Gmail blue checkmark · Apple Mail logo · 5 CAs supported · 397-day renewal management

A BIMI deployment that survives the URIports audit, not just the initial DNS publish.

URIports analysis published in 2025 found 53.6 percent of BIMI records contain at least one error preventing the logo from displaying. Validity 2025 survey traced approximately 84 percent of BIMI failures to DMARC still at p=none, the prerequisite that brands publish a BIMI record without first completing. The other 16 percent split across SVG that does not conform to Tiny Portable Secure, expired or domain-mismatched certificate, and alignment errors between BIMI domain and DMARC organizational domain. BIMI itself is not a hard standard to deploy. The technical chain has four layers and any one of them breaks silently. EMP runs the four layers end-to-end for brands sending to Gmail, Apple Mail, Yahoo Mail, and Fastmail audiences: DMARC migration to enforcement if needed, SVG Tiny P/S preparation under the 24-32 KB ceiling, certificate procurement across DigiCert, Entrust, Sectigo, GlobalSign or SSL.com, DNS publication and ongoing renewal against the 397-day VMC validity window.

BIMI discovery See the 4-layer chain
53.6%BIMI records have errors
URIports 2025 analysis
84%failures from DMARC p=none
Validity 2025 survey
$749-$1,688VMC annual range
Sectigo to DigiCert/Entrust
397dVMC max validity
CA/Browser Forum requirement
The four-layer BIMI chain · break one and the logo silently disappears

A BIMI deployment lives or dies on its weakest layer.

BIMI is sometimes described as a "DNS record" which dramatically understates the engineering. The actual chain involves four sequential layers with strict dependencies. Layer 1 (DMARC enforcement) is the prerequisite gate; without it nothing else works. Layer 2 (SVG Tiny P/S) determines whether the logo file is accepted by the validating CA. Layer 3 (certificate) provides the cryptographic binding between logo and domain. Layer 4 (DNS publication plus HTTPS hosting) is where the receiver looks. If any layer breaks, the logo stops displaying with no user-visible error. The diagram below maps the chain with failure modes per layer.

BIMI deployment chain · 4 layers · failure mode per layer

Each layer must pass · break any one and the logo stops displaying

Production architecture
01 DMARC ENFORCEMENT ──────── p=quarantine or p=reject on org domain SPF + DKIM align FAILURE: 84% of BIMI errors 02 SVG TINY P/S PREPARATION ──────── ≤24-32 KB Square 600×600 No scripts/fonts Solid background FAILURE: format non-compliance 03 VMC OR CMC CERTIFICATE ──────── 5 CAs available VMC: trademark CMC: prior use PEM via HTTPS FAILURE: expired or domain mismatch 04 DNS + HTTPS HOSTING ──────── default._bimi v=BIMI1 l= SVG URL a= PEM URL FAILURE: alignment, HTTP Result: Gmail blue checkmark (VMC) or logo (CMC) · Apple Mail logo (VMC only) · Yahoo + Fastmail logo Microsoft 365 / Outlook does NOT support BIMI as of 2026

One operational point worth emphasizing for senders that have already published a BIMI record but see no logo in Gmail or Apple Mail. The most common diagnosis is not the BIMI record itself but the underlying DMARC state. Gmail will not even attempt logo lookup if the sender domain is at p=none. The fix is not "fix the BIMI record" but "complete the DMARC migration to enforcement." This is exactly the workflow EMP runs in the BIMI Health Audit. The second most common diagnosis is an SVG that was prepared for web use (Figma export, Adobe Illustrator export) and contains JavaScript, embedded fonts, or external references that the SVG Tiny P/S profile prohibits. The BIMI Group publishes a free validator; running the SVG through it before paying for the certificate eliminates this failure mode.

Provider support matrix · who displays what in 2026

Five mailbox providers handle BIMI five different ways.

The BIMI ecosystem is fragmented across mailbox providers with different requirements per provider. Gmail accepts both VMC and CMC since September 2024 but only VMC activates the blue authenticated checkmark. Apple Mail requires VMC only and additionally stopped accepting Entrust certificates issued on or after 15 November 2024 over a trust incident. Yahoo Mail and Fastmail display self-asserted logos without any certificate. Microsoft 365 and Outlook do not support BIMI at all as of 2026. The matrix below maps the practical reality for each provider so the brand can make an informed CA selection.

Mailbox provider BIMI support matrix · 2026

Verified against current Gmail, Apple, Yahoo, Fastmail, Microsoft documentation

Mailbox provider VMC accepted CMC accepted Self-asserted Visual differentiator
Gmail YES YES since Sept 2024 NO Logo displays for both. Blue authenticated checkmark only with VMC. DigiCert or Entrust certificates accepted.
Apple Mail DigiCert only NO NO Apple stopped accepting Entrust VMCs issued on or after 15 Nov 2024. DigiCert is the only safe choice for Apple Mail.
Yahoo Mail + AOL YES YES YES Logo displays from any source. No display advantage between self-asserted and certificate-backed.
Fastmail YES YES YES Logo displays from any source. Smaller audience but technically supportive.
Outlook / Microsoft 365 NO NO NO No BIMI support as of 2026. Microsoft has not announced timeline. Senders with Outlook-heavy audience see no BIMI return.

The audience composition of the sending brand determines whether BIMI investment pays back. For consumer brands with Gmail-heavy or Apple Mail-heavy audiences (ecommerce, B2C subscriptions, financial services with retail customers), the BIMI investment delivers measurable brand recognition lift and phishing protection. For B2B SaaS or enterprise software targeting Microsoft 365 corporate inboxes, BIMI delivers no benefit because Microsoft 365 does not honor the record. EMP runs a free audience composition analysis during discovery to determine which segment the brand falls into before recommending VMC, CMC, or no BIMI at all.

5 Certificate Authorities · pricing, validation timeline, strengths

The CA choice is not interchangeable in 2026.

Five Certificate Authorities issue BIMI certificates as of 2026: DigiCert, Entrust, Sectigo, GlobalSign, SSL.com. Despite identical technical specifications, the practical choice differs meaningfully based on Apple Mail audience exposure, pricing pressure, and existing CA relationships. The five cards below summarize each option.

DigiCert

~$1,499/yr · 2-4 weeks

First VMC issuer, largest production volume. Default choice for Apple Mail support since Apple Mail trust incident in late 2024. Dedicated BIMI validation team.

Entrust

~$1,499/yr · 2-4 weeks

Major enterprise CA. Functionally identical to DigiCert.

⚠ Apple Mail rejects Entrust VMCs issued on/after 15 Nov 2024

Sectigo

~$749/yr · 2-4 weeks

Lowest VMC pricing through reseller network. Best value for brands without Apple Mail dependency. Slightly slower validation in some cases.

GlobalSign

~$1,200/yr · 3-5 weeks

Strong European presence. Useful for brands with primary EU operations and existing GlobalSign TLS relationship.

SSL.com

~$1,100/yr · 3-5 weeks

Mid-tier pricing with full BIMI support. Newer entrant in the BIMI CA space; smaller production volume than DigiCert or Entrust.

Two operational points on CA selection. First, if Apple Mail audience matters at all to the brand, DigiCert is the only safe choice as of 2026. The Entrust trust incident is not a hypothetical concern; Apple actively rejects Entrust VMCs issued on or after 15 November 2024. Brands with existing Entrust VMCs from before that date continue working until natural expiration. Second, for brands without Apple Mail dependency (typical for B2B with Gmail Workspace primary audience), Sectigo at $749/year is half the price of DigiCert at $1,499/year for technically equivalent VMC. The pricing differential is meaningful for multi-domain deployments where the brand may need 3-5 certificates across subsidiaries, regional entities, or product brands; the cumulative annual savings can reach $3,750 per pool. EMP coordinates with all five CAs and recommends per case based on audience composition and budget profile.

When BIMI does not pay back

B2B SaaS selling to Microsoft 365 corporate inboxes should not invest in BIMI in 2026.

For B2B SaaS or enterprise software companies whose audience composition is dominated by Microsoft 365 corporate inboxes, BIMI delivers no measurable return because Microsoft 365 does not support BIMI as of 2026. The recipient never sees the logo regardless of how perfectly the BIMI chain is configured. The budget allocated to VMC procurement, SVG preparation, and certificate renewal management is better invested in DMARC enforcement (which works against phishing impersonation independent of BIMI) and dedicated IP reputation. EMP runs the audience composition analysis during discovery; if the brand is more than 65 percent Microsoft 365 by recipient count, the discovery call ends with a recommendation to skip BIMI and focus on DMARC enforcement plus deliverability. Microsoft has not announced timeline for BIMI support and announcements from Microsoft on this topic over 2022-2026 have not materialized in product. Revisit when Microsoft publishes a concrete date.

Implementation · 5 phases · 3 to 22 months depending on start state

How a BIMI deployment actually gets to a Gmail blue checkmark.

Phase 01
Week 1-2

Audience analysis + DMARC audit

Mailbox composition by recipient. Current DMARC state. Trademark inventory. Go / no-go decision based on Microsoft 365 share. Discovery output.

Phase 02
Week 2-16

DMARC migration to enforcement

Skip if already at quarantine or reject. Otherwise: sender inventory, alignment fixes, p=quarantine pct=10, 50, 100, then p=reject. Hard prerequisite.

Phase 03
Week 14-16

SVG Tiny P/S preparation

Convert existing brand logo to Tiny P/S compliance. Square 600×600, under 24-32 KB, solid background, no scripts. BIMI Group validator pre-check.

Phase 04
Week 16-20

Certificate procurement

VMC or CMC application to selected CA. Trademark documentation review. Domain validation. PEM file issued. Hosting prepared on HTTPS.

Phase 05
Week 20-22

DNS publish + verification

BIMI TXT record published. Cross-verification against Gmail, Apple Mail, Yahoo, Fastmail seed accounts. Renewal calendar entry at 60 days before expiration.

Transparent pricing · BIMI VMC + CMC setup

Four tiers including standalone Health Audit.

Certificate cost is billed separately by the issuing CA (VMC $749-$1,688/yr, CMC $650-$1,100/yr). EMP setup fees cover the engineering work to deliver the four-layer chain end-to-end. The Multi-Brand tier serves brands operating multiple subsidiary domains with shared BIMI architecture. Health Audit is standalone for brands wanting validation of existing BIMI deployment without commitment.

CMC Setup

No trademark, faster.

$1,850 USD setup
  • Common Mark Certificate
  • SVG Tiny P/S preparation
  • DMARC enforcement if needed
  • DNS + PEM hosting
  • 12-month renewal management
  • CMC cost billed by CA separately
Request CMC

VMC Setup

Registered trademark.

$2,950 USD setup
  • Verified Mark Certificate
  • Gmail blue checkmark + Apple Mail
  • 5 CAs coordinated
  • Trademark documentation review
  • 397-day renewal management
  • VMC cost billed by CA separately
Request VMC

Multi-Brand

Subsidiary domains.

$7,800 USD + $1,200/mo
  • Up to 5 BIMI records
  • Up to 5 certificates coordinated
  • Multi-CA strategy if needed
  • Quarterly health reports
  • Cross-brand alignment review
  • Certificates billed separately
Talk Multi-Brand

Health Audit

Standalone validation.

$680 USD one-time
  • Existing BIMI deployment review
  • DNS + SVG + cert + DMARC checks
  • URIports 53.6% error rate audit
  • Remediation roadmap
  • 5 business days delivery
  • No deployment commitment
Run Audit
What the marketing lead, CMO, and IT director ask

The real questions when a brand evaluates BIMI.

"Our brand does not have a registered trademark yet. Can we still deploy BIMI?"

Yes, two paths. CMC does not require registered trademark; CA validates 12 months prior use. Pricing $650-$1,100/year. Accepted by Gmail (Sept 2024+), Yahoo, Fastmail. NOT accepted by Apple Mail. Gmail blue checkmark requires VMC. Pragmatic path: deploy CMC now, file trademark in parallel (USPTO $250-350, 6-18 months), upgrade to VMC when trademark issues. SVG, DMARC, DNS infrastructure all transfer.

"We are on Microsoft 365 with mostly corporate audience. Does BIMI make sense for us?"

Honest answer: probably not. Microsoft 365 and Outlook do not support BIMI as of 2026, no announced timeline. If recipient list is 65%+ Microsoft 365 (typical B2B SaaS, enterprise), BIMI delivers no return because recipients never see the logo. Better investments: DMARC p=reject (protects against phishing independent of BIMI), dedicated IP reputation (improves inbox at Microsoft), SPF flattening under 10-lookup ceiling. EMP runs audience analysis in discovery before recommending.

"How do I know if my existing SVG logo works for BIMI?"

Run it through the BIMI Group free validator at svgcheck.fastmail.com before paying for any certificate. The validator checks the Tiny P/S profile compliance: file size under 32 KB, square aspect ratio, no scripts, no external references, no embedded fonts, no raster images, proper title tag, served over HTTPS. The most common failure mode is an SVG created in Figma or Adobe Illustrator for web use which contains CSS classes (not allowed in Tiny P/S), gradient fills with multiple stops (allowed but often misconfigured), or text elements with web font references (not allowed). Conversion from web SVG to Tiny P/S typically requires 2-4 hours of designer work: inline all styles, remove CSS classes, replace gradient fills with solid colors where the gradient is decorative, convert text elements to paths, validate file size. EMP includes this conversion in the setup fee; the brand designer or marketing team does not need to be involved beyond providing the source logo.

"What is the realistic engagement lift after BIMI is deployed correctly?"

Honest numbers from Validity, dmarcian, Google research 2023-2025: open rate lift 10-20% for brands with previously generic sender icons; click rate lift smaller (3-8%) because open is mainly recognition. Brand-dependent: high prior recognition sees lower percentage lift; weaker prior recognition higher lift. Phishing impersonation reduction harder to measure directly but research suggests recipients less likely to fall for spoofs when trained to look for verified logo. ROI: high-volume + weak recognition sees payback 60-90 days; low-volume + strong recognition sees payback through phishing protection and brand consistency rather than engagement lift.

"Can we deploy different logos per product line or per region?"

Yes, BIMI supports the "selector" mechanism for multiple logos per organizational domain. The default selector at default._bimi.brand.com provides the primary logo. Additional selectors at selector1._bimi.brand.com, selector2._bimi.brand.com etc. provide alternative logos for specific senders or product lines. The selector is chosen by the sender via the BIMI-Selector header in outgoing mail. Practical use cases: seasonal variations of the logo (holiday version, anniversary version), regional variations for multi-country brands, product-line variations for portfolio brands. Each selector requires its own certificate if VMC is pursued (the certificate binds to the specific logo file), which adds cost. CMC is more flexible across selectors. Apple Mail support for selectors is somewhat limited compared to Gmail. EMP runs the multi-logo architecture review during setup for brands considering this approach; the recommendation depends on the brand portfolio and budget.

"What happens during the 397-day renewal cycle and can we automate it?"

Automated renewal is supported by all five CAs but the trademark verification step is not fully automatable; if the brand legal status changes (acquisition, rebranding, trademark transfer), manual re-validation is required. EMP renewal management runs against a 60-day reminder window: at 60 days before VMC expiration, the renewal process initiates with the issuing CA; documentation refresh confirmed by the brand legal team if anything has changed; the new PEM is staged at 30 days before expiration; the swap happens at 14 days before expiration with cross-verification against Gmail and Apple Mail seed accounts. No client-visible downtime in the standard flow. If renewal lapses, the BIMI logo stops displaying in Gmail and Apple Mail within hours to days depending on cache behavior. Yahoo and Fastmail continue showing self-asserted logo if the BIMI record points to one as fallback. The renewal management is included in the setup tier annual fee.

BIMI frequently asked questions

What CMOs, marketing leads, and IT directors ask during evaluation.

What is the difference between VMC and CMC for BIMI?

Two certificate types:

  • VMC: registered trademark required (USPTO, EUIPO, UKIPO, CIPO, JPO, IP Australia). Gmail blue checkmark. Only certificate Apple Mail accepts. $749-$1,688/year.
  • CMC: no trademark; 12 months prior use validated. Gmail (since Sept 2024), Yahoo, Fastmail. Not Apple Mail. $650-$1,100/year.

Decision: trademark + Apple Mail support → VMC. No trademark or faster deployment → CMC.

Which mailbox providers actually display BIMI logos in 2026?

Four providers display BIMI as of 2026:

  • Gmail: VMC or CMC; blue checkmark only with VMC
  • Apple Mail: VMC only; DigiCert is safe choice since Apple rejects Entrust VMCs issued after 15 Nov 2024
  • Yahoo Mail + AOL: any source (self-asserted, VMC, CMC)
  • Fastmail: any source

Outlook / Microsoft 365: no BIMI support as of 2026, no announced timeline.

What is the real failure rate for BIMI deployments and what causes it?

URIports 2025 analysis: 53.6% of BIMI records contain at least one error preventing logo display.

Failure modes per Validity 2025 survey:

  • 84% of failures: DMARC still at p=none (hard prerequisite never completed)
  • SVG does not conform to Tiny P/S profile (Figma/Illustrator artifacts)
  • Certificate expired or domain-mismatched
  • BIMI domain alignment errors with DMARC organizational domain

EMP BIMI Health Audit identifies which bucket applies; remediation roadmap in 5 business days.

How long does the full BIMI deployment actually take?

Depends on the brand starting state:

  • DMARC already at enforcement + registered trademark: VMC in 2-4 weeks, CMC in 1-3 weeks
  • DMARC at p=none: migration adds 8-16 weeks
  • No registered trademark, pursuing VMC: trademark registration runs 6-18 months in parallel
  • SVG prepared for web rather than BIMI: conversion adds 2-4 hours designer work

Realistic total from scratch: 8-22 months if pursuing trademark + VMC. 3-6 weeks if DMARC reject + trademark already in place.

What does the SVG Tiny Portable Secure profile actually require?

SVG Tiny P/S is a constrained subset of SVG 1.2 Tiny designed for BIMI.

Hard requirements:

  • File size under 24-32 KB (CAs vary slightly)
  • Square aspect ratio (recommended 600×600 pixels)
  • Solid background color (no transparency, no background gradients)
  • No JavaScript or scripted content
  • No external references (stylesheets, images, fonts)
  • No raster images embedded
  • Title tag with company name
  • Served over HTTPS only (HTTP rejected)

BIMI Group publishes free validator at svgcheck.fastmail.com.

What happens if the firm chose Entrust before the Apple Mail trust incident?

Apple stopped accepting Entrust VMCs issued on or after 15 November 2024. Entrust VMCs issued before that date continue working in Apple Mail until 397-day expiration.

EMP recommendation:

  • Apple Mail audience matters → do NOT renew Entrust, switch to DigiCert at renewal
  • Apple Mail audience small → Entrust renewal workable with constraint
  • Migration uses same trademark docs and SVG; only PEM changes
  • Migration timeline 2-4 weeks coordinated with DigiCert validation team
Can BIMI be deployed on a subdomain or only the root domain?

Any subdomain provided alignment requirements are met.

Key points:

  • BIMI record at default._bimi.subdomain.brand.com or selector._bimi.subdomain.brand.com
  • DMARC enforcement must apply to BIMI domain via standard inheritance
  • From address must match BIMI domain
  • Separate certificates per subdomain if VMC (certificate binds to specific domain)
  • CMC scope more flexible across subdomains

EMP runs subdomain BIMI architecture review during setup.

What is the renewal cycle and what happens if it lapses?

VMC has 397-day max validity per CA/Browser Forum baseline. CMC follows same ceiling.

EMP renewal management against 60-day reminder window:

  • 60 days before expiration: renewal initiated with CA
  • 30 days before: new PEM staged and tested
  • 14 days before: swap with cross-verification (Gmail, Apple seed)

If renewal lapses: BIMI logo stops displaying in Gmail and Apple Mail within hours to days. Yahoo and Fastmail continue with self-asserted fallback if configured.

BIMI discovery. Audience analysis · 48 hours · free first call.

The first call requires three data points: estimated mailbox composition of the recipient list (Gmail share, Apple Mail share, Outlook share, Yahoo share), current DMARC policy state (p=none / quarantine / reject), trademark status of the primary brand. With those three points EMP determines whether BIMI investment makes sense and which path (VMC, CMC, defer) fits the brand audience and budget. If the audience is more than 65 percent Microsoft 365, the call ends with a recommendation to skip BIMI and invest elsewhere; we say so explicitly rather than sell unnecessary work.

BIMI discovery DMARC migration first
Bilateral NDA in 48h · Mon-Fri 9-18 GMT-5 · Atrium Tower Floor 15