Last updated: July 2026
In short: BIMI shows your brand logo next to your emails. After this guide you publish the
default._bimiTXT record in the Cloudflare dashboard — and know the prerequisites: DMARC, SVG logo, certificate.
Prerequisites
- A domain whose DNS is managed at Cloudflare
- DMARC at enforcement (
p=quarantineorp=reject) - Logo as SVG Tiny PS and (for Gmail & co.) a VMC
- An HTTPS server for the logo and certificate
What is BIMI?
BIMI (Brand Indicators for Message Identification) is a TXT record that points to your brand logo. Gmail, Apple Mail, and Yahoo show it next to your authenticated emails. BIMI is not a security method of its own, but the visible reward for clean SPF, DKIM, and DMARC — the last step.
The real work isn’t in the record
As a DNS service, Cloudflare is the ideal place to publish the BIMI record — but the prerequisites lie with your mail infrastructure. The BIMI Group names them clearly:
- DMARC at enforcement. Your policy must “be at enforcement on the organizational domain and subdomains” — a
p=noneor apctunder 100 (“policies or ‘pct’ less than 100 percent are not accepted”). See DMARC for Cloudflare. - SVG logo. “Produce an SVG Tiny PS version of your official logo” — square, over HTTPS.
- VMC or CMC. In practice needed for display at Gmail & co. (“Acquire a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC) for Your Logo”). Self-asserted BIMI “records have limited support across the various Mailbox Providers”.
Step-by-step guide
1. Check the prerequisites
With the free MXAudit scanner you check SPF, DKIM, and DMARC — DMARC must be at quarantine/reject.
2. Provide the logo and (optionally) certificate
Place the logo as SVG Tiny PS over HTTPS, obtain a VMC/CMC, and serve the .pem file over HTTPS.
3. Create the BIMI TXT record in the Cloudflare dashboard
Go to DNS > Records, select Add record:
| Field | Value |
|---|---|
| Type | TXT |
| Name | default._bimi |
| Content | v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem |
| TTL | Auto |
Cloudflare uses a plain Content field — no quotation marks. Basic scheme per the BIMI Group: default._bimi.[domain] IN TXT with v=BIMI1; l=[SVG URL]; a=[PEM URL]. Without a certificate you leave out a= — the “a= tag is currently optional (reservered for VMC/CMC)”. A real record (ebay.com):
v=BIMI1;l=https://vmc.digicert.com/….svg;a=https://vmc.digicert.com/….pem
4. Wait and check
After DNS propagation, check the record with the MXAudit scanner or the BIMI Inspector of the BIMI Group.
Common mistakes
BIMI without DMARC enforcement. p=none isn’t enough; quarantine/reject is mandatory.
Wrong SVG format. Only SVG Tiny PS, square.
No VMC, expecting Gmail display. Without a certificate the logo usually stays invisible at the large providers.
Logo not on HTTPS. Both the SVG and the .pem must be served over HTTPS.
Further reading
- BIMI Group: Implementation Guide (retrieved: July 10, 2026)
- BIMI Group: Creating an SVG logo (retrieved: July 10, 2026)
- Google Workspace Help: BIMI (retrieved: July 10, 2026)
