DNS Record Explainer

v=BIMI1
Version tag. Currently only BIMI1 exists. Required in every record.

l=https://example.com/logo.svg
Logo URL. Points to an SVG file that mail clients display next to your sender identity in the inbox. Must be HTTPS. The SVG should be square, under 32KB, and follow BIMI logo requirements (no animations, solid colors preferred). This is the visual asset—without it, BIMI won't render anything.

a=https://example.com/vmc.pem
Assertion URL. Points to a PEM-encoded VMC (Verified Mark Certificate) file. This proves you own the trademark/logo and authenticates the logo to mail clients. VMCs are issued by BIMI-authorized CAs (DigiCert, Entrust) and cost money. Without this, BIMI is "logotype only" mode—logo shows but with lower trust. Most deployments include this.

• Both URLs must be reachable and return valid content. 443 timeouts or 404s silently fail BIMI.
• HTTPS is required; HTTP will not work.
• The SVG file must be valid; malformed SVG breaks rendering.
• VMC must match the domain in the BIMI record and your organization's legal entity name.
• If you're testing, make sure your SPF/DKIM/DMARC are passing first—BIMI won't authenticate without them.
• Some mail clients (Gmail, Yahoo, etc.) cache BIMI records; changes take 24–48 hours to propagate.

BIMI is a DNS TXT record published at `_bimi._report.yourdomain.com` (or `_bimi.yourdomain.com` depending on spec version). It tells mail servers where to fetch your logo and proof of ownership. Gmail, Yahoo Mail, and other providers check this during message delivery. Without BIMI, your sender avatar in inboxes is a generic letter or silhouette. With it, your brand logo appears—but only if SPF/DKIM/DMARC align properly (DMARC pass is the gate). The VMC is what separates "logo display" from "authenticated logo display"; it's the trust layer that stops phishing actors from spoofing your logo alongside a forged domain.