BIMI — Brand Indicators for Message Identification — went from “experimental nice-to-have” in 2020 to “table-stakes signal for serious senders” by 2026. The combination of DMARC enforcement and verified brand logo display in inboxes turns email from a generic anonymous channel into a branded surface where legitimate senders are visually distinguished from impersonators. For European brands, the trademark requirement layers in EUIPO and national patent office considerations that US-focused guides skip over.
This is the implementation guide that covers the actual sequence: how to combine DMARC enforcement work with BIMI prep to minimize total time, what the VMC issuance process looks like in 2026 (after some procedural changes from DigiCert and Entrust), and the gotchas specific to European trademarks.
What BIMI actually does
BIMI publishes a TXT record at default._bimi.yourdomain.com that points to two URLs: an SVG file containing your logo, and a Verified Mark Certificate (VMC) PEM file binding that logo to your registered trademark. Receivers that support BIMI (Gmail, Yahoo, Apple Mail, Fastmail, La Poste) check those URLs when they receive a DMARC-passing message from your domain. If everything validates, they display the logo next to your sender name in the inbox.
The trust chain:
- DMARC at enforcement protects against spoofing.
- VMC verifies the logo is yours via registered trademark.
- SVG Tiny PS specification ensures rendering safety (no script execution, no external resources).
The visible result: your brand logo appears in the inbox, distinguishing legitimate mail from generic-icon spoofing attempts. The invisible result: receiver-side reputation systems treat BIMI-validated senders as higher-trust, which improves inbox placement marginally but consistently.
Prerequisites: the work that must already be done
BIMI is the last step, not the first. The prerequisites:
1. DMARC at p=quarantine or p=reject
This is a hard requirement. BIMI does not display when DMARC is at p=none. The full sequence to enforcement is covered in our DMARC enforcement guide; typical timeline is 6-8 weeks for clean implementation.
2. Registered trademark for the logo The CAs verify against trademark registries. For European brands the relevant authorities are EUIPO (EU Trademark), individual national patent offices (DPMA Germany, OEPM Spain, INPI France, INPI Brazil), UK IPO (post-Brexit), and others. The trademark must be registered (not pending), the logo image must match the registered mark, and the trademark holder entity must match the certificate applicant.
3. SVG Tiny PS-compliant logo file The “Tiny Portable/Secure” subset of SVG. Specific constraints: no JavaScript, no external references, fixed viewBox, fixed dimensions. Most marketing-team SVGs need adaptation by a designer who knows the spec.
4. HTTPS-accessible hosting for the SVG and PEM files Both files need to live on stable, HTTPS-served URLs that the receivers can fetch reliably. Uptime matters — if the SVG returns 503, BIMI does not display.
VMC issuance process (Q2 2026)
The two approved CAs are DigiCert and Entrust. Both are US-incorporated, which would normally raise a Schrems II flag — but the VMC itself is a public certificate binding a logo to a trademark, not a sub-processor relationship handling personal data, so the GDPR analysis is different from typical sub-processor reviews.
Steps with DigiCert (most common path)
- Submit application via DigiCert portal. Provides organization details, trademark registration number, jurisdiction, and the SVG file.
- DigiCert verifies trademark against the relevant patent office database. For EUIPO this is automated; for some national offices it requires manual lookup.
- DigiCert verifies organization identity. Standard EV-style verification: official registration, physical address, signing authority.
- DigiCert verifies SVG matches trademark. The image rendered by your SVG must match the image in the trademark registration. This is where SVG Tiny PS conversions sometimes fail — the conversion process changed visual details enough that the CA flags the mismatch.
- VMC issued. PEM file delivered, valid for one year, renewable.
Total time: typically 1-4 weeks. Faster if the trademark verification is automated and the organization is already verified for other DigiCert products.
Entrust process
Functionally similar to DigiCert. Pricing is comparable. Some European brands prefer Entrust for the EU subsidiary contracting. Both work.
SVG Tiny PS preparation
The SVG Tiny PS spec is restrictive. Common failure modes:
Failure: external font references
Marketing SVG often references web fonts. Tiny PS forbids this. Solution: convert all text to paths (Object → Path in Illustrator).
Failure: script elements Animations, interactivity, anything dynamic. Tiny PS forbids all of this. Solution: flatten to static SVG.
Failure: viewBox missing or malformed Tiny PS requires viewBox attribute. Solution: ensure it is set explicitly.
Failure: invalid filter or mask references Some SVG features are not in the Tiny subset. Solution: rasterize complex effects to base64-embedded PNG, accept fidelity loss.
Failure: file size Tiny PS limits file size. The cap is generous but easy to exceed with high-detail logos. Solution: simplify paths, reduce control points.
For most marketing teams, the fastest path is to commission an SVG specialist (€150-€500 one-time) to produce the Tiny PS version. Trying to convert internally usually costs more in iterations than the specialist fee.
Combining DMARC and BIMI work efficiently
If you are starting from scratch (no DMARC, no BIMI), the optimal sequence:
Weeks 1-4: DMARC inventory and progression to p=quarantine
- Week 1: inventory sources
- Weeks 2-3: authentication for known sources
- Week 4: move to p=quarantine pct=10, ramp to pct=100
Parallel weeks 1-6: trademark and VMC prep
- Week 1: confirm trademark registration; if not registered, start application (6-month delay)
- Weeks 2-3: SVG Tiny PS preparation by specialist
- Weeks 3-4: VMC application submission to DigiCert
- Weeks 4-6: VMC issuance (depending on CA backlog)
Week 7: BIMI DNS publication
- Publish BIMI TXT record pointing to SVG and VMC URLs
- Verify with BIMI Group’s lookup tool
Week 8: validation and stabilization
- Confirm logo displays in Gmail, Yahoo, Apple Mail
- Monitor for any DMARC alignment regressions that would knock BIMI offline
If you already have DMARC at p=quarantine, you can skip the first 4 weeks and start at trademark/VMC work directly. Total time from “we want BIMI” to “logo visible in inbox” is 4-8 weeks if DMARC is already in place, 8-12 weeks from a cold start.
DMARC policy interaction with BIMI
A subtle point that catches operators: BIMI displays only when the individual message passes DMARC, not just when your policy is at enforcement. If a particular message fails DMARC alignment (because some sending source is misconfigured), that message does not show the logo.
This means BIMI is also a continuous monitoring signal. If you publish DMARC at p=quarantine and BIMI but a sending source breaks alignment, the operational symptom may be “BIMI logo stopped appearing for some recipients.” That is a real signal to investigate.
The mature pattern is to monitor both:
- DMARC aggregate report alignment percentages (slow signal)
- BIMI display presence in seed test inboxes (fast signal)
If alignment drops below a threshold (we use 99.5%), you know something is broken before customers notice.
What BIMI does not do
To set expectations correctly:
BIMI does not improve placement materially Receivers treat BIMI-validated senders as marginally more trustworthy. The actual placement improvement is small — maybe 1-3% in our measurements. The value is brand visibility and customer trust, not deliverability.
BIMI does not work everywhere Major receivers support: Gmail (Workspace and consumer), Yahoo, Apple Mail (iOS and macOS), Fastmail, La Poste, MailHub. Microsoft Outlook does not support BIMI as of Q2 2026 (frequently asked, frequently disappointing answer for senders with Outlook-heavy audiences).
BIMI is not anti-phishing by itself BIMI displays only when DMARC passes. Phishing emails that successfully bypass DMARC (rare) would not show BIMI either. The anti-phishing protection comes from DMARC enforcement; BIMI just makes the legitimate-mail signal visible.
BIMI does not work for personal addresses The trademark requirement means consumer email senders (“Maria’s cake business”) cannot get a VMC unless they register a trademark, which makes BIMI primarily a tool for organizational senders.
The European-specific considerations
For brands operating in Europe, a few specifics:
Trademark jurisdiction matters If your trademark is registered in EUIPO, it covers all EU member states. If registered nationally (e.g., DPMA only), it covers that country. The CA verifies against the jurisdiction you specify; ensure it is the correct one for your business operations.
UK trademarks post-Brexit UK IPO trademarks are valid for VMC issuance. EU trademarks no longer cover UK. Brands operating in both need separate registrations.
Translation of trademark holder name The trademark registration uses your formal legal entity name. The VMC will use the same. If marketing materials use a translated brand name (“Acme España” vs registered “Acme Spain SL”), the VMC reflects the registered name, not the marketing one.
National patent office processing speed EUIPO is fast (4-6 months for trademark registration). Some national offices are slower (DPMA can be 6-9 months). If you are starting from no trademark, the registration timeline determines the BIMI timeline more than the VMC issuance does.
When BIMI is worth it (and when it is not)
BIMI is worth the investment for:
- Consumer-facing brands where logo recognition affects email engagement
- Brands frequently impersonated in phishing (banks, e-commerce, SaaS with consumer end-users)
- Brands where trust signals demonstrably affect open rates
- Brands with mature DMARC posture who want visible signal of email security investment
BIMI is not worth it for:
- B2B-only brands sending to corporate inboxes (Outlook majority, no BIMI display)
- Brands without registered trademarks (registration cost + delay outweighs benefit)
- Brands at low send volumes where €1K-€1.5K annual VMC fee plus implementation cost is disproportionate
- Brands that have not done DMARC enforcement work (BIMI has no value at p=none)
For our European clients, BIMI is most valuable for:
- Banks and fintechs (high phishing target, brand trust matters, DMARC discipline already in place)
- Consumer e-commerce (engagement uplift on transactional emails)
- SaaS with consumer-facing communication (account confirmation, password reset)
For B2B SaaS clients targeting enterprise buyers, we usually recommend skipping BIMI in favor of investing in DMARC monitoring and other visible trust signals more relevant to enterprise buyers.
Frequently asked questions
Which email clients actually show the BIMI logo in 2026?
Gmail, Apple Mail, Yahoo, and Fastmail display it; Microsoft Outlook still does not. That gap matters, because most B2B mail lands at Microsoft, so the logo earns its value in consumer and mixed inboxes and does little for a pure-Outlook B2B audience. Weigh the cost against where your recipients actually read mail.
Do I need a registered trademark to get a logo in the inbox?
For a Verified Mark Certificate, yes — the VMC requires a registered trademark, which is the larger expense for a brand starting from scratch. The Common Mark Certificate route added support for marks that are not registered trademarks, at a lower assurance level, and Gmail accepts it, so an unregistered logo can display while a trademark application is still pending.
Does BIMI improve deliverability?
No. The logo appears only after your mail reaches the inbox, so BIMI is a display feature, not a placement signal. The deliverability gain comes from the DMARC enforcement it requires as a prerequisite; the logo itself lifts open rates and recognition.
Bottom line
DMARC and BIMI together are the visible trust signal for legitimate senders in 2026. The implementation is well-defined. The bottlenecks are organizational (trademark registration, marketing approval of Tiny PS logo) more than technical.
For European brands, the trademark layer adds complexity but is also a one-time cost: once registered, the trademark is yours. For brands that have or are willing to register a trademark, BIMI is a meaningful brand investment. For brands without that infrastructure, focus on DMARC enforcement first; BIMI is an add-on, not a replacement.
Our managed DMARC product covers the implementation work for both DMARC enforcement and BIMI activation, with the SVG Tiny PS preparation handled through a partner specialist and VMC procurement through DigiCert as default CA.