BIMI and VMC: the verified-logo upgrade worth doing properly

Imagine two emails sitting next to each other in someone's Gmail. Same sender name, same subject line, same time of arrival. One shows a grey circle with the letter O. The other shows your actual logo, plus a small blue checkmark beside your name — the same kind of checkmark Twitter used to charge for, except this one means "the email provider verified this sender owns the trademark on that logo." The recipient's eye lands on the second one first. Every time. That's what BIMI does, and that's the entire pitch — before any of the acronyms.

Two acronyms do the work. BIMI — short for Brand Indicators for Message Identification — is the standard that lets inbox apps display a logo next to your mail. A VMC — Verified Mark Certificate — is the document that proves the logo is genuinely yours, issued by a trusted third party against a registered trademark. Think of BIMI as the rail and the VMC as the proof of ownership riding on it. Together they convert authenticated mail into visibly branded, visibly trusted mail.

Support varies by inbox. Gmail has displayed BIMI logos since 2021, Apple Mail joined with iOS 16 / macOS Ventura, and Yahoo and Fastmail are on board. Microsoft Outlook is the holdout in 2026 — no logo display in Outlook regardless of what you set up. Apple Mail and Yahoo will technically show a self-asserted logo without a VMC; Gmail will not. Since Gmail is usually 40%+ of any consumer audience, running BIMI without a VMC in practice means giving up your largest reach.

Easiest way to understand it: see the same email rendered twice. Below, the first row shows what an unauthenticated or BIMI-less Orbit message looks like in Gmail — generic initial avatar, no verification mark, the visual default for anyone who hasn't done this work. The second row is what every Gmail user sees once BIMI and a VMC are live: the actual Orbit logo, plus the blue checkmark Google adds beside verified senders.

It's a small visual change. It's also the first thing a recipient sees, every send, on the device that decides whether to open. That's the entire pitch.

Worth being precise about the mechanism, because there's a lot of vendor-speak around this. Logos and checkmarks do not influence whether your mail lands in the inbox or the spam folder — that decision belongs to authentication and reputation, the invisible plumbing underneath. What BIMI does is convert a recipient's glance at the inbox list into recognition and reassurance. Three measurable effects:

Open-rate lift. Vendor case studies cluster around 5–10%. Independent measurement lands at 2–7%. Recognisable brands see the largest lift — which is the whole point of putting a logo there. For programs where the sender name alone doesn't earn instant recognition, the logo does the heavy lifting.

Phishing and impersonation defence. This is the underrated win and the reason regulated industries treat BIMI as table stakes. Once recipients learn to expect your logo and your blue checkmark, the absence of either becomes a flag. Lookalike domains and spoofed senders simply can't reproduce them — they'd need to pass DMARC (the policy that tells inbox providers "this mail really came from us") on your domain, which by definition they can't. Visible authentication for the recipient.

Lower complaint rates. Marginal but consistent. A familiar logo neutralises the "is this real?" reflex that drives some users to mark legitimate mail as spam. Fewer complaints feeds reputation, which feeds deliverability, which feeds opens. Indirect chain, but real.

Brand-side, the effect compounds. Every send reinforces the visual mark. Over a year, a high-volume program puts its logo in front of recipients tens of millions of times — paid attention you don't pay for.

Five things have to be true before the logo turns on. They're not equal in difficulty — the first one is usually the longest, and the last one is the easiest. People do them in the wrong order all the time and lose weeks. Here's the right sequence.

1. DMARC at enforcement. DMARC — Domain-based Message Authentication, Reporting and Conformance — is the policy you publish in DNS that tells inbox providers what to do with mail that fails authentication checks. It has three settings: p=none (monitor only, do nothing), p=quarantine (send failures to spam), and p=reject (refuse delivery entirely). BIMI requires quarantine or reject — known as "DMARC enforcement" — because the standard is designed to display a logo only for senders who've committed to actually rejecting forged mail in their name. For most programs this is the longest part of the project. It's also the part that delivers most of the deliverability upside even before BIMI goes live. Treat enforcement as the foundation it is, not an obstacle.

2. A compliant SVG logo. Specifically SVG Tiny PS — a stripped-down version of the SVG image format, where "PS" stands for Portable/Secure. Most brand logos need a quick rework before they'll pass: scripts, external references, raster fills, and certain filters are disallowed (for security reasons — an inbox provider can't safely render a logo that pulls content from arbitrary URLs). Budget a real design pass rather than a console export. The output is a single static SVG file you host at a public HTTPS URL.

3. A registered trademark on the logo. Required for the VMC. A certificate authority issuing your VMC has to verify you actually own the logo — and the cleanest legal proof of that is a trademark registration. If you don't already have one, kick off the registration alongside the SVG work; it takes 6–12 months in most jurisdictions. Word marks, distinctive logos, and stylised marks all qualify; generic shapes generally don't.

4. A Verified Mark Certificate. Issued by an authorised certificate authority — a CA, the same kind of organisation that issues the certificates behind https:// — against the registered trademark. Three CAs are authorised for VMCs in 2026: DigiCert, Entrust, and GlobalSign. Annual cost runs $1,000–$2,000 depending on CA and term length. Your chosen CA verifies the trademark, the SVG, and your control of the sending domain, then issues a PEM file (a text-format certificate file) that you host alongside the SVG.

5. The BIMI DNS record. A TXT record at default._bimi.yourdomain.com with two parameters: l= pointing at the SVG URL and a= pointing at the VMC URL. This is the easiest step. It's also the one everyone wants to do first; resist that. Without the four steps above it, the record displays nothing.

Cost is real, lift is real. The question is whether your program is in the shape where the lift earns the cost back. Four situations where the answer is clearly yes:

Recognisable consumer brands. If users would recognise your logo at a glance on a billboard or a phone home screen, BIMI converts that recognition into an open-rate signal in the inbox. Where the case studies cluster.

Programs where impersonation is a real threat. Financial services, healthcare, government, marketplaces, anything regulated. A blue checkmark is a meaningful defence against lookalike attacks because attackers cannot reproduce it. Once your audience expects it, its absence does the work.

Any program already at DMARC enforcement. Hard part is done. From there, BIMI + VMC is a 2–6 week project — SVG, trademark check, VMC procurement, DNS publish. Marginal cost is small and the visual lift is permanent.

High-volume senders. Fixed costs (VMC plus design) amortise over volume — meaning a flat annual fee gets cheaper per email the more emails you send. A program sending 5M+ emails a month puts its logo in front of recipients millions of times for a flat ~$1,500/year. Friendly arithmetic.

For more depth on the plumbing, the SPF/DKIM/DMARC guide covers the authentication fundamentals that sit underneath all of this — SPF and DKIM are the two checks DMARC enforces against — and the deliverability fundamentals guide covers the reputation and hygiene work that makes the whole thing pay back.

Programs that have their fundamentals in order are the ones BIMI rewards. Doing it before the foundation is set wastes money and time. Two cases where waiting is the right call:

DMARC isn't at enforcement yet. Don't treat BIMI as the forcing function for the DMARC project. Reaching enforcement involves discovery (finding every system that sends mail in your name), alignment cleanup (making sure each one passes the SPF and DKIM checks DMARC measures), third-party sender chasing (every CRM, support tool, and transactional service has its own setup), and gradual percentage rollout (turning on enforcement for 10% of mail, then 50%, then 100%). That's a real project on its own. Rushing it to chase a logo will break legitimate mail. Do DMARC properly first; BIMI is the natural next step once you're there.

Logos that can't reasonably be trademarked. A VMC requires a registered trademark. Where your mark is a generic shape, a single common letter, or otherwise difficult to register, the trademark project itself becomes the bottleneck. Usually the right answer is to evolve the brand mark to something registrable, then come back to BIMI on the other side.

Neither is a reason to abandon BIMI — they're reasons to sequence it correctly.

The order matters. Skipping or reordering steps adds weeks. This is the canonical sequence — the same one most CAs and ESP deliverability teams will walk you through.

1. Reach DMARC p=none with full reporting and monitor for at least 30 days to confirm authentication is correct and you've found every legitimate sending source. The reporting is what tells you which systems are sending mail in your name — most teams discover at least one they'd forgotten about.

2. Progress DMARC to p=quarantine pct=10, then pct=50, then pct=100, then to p=reject, monitoring at each step for collateral damage to legitimate mail. The pct= parameter — short for percentage — tells inbox providers to apply your enforcement policy to that fraction of failing mail and ignore the rest, so you can ramp gradually rather than going from zero to full enforcement overnight.

3. Alongside step 2, brief design on the SVG Tiny PS version of the logo and start trademark registration if you don't already have one. These are independent tracks; running them at the same time as DMARC enforcement keeps the overall timeline tight.

4. Once DMARC is at enforcement and the trademark is registered, purchase a VMC from DigiCert, Entrust, or GlobalSign. The CA validates the trademark, the SVG, and your domain control, then issues the certificate.

5. Host the SVG and the VMC PEM file on a public HTTPS URL. The URL has to be reachable by Gmail's and Apple's servers from anywhere on the internet — no firewall, no IP allowlist.

6. Publish the BIMI TXT record at default._bimi.yourdomain.com with l= and a= pointing at the two files.

7. Test with real Gmail and Apple Mail addresses. The logo and the blue checkmark should appear within 24–48 hours. The BIMI Group's validator is the easiest way to confirm the record and SVG are well-formed.

Total elapsed time from a standing start: 3 to 12 months, dominated by DMARC enforcement and trademark registration. From DMARC-already-enforced with a registered trademark: 2 to 6 weeks. Either way, every step has standalone value — DMARC enforcement is a deliverability win on its own, and the trademark is brand-protection work you'd want regardless.

The Deliverability Management skillsequences BIMI and VMC after authentication, reputation, and hygiene are healthy — not because they don't matter, but because the visible upgrade only earns its lift once the invisible plumbing is right. Get there in order, and the logo-in-the-inbox moment is the satisfying part of the project, not the frustrating one.