BIMI: the logo-in-the-inbox feature, and whether it's worth the effort
BIMI puts your brand logo in the sender column of supported inbox clients — a small but visible brand signal that your authenticated mail is genuinely from you. The setup requires DMARC enforcement, a compliant SVG logo, and (for most implementations) a Verified Mark Certificate that costs $1,000–$2,000/year. The brand impact is real but modest. Here's when it's worth the effort and when it's not.
Justin Williames
Founder, Orbit · 10+ years in lifecycle marketing
What BIMI is and isn't
BIMI is a DNS-based standard that lets email clients display your brand logo next to your mail in the inbox. Gmail (since 2021), Apple Mail (since iOS 16), Yahoo Mail, and Fastmail support it. Microsoft Outlook does not, as of 2026.
What BIMI is: a trust signal. The logo appears only when your mail passes DMARC enforcement, so a user seeing your logo has cryptographic confirmation that the mail is authentically from your domain.
What BIMI isn't: a deliverability improvement. It doesn't affect inbox placement. It's a display feature that runs on top of authenticated, already-delivered mail.
BIMI is branding, not deliverability. It makes your authenticated mail visibly yours. That's valuable but it's not going to fix a deliverability problem — and it requires you to have good deliverability fundamentals before it'll work at all.
What BIMI requires
1. DMARC with enforcement. Your DMARC policy must be p=quarantine or p=reject, not p=none. For most programs, getting to enforcement is the longest part of the BIMI project — it requires a DMARC deployment that doesn't break legitimate mail.
2. A compliant SVG logo. Specifically SVG Tiny PS (profile Portable/Secure). Most brand logos need reworking to meet the spec — certain SVG features (scripts, external references, some filters) are disallowed. Expect a brand / design project to produce the compliant file.
3. A Verified Mark Certificate (VMC) for Gmail. Gmail specifically requires a VMC for BIMI to display. VMCs are issued by a handful of certificate authorities (DigiCert, Entrust, GlobalSign) and require a trademark on the logo (registered, in most relevant jurisdictions). Cost: $1,000–$2,000/year.
4. DNS configuration. A BIMI DNS record pointing to the SVG file and the VMC. Standard TXT record; the hard parts are the three items above, not the DNS.
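A partial lint for the logo rules in item 2, as an added example that is not the author's or any certificate authority's tooling. It flags scripts and external references, plus the root-element markers of the Tiny PS profile (`baseProfile="tiny-ps"`, `version="1.2"`, a `<title>` child); both SVG documents are constructed samples, and a clean result here does not replace a full Tiny PS validator.

```python
# Added example: partial SVG Tiny PS lint. Both SVG documents are constructed.
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml

SVG_NS = "http://www.w3.org/2000/svg"

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def tiny_ps_findings(svg_text):
    """Return a list of reasons the SVG would fail the checks covered here."""
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    findings = []
    if root.get("baseProfile") != "tiny-ps":
        findings.append('root <svg> needs baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        findings.append('root <svg> needs version="1.2"')
    if root.find(f"{{{SVG_NS}}}title") is None:
        findings.append("root <svg> needs a <title> child")
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("<script> element is not allowed")
        for attr, value in el.attrib.items():
            if local(attr) == "href" and not value.startswith("#"):
                findings.append(f"href on <{tag}> points outside the file: {value}")
            elif local(attr).startswith("on"):
                findings.append(f"event handler {local(attr)} on <{tag}>")
    return findings

# Constructed sample: a typical design-tool export before rework.
EXPORTED = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" viewBox="0 0 64 64">
  <script>init()</script>
  <use xlink:href="https://cdn.example.com/sprite.svg#mark"/>
  <circle cx="32" cy="32" r="30" fill="#123456"/>
</svg>"""

# Constructed sample: the same mark after rework.
REWORKED = """<svg xmlns="http://www.w3.org/2000/svg" version="1.2"
     baseProfile="tiny-ps" viewBox="0 0 64 64">
  <title>Example Co</title>
  <circle cx="32" cy="32" r="30" fill="#123456"/>
</svg>"""

if __name__ == "__main__":
    for name, svg in (("exported", EXPORTED), ("reworked", REWORKED)):
        print(name, tiny_ps_findings(svg) or "no findings")
```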
The effort-to-impact ratio
Measured effects of BIMI on performance:
Open rate: 5–10% lift reported in vendor case studies; independent measurement shows 2–7%. The effect is larger for brands where the logo adds meaningful recognition over text-only sender display.
Brand trust signals: anecdotal but consistent. Users report higher trust and lower spam-reporting intent when a recognisable logo appears.
Complaint rate: marginally lower, because the logo provides an authenticity signal that reduces the "this looks like phishing" instinct.
When BIMI is worth it
Large, recognisable brands. Brands with logos users actually recognise get the most from BIMI — the visual brand asset is a real signal. Smaller or less-recognised brands gain less.
Programs with high deliverability stakes. Financial services, healthcare, government, commerce at scale — any sender where phishing impersonation is a real threat. BIMI is a small but meaningful defence against lookalike attacks.
Programs already at DMARC enforcement. If you're already at p=quarantine or p=reject, BIMI adds relatively little marginal effort — just the SVG and VMC work. Programs not yet at enforcement should prioritise DMARC enforcement first for its own sake; BIMI is a downstream benefit.
The SPF/DKIM/DMARC guide covers authentication fundamentals; BIMI sits on top of all three.
When BIMI isn't worth it
Programs without DMARC enforcement. Don't chase BIMI as a way to get DMARC done. If authentication is a distant future, BIMI is too. Focus on the authentication fundamentals.
Low-volume programs. A 5% open-rate lift on 100K sends/month is ~5K additional opens. Worth maybe $500–$5,000 in incremental value depending on per-open economics. VMC alone costs $1,500/year; BIMI might not pay for itself at low volume.
Programs with brand logos that can't easily be trademarked. A VMC requires a registered trademark in most cases. If your logo isn't trademarked and trademarking is complex (common phrases, generic design), the trademark project is a bigger cost than BIMI itself.
Implementation sequence
If you've decided to pursue BIMI, the order of operations:
1. Get to DMARC p=none and monitor reports for 30+ days to ensure authentication is correct.
2. Progress DMARC to p=quarantine pct=10, then pct=50, then pct=100, monitoring at each step.
3. Once at p=quarantine pct=100 or p=reject, work on the SVG. Designers produce a Tiny PS compliant version.
4. Trademark the logo if not already; wait for the registration (can take 6–12 months depending on jurisdiction).
5. Purchase VMC from a certificate authority.
6. Publish BIMI DNS record pointing at the SVG and VMC URLs.
7. Test with a Gmail address and an Apple Mail address to confirm the logo appears.
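The checks behind steps 2, 3 and 6, as an added example rather than code from the author or any mailbox provider: it parses the TXT records published at `_dmarc.<domain>` and `default._bimi.<domain>` and reports what still blocks logo display. The records and the `example.com` URLs are constructed; in practice you would paste in the output of your own DNS lookup.

```python
# Added example: offline BIMI readiness check. All records below are constructed.
from urllib.parse import urlparse

def parse_tags(txt):  # 'tag=value; tag=value' -> dict keyed by lowercased tag
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_problems(txt):
    """Check the TXT record at _dmarc.<domain> for the enforcement BIMI needs."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # DMARC treats a missing pct as 100
    if policy not in ("quarantine", "reject"):
        return [f"DMARC: p={policy or '(missing)'} is not enforcement"]
    if policy == "quarantine" and pct != "100":
        return [f"DMARC: p=quarantine is at pct={pct}, rollout must reach pct=100"]
    return []

def bimi_problems(txt):
    """Check the TXT record at default._bimi.<domain> (l= logo, a= certificate)."""
    tags = parse_tags(txt)
    if tags.get("v") != "BIMI1":
        return ["BIMI: record does not start with v=BIMI1"]
    problems = []
    for tag, what in (("l", "SVG logo"), ("a", "VMC")):
        url = tags.get(tag, "")
        if not url:
            note = " (Gmail will not show the logo)" if tag == "a" else ""
            problems.append(f"BIMI: {tag}= is empty, no {what} URL{note}")
        elif urlparse(url).scheme != "https":
            problems.append(f"BIMI: {tag}= must be an https URL, got {url}")
    return problems

def readiness(dmarc_txt, bimi_txt):
    return dmarc_problems(dmarc_txt) + bimi_problems(bimi_txt)

# Constructed records for a hypothetical example.com: mid-rollout, then finished.
MID_ROLLOUT = ("v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
               "v=BIMI1; l=https://example.com/logo.svg; a=")
FINISHED = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
            "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem")
if __name__ == "__main__":
    print(readiness(*MID_ROLLOUT), readiness(*FINISHED) or "ready")
```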
The Deliverability Management skill covers BIMI as a step-5 item, implemented after the basics (authentication, reputation monitoring, hygiene) are healthy. It's a brand-and-trust enhancement, not a foundation piece.
Frequently asked questions
- Is BIMI worth the cost?
- For large recognisable brands sending high volume, yes — the brand signal and modest engagement lift justify the $1,500–$3,000/year in VMC and related costs. For smaller programs or brands without strong logo recognition, the ROI is less clear. Prioritise deliverability fundamentals first; BIMI is a polish item, not a foundation.
- Do I need a Verified Mark Certificate?
- For Gmail specifically, yes. Other supporting clients (Apple Mail, Yahoo) can use a self-asserted BIMI record without a VMC — less work, but you'll get no logo display in Gmail. Gmail is 40%+ of most audiences, so skipping the VMC substantially reduces BIMI's reach.
- How long does BIMI setup take?
- If you're already at DMARC enforcement: 2–6 weeks (SVG production, VMC acquisition, DNS). If you're not: months — DMARC enforcement is usually the longest part. Full timeline from 'we want BIMI' to 'logo appears in Gmail' is often 3–12 months depending on existing authentication posture.
- Can I use any logo for BIMI?
- No — SVG must be Tiny PS compliant (a subset of SVG with security restrictions), and must match your trademarked logo closely for VMC approval. Brand colour variants, text logos, and composite marks often need simplification. Plan for a design iteration pass.
- Does BIMI improve deliverability?
- Not directly. BIMI is a display feature, not a filtering signal. It affects how authenticated mail appears once delivered, not whether it's delivered. However, the underlying DMARC enforcement required for BIMI does improve authentication confidence, which indirectly helps deliverability for most programs.
- What if my DMARC enforcement breaks legitimate mail?
- This is the main reason DMARC deployment is slow. Mail sent from unauthenticated sources (third-party tools, HR systems, legacy applications) will start getting quarantined or rejected. The DMARC rollout should include a discovery phase (DMARC reports) to identify all legitimate sending sources and authenticate them before moving to enforcement.