Last updated: July 2026

In short: BIMI shows your brand logo next to your emails in the recipient’s inbox. After this guide you publish the necessary default._bimi TXT record at IONOS — and know which prerequisites (DMARC, SVG, certificate) are really the work.

Prerequisites

  • A domain at IONOS with access to the DNS settings
  • DMARC at enforcement (p=quarantine or p=reject) — see below
  • Your logo as SVG Tiny PS and (for Gmail & co.) a VMC

What is BIMI?

BIMI (Brand Indicators for Message Identification) is a TXT record in DNS that points to your brand logo. Supporting inboxes — Gmail, Apple Mail, Yahoo — then show this logo next to your authenticated emails. BIMI is therefore not a new security method, but the visible reward for cleanly implemented SPF, DKIM, and above all DMARC.

The order matters: BIMI is the last step. Without the underlying authentication, nothing happens.

The real work isn’t in the DNS record

The TXT record itself is identical at every provider and entered in two minutes. The prerequisites are the effort — and the BIMI Group documents them clearly:

  1. DMARC at enforcement. Your DMARC policy must be at enforcement — specifically “be at enforcement on the organizational domain and subdomains”. A p=none or a pct under 100 isn’t accepted. If you don’t yet have DMARC at IONOS or are still on p=none, first work through the DMARC guide for IONOS and tighten the policy step by step to quarantine or reject.
  2. SVG logo. Your logo must be available as SVG Tiny PS (a special, stripped-down SVG profile) — square and reachable over HTTPS.
  3. VMC or CMC. A Verified Mark Certificate (for registered trademarks) or Common Mark Certificate is, per the BIMI Group, “highly recommended, but Optional” — technically. In practice, though, Gmail, Apple Mail, and Yahoo now require such a certificate for the logo to actually be shown. Self-asserted BIMI without a certificate has “limited support across the various Mailbox Providers”.

Step-by-step guide

1. Tick off the prerequisites

First check with the free MXAudit scanner whether SPF, DKIM, and DMARC are clean and DMARC is at quarantine/reject. Without that, the rest is in vain.

2. Provide the logo as SVG Tiny PS

Convert your logo to the SVG Tiny PS profile and upload it to an HTTPS server (e.g. your IONOS webspace). Note the full HTTPS URL, e.g. https://example.com/logo.svg.

You get a VMC/CMC from a Mark Verifying Authority (e.g. DigiCert or Entrust). You receive a .pem file that you also serve over HTTPS.

4. Create the BIMI TXT record at IONOS

Open your domain’s DNS settings in the IONOS account (as with the SPF record: Menu → Domains & SSL → three dots → DNS) and create a TXT record:

  • Hostname: default._bimi
  • Type: TXT
  • Value: v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem

The basic scheme per the BIMI Group: default._bimi.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[PEM URL]". If you don’t (yet) have a certificate, you leave out the a= tag — it’s “currently optional”.

For comparison, a real, production record — this is what BIMI looks like at cnn.com:

v=BIMI1; l=https://amplify.valimail.com/bimi/time-warner/…cable_news_network_inc_….svg; a=https://amplify.valimail.com/bimi/time-warner/…_….pem

5. Wait and check

DNS changes take a few hours. Then check the record with the MXAudit scanner or the BIMI Inspector of the BIMI Group.

Common mistakes

BIMI without DMARC enforcement. By far the most common mistake: record set, but DMARC is on p=none. Then no inbox shows the logo. quarantine or reject is mandatory.

Wrong SVG format. A normal SVG isn’t enough — it must be the SVG Tiny PS profile, square. Other formats are rejected.

No VMC, yet expecting Gmail display. Without a VMC/CMC, the logo usually stays invisible at the large providers. For serious use there’s hardly a way around the certificate.

Logo not reachable over HTTPS. l= and a= must point to files publicly retrievable over HTTPS — HTTP or an internal path won’t work.

Further reading