Email Authentication

BIMI, VMCs, and SVG Hell: Why Your Logo Isn't Showing Up in Inboxes

Getting your brand's logo to appear with BIMI is more than just a DNS record; it's a verification gauntlet that starts with DMARC and ends with a trademark.

MailSleuth Research
Email Security Team
April 26, 2026 · 8 min read

[Illustration: the BIMI process, with DMARC, SVG, and VMC as gears in a machine]

You did everything right. The DMARC policy is at `p=reject`, the SVG is pixel-perfect, and the Verified Mark Certificate (VMC) is signed and paid for. You send a test email to your Gmail account, open it, and… nothing. Just that same generic initial staring back at you. What went wrong?

Brand Indicators for Message Identification, or BIMI, promises to put your logo in front of millions of users, serving as a powerful visual cue of authenticity. But it isn't a feature you simply enable. It’s the final reward for running a tight ship on email authentication, a mark of trust granted only after you've passed a series of rigorous, unforgiving checks.

This isn't just about DNS. It’s a chain of custody for your brand's identity that stretches from your DMARC policy all the way to a legally registered trademark. We'll walk through each link in that chain and diagnose why it so often breaks.

DMARC Enforcement Isn't a Suggestion—It's the Cover Charge

Before you even think about logos, you have to talk about DMARC. BIMI is built directly on top of the Domain-based Message Authentication, Reporting, and Conformance framework defined in RFC 7489. Without a strong DMARC policy, a BIMI logo would be meaningless—just decoration on a potentially spoofed email. Mailbox providers like Google and Apple use BIMI as an incentive for senders to lock down their domains against phishing and BEC attacks.

Why `p=quarantine` Is the Bare Minimum

A DMARC policy of `p=none` is effectively a monitoring-only mode. It tells receivers to report authentication failures but take no action. For BIMI, this won't cut it. You need to signal that you have enough confidence in your authentication to request that unauthenticated mail be junked (`p=quarantine`) or blocked entirely (`p=reject`).

Furthermore, the policy must apply to 100% of your mail. A phased rollout like `p=quarantine; pct=50` won't qualify. The mailbox provider needs to see that you're willing to enforce the policy across your entire email stream. Anything less undermines the trust signal.

Alignment Is the Real Hurdle

This is the part that trips up even seasoned admins. A passing DMARC evaluation doesn't just require SPF and DKIM to produce a `pass` verdict. It demands *alignment*. This means the domain used for the SPF check (the `Return-Path` or `MAIL FROM` domain) or the domain in the DKIM signature (`d=`) must match the domain in the visible `From:` header (exactly, in strict alignment mode, or at the organizational-domain level in the default relaxed mode). Only one of the two identifiers needs to pass *and* align for DMARC to pass.

Imagine your marketing team sends a newsletter via a third-party platform. The email `From:` header shows `newsletter@yourbrand.com`. But if the platform uses its own domain for DKIM signing (`d=thirdparty-mailer.net`), DKIM will pass authentication but fail DMARC alignment. No alignment, no logo. The fix is to configure that platform to use a custom DKIM signature with your own domain, a feature most enterprise email service providers offer.
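The newsletter scenario above, worked through as an added example (this is not code from the article or from MailSleuth). It evaluates DMARC the way a receiver does: a raw `pass` from SPF or DKIM only counts if the authenticated domain aligns with the `From:` domain. The `org_domain` helper is an assumption: it takes the last two labels as the organizational domain, whereas a real receiver consults the Public Suffix List.

```python
# Added example (not from the article or MailSleuth): DMARC identifier
# alignment. The organizational-domain helper is a simplification (last
# two labels); real receivers consult the Public Suffix List so that
# names like example.co.uk are handled correctly.
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Assumed stand-in for a Public Suffix List lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


@dataclass
class MessageAuth:
    header_from: str   # domain in the visible From: header
    spf_result: str    # raw SPF verdict ("pass", "fail", ...)
    spf_domain: str    # MAIL FROM / Return-Path domain SPF was checked against
    dkim_result: str   # raw DKIM verdict
    dkim_domain: str   # d= tag of the DKIM signature
    aspf: str = "r"    # alignment modes taken from the sender's DMARC record
    adkim: str = "r"


def dmarc_evaluate(m: MessageAuth) -> dict:
    """DMARC passes if at least one *aligned* identifier authenticated."""
    spf_aligned = m.spf_result == "pass" and aligned(m.header_from, m.spf_domain, m.aspf)
    dkim_aligned = m.dkim_result == "pass" and aligned(m.header_from, m.dkim_domain, m.adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed scenario from the article: the third-party platform signs with
# its own domain and uses its own bounce domain, so nothing aligns.
NEWSLETTER_BEFORE = MessageAuth("yourbrand.com", "pass", "bounce.thirdparty-mailer.net",
                                "pass", "thirdparty-mailer.net")
# After enabling custom DKIM signing with a subdomain of the brand's domain.
NEWSLETTER_AFTER = MessageAuth("yourbrand.com", "pass", "bounce.thirdparty-mailer.net",
                               "pass", "mail.yourbrand.com")

if __name__ == "__main__":
    print(dmarc_evaluate(NEWSLETTER_BEFORE))  # dmarc fails although both raw verdicts are pass
    print(dmarc_evaluate(NEWSLETTER_AFTER))   # dmarc passes via relaxed DKIM alignment
```

Note that `NEWSLETTER_AFTER` only passes because the record's `adkim` defaults to relaxed; publishing `adkim=s` would make `d=mail.yourbrand.com` fail against a `From:` of `yourbrand.com`, which is a common self-inflicted BIMI outage.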

Your Logo File Is a Security Asset, Not Just a Graphic

You can't just upload any logo file. BIMI requires a specific, highly restricted format: SVG Tiny Portable/Secure (SVG Tiny PS). It's a subset of the Scalable Vector Graphics standard designed to be safe for rendering in a security-sensitive context like an email client. A full-fat SVG file can contain scripts, external resources, animations, and other interactive elements—all of which are potential attack vectors. SVG Tiny PS strips them all away.

Meeting the 'SVG Tiny PS' Specification

Creating a compliant SVG is notoriously tricky. Your file must adhere to several strict rules. It cannot contain any scripts, embedded raster images, or external links. The file must declare its profile explicitly in the root `<svg>` element. You also need a `<title>` element containing your company name, as this is used for accessibility purposes.

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100" version="1.2" baseProfile="tiny-ps">
<title>ExampleCorp</title>
<path fill="#D0021B" d="M..."/>
</svg>

Don't just 'Save As' from a graphics editor and assume it's compliant. Most editors add extra metadata or use features that are forbidden by the Tiny PS profile. You often need to export using a specific profile (Adobe Illustrator has one) or manually clean the XML to remove invalid elements and attributes. Always run your final SVG through one of the official BIMI Group validation tools before publishing.
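A pre-flight check for the rules listed above, as an added example (not the article's or MailSleuth's code, and not a substitute for the official BIMI Group validator). It parses the SVG as XML and reports the root-element attributes, the `<title>`, and the forbidden element types the article names. The `FORBIDDEN` set is illustrative, not the complete SVG Tiny PS element list, and both sample files are constructed.

```python
# Added example (not from the article or MailSleuth): a minimal SVG Tiny PS
# pre-flight check. FORBIDDEN covers the categories the article calls out
# (scripts, raster images, links, animation, interactivity); it is not the
# full profile.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
FORBIDDEN = {"script", "image", "foreignObject", "a", "animate", "animateColor",
             "animateMotion", "animateTransform", "set", "handler", "listener"}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def check_svg_tiny_ps(data: bytes) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("version") != "1.2":
        problems.append('root <svg> must declare version="1.2"')
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> must declare baseProfile="tiny-ps"')
    title = root.find(f"{{{SVG_NS}}}title")
    if title is None or not (title.text or "").strip():
        problems.append("missing or empty <title> (should hold the company name)")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):            # onclick, onload, ...
                problems.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href" and not value.startswith("#"):  # href / xlink:href
                problems.append(f"external reference {value!r} on <{name}>")
    return problems


# Constructed sample: the article's skeleton with a real path.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100" version="1.2" baseProfile="tiny-ps">
  <title>ExampleCorp</title>
  <path fill="#D0021B" d="M10 10h80v80H10z"/>
</svg>"""

# Constructed sample: what a 'Save As' from a graphics editor often looks like.
BAD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <title>ExampleCorp</title>
  <image xlink:href="https://cdn.example.com/logo.png" width="100" height="100"/>
  <script/>
  <rect width="10" height="10" onclick="go()"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        print(label, check_svg_tiny_ps(doc) or "OK")
```

Run it over the exact bytes you intend to submit to the CA; the hash embedded in the VMC is computed over that file, so this is the last point at which edits are free.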

The VMC: A Digital Notary for Your Brand's Logo

While the BIMI specification (RFC 9091) describes a 'self-asserted' path where you can publish a BIMI record without any extra certificate, this is mostly theoretical. The major mailbox providers that drive adoption—namely Google and Apple—require a Verified Mark Certificate (VMC). A VMC is a special type of X.509 certificate that proves your organization has the legal right to use the logo associated with your domain.

The VMC Gauntlet: Trademarks and Certificate Authorities

Getting a VMC is a significant undertaking that blends technical validation with legal verification. You can't just request one. You must first have a registered and active trademark for the exact logo you want to display. This trademark must be registered with a recognized intellectual property office, such as the USPTO in the United States or the EUIPO in Europe.

Certificate Authorities (CAs) like DigiCert or Entrust are responsible for issuing VMCs. During the application process, they will perform a rigorous validation. They'll verify your organization's identity, confirm your control over the domain, and, most importantly, check your trademark registration. This process can take days or even weeks and represents a real financial and administrative investment. It's the highest barrier to entry for most organizations.

The VMC itself contains a hash of your compliant SVG file. This cryptographically binds your verified legal trademark to that specific logo file, preventing anyone from hijacking your BIMI record and pointing it to a different logo.

Publishing the Records and Reading the Tea Leaves

With your DMARC policy in place, your SVG perfected, and your VMC issued, you can finally publish the BIMI DNS record. This is a TXT record located at the `default._bimi` selector for your domain.

default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://media.example.com/logo.svg; a=https://media.example.com/vmc.pem;"

Let's break that down. The `v=BIMI1` tag specifies the version of the BIMI standard. The `l=` tag points to the public URL of your SVG logo file; this MUST be an HTTPS URL. The `a=` tag provides the URL for your VMC in PEM format, which is also required to be HTTPS. While the `a=` tag is technically optional in the spec, it's mandatory for providers like Gmail that require a VMC.
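Both records that BIMI depends on share the same `tag=value;` TXT syntax, so one parser covers the DMARC eligibility rules from the earlier section (an enforcing policy at `pct=100`) and the BIMI record requirements just described (`v=BIMI1`, HTTPS `l=` and `a=` URLs). The following is an added example, not the article's or MailSleuth's code; the `sp=` check reflects the fact that `sp=` overrides `p=` for subdomains, and the `require_vmc` flag models providers that insist on a VMC.

```python
# Added example (not from the article or MailSleuth): parse DMARC and BIMI
# TXT records and report why a domain would not qualify for logo display.


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v;' into a dict; a trailing ';' is tolerated."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_issues_for_bimi(dmarc_txt: str) -> list:
    """Reasons this DMARC record would not satisfy BIMI's enforcement requirement."""
    t = parse_tags(dmarc_txt)
    issues = []
    if t.get("v") != "DMARC1":
        issues.append("v tag is not DMARC1")
    if t.get("p") not in ("quarantine", "reject"):
        issues.append(f"p={t.get('p')!r}: policy must be quarantine or reject")
    # sp= overrides p= for subdomains; if present it must enforce as well.
    if "sp" in t and t["sp"] not in ("quarantine", "reject"):
        issues.append(f"sp={t['sp']!r}: subdomain policy must also enforce")
    if t.get("pct", "100") != "100":       # pct defaults to 100 when absent
        issues.append(f"pct={t['pct']}: policy must cover 100% of mail")
    return issues


def bimi_record_issues(bimi_txt: str, require_vmc: bool = True) -> list:
    """Check a default._bimi TXT record; require_vmc mirrors providers that need a VMC."""
    t = parse_tags(bimi_txt)
    issues = []
    if t.get("v") != "BIMI1":
        issues.append("v tag is not BIMI1")
    logo = t.get("l", "")
    if not logo.startswith("https://"):
        issues.append(f"l={logo!r}: logo URL must be HTTPS")
    vmc = t.get("a", "")
    if not vmc and require_vmc:
        issues.append("a tag missing: this provider requires a VMC")
    elif vmc and not vmc.startswith("https://"):
        issues.append(f"a={vmc!r}: VMC URL must be HTTPS")
    return issues


# The article's BIMI record, plus constructed DMARC records.
ARTICLE_BIMI = "v=BIMI1; l=https://media.example.com/logo.svg; a=https://media.example.com/vmc.pem;"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_PHASED = "v=DMARC1; p=quarantine; pct=50"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (DMARC_OK, DMARC_PHASED, DMARC_MONITOR):
        print(rec, "->", dmarc_issues_for_bimi(rec) or "eligible")
    print(ARTICLE_BIMI, "->", bimi_record_issues(ARTICLE_BIMI) or "OK")
```

Feed these functions the output of `dig +short TXT _dmarc.yourdomain` and `dig +short TXT default._bimi.yourdomain` (with the surrounding quotes stripped) to check what the world actually sees rather than what you think you published.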

Following the Validation Trail

When an email from your domain arrives, the receiver's mail server executes a precise sequence of checks:
1. It validates that the email passes DMARC with an aligned identifier.
2. It performs a DNS lookup for your `default._bimi` record.
3. It fetches the SVG from the `l=` URL and the VMC from the `a=` URL.
4. It verifies the VMC certificate chain is valid and trusted.
5. It calculates the hash of the downloaded SVG file and confirms it matches the hash embedded within the VMC.
6. It confirms the domain in the VMC subject matches the domain sending the email.

If any one of these steps fails, the process stops and no logo is displayed. The result of this process is often logged in the `Authentication-Results` header of the email, which is the first place you should look when troubleshooting.

Your Logo Is Missing. Now What?

So you've done everything, but the logo is still a no-show. It's time to start triaging. The failure could be in one of many places, and mailbox providers are not always forthcoming with specific error reasons.

Checklist for a Missing BIMI Logo

First, check DNS propagation. Use a tool like `dig` to confirm your `default._bimi` TXT record is published correctly and visible from outside your network. TTLs can cause delays, so give it time.

Next, scrutinize the `Authentication-Results` header in a recent email received by a provider like Gmail. Look for a `bimi` entry. You might see a `bimi=fail` verdict with a reason, such as `invalid_svg` or `vmc_cert_invalid`. This is your single most valuable piece of diagnostic data. If there's no `bimi` entry at all, it likely means the DMARC check failed first, so the server never even proceeded to the BIMI lookup.
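The triage logic described above, as an added example (not the article's or MailSleuth's code): a small `Authentication-Results` parser that drops the authserv-id and parenthesised comments, then reports which link in the chain broke. The three sample headers are constructed, not real provider output; the `reason="..."` property and the reason strings follow the article's examples and may not match the exact wording a given provider emits.

```python
# Added example (not from the article or MailSleuth): parse an
# Authentication-Results header and locate the first failing BIMI stage.
import re

# Constructed sample headers (not real provider output).
AR_SVG_FAIL = """mx.example.net;
 dkim=pass header.d=yourbrand.com header.s=s1;
 spf=pass smtp.mailfrom=bounce.yourbrand.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourbrand.com;
 bimi=fail reason="invalid_svg" header.d=yourbrand.com header.selector=default"""

AR_DMARC_FAIL = """mx.example.net;
 dkim=pass header.d=thirdparty-mailer.net header.s=k1;
 spf=pass smtp.mailfrom=bounce.thirdparty-mailer.net;
 dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=yourbrand.com"""

AR_NO_BIMI = """mx.example.net;
 dkim=pass header.d=yourbrand.com header.s=s1;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yourbrand.com"""


def parse_auth_results(header: str) -> dict:
    """Return {method: {"result": verdict, "props": {name: value}}}."""
    body = header.split(";", 1)[1] if ";" in header else header   # drop authserv-id
    results = {}
    for clause in body.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause)   # strip (comments)
        clause = " ".join(clause.split())            # unfold whitespace
        m = re.match(r"([\w-]+)=([\w-]+)(.*)", clause)
        if not m:
            continue
        method, verdict, rest = m.groups()
        props = {k: v.strip('"')
                 for k, v in re.findall(r'([\w.-]+)=("[^"]*"|\S+)', rest)}
        results[method] = {"result": verdict, "props": props}
    return results


def diagnose_bimi(header: str) -> tuple:
    """(stage, detail): the first link in the chain that prevented logo display."""
    r = parse_auth_results(header)
    dmarc = r.get("dmarc", {}).get("result")
    if dmarc != "pass":
        return ("dmarc", f"dmarc={dmarc}: BIMI was never evaluated; fix authentication and alignment first")
    bimi = r.get("bimi")
    if bimi is None:
        return ("no-bimi", "DMARC passed but there is no bimi= clause: record not found or the provider did not evaluate it")
    if bimi["result"] == "pass":
        return ("bimi-pass", "logo eligible for display")
    return ("bimi-fail", bimi["props"].get("reason", "no reason given"))


if __name__ == "__main__":
    for h in (AR_SVG_FAIL, AR_DMARC_FAIL, AR_NO_BIMI):
        print(diagnose_bimi(h))
```

Paste the raw header from "Show original" (Gmail) or the equivalent view in another client; the parser only needs the header value, not the whole message.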

A common and frustrating failure point is an SVG/VMC hash mismatch. If you regenerate or even slightly tweak your SVG file *after* the VMC has been issued, the hash will no longer match, and validation will fail. You must use the *exact* SVG file that you submitted to the CA during the VMC application process.

Finally, consider provider-specific policies and reputation. Some providers maintain their own reputation systems that can influence BIMI display. A new domain, even with perfect configuration, might not have its logo displayed immediately. Check the postmaster pages for Google, Apple, and Yahoo for any specific requirements or known issues.

The takeaway

BIMI is not a feature you switch on. It's the visible outcome of a deliberate, sustained effort to secure your email identity. The complexity is the point; the gauntlet of DMARC enforcement, SVG validation, and trademark verification is what gives the logo its meaning. The logo isn't the real prize—the authenticated, trustworthy channel is. The logo is just the proof.

When you're stuck digging through raw `Authentication-Results` headers to find that one `bimi=fail` reason for a specific mail stream, it can feel like looking for a needle in a haystack. This is where analysis tools like MailSleuth.AI become invaluable, parsing those dense headers to pinpoint the exact link in the chain that broke, whether it's DMARC alignment on a forwarded meeting invite or a VMC hash mismatch from your marketing platform.
