DMARC + BIMI: Show Your Brand Logo in Gmail, Yahoo & Apple Mail (2026 Guide)

The reason BIMI matters in 2026 isn't really the aesthetics. It's the trust signal. Spoofing is cheap, AI-generated phishing is convincing, and customers are right to be suspicious of any email from a brand they recognize. A verified logo in the inbox is one of the few visual signals that survives the threat landscape, because it's gated by authentication you can't fake.

This guide covers what you actually need to set up BIMI in 2026, which inboxes render it (and which don't), how much it really costs, and the fastest way to get a logo into Gmail this quarter without learning XML or fighting with your DNS provider.

What is BIMI?

BIMI stands for Brand Indicators for Message Identification. It's an open standard that lets mail providers display your verified brand logo next to messages from your domain. It requires four things working together: DMARC at p=quarantine or p=reject, a BIMI-compliant SVG version of your logo, a DNS record pointing at that logo, and (for Gmail and Apple Mail) a Verified Mark Certificate proving you legally own the logo.

It builds on top of the work you've already done if you have DMARC running. BIMI doesn't add new authentication — it adds a visual layer on top of authentication that already exists.

Which inboxes actually show BIMI logos in 2026

Honest map of where BIMI works today and where it doesn't. The authoritative source is the BIMI Group's official mailbox provider list, maintained by the AuthIndicators Working Group that owns the standard.

Gmail is the strong yes. Full support across web, mobile, and desktop. Requires a Verified Mark Certificate for logo display, with the blue checkmark badge as a bonus for VMC-verified brands. As of 2025, Gmail also accepts Common Mark Certificates for logo display without the checkmark. Gmail is where most of the visible business value lives.

Yahoo Mail and AOL also support BIMI consistently. The bar is lower than Gmail — DMARC enforcement is required, but a VMC is not strictly necessary. A Common Mark Certificate works fine.

Apple Mail on iOS 16+, iPadOS 16+, and macOS Ventura+ supports BIMI. Requires a VMC. This covers most modern Apple devices but not older ones.

Fastmail supports BIMI with flexible requirements.

Other supporting providers on the official list include Comcast, La Poste, Zoho Mail, GMX, Web.de, KDDI, NTT docomo, Onet Poczta, Zone.ee, Zoner, and Cloudmark/Proofpoint. These vary in user base size, but the protocol works the same way across all of them.

Microsoft is the honest no. Outlook.com, Microsoft 365, Exchange Online, and the Outlook desktop and mobile apps do not support BIMI rendering. This is confirmed both by the BIMI Group's official list (Microsoft sits explicitly in the "Does not support BIMI" category) and by Microsoft's own Q&A documentation, which states: "Microsoft does not currently support BIMI rendering in Exchange Online or Outlook." Microsoft does support BIMI as a sender via Dynamics 365 Customer Insights – Journeys, but that only helps mail you send to Gmail and Yahoo recipients. Mail received by Outlook users will not display your logo.

A note on this. Many BIMI vendor pages in 2026 are vague or actively misleading about Microsoft support. Some hint at a "preview" or "coming soon" rollout. As of this writing, Microsoft has not published any roadmap commitment for BIMI rendering, and there's no public timeline. If your audience is primarily on Outlook and Microsoft 365 corporate inboxes, BIMI today won't show up where they're reading mail. That's a fact worth knowing before you spend $1,200 on a certificate.

So why set up BIMI at all if your audience uses Outlook? Two reasons. First, most brand audiences are mixed — even Outlook-heavy organizations have Gmail and Apple Mail recipients, and BIMI rewards you there immediately. Second, if Microsoft ever does ship BIMI rendering, you're already configured. The DMARC enforcement and the certificate take months to put in place, so doing them now means you're ready whenever the situation changes.

What you need to make BIMI work

Five things, in roughly the order you'll tackle them.

1. DMARC at p=quarantine or p=reject, with pct=100.

This is the hard prerequisite. BIMI does not work at p=none. Gmail in particular checks your DMARC policy when deciding whether to render your logo, and a p=none policy or a fractional pct value disqualifies you. If you're currently at p=none, the path to BIMI runs through the policy progression first.

You can check your current DMARC state with the free DMARC record checker. If you're not at p=quarantine yet, the practical timeline is six to eight weeks of monitoring reports and fixing your legitimate senders before you can move safely. There's no shortcut on this step.

Most BIMI vendors also recommend a 30-day "settling period" at enforcement before the logo will reliably render. Plan for that on top of the policy work.

2. A BIMI-compliant SVG logo.

BIMI requires a specific subset of SVG called "SVG Tiny PS" (SVG Tiny Portable/Secure). Most design tools don't export it natively, and the file your designer hands you almost certainly isn't compliant out of the box. The constraints:

File format:    SVG Tiny PS (subset of SVG 1.2 Tiny)
Max file size:  32 KB
Aspect ratio:   1:1 (square)
Background:     Solid color (no transparency)
Content:        Logo only, no taglines or text
Hosting:        HTTPS, publicly accessible

The painful part is the SVG editing. The BIMI spec requires removing certain attributes and content (the x= and y= attributes, scripts, external references), adding a <title> element with your brand name, and constraining the SVG namespace to a specific profile. This is not a designer task. It's a text-editor task done by someone who reads XML.

If your design team gives you a regular SVG, expect to spend an afternoon converting it, or use a service that does the conversion as part of setup.
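
One way to catch these problems before the file goes to a validator, as an added example (not code from the BIMI Group or any vendor): a Python check for the constraints listed above. The version="1.2" and baseProfile="tiny-ps" root attributes are the SVG Tiny PS profile markers; the function name, the sample logos and the assumption that the 1:1 ratio is declared through viewBox are this example's own.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
MAX_BYTES = 32 * 1024  # size limit from the constraints table

def check_bimi_svg(data: bytes) -> list[str]:
    """Return the problems found in an SVG; an empty list means none."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"{len(data)} bytes exceeds the 32 KB limit")
    # Parser hygiene for this example (not a BIMI rule): no DTDs or entities.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return problems + ["DOCTYPE/ENTITY present, refusing to parse"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG + "svg":
        return problems + ["root is not <svg> in the SVG namespace"]
    if root.get("version") != "1.2" or root.get("baseProfile") != "tiny-ps":
        problems.append('root needs version="1.2" baseProfile="tiny-ps"')
    for attr in ("x", "y"):
        if attr in root.attrib:
            problems.append(f"root <svg> must not carry {attr}=")
    title = root.find(SVG + "title")
    if title is None or not (title.text or "").strip():
        problems.append("missing non-empty <title> (brand name)")
    try:  # assumption: the 1:1 ratio is declared via viewBox="x y w h"
        _, _, w, h = map(float, root.get("viewBox", "").replace(",", " ").split())
        if w <= 0 or w != h:
            problems.append("viewBox is not square (1:1)")
    except ValueError:
        problems.append("viewBox must be four numbers")
    for el in root.iter():
        if el.tag == SVG + "script":
            problems.append("<script> element present")
        for key, ref in el.attrib.items():
            # href and xlink:href may only point inside the file ("#id")
            if key.endswith("href") and not ref.startswith("#"):
                problems.append(f"non-local reference: {ref}")
    return problems

# Constructed samples: one compliant logo, one typical design-tool export.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
        b'baseProfile="tiny-ps" viewBox="0 0 100 100"><title>Example Brand'
        b'</title><rect width="100" height="100" fill="#003366"/></svg>')
BAD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.1" x="0" y="0" '
       b'viewBox="0 0 200 100"><script>1</script>'
       b'<image href="https://cdn.example/logo.png"/></svg>')
```

Background colour and logo content still need a visual review; this only covers what can be read from the markup.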

3. A Verified Mark Certificate (or Common Mark Certificate).

This is what proves you legally own the logo. A VMC requires a registered trademark of the exact logo (not just the name — the visual mark itself) and costs roughly $1,200-$1,500 per year from authorized certificate authorities. As of 2026, those include DigiCert, GlobalSign, and SSL.com. Entrust exited the VMC market in early 2025. The VMC is required for Gmail's blue checkmark badge and for Apple Mail.

A CMC is the cheaper alternative — no trademark required, costs less (roughly $400-$700 per year), and works with Yahoo, AOL, Apple Mail, and Gmail (without the blue checkmark). The CMC was introduced by the BIMI Group in September 2024 specifically to lower the cost barrier for brands without registered trademarks. It relies on website archive verification instead of trademark registration.

Realistically: trademark registration takes 6-12 months if you don't already have one. If you're starting from scratch and want the VMC, plan around that. If you already own the trademark, the certificate itself takes 2-4 weeks to issue. CMC issuance is faster because the trademark step is skipped.

4. A BIMI DNS record.

This is the small part. You publish a TXT record at default._bimi.yourdomain.com that points at your hosted SVG and your certificate:

v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem

Two-line job for whoever manages your DNS. The hard parts are everything above this.

5. Test rendering.

After DNS propagation (24-48 hours), send a test email from your domain to a Gmail account, a Yahoo account, and an Apple Mail account. Verify the logo renders. The BIMI Group maintains a validator tool that catches most setup errors before they hit production.
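
Before the test send, the two TXT records from steps 1 and 4 can be checked against each other. The following is an added example, not part of any BIMI tool: it parses a DMARC record and a BIMI record and reports what would block the logo. The function names and sample records are constructed for illustration, and the record strings are passed in so the check runs offline.

```python
from urllib.parse import urlsplit

def parse_tags(txt: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(dmarc_txt: str, bimi_txt: str) -> list[str]:
    """Return blocking problems; an empty list means the records look ready."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            problems.append(f"DMARC p={policy or '?'} is not enforcement")
        pct = dmarc.get("pct", "100")  # pct defaults to 100 when omitted
        if pct != "100":
            problems.append(f"DMARC pct={pct}, must be 100")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        return problems + ["no valid BIMI record"]
    # a= is treated as required here because this guide targets Gmail
    # and Apple Mail, which need a certificate.
    for tag, what in (("l", "logo"), ("a", "certificate")):
        url = urlsplit(bimi.get(tag, ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"BIMI {tag}= ({what}) must be an https:// URL")
    return problems

# Constructed sample records (example.com is a placeholder domain).
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_REVERTED = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
BIMI_RECORD = ("v=BIMI1; l=https://example.com/logo.svg; "
               "a=https://example.com/vmc.pem")
```

Feed it the TXT values published at _dmarc.yourdomain.com and default._bimi.yourdomain.com; run on a schedule, it also flags a DMARC policy that has been reverted to p=none before the logo quietly disappears.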

Why most brands stall on BIMI

The list above looks tractable. The reality is that most brands that start the BIMI process don't finish, and it's the same three reasons every time.

The SVG editing breaks people. Designers don't speak SVG-Tiny-PS, IT teams don't speak design, and the file bounces back and forth between teams for weeks before someone gives up. A logo that looks fine in Figma fails the BIMI validator for reasons that aren't obvious from the error message.

The VMC trademark requirement traps people. Brands assume "we have a trademark" means "we have a registered design trademark for this exact logo." Usually they have a wordmark, or a registration in one country but not the country the VMC issuer requires. The discovery happens after the certificate is purchased, and the refund process is slow. The CMC option (released September 2024) has helped here, but only for brands that don't need Gmail's blue checkmark.

The DMARC policy isn't actually at enforcement. Marketing thinks DMARC is "done" because there's a record. The BIMI process surfaces that the policy is p=none, which means there's another six to eight weeks of monitoring work before BIMI can possibly work. This is the most common reason BIMI projects miss quarterly deadlines.

If any of this resonates, that's normal. BIMI is genuinely harder than the vendor brochures suggest.

Hosted BIMI: the practical shortcut

The case for doing BIMI yourself: you have an in-house design team that can produce SVG Tiny PS, an IT team that's comfortable with DNS and certificate management, and time to coordinate across both. If that's you, the steps above are the playbook.

The case for hosted BIMI: any of those pieces are missing, and you'd rather pay someone to handle the SVG conversion, host the logo, manage the certificate renewal, and produce the DNS record for you to paste in. For most SMB and mid-market brands, this is the realistic path.

A hosted BIMI service typically includes:

SVG conversion from whatever format your designer provided — Adobe Illustrator, regular SVG, even high-resolution PNG with manual tracing. The output is a BIMI-compliant SVG hosted on the service's CDN.

VMC or CMC procurement, with the service handling the certificate authority paperwork on your behalf and renewing annually.

DNS record generation — they hand you the exact TXT record to publish in your DNS provider.

Rendering validation across providers, and alerts when something breaks (the logo URL goes down, the certificate is about to expire, or DMARC drops below enforcement).

SimpleDMARC's hosted BIMI feature bundles this into the same dashboard that handles your DMARC monitoring, which matters because BIMI failures and DMARC failures are connected. If your DMARC drops to p=none (because someone reverted it during a deliverability investigation), your BIMI logo stops rendering in Gmail. Having both managed on one platform means the alert is one alert, not two systems fighting each other.

The cost comparison is usually the deciding factor. Enterprise BIMI setup through a consultant runs $3,000-$10,000 in setup fees plus ongoing annual certificate costs. A hosted BIMI service from a DMARC vendor is typically $30-$100 per month all-in, including the certificate. For brands below the $500K marketing-tech-stack threshold, hosted is the only path that pencils out.

When BIMI is worth it (and when it isn't)

BIMI is worth doing when:

You send marketing or transactional email to consumers, and brand recognition in the inbox matters for open rates. Reported lift varies — some studies show 4-10% improvement in open rates, others report higher. The exact number depends on your industry and how visually distinctive your logo is.

You've been the target of brand impersonation phishing, and you want a visual signal customers can use to distinguish your real emails from spoofs.

You're in a regulated or trust-sensitive industry (finance, healthcare, government) where the Gmail blue checkmark is a credible signal of legitimacy.

You're already at DMARC p=quarantine or p=reject, so the prerequisite is satisfied.

BIMI is probably not worth doing when:

You're a B2B SaaS company selling primarily to enterprise IT, and most of your recipients are on Microsoft 365. The logo won't render in Outlook inboxes, which is where most of your audience is reading mail. Revisit if Microsoft announces BIMI support.

You're still at DMARC p=none and don't have a plan to move to enforcement. Without that, BIMI cannot work, and the VMC investment is wasted.

Your annual marketing email volume is under 100,000 messages. The setup cost ($400+ for a CMC, $1,200+ for a VMC) is hard to justify at that scale.

Your logo isn't trademarked and you don't want to start that process. The CMC route is open to you, but you'll need to verify that your logo has been publicly displayed on your domain for at least 12 months.

Frequently asked questions

Does Outlook show BIMI logos?

No. Microsoft's email products — Outlook.com, Microsoft 365, Exchange Online, Outlook desktop, Outlook mobile — do not render BIMI logos. The BIMI Group's official mailbox provider list explicitly categorizes Microsoft as "Does not support BIMI." There is no announced timeline for Microsoft to add BIMI rendering. Brands with Outlook-heavy audiences will see BIMI logos display only for the portion of their recipients on Gmail, Yahoo, Apple Mail, and the other supporting providers.

How long does BIMI take to set up?

If you already have DMARC at p=reject, an SVG-compatible logo, and a registered trademark, the BIMI-specific work is two to four weeks (mostly VMC issuance time). If you're starting from p=none with no trademark, plan for six to twelve months end to end. The DMARC progression and the trademark registration are the long poles.

What's the difference between a VMC and a CMC?

A Verified Mark Certificate requires a registered trademark of the exact visual logo and unlocks Gmail's blue checkmark badge. A Common Mark Certificate doesn't require a trademark — it relies on archive verification showing the logo was publicly displayed on your domain for at least 12 months — and is roughly half the cost. CMCs display the logo in supported inboxes but don't get the Gmail badge. Choose VMC if Gmail badge visibility is part of the goal, CMC if it isn't.

Can I use BIMI without DMARC enforcement?

No. BIMI explicitly requires DMARC at p=quarantine or p=reject with pct=100. A record at p=none will not render BIMI logos in any supported provider. This is the most common reason BIMI setups fail.

How much does BIMI actually cost in 2026?

The certificate is the main recurring cost. VMCs run $1,200-$1,500 per year, CMCs $400-$700. Hosted BIMI services that bundle the certificate, SVG hosting, and DNS management typically charge $30-$100 per month. Doing it yourself adds internal engineering time (typically 10-20 hours initial setup, plus annual renewal).

What happens if my BIMI setup breaks?

Two failure modes. If the logo URL becomes unreachable or the certificate expires, the logo stops rendering and recipients see the default avatar — no email failure, just no logo. If your DMARC policy drops below enforcement (someone reverts to p=none during a deliverability fire drill), the logo stops rendering across all providers immediately. Monitoring both DMARC and BIMI together is the only way to catch this.

Which certificate authorities issue VMCs in 2026?

As of 2026, three CAs issue VMCs: DigiCert, GlobalSign, and SSL.com. Entrust previously issued VMCs but exited the market in early 2025 after Google removed trust in Entrust as a CA. Some resellers offer VMC procurement at lower prices than buying directly from the CA.

Get the logo in Gmail this quarter

If you're at DMARC p=quarantine or stronger and your logo is trademarked, you can have BIMI live in Gmail, Yahoo, and Apple Mail within four to six weeks. If you're not there yet, the DMARC work is the prerequisite and worth starting now regardless of BIMI.

The fastest path for most brands is hosted BIMI on a platform that also handles DMARC monitoring. SimpleDMARC's hosted BIMI feature covers SVG conversion, certificate procurement, DNS, and ongoing monitoring on the same dashboard as your DMARC reports. If you want to check where your domain stands first, sign up for free at simpledmarc.com and review your DMARC posture before deciding whether to add BIMI. No credit card, no sales call.