Why your BIMI logo isn't showing: DMARC enforcement, the TXT record, and a VMC
· bimi · dmarc · email · dns · branding
bimidmarcemaildnsbrandingIf your brand logo isn't appearing next to your messages in the inbox, BIMI is missing one of its three prerequisites: your DMARC policy must be at enforcement (p=quarantine or p=reject, never p=none) with adequate coverage; you need a default._bimi.<domain> TXT record pointing to a correctly formatted SVG logo; and for Gmail and Apple Mail you also need a Verified Mark Certificate (VMC) — or a Common Mark Certificate (CMC) — referenced in the record. Miss any one and the logo silently doesn't render; mailbox providers fail closed rather than show an unverified mark.
DMARC must be at enforcement
BIMI is built on top of DMARC, so it only activates once DMARC is actually protecting your domain. A policy of p=none is monitoring-only and does not qualify — you must publish p=quarantine or p=reject:
v=DMARC1; p=quarantine; rua=mailto:[email protected]
v=DMARC1; p=reject; rua=mailto:[email protected]
Providers also expect meaningful coverage, not a policy that exempts most mail. A p=quarantine; pct=10 essentially still leaves 90% unprotected, which won't satisfy BIMI. Get to full enforcement with passing alignment before expecting the logo.
The default._bimi TXT record
BIMI is discovered via a DNS TXT record at the default._bimi selector under your domain. It declares the logo location (l=) and, optionally, the certificate (a=):
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
The l= tag must point to an HTTPS URL serving the logo, and the logo has hard format rules: it must be SVG in the SVG Tiny Portable/Secure (SVG Tiny PS) profile — a restricted SVG subset, square aspect ratio, with a solid background, no scripts, no external references, and no raster embedding. A generic export from a design tool will not validate; it has to be the Tiny PS profile specifically.
The VMC (or CMC) for Gmail and Apple Mail
Some providers display a BIMI logo from the TXT record alone, but the major mailbox providers — including Gmail and Apple Mail — require a mark certificate that cryptographically attests you are authorized to use the logo. There are two kinds:
- A Verified Mark Certificate (VMC), which requires a registered trademark for the logo.
- A Common Mark Certificate (CMC), which covers logos that aren't trademark-registered (for example, an older prior-use mark).
Either is issued by an authorized certificate authority and referenced in the a= tag of the BIMI record. Without it, those providers reserve the slot but show their default avatar instead of your mark.
Common reasons the logo still doesn't appear
- DMARC is published but stuck at
p=none, or alignment is failing so the policy isn't effectively enforced. - The SVG isn't the SVG Tiny PS profile — wrong aspect ratio, has a transparent background, contains scripts, or references external assets.
- The
l=ora=URL isn't reachable over HTTPS, or the certificate has expired or doesn't match the logo. - You're checking in a provider that hasn't fetched the record yet — propagation and provider-side caching can take time after everything is correct.
Start by confirming DMARC is genuinely at enforcement; that's the single most common blocker.
Check your DMARC policy →Further reading
- What is DMARC? (and how to check if yours is configured correctly)
- DMARC is at p=reject but I'm still getting spoofed — why?
- BIMI specification — Brand Indicators for Message Identification (IETF draft, AuthIndicators Working Group)