DNS Record Explainer

v=BIMI1
Version tag. Locks the record to BIMI version 1. Required, non-negotiable. If you're reading this record five years from now and BIMI2 exists, you'll still be stuck with v1 semantics unless you publish a new record.

l=https://example.com/logo.svg
Logo URL. Points to your SVG brand mark. This is what mail clients will fetch and display next to your messages if authentication passes. Must be HTTPS, must be valid SVG, must be reachable without auth. Clients typically cache it, so don't expect instant updates if you replace the file.

a=https://example.com/vmc.pem
Authority/VMC (Verified Mark Certificate) URL. Points to your PEM-encoded certificate proving you own the trademark/brand. This is the trust anchor—without it, the logo claim is unverified. Also HTTPS-only. Optional in the spec, but practically required if you want mail clients to actually use the logo (Gmail, Yahoo, etc. require it).

• Certificate validation is strict. Your VMC must chain to a recognized root CA (DigiCert or Entrust currently). Self-signed won't work.
• Logo URL must be reachable from mail provider networks. Test from multiple locations; some corporate firewalls block external image loads.
• SVG has security constraints. Avoid scripts, external resources, or complex animations. Most clients strip them anyway.
• BIMI record sits in DNS at default location (_bimi._default.example.com for your main domain). Multiple subdomains need separate records.
• Common mistake: publishing BIMI without fixing DKIM/SPF/DMARC alignment first. BIMI requires DMARC pass; misaligned domains won't authenticate.

BIMI is presentation layer on top of DMARC. It doesn't authenticate anything—it just says "if this email passes DMARC, render my logo." Without it, you lose visual brand presence in inboxes where competitors have logos. Without DMARC passing, the record is useless; clients ignore it.