BIMI Decoded: Why Your Logo Shows in Yahoo but Not Gmail
You passed all the BIMI checks, but your logo is missing in Gmail—here’s the brutal truth about provider-specific enforcement, reputation, and caching.

You did everything right. Your DMARC policy is `p=quarantine`, your SPF and DKIM align, and your BIMI record points to a perfect SVG hosted on an HTTPS server. You even shelled out for a Verified Mark Certificate (VMC). Your logo pops up beautifully in Yahoo Mail, a small but satisfying branding win. Then you check Gmail. Nothing. Just a stubborn, gray initial.
This isn't a bug; it's a feature of a decentralized email ecosystem. The BIMI 'standard'—codified in RFC 9091—is more of a framework than a strict protocol. It defines *what* a BIMI record is and *how* a mail receiver *can* use it. It doesn't, and can't, mandate enforcement.
The truth is that each mailbox provider (MBP) is a sovereign kingdom with its own rules of entry. Getting your logo to display isn't a simple DNS lookup. It's an audition, and each provider is a different casting director.
The Standard vs. The Street
Think of RFC 9091 as the blueprint for a car engine. It specifies the parts, their dimensions, and how they should connect. But it doesn't tell Ford, Toyota, or Ferrari how to build the actual car around it. They decide the chassis, the aerodynamics, and, most importantly, the performance thresholds the engine must meet before they'll put their badge on the hood.
Mailbox providers treat BIMI the same way. The RFC provides the mechanism: a `default._bimi` TXT record in the DNS of the author's domain, which points to a logo. But the decision to fetch and display that logo is left entirely to the receiver. This discretion is where the trouble starts.
A provider's BIMI validation logic is a black box, but we can infer its inputs. These include the technical validity of the BIMI record itself, the DMARC policy (a hard prerequisite), and a host of 'softer' signals like domain reputation, sender volume, and user engagement. While one provider might be content with a passing DMARC check, another might require months of positive reputation signals before it even considers fetching your SVG.
Cache Forensics: The Ghosts in the DNS Machine
When your BIMI logo fails to appear, your first instinct is to check your DNS record. But you're not just fighting your own configuration; you're fighting the caching behavior of every resolver and server between you and the mailbox provider.
DNS TTLs and Negative Caching
If a provider like Gmail attempts to look up your `default._bimi` record and fails—maybe you had a typo, or the record hadn't propagated yet—it will cache that failure. This is called negative caching. The duration of this cache is determined by the `SOA` record's Minimum TTL, and it can sometimes be hours. During this period, even if you fix the record, Gmail's resolvers won't check again. They'll just serve the 'does not exist' answer from their cache.
This is why BIMI changes can feel agonizingly slow. You fix a problem, but the negative cache at the provider's end means you won't see the result until it expires. Patience is a diagnostic tool.
SVG Fetch User-Agents
Is anyone even trying to fetch your logo? Your web server logs hold the answer. Mailbox providers that support BIMI will attempt to retrieve the SVG file specified in your DNS record. They identify themselves with a specific `User-Agent` string. By grepping your access logs, you can confirm which providers are making the attempt.
If you see requests from Yahoo's user-agent but dead silence from Google's, it's a strong signal that the issue isn't your SVG file or web server. The problem lies with Gmail's upstream decision-making process. They've decided not to even try, which points directly toward a reputation or policy gate you haven't passed.
Gmail's Gauntlet: Reputation, Engagement, and the VMC
Gmail is the strictest of the BIMI validators, and the most common reason your logo appears elsewhere but not here. They layer their own proprietary trust metrics on top of the public BIMI standard. Passing requires more than just correct DNS records.
Reputation Is Everything
Gmail has a long memory. A domain's sending history, volume, spam complaint rates, and user engagement (opens, clicks, replies) all contribute to an internal reputation score. A brand-new domain, even with perfect DMARC and BIMI configuration, will almost certainly not display a BIMI logo in Gmail. It has no history, no established trust. You have to earn it by sending legitimate email that people want over a significant period.
This is a critical anti-abuse measure. If BIMI were just a technical checkbox, spammers and phishers could easily configure it for throwaway domains, lending false legitimacy to their campaigns. Gmail uses reputation as a barrier to entry, ensuring that only established, trusted senders can benefit from the brand logo.
The Verified Mark Certificate (VMC) Mandate
While the BIMI specification (RFC 9091) makes the VMC optional, for Gmail, it's a de facto requirement. A VMC is a digital certificate issued by a Certificate Authority that proves your organization has the legal right to use the logo. It ties your visual brand identity to your authenticated email domain.
Other providers like Yahoo may display a logo without a VMC (often called 'self-asserted'). Gmail does not. If you want your logo in a Gmail user's inbox, you must purchase a VMC and reference it in your BIMI record. No VMC, no logo. It's that simple.
The Yahoo, Fastmail, and Apple Ecosystems
If Gmail is the final boss, other providers are earlier levels with different mechanics. Their less stringent requirements are often why an analyst sees a logo 'working' in one place but not another, leading to a frustrating search for a universal problem that doesn't exist.
Yahoo Mail (and AOL, by extension) has historically been the most permissive major provider. They were a driving force behind BIMI's creation and are more likely to display a self-asserted logo without a VMC, provided DMARC is in place and the domain isn't actively malicious. For many organizations, Yahoo is the first place a BIMI logo successfully appears, serving as a valuable first-step validation.
Fastmail and other smaller providers have their own validation logic, but generally fall into a similar camp as Yahoo, often honoring self-asserted logos. Apple's implementation is unique; in addition to DMARC, their Mail client in iOS 16/macOS Ventura also displays a 'Digitally Certified' message, leveraging the VMC to provide an even stronger signal of authenticity. Their focus is less on broad reputation and more on the cryptographic proof offered by the certificate.
Authentication-Results: mx.google.com; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=yourbrand.com; bimi=pass (v=BIMI1; l=https://yourbrand.com/logo.svg)
Seeing a `bimi=pass` verdict in an `Authentication-Results` header is a huge win. It confirms the provider successfully parsed your DNS record, fetched the SVG, and validated it against their policies. If you see this header but still no logo, the final decision to render it might be blocked by a user-specific setting or a very subtle client-side issue, but your server-side configuration is sound.
Building a Universal Baseline for the Strictest Judge
You can't control the internal reputation scores of mailbox providers. But you can control every technical element to ensure you pass the strictest possible inspection. The goal isn't to satisfy Yahoo; it's to satisfy Gmail. If you meet Gmail's requirements, you will, by definition, meet the requirements of almost everyone else.
Start by using a comprehensive BIMI checker tool. These validators go far beyond a simple DNS lookup. A good one will fetch your SVG and inspect its XML, ensuring it complies with the 'SVG Tiny Portable/Secure' profile—a restricted subset of SVG that forbids scripts, external references, and other potential vectors. They will check your VMC's trust chain and validate your DMARC policy is at enforcement (`p=quarantine` or `p=reject`).
Fix every single error and warning the checker flags. Is your SVG missing a `<title>` element? Fix it. Is your DMARC policy `p=none`? Change it. Is your VMC not correctly bundled or hosted? Correct the file. By creating a 'perfect' configuration according to the most rigorous public tools, you eliminate all unforced errors. The only remaining variable is the one you can only influence over time: reputation.
The takeaway
The mystery of the missing BIMI logo is rarely a single, catastrophic failure. It's a game of inches—a battle against caching, a quiet wait for reputation to build, and a concession to the specific demands of each mailbox provider. Your logo's appearance in Yahoo isn't proof of success, but a single data point. Its absence in Gmail isn't proof of failure, but a demand for a higher standard of trust.
BIMI is not a fire-and-forget record. It's the capstone on a well-maintained pyramid of email authentication and reputation. Before you even worry about logo display, you must ensure your DMARC infrastructure is solid, as it's the non-negotiable foundation. Using a platform like MailSleuth.AI to monitor DMARC aggregate reports is the first, and most critical, step to ensure you're even eligible to play the BIMI game.
We dissect phishing campaigns and email infrastructure so you don't have to.


