Chapter 05 · Authentication
IETF Draft

BIMI and VMC — the $1,500 logo most senders shouldn't buy.

BIMI is specified as an IETF draft (Trusbach et al.) maintained by the AuthIndicators Working Group, and it remains in draft status as of mid-2026. It is the most-requested authentication feature in B2B sending shops, and — for a cold-sending domain specifically — almost always the wrong investment.

What BIMI actually does

BIMI — Brand Indicators for Message Identification — is the protocol that causes a sender's logo to render in the avatar slot of the recipient's mail client, in place of the first-letter monogram or default silhouette that would otherwise occupy that position. A receiving mail server, upon delivery of an inbound message that passes DMARC alignment, queries a TXT record at default._bimi.example.com, retrieves the URL of the sender's logo file, optionally retrieves a Verified Mark Certificate from a separate URL specified in the same record, validates both against the published trust criteria, and renders the logo at the message-list level and message-detail level of the recipient's inbox.

The trust signal BIMI represents is approximately: this sender has reached p=quarantine or p=reject at DMARC, has produced a logo that conforms to a constrained vector profile, and — if a VMC is presented — has demonstrated trademark ownership of the logo to a certificate authority that performs the verification. The signal is meaningful but narrow. BIMI does not improve placement, does not reduce spam classification, does not contribute to the bulk-sender requirements of February 2024. It modifies what the rendered message looks like to the recipient, conditional on the message having already been delivered to a folder the recipient is looking at.

The hard prerequisites

BIMI is not a standalone authentication layer. It is a presentation feature gated on a specific posture across the underlying authentication stack. The published BIMI record is queried by receivers only when the following conditions all hold for the sending domain:

  • DMARC at p=quarantine or p=reject with pct=100. A domain at p=none, or a domain at quarantine with a partial pct rollout, does not qualify. The major mailbox providers honoring BIMI explicitly require full enforcement; partial enforcement is treated as no enforcement.
  • Organizational-level enforcement. BIMI published on a subdomain whose organizational DMARC record sits at p=none does not qualify. The enforcement posture must hold at the organizational tier.
  • Valid SPF or DKIM alignment on the specific message being delivered. The receiver does not render the BIMI logo on a message that itself failed alignment, regardless of the published policy.
  • A published BIMI TXT record at default._bimi.example.com, containing at minimum a logo URL (l=) and — for verified display in major providers — a VMC URL (a=).

The practical implication of the first three prerequisites: BIMI is downstream of every preceding chapter in this reference. A sender that has not yet completed the DMARC escalation path (Chapter 3) cannot deploy BIMI, and a sender that has reached p=reject on the corporate domain but not yet on the cold-sending subdomain (Chapter 7) cannot deploy BIMI on the cold-sending subdomain. BIMI is the last of the authentication chapters because every other chapter is a hard precondition.

The BIMI record

The published record is a TXT record at the default._bimi subdomain, with two operational tags:

default._bimi.example.com.  IN  TXT  "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

The l= tag specifies the URL of the logo file. The a= tag specifies the URL of the VMC or CMC certificate, in PEM format. Both URLs must be served over HTTPS with a valid TLS chain — receivers will not honor a logo or certificate hosted under a self-signed or expired certificate.

The default selector is the selector consulted when the message does not specify an alternative via the BIMI-Selector header. A sender that wants different logos per business unit can publish additional selectors and reference them from the outbound headers — in practice, the multi-selector pattern is used by a vanishingly small number of senders and the operational complexity is rarely justified.
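
The gating described in the prerequisites and the record format can be checked before publishing. The following is an added example, not code from this reference or from any BIMI implementation; the function names, the records dictionary standing in for DNS, and the caller-supplied organizational domain are assumptions, and the TXT strings are constructed.

```python
from urllib.parse import urlsplit


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT payload; DMARC and BIMI records share this syntax."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforced(txt):
    """True only for p=quarantine or p=reject at pct=100 (pct defaults to 100)."""
    tags = parse_tags(txt or "")
    return (tags.get("v") == "DMARC1"
            and tags.get("p", "").lower() in ("quarantine", "reject")
            and tags.get("pct", "100") == "100")


def bimi_findings(sending_domain, org_domain, records, selector="default"):
    """Reasons a receiver would skip or downgrade the logo. `records` is a
    constructed stand-in for DNS (owner name -> TXT string); `org_domain` is
    caller-supplied (assumption: no Public Suffix List lookup here)."""
    findings = []
    if not dmarc_enforced(records.get(f"_dmarc.{org_domain}")):
        findings.append(f"organizational DMARC at {org_domain} is not fully enforced")
    own = records.get(f"_dmarc.{sending_domain}")
    if sending_domain != org_domain and own is not None and not dmarc_enforced(own):
        findings.append(f"DMARC at {sending_domain} is not fully enforced")
    owner = f"{selector}._bimi.{sending_domain}"
    bimi = parse_tags(records.get(owner, ""))
    if bimi.get("v") != "BIMI1":
        return findings + [f"no v=BIMI1 record at {owner}"]
    if not bimi.get("l"):
        findings.append("l= logo URL is missing")
    if not bimi.get("a"):
        findings.append("a= certificate URL is missing (no verified display)")
    for tag in ("l", "a"):
        url = bimi.get(tag)
        if url and (urlsplit(url).scheme != "https" or not urlsplit(url).hostname):
            findings.append(f"{tag}= is not an HTTPS URL: {url}")
    return findings


# Constructed records: the subdomain is at p=reject while the organizational
# domain is still at p=none, and the logo URL is plain HTTP with no a= tag.
SUBDOMAIN_CASE = {
    "_dmarc.example.com": "v=DMARC1; p=none",
    "_dmarc.mail.example.com": "v=DMARC1; p=reject",
    "default._bimi.mail.example.com": "v=BIMI1; l=http://example.com/logo.svg",
}
ROOT_CASE = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}
```

Calling bimi_findings("mail.example.com", "example.com", SUBDOMAIN_CASE) returns three findings; the same call against ROOT_CASE for example.com returns none.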

The logo file — SVG-Tiny PS

The logo file referenced by the l= tag is required to conform to SVG-Tiny PS — a constrained profile of SVG 1.2 Tiny designed specifically for BIMI. The constraints are non-trivial. The profile prohibits scripts, external references, animation, raster image embeds, gradients with non-standard color spaces, and several other categories of SVG content that would otherwise be valid. The file must be square, must declare a viewBox, must use a baseProfile of tiny-ps, and must fit under 32 kilobytes uncompressed.

The technical reason for the constrained profile is straightforward. The logo is rendered inside the receiver's mail client at small sizes — typically 64x64 or 96x96 pixels — across a wide range of clients with heterogeneous SVG renderers, and the receiver is not willing to expose any of those renderers to scripted content, external HTTP fetches, or animation that would affect rendering performance. The profile is the minimum surface area required to render a static branded mark across every renderer in the inbox ecosystem.

In production, the SVG-Tiny PS conversion is the deployment step that most consistently fails. A marketing team supplies the brand logo as a print-grade SVG with embedded raster fallbacks, gradient meshes, and font glyphs that the conversion tool cannot resolve. The output either fails validation outright or renders correctly in a desktop browser but inconsistently across mail clients. The functional approach: commission the conversion from a vendor that specializes in BIMI logo files, or have an in-house designer rebuild the mark from scratch under the profile constraints.
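
A preflight for the constraints named in this section catches most marketing exports before the record is published. This is an added example, not the AuthIndicators reference validator and not code from this reference; it checks only the rules listed above (size, baseProfile, square viewBox, scripts, raster embeds, animation, non-local references), and the function name and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_BYTES = 32 * 1024  # page: "under 32 kilobytes uncompressed"
ANIMATION = ("animate", "animateMotion", "animateTransform", "animateColor", "set")
BANNED = {"script": "script", "image": "raster image embed",
          **dict.fromkeys(ANIMATION, "animation")}


def preflight_svg(data):
    """Return a list of problems; an empty list means the preflight passed."""
    problems = []
    if len(data) >= MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is under {MAX_BYTES}")
    # Precaution of this checker, not a profile rule from the page: refuse
    # DTDs so entity expansion cannot run inside the linter itself.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return problems + ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        problems.append(f"baseProfile is {root.get('baseProfile')!r}, not 'tiny-ps'")
    view_box = root.get("viewBox")
    if view_box is None:
        problems.append("viewBox is not declared")
    else:
        try:
            _, _, width, height = map(float, view_box.replace(",", " ").split())
            if width <= 0 or width != height:
                problems.append(f"viewBox {width:g}x{height:g} is not square")
        except ValueError:
            problems.append(f"viewBox {view_box!r} is malformed")
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in BANNED:
            problems.append(f"<{local}> is prohibited: {BANNED[local]}")
        if any(name.lower().startswith("on") for name in el.attrib):
            problems.append(f"<{local}> carries an event-handler attribute")
        for attr in ("href", XLINK_HREF):
            ref = el.get(attr, "")
            if ref and not ref.startswith("#"):
                problems.append(f"<{local}> has a non-local reference: {ref[:40]}")
    return problems


# Constructed samples: one conforming mark, one typical marketing export.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            b'baseProfile="tiny-ps" viewBox="0 0 64 64"><title>Example</title>'
            b'<circle cx="32" cy="32" r="30" fill="#0a5"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink" baseProfile="full" '
           b'viewBox="0 0 120 60"><script>1</script>'
           b'<image xlink:href="logo.png" width="120" height="60"/></svg>')
```

A clean result here means only that the file is worth submitting to the reference validator named in the pre-deployment checklist.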

VMC — the Verified Mark Certificate

The Verified Mark Certificate is an X.509 certificate, derived from the RFC 5280 PKI format, that binds a registered trademark to the published logo file. The certificate is issued by a certificate authority operating under the BIMI verification scheme, and it certifies — to receivers honoring the protocol — that the entity publishing the BIMI record has demonstrated, to the CA's satisfaction, ownership of the trademark depicted in the logo.

As of 2026, the two operational certificate authorities issuing VMCs are the two CAs accredited under the AuthIndicators Working Group's verification scheme. Annual VMC pricing is in the $1,200 to $1,800 range, with multi-year discounts available. The issuance timeline is typically 4 to 12 weeks from initial application to certificate delivery — the CA performs trademark verification against national registries, identity verification against the applying entity, and logo-to-trademark visual matching, and the process is not parallelizable below the CA's internal SLA.

The trust signal the VMC represents to the receiver: the entity behind this logo has, in some specific jurisdiction, a registered trademark for the mark depicted, and the CA has verified the chain of ownership. Receivers honoring VMCs render the logo with a distinct presentation — in some clients, a checkmark or shield is overlaid on the avatar — that signals verified status to the recipient. Receivers that do not honor VMCs (or that honor the underlying BIMI record without requiring a VMC) render the logo without the verified-status overlay.

CMC — the Common Mark Certificate

The Common Mark Certificate is the newer alternative for senders without a registered trademark. It was introduced into the BIMI ecosystem in 2023 to widen the addressable surface beyond brands holding registered marks — for trademarks too new to have completed registration, for senders operating under common-law mark protection, and for non-trademark logos a sender nevertheless wants to display.

The CMC is issued under a lower verification bar than the VMC. The certificate authority verifies entity identity and prior usage of the mark in commerce, but does not require a registered trademark. The annual pricing is broadly comparable to the VMC and the issuance timeline is shorter — typically 2 to 6 weeks. The trust signal to the receiver, however, is also lower: mailbox providers honoring CMCs render the logo without the verified-status overlay that VMC-backed logos receive.

The CMC is the correct path for senders who want the logo display without the trademark registration overhead, and who have accepted that the recipient will see the brand mark without the additional verification signal. For a B2C transactional brand chasing every fractional lift, the VMC is the canonical choice. For a B2B sender deploying BIMI principally as a brand-presentation investment, the CMC clears the bar at lower friction.

Mailbox provider support

BIMI support across the mailbox-provider ecosystem is uneven, and the gap matters for ROI modeling. As of 2026:

  • Gmail implements full BIMI enforcement, including VMC verification, and is the largest single source of BIMI-rendered impressions for any consumer-facing sender.
  • Yahoo supports BIMI with VMC and CMC, and was one of the early implementers of the protocol.
  • Apple Mail implements BIMI for inbound messages from iOS 16 forward on iCloud-hosted inboxes. The implementation honors VMCs and renders the logo in the message list across iOS, iPadOS, and macOS Mail.
  • Microsoft has stated a roadmap for BIMI enforcement across Outlook.com and the enterprise Exchange Online tier, with phased rollout that has been periodically delayed. As of mid-2026, BIMI is not enforced across the Microsoft consumer or enterprise mail surface, which means a sender deploying BIMI captures zero impressions on the largest enterprise mail tier.
  • The long tail — regional ISPs, enterprise self-hosted Exchange, niche providers — overwhelmingly ignores BIMI. The protocol is honored, in practice, by approximately the four providers above plus a handful of regional implementers.

The practical implication: a sender whose audience sits primarily on enterprise Microsoft tenants captures effectively zero rendered impressions from a BIMI deployment. A sender whose audience sits primarily on consumer Gmail captures the largest share. The pre-deployment provider mix audit is the single most important variable in the BIMI ROI calculation.

Display lift — measurement methodology

The display lift attributable to BIMI is measured by A/B testing across matched cohorts within the same sender's estate: one cohort receives messages from a sending identity with BIMI active, a matched cohort receives messages from a sending identity without BIMI. The cohorts must be balanced across recipient mailbox provider, recipient segment, message content, send time, and prior engagement history — and the test must run for enough volume to clear the noise floor.

The reported lift across published case studies — predominantly from large B2C transactional senders running this methodology in-house — falls in a 5% to 21% open-rate improvement range, with the high end of the range concentrated in consumer e-commerce sending to Gmail and Yahoo. The low end of the range — and the more honest reference point for a B2B sender — is the 5% to 8% lift observed when controlling for prior brand familiarity, message content, and pre-BIMI baseline open rates.

Where measurable, the downstream conversion-rate signal is smaller than the open-rate signal — typically a 1% to 4% lift, conditional on the broader funnel mechanics. The open-rate lift captures attention; the conversion-rate lift captures the marginal incremental purchase decisions attributable to the brand-recognition signal at inbox surface, which is a small fraction of the open-rate population.

Trademark prerequisites and the registration path

The VMC requires a registered trademark in a jurisdiction the CA accepts. The accepted jurisdictions cover the major national trademark registries — USPTO in the United States, EUIPO in the European Union, JPO in Japan, CIPO in Canada, IPO UK, and several others — and the registration must be active, in good standing, and matched to the logo file at the visual level.

For a sender without a registered trademark, the registration path is the gating cost. USPTO filing fees fall in the $250 to $750 per class range, with attorney fees pushing the total cost to the $1,000 to $2,000 range for a single-class filing. The USPTO timeline from filing to registration is typically 8 to 14 months under normal examination — and the application can be rejected, requiring response and amendment, which extends the timeline further. The combined cost of registration plus VMC issuance is realistically $2,500 to $4,000 and a 12-to-18-month calendar window.

The strategy for senders without a registered mark, and not willing to absorb the registration runway, is the CMC path — accepting the lower verification signal in exchange for skipping the trademark prerequisite. The strategy for senders unwilling to absorb either is to defer BIMI until corporate priorities shift, which for most cold-outbound estates is indefinitely.

The BIMI economics

The investment justifies itself for a narrow archetype: high-volume B2C transactional brands sending hundreds of thousands of messages per month to consumer mailboxes, with a measurable open-rate floor that a 5-to-15% lift moves against revenue at scale. A retailer sending shipping confirmations to a million Gmail recipients per quarter, with a baseline open rate of 35% and a measurable conversion path off of open events, can model the BIMI investment against incremental revenue and clear the threshold inside a single quarter.

The investment does not justify itself for low-volume B2B cold outbound. The per-recipient lift, in absolute terms, is small — and the cold-outbound audience is more likely to sit on enterprise Microsoft tenants that render no BIMI logo at all, suppressing the realized lift below the published benchmarks. A B2B sender shipping 50,000 messages per month with a Microsoft-heavy enterprise audience captures a fraction of the addressable BIMI impressions, and the per-message economic lift does not clear the $1,500 annual VMC cost plus the trademark registration tax.

The asymmetry is the relevant frame. For a corporate brand, BIMI is an extension of the existing trademark-and-brand investment, and the marginal cost is a thin layer on top of a registration that already exists. For a cold-sending domain registered six months ago for the purpose of housing outbound sequence traffic, BIMI requires a net-new trademark registration on a domain whose corporate brand is, by design, lower-profile than the corporate root.

Common deployment failures observed in production

  • Logo file fails SVG-Tiny PS validation. The marketing team supplies an SVG that opens correctly in every browser, the operator publishes the BIMI record, no logo appears in any receiver. The output of the validation tooling — typically a baseProfile mismatch, an embedded raster image, or an unsupported gradient — is the diagnostic, but the deployment dashboard surfaces only the absence of rendering.
  • DMARC enforcement not at pct=100. The operator escalates to p=quarantine; pct=50, publishes the BIMI record, observes that the logo renders on half of recipients and not the other half. The fix is escalating to pct=100; the lesson is that BIMI does not honor partial enforcement.
  • VMC expired silently. The annual VMC lapses without renewal, the receiver-side verification fails on the next message, the logo silently disappears from inboxes. No deployment alarm fires unless the operator is monitoring receiver-side rendering — typically via seed-list testing (Chapter 13) or VMC-expiration calendar reminders.
  • Registered mark does not match the logo file. The CA rejects the VMC application because the registered mark, while valid, differs visually from the logo the sender wants to display. The fix is amending the registered mark, supplying a logo that matches the existing registration, or filing a new mark, and none of these is fast.
  • Logo URL behind authentication or rate limit. The published l= URL is served from infrastructure that rate-limits anonymous requests or requires a session cookie. Receivers fetch the URL with neither, fail to retrieve the file, and render no logo. The fix is hosting the logo on a public, anonymous-accessible HTTPS endpoint with permissive caching headers.
  • Subdomain BIMI without organizational DMARC enforcement. The operator publishes BIMI at default._bimi.mail.example.com, having reached p=reject on mail.example.com, but the organizational record at example.com sits at p=none. Receivers consult the organizational policy, determine that organizational enforcement is absent, and ignore the BIMI record entirely.

Pre-deployment checklist

  • DMARC at p=quarantine or p=reject with pct=100, at the organizational tier (Chapter 3)
  • All known sending sources passing SPF or DKIM alignment with the published From domain (Chapters 1, 2)
  • Trademark registered, in good standing, in a jurisdiction the CA accepts — or accepted CMC path documented
  • SVG-Tiny PS logo file validated against the AuthIndicators reference validator, square, under 32KB
  • VMC or CMC issued and hosted at a stable HTTPS URL with a valid TLS chain
  • Logo file hosted at a stable, anonymous-accessible HTTPS URL with permissive caching
  • Calendar reminders for VMC expiration set 60 and 30 days ahead of renewal
  • Provider-mix audit confirming that the audience sits on BIMI-honoring receivers (Gmail, Yahoo, Apple Mail iCloud)
  • Seed-list testing (Chapter 13) configured to verify rendered display in major providers post-deployment

Where BIMI fits in the broader infrastructure

BIMI is the protocol that converts the underlying authentication posture into a recipient-visible brand signal. It does not improve placement, does not reduce spam classification, does not contribute to bulk-sender compliance, and does not protect against impersonation any more than the DMARC enforcement it sits on top of. It modifies the visual rendering of messages that have already been delivered, and the rendering lift — measurable, reproducible, in the 5-to-21% open-rate range — accrues to senders whose audience sits on the receivers that honor the protocol.

For a cold-sending domain specifically, BIMI is rarely worth pursuing. The cold-outbound estate is, by design, isolated from the corporate brand identity (Chapter 7) — the domain that needs the logo display is the corporate root, not the sending subdomain registered six months ago to house sequence traffic. The cold-sending audience is overweighted on enterprise Microsoft tenants where BIMI is not currently rendered. The per-recipient lift is small enough that the $1,500-plus annual cost plus trademark overhead does not clear a return threshold a finance team would underwrite. BIMI is a corporate-brand investment, made on a corporate domain with a corporate trademark, and the cold-outbound stack is the wrong place to spend the budget.

The sender who reaches Chapter 5 in the wrong sequence — having heard about BIMI before reaching p=reject, before completing alignment audits on the third-party platforms, before isolating the cold-sending domain — is the sender who buys the VMC and discovers six months later that the logo renders in 12% of recipient inboxes against a campaign that was always going to clear or fail on the basis of the message body and the underlying reputation, not the avatar.
