By Excello Mail Team · 7 min read

AI Phishing Is Up 204% in 2026 — Why BIMI Is the Visual Trust Layer Every Sender Needs Now

Microsoft's security telemetry logged 8.3 billion email phishing threats in Q1 2026 alone. DMARC enforcement stops spoofing — but BIMI turns that security into visible brand trust at inbox scale.

You have heard the DMARC message. You have published the record, you are working toward p=reject, and your mail is authenticating cleanly. You are ahead of 91% of domains on the internet.

But here is what no compliance checklist tells you: authentication proves your email is legitimate — it does nothing to make that legitimacy visible to the human being staring at their inbox.

That gap between technical authentication and human trust is exactly what BIMI was designed to close. And in 2026, with AI-powered phishing campaigns surging to levels that were unthinkable two years ago, closing that gap has become a strategic imperative — not a nice-to-have.

The Threat Numbers Are Staggering

Microsoft’s security telemetry registered 8.3 billion email-based phishing threats in just the first quarter of 2026. AI-powered phishing campaigns — featuring prose indistinguishable from legitimate executive communications, vendor invoices, and IT helpdesk alerts — rose 204% year-over-year. One malicious email was detected every 19 seconds.

The danger is not just volume. It is quality. In 2024, you could spot a phishing email by its awkward phrasing or generic greeting. In 2026, AI-generated phishing passes every grammar check and often mimics the exact tone of the sender it is impersonating. The only reliable signal left for a recipient is the sender’s identity itself — and that is precisely what brand indicators make trustworthy at a glance.

Phishing-as-a-Service (PhaaS) kits — pre-built attack infrastructure that any low-skill actor can rent — now power 90% of high-volume phishing campaigns. If your domain is recognizable, it is a target. If your DMARC policy is still at p=none, your brand identity is effectively an open resource for any PhaaS operator who wants to impersonate you.

What Is BIMI?

BIMI stands for Brand Indicators for Message Identification. It is a DNS-published standard that instructs mailbox providers to display your official brand logo directly inside the inbox — next to the sender name, before the recipient even opens the message.

Think of it as a verified badge for your email identity. When a BIMI-enabled mailbox (Gmail, Yahoo, Apple Mail, Fastmail) receives your authenticated message, it fetches the logo you have published in DNS and renders it in the sender avatar position. Your customers see your logo. Every email you send carries a visual trust signal that phishers cannot replicate — because BIMI requires passing DMARC at enforcement level to activate.

The requirement is intentional: BIMI only works if your domain has p=quarantine or p=reject. A malicious sender cannot fake a logo that requires proof of domain ownership to unlock. The logo is the authentication made visible.

Who Supports BIMI Today?

Provider support has expanded significantly. As of 2026, BIMI logo display is active in:

  • Gmail (requires a Verified Mark Certificate or Common Mark Certificate for the verified checkmark)
  • Yahoo Mail (supports logos without a VMC, though certificates are recommended)
  • Apple Mail (iOS 16+ and macOS Ventura+)
  • Fastmail
  • AOL

One important caveat: Microsoft Outlook, Hotmail, and Office 365 do not yet support BIMI. Microsoft has not published a short-term roadmap for adoption. For senders whose list skews heavily toward consumer Outlook addresses, this limits BIMI’s immediate reach — but Gmail and Yahoo together represent the majority of consumer inboxes globally, and Apple Mail is the dominant mobile client in many markets.

The Two Certificate Types

When Gmail displays a BIMI logo, it requires one of two certificate types to show the verified blue checkmark:

VMC (Verified Mark Certificate): The original BIMI certificate type. Requires that your logo be a registered trademark in the relevant jurisdiction. Issued by a small number of certificate authorities (DigiCert, Entrust). Costs typically range from $1,000 to $1,500 per year.

CMC (Common Mark Certificate): The newer, more accessible option. Does not require a registered trademark. Designed to bring BIMI within reach of organizations that use logos without formal trademark registration. CMCs follow the same technical process as VMCs and provide equivalent inbox display.

For organizations that already hold registered trademarks, the VMC is the natural choice. For everyone else — including most SMBs, startups, and nonprofits — the CMC removes the single largest barrier to BIMI adoption.

Why Only 9% of Eligible Domains Have BIMI

A Validity analysis of 13,000 domains found that 90.85% had no BIMI record at all. Most recipients in BIMI-capable inboxes see a grey circle with a letter initial rather than a recognizable brand logo — even when emailing customers who know the brand well.

The reasons for low adoption track the reasons for low DMARC enforcement: the prerequisites feel complex, the technical steps are unfamiliar, and the business case is not always obvious to teams focused on pure deliverability metrics.

But the math on the business case is becoming clearer. Studies from Validity and Litmus show that emails displaying brand logos in the inbox receive 10–30% higher open rates compared to the same messages without logo display. For a list of 100,000 subscribers with a 25% open rate, a 20% lift on opens is 5,000 additional engaged reads — per send, every time.

The BIMI Implementation Path

BIMI is not a single switch to flip. It is the last mile of a multi-step authentication journey. Here is the sequence:

Step 1 — DMARC at enforcement. Your domain must have p=quarantine or p=reject. BIMI will not activate on a p=none policy. If you are not there yet, this is your starting point.

Step 2 — Aligned SPF and DKIM. All legitimate mail streams must authenticate and align. BIMI requires consistent passing authentication — sporadic DMARC passes are not enough for logo display.

Step 3 — Create an SVG logo. BIMI requires your logo in a specific SVG format: a square-ratio, solid-background file in the SVG Tiny Portable/Secure profile (a restricted subset of SVG Tiny 1.2 with no scripts or external references). Most existing SVG files need minor adjustments to meet the spec.

Step 4 — Host the SVG at a public HTTPS URL. The file must be accessible via HTTPS at a stable, permanent URL on your domain.

Step 5 — Publish the BIMI DNS record. Add a TXT record at default._bimi.yourdomain.com pointing to your SVG location and optionally to your VMC or CMC certificate.

Step 6 — Obtain a certificate (for Gmail verified display). For the full verified checkmark in Gmail, obtain a VMC or CMC from a participating certificate authority.

The technical effort is modest — typically a few hours of work spread across DNS, design, and certificate procurement. The ongoing maintenance is minimal once the record is live.
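The enforcement prerequisite described under "What Is BIMI?" and Steps 1 through 5 above can be checked before you publish anything. The script below is an added example, not Excello Mail's code or tooling: it parses constructed sample DMARC and BIMI TXT strings and a constructed SVG entirely offline instead of querying DNS. The p=quarantine/p=reject rule is the article's; the pct=100, sp=none, 32 KB, `baseProfile="tiny-ps"` and `<title>` checks go beyond what the article lists and are taken from the BIMI draft specification and its SVG Tiny P/S profile as assumptions to confirm against your certificate authority's current requirements.

```python
"""Pre-flight checks for a BIMI rollout: DMARC policy, BIMI TXT record, SVG logo.

Added example, not Excello Mail's code. All inputs below are constructed samples;
the functions take strings/bytes, so the script runs offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 32 * 1024  # size ceiling for BIMI logos (assumption from the SVG P/S profile)


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_ready_for_bimi(dmarc_txt: str) -> list:
    """Return the reasons a DMARC record blocks BIMI (empty list means ready).

    Article rule: p must be quarantine or reject. Draft-spec additions (assumed):
    quarantine must cover 100% of mail, and sp=none disqualifies the domain.
    """
    tags = parse_tags(dmarc_txt)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC1 record")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or '(missing)'} is not an enforcement policy")
    if policy == "quarantine" and tags.get("pct", "100") != "100":
        problems.append("p=quarantine must apply to 100% of mail (pct=100)")
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none leaves subdomains unenforced")
    return problems


def check_bimi_record(bimi_txt: str) -> list:
    """Validate a BIMI assertion record: 'v=BIMI1; l=<https svg url>; a=<https cert url>'."""
    tags = parse_tags(bimi_txt)
    problems = []
    if not bimi_txt.strip().lower().startswith("v=bimi1"):
        problems.append("record must begin with v=BIMI1")
    logo = tags.get("l", "")
    if logo == "":
        # An empty l= is the explicit 'no logo for this domain' declaration.
        problems.append("l= is empty or missing, so no logo will display")
    elif urlparse(logo).scheme != "https":
        problems.append("logo URL must use https")
    cert = tags.get("a", "")  # optional: VMC/CMC PEM location (needed for Gmail's checkmark)
    if cert and urlparse(cert).scheme != "https":
        problems.append("certificate URL must use https")
    return problems


def check_svg_logo(svg_bytes: bytes) -> list:
    """Check the structural rules of the BIMI logo profile (SVG Tiny Portable/Secure)."""
    problems = []
    if len(svg_bytes) > MAX_SVG_BYTES:
        problems.append("file exceeds 32 KB")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("version") != "1.2" or root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> needs version="1.2" baseProfile="tiny-ps"')
    if root.get("x") is not None or root.get("y") is not None:
        problems.append("root <svg> must not carry x/y attributes")
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing <title> element (shown as the logo's accessible name)")
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local in ("script", "image"):
            problems.append(f"<{local}> is not allowed in a BIMI logo")
        for attr, value in elem.attrib.items():
            if attr.rsplit("}", 1)[-1] == "href" and not value.startswith("#"):
                problems.append(f"external reference in <{local}>: {value}")
    return problems


def bimi_preflight(dmarc_txt: str, bimi_txt: str, svg_bytes: bytes) -> dict:
    """Run all three checks; every value is a list of problems (empty = pass)."""
    return {
        "dmarc": dmarc_ready_for_bimi(dmarc_txt),
        "bimi_record": check_bimi_record(bimi_txt),
        "svg": check_svg_logo(svg_bytes),
    }


# Constructed sample inputs (not real domains, records or logos).
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=50"
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <rect width="100" height="100" fill="#1a73e8"/>
  <circle cx="50" cy="50" r="30" fill="#ffffff"/>
</svg>"""

if __name__ == "__main__":
    for stage, problems in bimi_preflight(SAMPLE_DMARC, SAMPLE_BIMI, SAMPLE_SVG).items():
        print(f"{stage}: {'OK' if not problems else '; '.join(problems)}")
```

To run it against a live domain, replace the sample strings with the TXT values returned by `dig TXT _dmarc.example.com` and `dig TXT default._bimi.example.com`, and pass the bytes fetched from the logo URL; a clean DMARC result with a failing SVG check is the typical starting state for a domain that already sits at p=reject.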

BIMI as a Deliverability Signal

Beyond the visible brand trust, BIMI carries a secondary benefit that matters to email marketers: it signals to mailbox providers that your sending domain is mature, well-managed, and committed to authentication best practices.

Inbox placement is driven by a combination of authentication signals, engagement history, and sender reputation. Domains that have invested in the full authentication stack — SPF, DKIM, DMARC at enforcement, plus BIMI — consistently outperform domains that stop at the compliance floor. The investment in BIMI is simultaneously an investment in the reputation signals that drive inbox placement over time.

The Window for Competitive Advantage Is Still Open

With fewer than 10% of eligible domains having published a BIMI record, early movers gain a visible differentiation that is difficult to replicate quickly. Your logo in the inbox before a competitor’s is — literally — the first impression your brand makes in email.

As AI-generated phishing floods inboxes with convincingly crafted fakes, recipients will increasingly rely on visual identity cues to decide what is safe to open. The senders who have established those visual trust signals early will have a meaningful trust advantage as the threat environment intensifies.


Ready to implement BIMI and take your email authentication to the next level? Excello Mail walks you from p=reject through BIMI setup — including SVG preparation, DNS publishing, and certificate guidance — in one managed workflow. Start your free trial at excello.email →