Last updated: July 2026

In short: BIMI shows your brand logo next to your emails. After this guide you publish the default._bimi TXT record in the Cloudflare dashboard — and know the prerequisites: DMARC, SVG logo, certificate.

Prerequisites

  • A domain whose DNS is managed at Cloudflare
  • DMARC at enforcement (p=quarantine or p=reject)
  • Logo as SVG Tiny PS and (for Gmail & co.) a VMC
  • An HTTPS server for the logo and certificate

What is BIMI?

BIMI (Brand Indicators for Message Identification) is a TXT record that points to your brand logo. Gmail, Apple Mail, and Yahoo show it next to your authenticated emails. BIMI is not a security method of its own, but the visible reward for clean SPF, DKIM, and DMARC — the last step.

The real work isn’t in the record

As a DNS service, Cloudflare is the ideal place to publish the BIMI record — but the prerequisites lie with your mail infrastructure. The BIMI Group names them clearly:

  1. DMARC at enforcement. Your policy must “be at enforcement on the organizational domain and subdomains” — a p=none or a pct under 100 (“policies or ‘pct’ less than 100 percent are not accepted”). See DMARC for Cloudflare.
  2. SVG logo. “Produce an SVG Tiny PS version of your official logo” — square, over HTTPS.
  3. VMC or CMC. In practice needed for display at Gmail & co. (“Acquire a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC) for Your Logo”). Self-asserted BIMI “records have limited support across the various Mailbox Providers”.

Step-by-step guide

1. Check the prerequisites

With the free MXAudit scanner you check SPF, DKIM, and DMARC — DMARC must be at quarantine/reject.

2. Provide the logo and (optionally) certificate

Place the logo as SVG Tiny PS over HTTPS, obtain a VMC/CMC, and serve the .pem file over HTTPS.

3. Create the BIMI TXT record in the Cloudflare dashboard

Go to DNS > Records, select Add record:

FieldValue
TypeTXT
Namedefault._bimi
Contentv=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
TTLAuto

Cloudflare uses a plain Content field — no quotation marks. Basic scheme per the BIMI Group: default._bimi.[domain] IN TXT with v=BIMI1; l=[SVG URL]; a=[PEM URL]. Without a certificate you leave out a= — the “a= tag is currently optional (reservered for VMC/CMC)”. A real record (ebay.com):

v=BIMI1;l=https://vmc.digicert.com/….svg;a=https://vmc.digicert.com/….pem

4. Wait and check

After DNS propagation, check the record with the MXAudit scanner or the BIMI Inspector of the BIMI Group.

Common mistakes

BIMI without DMARC enforcement. p=none isn’t enough; quarantine/reject is mandatory.

Wrong SVG format. Only SVG Tiny PS, square.

No VMC, expecting Gmail display. Without a certificate the logo usually stays invisible at the large providers.

Logo not on HTTPS. Both the SVG and the .pem must be served over HTTPS.

Further reading