Last updated: July 2026

In short: BIMI shows your brand logo next to your emails — especially visible in Gmail. After this guide you publish the default._bimi TXT record at your domain’s DNS provider and know the prerequisites: DMARC, SVG logo, VMC.

Prerequisites

  • A Google Workspace account with your own domain
  • Access to your domain’s DNS management (at the domain host)
  • DMARC at enforcement (p=quarantine or p=reject)
  • Logo as SVG Tiny PS and a VMC/CMC (for the Gmail display)

What is BIMI?

BIMI (Brand Indicators for Message Identification) is a TXT record that points to your brand logo. Gmail was one of the first large providers with BIMI display — the logo appears prominently next to your authenticated emails. BIMI is not a security method of its own, but the visible reward for clean SPF, DKIM, and DMARC — the last step.

The real work isn’t in the record

As with SPF and DKIM: the BIMI record is created at your domain’s DNS provider, not in the Google Admin console. The BIMI Group names the prerequisites clearly:

  1. DMARC at enforcement. Your policy must “be at enforcement on the organizational domain and subdomains” — a p=none or a pct under 100 “policies or ‘pct’ less than 100 percent are not accepted”. See DMARC for Google Workspace.
  2. SVG logo. “Produce an SVG Tiny PS version of your official logo” — square, over HTTPS.
  3. VMC/CMC — especially relevant with Gmail. Google only shows the BIMI logo if a valid certificate is present. Per the BIMI Group it’s “highly recommended, but Optional”; self-asserted BIMI “records have limited support across the various Mailbox Providers”.

Step-by-step guide

1. Check the prerequisites

With the free MXAudit scanner you check SPF, DKIM, and DMARC — DMARC must be at quarantine/reject.

2. Provide the logo and VMC

Place the logo as SVG Tiny PS over HTTPS; obtain a VMC from a Mark Verifying Authority (DigiCert, Entrust) based on your registered trademark, and serve the .pem file over HTTPS.

3. Create the BIMI TXT record at the domain host

At your domain’s DNS provider, create a TXT record — where exactly is shown in our host guides, e.g. IONOS, Strato, or Netcup:

  • Hostname: default._bimi
  • Type: TXT
  • Value: v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem

Basic scheme per the BIMI Group: default._bimi.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[PEM URL]". A real record (ebay.com):

v=BIMI1;l=https://vmc.digicert.com/….svg;a=https://vmc.digicert.com/….pem

4. Wait and check

After DNS propagation, check the record with the MXAudit scanner, the BIMI Inspector of the BIMI Group, or follow the Google Workspace Help on BIMI.

Common mistakes

Looked for the record in the Admin console. BIMI is pure DNS — the record belongs at the domain host, not in the Google Admin console.

BIMI without DMARC enforcement. p=none isn’t enough; quarantine/reject is mandatory.

No VMC. Gmail generally doesn’t show the logo without a valid certificate.

Wrong SVG format. Only SVG Tiny PS, square.

Further reading