Last updated: July 2026
In short: BIMI shows your brand logo next to your emails. After this guide you publish the
default._bimiTXT record at your domain’s DNS provider — and know the prerequisites: DMARC, SVG logo, certificate.
Prerequisites
- A Microsoft 365 tenant with a custom domain
- Access to your domain’s DNS management (at the domain host — not in the M365 portal)
- DMARC at enforcement (
p=quarantineorp=reject) - Logo as SVG Tiny PS and a VMC
What is BIMI?
BIMI (Brand Indicators for Message Identification) is a TXT record that points to your brand logo. Supporting inboxes — including Outlook/Microsoft as well as Gmail, Apple Mail, and Yahoo — show it next to your authenticated emails. BIMI is not a security method of its own, but the visible reward for clean SPF, DKIM, and DMARC — the last step.
The real work isn’t in the record
As with SPF and DKIM: the BIMI record is created not in the Microsoft 365 portal, but at your domain’s DNS provider. The BIMI Group names the prerequisites clearly:
- DMARC at enforcement. Your policy must “be at enforcement on the organizational domain and subdomains” — a
p=noneor apctunder 100 “policies or ‘pct’ less than 100 percent are not accepted”. For Microsoft 365 domains Microsoft recommends progression torejectanyway — see DMARC for Microsoft 365. - SVG logo. “Produce an SVG Tiny PS version of your official logo” — square, over HTTPS.
- VMC. In practice mandatory for display at Microsoft and Gmail (“highly recommended, but Optional” per the BIMI Group). Self-asserted BIMI “records have limited support across the various Mailbox Providers”.
Step-by-step guide
1. Check the prerequisites
With the free MXAudit scanner you check SPF, DKIM, and DMARC — DMARC must be at quarantine/reject.
2. Provide the logo and certificate
Place the logo as SVG Tiny PS over HTTPS; obtain a VMC from a Mark Verifying Authority (DigiCert, Entrust) based on your registered trademark, and serve the .pem file over HTTPS.
3. Create the BIMI TXT record at the domain host
At your domain’s DNS provider, create a TXT record — where exactly is shown in our host guides, e.g. IONOS, Strato, or Netcup:
- Hostname:
default._bimi - Type:
TXT - Value:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
Basic scheme per the BIMI Group: default._bimi.[domain] IN TXT "v=BIMI1; l=[SVG URL]; a=[PEM URL]". A real record (ebay.com):
v=BIMI1;l=https://vmc.digicert.com/….svg;a=https://vmc.digicert.com/….pem
4. Wait and check
After DNS propagation, check the record with the MXAudit scanner or the BIMI Inspector of the BIMI Group.
Common mistakes
Looked for the record in the M365 portal. BIMI is pure DNS — the record belongs at the domain host, not in the Microsoft portal.
BIMI without DMARC enforcement. p=none isn’t enough; quarantine/reject is mandatory.
Wrong SVG format. Only SVG Tiny PS, square.
No VMC. Without a certificate the logo usually stays invisible at Microsoft and Gmail.
Further reading
- BIMI Group: Implementation Guide (retrieved: July 10, 2026)
- BIMI Group: Creating an SVG logo (retrieved: July 10, 2026)
- Google Workspace Help: BIMI (retrieved: July 10, 2026)
