Last updated: July 2026
In short: BIMI shows your brand logo next to your emails. After this guide you publish the
default._bimiTXT record for your Mailcow domain — and know the prerequisites: DMARC, a self-hosted SVG logo, a certificate.
Prerequisites
- A running Mailcow server
- DMARC at enforcement (
p=quarantineorp=reject) - Logo as SVG Tiny PS, reachable over HTTPS (your own web server)
- Optional, but in practice needed for display: a VMC/CMC
What is BIMI?
BIMI (Brand Indicators for Message Identification) is a TXT record that points to your brand logo. Gmail, Apple Mail, and Yahoo show it next to your authenticated emails. BIMI is not a security method of its own, but the visible reward for clean SPF, DKIM, and DMARC — the last step.
The real work isn’t in the record
When self-hosting you hold all the strings — but also all the tasks. The BIMI Group names the prerequisites clearly:
- DMARC at enforcement. Your policy must “be at enforcement on the organizational domain and subdomains” — a
p=noneor apctunder 100 “policies or ‘pct’ less than 100 percent are not accepted”. Mailcow’s DNS docs recommendp=rejectanyway; see DMARC for Mailcow. - SVG logo — you host it yourself. “Produce an SVG Tiny PS version of your official logo” — square. Mailcow provides no logo hosting; place the SVG file on your web server and make it reachable over HTTPS.
- VMC or CMC. In practice needed for display at Gmail & co. (“highly recommended, but Optional”). Self-asserted BIMI “records have limited support across the various Mailbox Providers”.
Step-by-step guide
1. Check the prerequisites
With the free MXAudit scanner you check SPF, DKIM, and DMARC — DMARC must be at quarantine/reject. When self-hosting, it’s also worth checking PTR and TLS.
2. Provide the logo and (optionally) certificate
Place the SVG Tiny PS over HTTPS (e.g. https://example.com/bimi/logo.svg), obtain a VMC/CMC, and also serve the .pem file over HTTPS.
3. Create the BIMI TXT record in your DNS zone
In your domain’s DNS zone, create a TXT record:
- Name:
default._bimi - Type:
TXT - Value:
v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem
Basic scheme per the BIMI Group: default._bimi.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[PEM URL]". Without a certificate you leave out a= — it’s “currently optional”. A real record (ebay.com):
v=BIMI1;l=https://vmc.digicert.com/….svg;a=https://vmc.digicert.com/….pem
4. Wait and check
After DNS propagation, check the record with the MXAudit scanner or the BIMI Inspector of the BIMI Group.
Common mistakes
Forgot the logo hosting. Mailcow doesn’t host your BIMI logo — the SVG file must sit on your own web server over HTTPS.
BIMI without DMARC enforcement. p=none isn’t enough; quarantine/reject is mandatory.
Wrong SVG format. Only SVG Tiny PS, square.
No VMC, expecting Gmail display. Without a certificate the logo usually stays invisible at the large providers.
Further reading
- BIMI Group: Implementation Guide (retrieved: July 10, 2026)
- BIMI Group: Creating an SVG logo (retrieved: July 10, 2026)
- Google Workspace Help: BIMI (retrieved: July 10, 2026)
