What this tool does
The BIMI Checker runs four chained operations on the domain you submit:
- DNS lookup on
default._bimi.<domain>to retrieve the TXT record and detect duplicates or a forbidden CNAME. - SVG logo download and validation pointed by the
l=tag: format, SVG Tiny-PS compliance (RFC 9043), square viewBox, reasonable size. - VMC download and parsing pointed by the
a=tag: issuing authority, validity period, BIMI trustmark presence, expiry date. - DMARC lookup on
_dmarc.<domain>to verify the strict prerequisite (p=quarantineorp=rejectwithpct=100).
The result aggregates findings into a 0 to 100 score, six dimensions, priority-sorted recommendations and a compact VMC card.
How BIMI works
BIMI (Brand Indicators for Message Identification, RFC 9043) lets a domain associate its official logo with the messages it sends. Three components must align:
- A DNS TXT record published at
default._bimi.<domain>in the formv=BIMI1; l=<svg_logo_url>; a=<vmc_url>(thea=tag is optional per the spec but required in practice). - An SVG logo compliant with the Tiny-PS profile: square viewBox, no scripts, no external references, no unauthorized embedded fonts.
- A VMC or CMC certificate (Verified Mark Certificate or Common Mark Certificate) issued by DigiCert or Entrust, signed by a recognized mark CA, containing a "BIMI Indicator Trustmark" OID.
The non-negotiable prerequisite: the domain's DMARC policy must be p=quarantine or p=reject with pct=100. With p=none or a partial pct, Gmail, Apple Mail and Yahoo do not display the logo regardless of how clean the BIMI record is.
DKIM or SPF alignment (depending on adkim and aspf modes) is still required on the sending side so messages pass DMARC and trigger logo rendering.
When to use the BIMI Checker
- After DNS publication to confirm the record has propagated and is readable by receivers.
- When the logo does not appear in Gmail, Apple Mail or Yahoo despite a supposedly complete deployment.
- Before the annual VMC renewal to measure remaining lifetime and plan ordering with the CA.
- Brand audit on a secondary domain (marketing subdomain, subsidiary domain) before publication.
- End-to-end verification (record, logo, VMC, DMARC) after a logo vendor or CA migration.
The six score dimensions
| Dimension | Weight | What is measured |
|---|---|---|
| Record | 20 pts | TXT presence at default._bimi.<domain>, no duplicate, no CNAME |
| Syntax | 15 pts | Recognized tags (v=BIMI1, l=, a=), valid HTTPS URLs |
| Strict DMARC | 20 pts | p=quarantine or p=reject with pct=100 on the analysed domain |
| Logo | 20 pts | Successful fetch and SVG Tiny-PS compliance (RFC 9043) |
| VMC | 15 pts | Successful fetch, not expired, BIMI trustmark present |
| Hygiene | 10 pts | Reasonable URLs, optional sha256, DKIM/SPF alignment |
A syntactically invalid record caps the score at 30. A DMARC policy at p=none also caps at 30 and forces the critical verdict: the BIMI chain is technically published but inoperative.
Common diagnostics and fixes
Record missing
The tool found no TXT at default._bimi.<domain>. Create the record with at minimum v=BIMI1; l=https://captaindns.com/bimi/logo.svg. Publish in DNS and wait for propagation.
DMARC too loose
The tool detects p=none or a pct below 100. BIMI is inoperative on Gmail, Apple Mail and Yahoo. Tighten the DMARC policy, ideally to p=reject; pct=100, after an observation phase using rua reports.
VMC missing
The a= tag is absent from the record while l= is present. Modern renderers require a VMC to display the logo. Order a VMC from DigiCert or Entrust (expect USD 1000 to 1500 per year and 2 to 4 weeks of vetting), host the PEM over HTTPS and add a=<url> to the record.
Logo not compliant
The downloaded SVG contains forbidden elements (scripts, foreignObject, external references, non-square viewBox). Use the BIMI Validator to identify each item to fix, then republish the cleaned-up SVG.
VMC expiring soon
The valid certificate expires within 60 days. Plan the renewal with the CA ahead of time. An expired VMC instantly suppresses logo rendering with no alert on the webmail side.
Limitations and technical notes
- Webmail logo caching: a logo change may take several days to appear for recipients. This is not a BIMI bug but a caching behavior.
- Selector: the spec allows selectors other than
defaultvia theBIMI-Selectorheader. This tool queriesdefault._bimi.<domain>, which covers almost all deployments. - CMC versus VMC: Common Mark Certificates (non-registered marks) are supported only by some webmails. The VMC remains the reference for Gmail and Yahoo.
- DKIM signature: the
a=tag in the BIMI record points to the VMC, not a DKIM key. Do not confuse the two components. - Apple Mail displays the BIMI logo even without a VMC when DMARC is strict, unlike Gmail and Yahoo.
Related tools
| Tool | Purpose |
|---|---|
| BIMI Validator | Validate a BIMI record syntax before DNS publication |
| BIMI Generator | Build a compliant BIMI record from scratch |
| BIMI SVG Converter | Convert an SVG into the BIMI Tiny-PS profile |
| BIMI Hosting | Host the SVG logo and VMC for free |
| DMARC Record Check | Check the DMARC policy, the indispensable BIMI prerequisite |
Frequently asked questions
Q: Why is my BIMI logo not showing?
A: Five common causes: DMARC policy is p=none or pct is below 100, the VMC certificate is missing or expired, the SVG logo is not SVG Tiny-PS compliant (scripts, external references, non-square viewBox), the logo URL is not reachable over HTTPS, or the BIMI record itself is not published at default._bimi.<domain>. The BIMI Checker diagnoses each of these.
Q: What is the difference between BIMI Checker and BIMI Validator?
A: The Checker queries DNS to inspect the published record on your domain, downloads the logo and VMC, verifies DMARC. The Validator analyses the syntax of a record you paste before publishing. Recommended workflow: Validator before publication, Checker after.
Q: What does the 0 to 100 score mean?
A: The score measures BIMI-readiness, i.e. the likelihood that the logo will render in Gmail, Apple Mail and Yahoo. 90 to 100 = inbox-ready. 75 to 89 = correct configuration with minor adjustments. 50 to 74 = blockers to address (missing VMC, DMARC not strict). Below 50 or invalid state = critical.
Q: Which six dimensions are evaluated?
A: Record (DNS presence, 20 points), syntax (parseable record, 15 points), strict DMARC (p=quarantine or p=reject with pct=100, 20 points), logo (SVG Tiny-PS compliant, 20 points), VMC (valid certificate, not expired, with trustmark, 15 points), hygiene (reasonable URLs, sha256, alignment, 10 points).
Q: Is a VMC mandatory for BIMI?
A: RFC 9043 does not require it, but Gmail and Yahoo will not display the logo without a valid Verified Mark Certificate. Apple Mail accepts a deployment without VMC. Without a VMC, the logo stays hidden for the majority of recipients.
Q: What does the tool check about DMARC?
A: The tool performs a lookup on _dmarc.<domain>, reads the p policy, pct, the subdomain policy sp and the alignment modes. The BIMI prerequisite is p=quarantine or p=reject with pct=100. Anything below caps the BIMI score at 30 and triggers a critical recommendation.
Q: What does 'logo not Tiny-PS compliant' mean?
A: The SVG logo contains elements prohibited by the SVG Tiny PS profile defined in RFC 9043: JavaScript scripts, foreignObject elements, external references (xlink:href to other URLs), unauthorized embedded fonts, or a non-square viewBox. The BIMI Validator lists each item to fix.
Q: How long until BIMI changes show up?
A: Two delays stack: DNS propagation (1 to 4 hours with TTL 3600, 24 to 48 hours with TTL 86400) and webmail logo cache (several hours to several days). Reduce the TTL before any change to speed up propagation.
Useful resources
- RFC 9043 - SVG Tiny Portable/Secure (SVG Tiny PS) (official SVG profile for BIMI)
- RFC 7489 - DMARC (strict DMARC prerequisite)
- IETF Brand Indicators for Message Identification draft (BIMI specification in standardisation)
- BIMI Group (AuthIndicators Working Group, documentation and current drafts)
- DigiCert Verified Mark Certificates (mark CA for VMCs)
- Entrust Verified Mark Certificates (mark CA for VMCs)
- Gmail BIMI requirements (Google Workspace requirements)