What is BIMI? The honest guide to logos in the inbox
BIMI displays your verified logo next to your emails in Gmail, Apple Mail and Yahoo. It is real, it works - and for most small UK businesses the costs outweigh the benefit. Here is the complete, honest picture, including what the certificates cost.
Brand Indicators for Message Identification (BIMI) is the most visible email standard ever created - it is literally the only one recipients can see. Set it up correctly and your logo appears beside your messages in Gmail, Apple Mail, Yahoo and other supporting inboxes, marking your mail as verified.
It is also the standard most prone to being oversold, because it is the only one with a glamorous payoff and a certificate industry attached. SealedMail checks BIMI as part of every health check, but does not sell BIMI certificates and has no stake in whether you buy one - so here is the complete picture, including the costs, and an honest view of who actually benefits.
What BIMI does
BIMI is a reward for finished homework. Once your domain’s email authentication is fully in order - and only then - you can publish a record pointing to your logo, and supporting mailbox providers will display it beside your authenticated messages.
The logic is sound: a logo is only worth displaying if the mail provably came from the brand. So the logo is not decoration; it is a visible signal that authentication passed. A fraudster spoofing your domain cannot display your BIMI logo, because their mail fails the authentication BIMI requires.
What BIMI requires - the full list
This is where enthusiasm usually meets reality. To display a logo in the inboxes that matter, you need all of the following:
1. DMARC at enforcement. Your Domain-based Message Authentication, Reporting and Conformance policy must be at p=quarantine or p=reject - monitoring mode (p=none) does not qualify. Done properly, this is itself a multi-week project for most organisations; see Getting to DMARC p=reject.
2. A logo in a strict format. Not a PNG, not your website’s SVG - a specific profile called SVG Tiny PS, square, with a solid background. Most organisations need their logo professionally converted.
3. A certificate, for the inboxes people use. Yahoo will display self-asserted logos without one, but Gmail and Apple Mail - the inboxes your customers are actually in - generally require a certificate proving you own the logo:
- A Verified Mark Certificate (VMC) requires a registered trademark for the logo, and typically costs in the region of £600-£1,400 per year, depending on issuer and reseller. A VMC is also what triggers Gmail’s blue verified tick.
- A Common Mark Certificate (CMC) removes the trademark requirement - you instead prove 12 months’ established use of the logo - at a somewhat lower annual cost (commonly around £500-£700), but it does not trigger Gmail’s blue tick.
Certificates come from a small set of approved issuers (DigiCert, Entrust, GlobalSign, Sectigo, SSL.com) and must be reissued roughly every 13 months - so this is an annual recurring cost, not a one-off.
4. A trademark, if you want the VMC. If your logo is not already registered, add trademark registration fees and a lead time that can run from several months to a year before the certificate can even be issued.
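To make the list above concrete, here is an added example (written for this article, not SealedMail's own health-check code) that reads a domain's DMARC and BIMI TXT records and classifies the domain into the three states the article uses: present and valid, present with issues, or absent. DNS lookups are replaced by a constructed in-memory zone of hypothetical domains so it runs offline; the record locations (_dmarc.<domain> and default._bimi.<domain>) and tags (v=, l=, a=, p=, pct=) are the standard ones.

```python
"""Check BIMI readiness from DMARC and BIMI TXT records (offline sample)."""

# Constructed sample zone: hypothetical domains, not real DNS answers.
ZONE = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "default._bimi.bank.example": "v=BIMI1; l=https://bank.example/logo.svg; a=https://bank.example/vmc.pem",
    "_dmarc.shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "default._bimi.shop.example": "v=BIMI1; l=https://shop.example/logo.png; a=",
    "_dmarc.firm.example": "v=DMARC1; p=quarantine; pct=100",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_status(domain, zone=ZONE):
    """Return (state, issues): state is 'valid', 'issues' or 'absent'."""
    bimi = zone.get(f"default._bimi.{domain}")
    if bimi is None:
        return "absent", []          # no record at all: a sound state for many domains
    issues = []
    tags = parse_tags(bimi)
    if tags.get("v", "").upper() != "BIMI1":
        issues.append("record does not declare v=BIMI1")
    logo = tags.get("l", "")
    if not logo.startswith("https://") or not logo.lower().endswith(".svg"):
        issues.append("l= must be an HTTPS URL to an SVG (Tiny PS) file, not PNG")
    if not tags.get("a"):
        issues.append("no a= certificate evidence: self-asserted only, Gmail/Apple will not display")
    dmarc = parse_tags(zone.get(f"_dmarc.{domain}", ""))
    policy = dmarc.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC p={policy} is not enforcement; the logo cannot display")
    elif dmarc.get("pct", "100") != "100":
        issues.append("DMARC pct below 100 leaves part of the mail stream unenforced")
    return ("valid" if not issues else "issues"), issues
```

Run `bimi_status("shop.example")` to see all three failure causes from the article (PNG logo, no certificate, p=none) reported at once.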
Who genuinely benefits
Vendor marketing cites open-rate uplifts from BIMI; treat those figures as vendor marketing rather than independent fact. The sober assessment is about scale and recognition:
BIMI earns its keep for high-volume, consumer-facing, recognisable brands - banks, retailers, airlines, large charities - organisations sending hundreds of thousands of messages to consumers who recognise the logo on sight, where impersonation at scale is a live threat and a visible verification mark measurably reassures.
For a small law firm, accountancy practice, GP surgery or local business, the arithmetic rarely works. Your clients already know you; your sending volume is modest; the recurring four-figure certificate cost buys a small badge in some inboxes. The trademark requirement alone excludes many small firms. And critically, BIMI adds no security beyond what DMARC enforcement - its prerequisite - already provides. The protection comes from p=reject; the logo is garnish.
That is why BIMI appears on SealedMail’s health check certificate as one item among seven, reported factually: present and valid, present with issues, or absent - with “absent” being a perfectly sound state for most of our customers.
The sensible sequence
- Get DMARC to enforcement, guided by monitoring - this is the security work, and it costs nothing but attention. (What is DMARC? covers the foundations.)
- Once at p=reject, then ask the BIMI question: are we a consumer-facing brand at a volume where inbox recognition has commercial value, and is a recurring annual certificate cost proportionate?
- If yes - typically the largest minority of our readers - proceed with the SVG conversion and certificate. If no, enjoy the fact that the security benefit was already banked at step 1.
Organisations that pursue BIMI before enforcement have the sequence backwards: the logo cannot display without the policy, and the policy is the part that protects anyone.
Where your domain stands
A BIMI record pointing at a malformed SVG, or published over a p=none policy, displays nothing - and we find both regularly. SealedMail’s Free Domain Health Check checks your BIMI status alongside SPF, DKIM, DMARC, MTA-STS, TLS-RPT and blacklisting, and emails you a scored, plain-English certificate. Free, no sign-up - and given this post’s subject, it bears repeating: no upsell. If BIMI is wrong for your organisation, the certificate will not pretend otherwise.