BIMI is the visible payoff for getting email authentication right - your logo in the inbox. But it only appears when every prerequisite underneath it is in place, which is why a "valid" BIMI record still often shows no logo.
What the BIMI Checker Validates
The checker pulls the TXT record at default._bimi.yourdomain.com and inspects its two tags: l=, the HTTPS URL of your logo, and a=, the URL of your Verified Mark Certificate. It confirms the record is well-formed, the logo is reachable, and - crucially - that your domain has a DMARC policy at enforcement, because BIMI does nothing without it.
Why Your BIMI Logo Isn't Showing
Almost every "logo not appearing" case comes down to one of these:
- DMARC isn't at enforcement. BIMI requires
p=quarantineorp=reject; it will never display underp=none. - No VMC, and you're testing in Gmail. Gmail and Apple Mail require a Verified Mark Certificate to show the logo. Without one, some clients display it and Gmail won't.
- Wrong logo format. The logo must be SVG Tiny PS - a standard SVG export is rejected.
- Logo not served correctly. It must be on HTTPS and allow cross-origin fetches.
- Record at the wrong host. It belongs at
default._bimi, not the apex or_bimi.
The BIMI Setup Order
Build it bottom-up: first reach DMARC enforcement (which itself requires passing, aligned SPF or DKIM), then prepare an SVG Tiny PS version of your logo hosted over HTTPS, then publish the default._bimi record pointing to it, and finally add a VMC if you need the logo in Gmail. Skip a step and the checker will flag exactly which prerequisite is missing.
Reading the BIMI Record
A BIMI record looks like this:
v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
The l= tag is required and points to the logo; a= is optional but needed for Gmail and Apple Mail display.
BIMI Is the Capstone of Authentication
Because BIMI depends on enforced DMARC, and DMARC depends on a passing, aligned SPF or DKIM result, the fastest path to a logo in the inbox is a healthy authentication stack. Run the domain authentication checker to see every layer, raise your policy with the DMARC checker, and let AutoSPF keep your SPF record valid and under the 10-lookup limit so DMARC stays at enforcement.