BIMI allows for stronger brand recognition which should reduce fraudulent email and drive the adoption of DMARC.
The BIMI standard is still very much in an experimental phase. Few email services have BIMI fully integrated, and only time will tell if other email services adopt the technology.
The Verified Mark Certificates required for BIMI are available from a select group of certificate authorities, but the cost of such a VMC may prove too high for smaller brands.
One last thing: If you have questions, comments or thoughts on this article, don't hesitate to shoot us an email.
You can also follow and reach us on Twitter @Mailhardener.