BIMI Setup Guide: Get Your Logo in Gmail & Apple Mail (2026)
BIMI setup from SVG prep to DNS — your logo in Gmail awaits.
By JustEmails Platform Team
BIMI Setup Guide: Get Your Logo in Gmail & Apple Mail (2026)
The first time I saw a brand logo next to a company's email in my inbox — not an avatar, their actual logo — I spent ten minutes trying to figure out how they did it. Turns out it wasn't magic. It was a DNS record I'd never heard of.
BIMI (Brand Indicators for Message Identification) lets you display your logo next to your emails in supported inboxes. Gmail shows it. Apple Mail shows it. Yahoo shows it. The catch: your email authentication has to be locked down first. No DMARC enforcement, no logo.
We're the JustEmails team — JustEmails is built by Velocity Digital Labs, and we've set up BIMI for a dozen VDL domains over the past year. This is the exact process we follow, including the parts that aren't obvious from the spec. If you're still setting up your domain's email infrastructure, start with our custom domain email setup guide first.
What You'll Have at the End
A working BIMI implementation where your brand logo appears next to emails you send — in Gmail (with VMC), Apple Mail, Yahoo Mail, and Fastmail (without VMC). You'll know exactly which clients require the $1,500/year certificate and which ones don't.
(Fair warning: the SVG conversion step took me longer than everything else combined. Twice.)
Prerequisites
Before you touch BIMI, you need these in place:
- DMARC at p=quarantine or p=reject — BIMI doesn't work with p=none. If you're still monitoring, finish your DMARC ramp to p=reject first.
- SPF and DKIM passing with alignment — BIMI inherits DMARC's authentication requirements. Both need to pass.
- A square logo in SVG Tiny PS format — Not standard SVG. Not PNG. Not JPEG. We'll cover conversion below.
- Access to your DNS — We'll use Cloudflare in this guide, but any DNS provider works.
- (Optional) A VMC certificate — Required for Gmail. About $1,500/year from DigiCert or Entrust. Apple Mail and Yahoo don't need it.
Step 1: Verify Your DMARC Policy
BIMI requires DMARC enforcement. Not monitoring — actual enforcement.
Check your current policy:
dig +short TXT _dmarc.yourdomain.com
You need to see either p=quarantine or p=reject. If you see p=none, stop here. BIMI won't work, and there's no workaround. Gmail, Apple Mail, Yahoo — they all check your DMARC record before even looking at BIMI.
Here's the thing: a lot of people try to rush BIMI setup before their DMARC is ready. Don't. We spent a week debugging "why isn't my logo showing" for a client before realizing they'd published BIMI with p=none still active. The logo literally cannot appear until DMARC is enforcing.
If you need to get from p=none to p=reject without breaking your email, that's a whole process — we wrote up the safe DMARC ramp separately.
Step 2: Create Your SVG Tiny PS Logo
This is where most people get stuck. I certainly did.
BIMI doesn't accept standard SVG files. It requires SVG Tiny PS (Portable/Secure) — a stripped-down version that removes scripting, external references, and anything that could be a security risk.
Requirements for your logo:
- Square aspect ratio — 1:1 exactly
- Centered design — the logo should work when cropped to a circle (Gmail does this)
- Solid background — transparency works but looks bad on dark mode
- No text that's critical — at 32px wide, text becomes unreadable
- File size under 32KB — most providers reject larger files
Honestly, this spec feels over-engineered for what's basically "show a small picture." But email security history is... well, email clients used to execute JavaScript in messages. So here we are.
To convert a standard SVG to SVG Tiny PS:
- Open your logo in a vector editor (Figma, Illustrator, Inkscape)
- Export as standard SVG
- Run it through Entrust's BIMI checker:
bimi.entrust.com/checker - The tool will flag disallowed elements — remove them manually or use their converter
Common elements you'll need to strip:
<script>tags (obviously)- External
xlink:hrefreferences <style>blocks (inline styles only)- Filters and effects that reference external resources
- Metadata from design tools
The converted file should start with:
<svg version="1.2" baseProfile="tiny-ps" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
That baseProfile="tiny-ps" is the giveaway. If it says anything else, receiving servers will reject it.
Step 3: Host Your Logo
Your SVG needs to be publicly accessible over HTTPS. The URL goes in your BIMI DNS record.
Hosting options:
- Your own domain —
https://yourdomain.com/bimi/logo.svg - CDN — Cloudflare R2, AWS S3 + CloudFront, etc.
- BIMI hosting services — some VMC providers include hosting
We host ours at /bimi/logo.svg on the root domain. Simple and you control it. (If you're comparing email hosting options that include BIMI-ready infrastructure, see our JustEmails vs Google Workspace comparison.)
Two requirements for the hosting:
- Valid HTTPS certificate — no self-signed certs, no expired certs
- Correct Content-Type header — must be
image/svg+xml
Test it:
curl -I https://yourdomain.com/bimi/logo.svg
Look for content-type: image/svg+xml in the response. If you see application/octet-stream or text/plain, fix your server config. BIMI validators will reject incorrect MIME types.
Step 4: Add the BIMI DNS Record
The BIMI record is a TXT record at default._bimi.yourdomain.com. The selector is default for most setups — you can use different selectors for different sending streams, but that's an edge case.
Without VMC (works for Apple Mail, Yahoo, Fastmail):
default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg"
With VMC (required for Gmail):
default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem"
In Cloudflare:
- Go to DNS → Records
- Click "Add record"
- Type: TXT
- Name:
default._bimi - Content: the BIMI string above
- TTL: Auto (or 3600)
- Save
That's it for the DNS side. Propagation is usually under 5 minutes with Cloudflare.
Verify it's live:
dig +short TXT default._bimi.yourdomain.com
You should see your BIMI record in the output.
Step 5: (Optional) Get a VMC Certificate for Gmail
Here's the honest take: VMC certificates cost around $1,500/year from DigiCert or Entrust. That's a lot of money for a small avatar. I get it.
But it's the only way to get your logo into Gmail inboxes. If most of your audience uses Gmail, it might be worth it. If your audience skews Apple or enterprise (Outlook, Fastmail), skip this — you'll still get BIMI benefits in those clients without paying the Gmail tax.
What VMC gets you:
- Logo display in Gmail (the biggest inbox by market share)
- Verified Mark indicator in supporting clients
- Trademark verification (they check you actually own the logo)
What VMC requires from you:
- A registered trademark for your logo (USPTO, EUIPO, etc.)
- A completed trademark verification process (takes 2-6 weeks)
- Annual renewal at $1,500/year
The process:
- Go to DigiCert or Entrust's VMC page
- Submit your trademark registration details
- Provide your SVG Tiny PS logo
- Complete their verification (they'll contact your trademark counsel)
- Receive a PEM file with your certificate
- Host the PEM at a public HTTPS URL
- Add the
a=parameter to your BIMI record
We went through DigiCert for our VDL domains. The verification took 3 weeks — mostly waiting on trademark confirmation. Annoying, but not difficult. Once you have the PEM file, the technical setup is the same as the non-VMC version. Just add the a= URL to your DNS record. (For context on how we manage email infrastructure across our 9 SaaS products, BIMI is part of the standard domain setup checklist.)
Step 6: Test Your BIMI Setup
Before you start emailing customers, verify everything works.
DNS check:
dig +short TXT default._bimi.yourdomain.com
Should return your BIMI record.
BIMI validators:
- BIMI Group Inspector:
bimigroup.org/bimi-generator - Entrust BIMI Checker:
bimi.entrust.com/checker - Valimail BIMI lookup:
valimail.com/bimi
These tools check your DNS record, fetch your logo, validate SVG compliance, and verify your DMARC policy. Any failures will show you exactly what's wrong.
Live email test:
Send an email from your domain to:
- A Gmail account (VMC required for logo)
- An Apple Mail account (no VMC needed)
- A Yahoo Mail account (no VMC needed)
Open the email. Look at the sender avatar. If you see your logo instead of the default initial — it's working. Finally.
One gotcha: Gmail caches sender information aggressively. If you've emailed that Gmail account before from this domain, the avatar might not update for days. Try a fresh Gmail account you've never emailed for the cleanest test. (I keep a throwaway Gmail just for this.)
Common Errors and Fixes
"BIMI record not found"
Your DNS record isn't propagated or the selector is wrong. Double-check you used default._bimi (not _bimi alone, not bimi). Wait 10 minutes and try again.
"SVG validation failed"
Your logo isn't SVG Tiny PS compliant. Run it through Entrust's checker — it'll tell you which elements are disallowed. Usually it's embedded fonts, external references, or the wrong baseProfile declaration.
"DMARC policy insufficient"
Your DMARC is still at p=none. BIMI requires p=quarantine or p=reject. No exceptions, no workarounds.
"Logo not displaying in Gmail"
Gmail requires VMC. Without the certificate, Gmail ignores BIMI entirely — no error, just silent fallback to the default avatar. If you have VMC and it's still not showing, check that the a= URL is correct and the PEM file is accessible.
"Logo displays in Yahoo but not Apple Mail"
Apple Mail requires the logo to work at small sizes and in both light and dark mode. If your logo is too detailed or has transparent backgrounds that look bad inverted, Apple may not display it. Simplify the design.
Which Clients Support BIMI in 2026
| Client | BIMI Support | VMC Required | Notes |
|---|---|---|---|
| Gmail | Yes | Yes | Displays as circular crop in sender avatar |
| Apple Mail | Yes | No | iOS 16+ and macOS Ventura+ |
| Yahoo Mail | Yes | No | One of the first adopters |
| Fastmail | Yes | No | Full support since 2023 |
| Outlook.com | Partial | Varies | Rolling out, inconsistent |
| Proton Mail | No | — | Not supported |
| Hey | No | — | Not supported |
Real talk: Gmail is where VMC matters. If you're not willing to spend $1,500/year, you can still get BIMI working in Apple Mail and Yahoo — which isn't nothing. Apple's market share on mobile is huge, especially if your audience skews US or affluent. And Hey and Proton not supporting it? Annoying, but their user bases are comparatively small. For agencies managing multiple client domains, flat-fee email hosting makes BIMI setup across many domains much more cost-effective.
Next Steps
Now that BIMI is live, your emails have visible brand identity in supporting inboxes.
A few things to keep in mind:
- Monitor your DMARC reports — if DMARC breaks, BIMI stops working immediately. No warning.
- Update your logo carefully — change the SVG at your hosted URL, not the DNS record. DNS caches stick around. HTTPS fetches update faster.
- Track VMC renewal — DigiCert and Entrust send reminders, but mark your calendar anyway. I've seen companies forget and lose their Gmail logo for a month.
For the DMARC foundation that makes this all work, our DMARC p=reject ramp guide walks through the safe path. And if you're setting up email for a new domain, the custom domain email guide covers SPF, DKIM, and DMARC from scratch.
Questions about BIMI or stuck on SVG validation? Reach out at support@justemails.app — we've seen the weird edge cases. The one where Illustrator's export adds a hidden <defs> block that breaks validation? Yeah, been there. And if you're weighing whether to send via SMTP relay or API for transactional emails, our SMTP vs API comparison breaks down when each makes sense.
Frequently Asked Questions
Do I need a VMC certificate for BIMI?
Not always. Gmail requires a VMC ($1,500/year from DigiCert or Entrust) to show your logo. But Apple Mail, Yahoo Mail, and Fastmail display BIMI logos without a VMC — they just need the SVG and DNS record. If your audience skews Apple or Yahoo, you can skip the VMC and still get brand visibility in those inboxes. Gmail users will see the default avatar instead.
Why isn't my logo showing in Gmail after BIMI setup?
Gmail has three requirements beyond the DNS record: your DMARC policy must be p=quarantine or p=reject (not p=none), you need a valid VMC certificate pointing to your logo, and your domain needs positive sender reputation. New domains or domains with spam complaints may not display logos even with perfect configuration. Check Google Postmaster Tools for reputation signals.
What image format does BIMI require?
BIMI requires SVG Tiny PS (Portable/Secure), not standard SVG. This is a restricted subset of SVG that strips scripting and external references. Your logo must be square, centered, and work at 128x128 pixels. Most designers export standard SVG — you'll need to convert it using a tool like bimi.entrust.com/checker or manually strip disallowed elements. JPEG and PNG will not work.
How long does BIMI take to appear after DNS propagation?
DNS propagates in minutes to hours, but logo display depends on receiving servers caching your BIMI record. Gmail and Yahoo may take 24-72 hours to start showing the logo after you've added the record and sent mail. If you're testing, send from the domain to a fresh Gmail or Yahoo account you haven't emailed before — cached sender data from before BIMI setup won't update immediately.
Try JustEmails
Unlimited custom domain email hosting for $49/year flat — unlimited domains, unlimited mailboxes, 10 GB storage, full IMAP/SMTP. Built for agencies, freelancers, and anyone managing email across more than one domain.