BIMI and Common Mark Certificates: Display Your Brand Logo Without a Trademark

hangrydev ·

Your Email Looks Like Every Other Email

Your transactional emails land in Gmail next to phishing attempts, promo blasts, and messages from domains registered yesterday. There’s no visual indicator that your domain is legitimate. No logo. No brand presence. Just a grey initial in a circle.

BIMI changes that. Brand Indicators for Message Identification puts your logo next to every email you send in supporting inboxes. Gmail, Apple Mail, Yahoo. Your recipients see your brand before they open the message.

The catch? BIMI traditionally required a Verified Mark Certificate (VMC), which required a registered trademark. That means filing with the USPTO or EUIPO, waiting 12-18 months for approval, and paying $1,500+ in legal fees before you even buy the certificate. For a startup shipping a SaaS product, that’s a non-starter.

Common Mark Certificates (CMCs) skip the trademark requirement entirely. If your logo has been in use for 12 months, you qualify. DigiCert and Sectigo both issue them. They validate domain ownership and logo usage, not trademark registration. That’s the unlock for most dev teams.

What BIMI Actually Does

BIMI is a DNS-based standard. You publish a TXT record that points to your logo file and (optionally) a certificate. When a receiving mail client gets your message, it checks your BIMI record, verifies your DMARC policy passes alignment, and displays the logo.

The logo shows up in two places: the inbox list view and the message header. On mobile Gmail, it replaces the grey sender initial. Apple Mail renders it in the sender’s avatar slot.

Here’s what the spec requires before any logo appears:

  1. DMARC record with p=quarantine or p=reject (not p=none)
  2. SPF and DKIM passing with proper alignment
  3. A valid SVG Tiny PS logo hosted at a public HTTPS URL
  4. A BIMI TXT record at default._bimi.yourdomain.com

Miss any of these and the logo doesn’t render. No error message. No fallback. Just the grey circle again.

VMC vs CMC: What’s Different

A Verified Mark Certificate requires your logo to be a registered trademark. That means it exists in an official registry (USPTO, EUIPO, CIPO, or equivalent). The Certificate Authority checks the registration, confirms you own it, and issues the certificate. The process takes 2-4 weeks after you already have the trademark. VMCs cost around $1,500-1,600/year from DigiCert directly, though resellers offer lower prices.

A Common Mark Certificate requires proof that you’ve used the logo for at least 12 months. No trademark registration. The CA verifies domain ownership, validates your organization, and confirms the logo has been publicly associated with your brand (they check archive.org and public records). CMCs issue in 5-10 business days and cost roughly $1,100-1,250/year depending on the provider.

The one functional difference in Gmail: VMCs display a blue checkmark next to your avatar. CMCs display the logo without the checkmark. Both display the logo. The checkmark is nice but not necessary for brand recognition in the inbox.

Should you care about the checkmark? For most SaaS teams, no. Your users recognize your logo. They don’t look for a tiny blue check. The logo alone increases trust and open rates. A 2021 Red Sift and Entrust study found that BIMI logos increased brand recall by up to 44%, purchase likelihood by 34%, and open rates by 21% across tested campaigns.

The DNS Record

Your BIMI record is a TXT record at a specific subdomain. Here’s the format:

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a=https://yourdomain.com/brand/certificate.pem"

Three tags:

  • v=BIMI1 is the version. Always this value.
  • l= points to your SVG logo file. Must be HTTPS. Must return Content-Type: image/svg+xml.
  • a= points to your certificate PEM file. Optional for Yahoo and Fastmail. Required for Gmail and Apple Mail.

If you don’t have a certificate yet, you can publish the record without the a= tag. Yahoo and Fastmail will still display your logo (self-asserted BIMI). Gmail and Apple Mail won’t.

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a="

Verify your record propagated:

dig TXT default._bimi.yourdomain.com +short
# Expected: "v=BIMI1; l=https://..."

SVG Tiny PS: The Format Nobody Uses

BIMI doesn’t accept regular SVGs. It requires SVG Tiny 1.2 PS (Portable/Secure), a restricted profile that strips out anything that could execute code or load external resources.

Here are the hard requirements:

The root <svg> element must include version="1.2" and baseProfile="tiny-ps". The viewBox must be square (e.g., 0 0 100 100). The file must be under 32KB. And a long list of elements are forbidden: <script>, <image>, <animate>, <filter>, <style>, <a>, <foreignObject>, <mask>, <pattern>, <symbol>, and <marker>.

Inkscape won’t help you here. It exports SVG 1.1 by default and doesn’t support the Tiny PS profile natively. Illustrator is the same story.

Your best bet is to design your logo in whatever tool you prefer, export a clean SVG, then convert it. Here’s a minimal compliant file:

<?xml version="1.0" encoding="UTF-8"?>
<svg version="1.2" baseProfile="tiny-ps"
     xmlns="http://www.w3.org/2000/svg"
     viewBox="0 0 100 100" width="100" height="100">
  <title>YourBrand Logo</title>
  <rect width="100" height="100" fill="#2563EB"/>
  <text x="50" y="60" text-anchor="middle"
        font-size="40" fill="#FFFFFF" font-family="sans-serif">YB</text>
</svg>

That’s a placeholder. Your real logo will be more complex. But the structure is what matters: correct version, correct baseProfile, square viewBox, no forbidden elements.

Two conversion paths that work:

  1. The AuthIndicators working group’s SVG conversion tools on GitHub (authindicators/svg-ps-converters) process your SVG and strip forbidden elements automatically.
  2. EasyDMARC and CaptainDNS both offer free online converters that output compliant Tiny PS files.

After conversion, validate the output. The BIMI Group’s inspector at bimigroup.org/bimi-generator checks your BIMI DNS record format and DMARC enforcement. For SVG validation, use a dedicated checker like the URIports BIMI Validator or EasyDMARC’s BIMI Lookup tool.

Getting the Certificate

For a CMC from DigiCert (Sectigo also issues CMCs), here’s the process:

  1. Create a DigiCert CertCentral account
  2. Submit a CMC order with your domain, organization details, and logo SVG
  3. DigiCert verifies domain ownership (DNS or email challenge, same as any SSL cert)
  4. DigiCert validates your organization exists (business registry check)
  5. DigiCert confirms logo usage for 12+ months (they check archive.org and public records)
  6. Certificate issues in 5-10 business days as a PEM file

Host the PEM file at a stable HTTPS URL. This is the URL you put in the a= tag of your BIMI record. Don’t put it behind authentication or a CDN that might change the URL.

One gotcha: the logo you submit to the CA must match the SVG in your BIMI record. If you update your logo, you need a new certificate.

Testing Your Setup

Before you wait for the certificate, verify everything else works.

Check DMARC enforcement

Your DMARC policy must be p=quarantine or p=reject. If you’re still at p=none, BIMI won’t activate. The DMARC enforcement guide walks through the full progression from p=none to p=reject.

dig TXT _dmarc.yourdomain.com +short
# Must contain p=quarantine or p=reject

Validate SPF and DKIM alignment

Send a test email to a Gmail address. Open raw headers (“Show original” in Gmail). Look for:

SPF: PASS
DKIM: PASS
DMARC: PASS

All three need to pass. DMARC failing means your logo won’t display even if every other BIMI requirement is met. The SPF DKIM DMARC alignment details matter here because BIMI has zero tolerance for authentication failures.

Check the BIMI record

dig TXT default._bimi.yourdomain.com +short

Validate the SVG

Use a BIMI SVG validator like EasyDMARC’s BIMI Lookup, the URIports BIMI Validator, or VerifyBIMI. Upload your SVG and it’ll flag any Tiny PS violations. Common failures: file over 32KB, missing baseProfile="tiny-ps", embedded <image> elements referencing external PNGs.

Send and verify

After everything is in place, send an email to a Gmail account. Don’t check immediately. BIMI logo display can take 24-48 hours to propagate after DNS changes. Google caches BIMI lookups aggressively.

Who Supports What

Not every inbox shows BIMI logos. Here’s where things stand as of early 2026:

Gmail displays logos with either a VMC or CMC. The blue checkmark only appears with VMC. CMC shows the logo without the checkmark. Gmail requires a certificate; logo-only BIMI records (no a= tag) don’t work.

Apple Mail on iOS 16+ and macOS Ventura+ supports BIMI but requires a certificate (VMC or CMC). Self-asserted BIMI records without a certificate won’t display logos in Apple Mail.

Yahoo Mail and Fastmail support BIMI logos without requiring a certificate (self-asserted BIMI), though they recommend one.

Microsoft Outlook doesn’t support BIMI at all. Not Outlook.com, not Hotmail, not the desktop client. Despite Microsoft’s bulk sender requirements tightening on authentication, they haven’t adopted BIMI.

Overall BIMI adoption is still low. Only about 4.6% of domains have valid BIMI records, according to a 2025 Validity analysis. But BIMI DNS record adoption jumped 28% year-over-year according to URIports’ analysis of the top million domains. The standard is gaining traction, especially now that CMCs removed the trademark barrier.

The Realistic Path for a Dev Team

You’re running a SaaS product. You send transactional emails (password resets, notifications, receipts). You’ve already got DMARC configured because Gmail and Yahoo require it. Here’s what BIMI adds to that foundation.

Week 1: Design or export your logo as a clean SVG. Convert it to Tiny PS format. Host it at a stable HTTPS URL. Publish your BIMI record without a certificate. Yahoo and Fastmail will start showing your logo.

Week 2: Order a CMC from DigiCert. Submit domain verification and logo validation. Wait for issuance.

Week 3: Receive the PEM file. Host it. Update your BIMI record with the a= tag. Gmail and Apple Mail start displaying your logo within 24-48 hours.

Total cost: $1,100-1,250/year for the CMC. No trademark lawyers. No 12-month registration wait. No legal review of logo variations.

That’s the whole path. DMARC enforcement gets your email delivered. BIMI gets your logo displayed. CMC gets you there without a trademark. And an email validation API makes sure you’re only sending to inboxes that exist in the first place.

We use cookies to process payments and improve your experience. By using MailCop, you agree to our use of cookies in accordance with our Privacy Policy.