Loading...
WebShield Audit
BIMI (Brand Indicators for Message Identification) Checker
Verify your brand logo will render in conformant inbox providers.
Hands off to the full WebShield scanner, which covers this check alongside every other header, DNS and email auth probe.
BIMI is what puts your brand logo next to your email in Gmail, Yahoo, Apple Mail and Fastmail. It is also one of the unforgiving protocols: your DMARC has to be at quarantine or reject, your SVG has to be SVG Tiny PS (not regular SVG), and Gmail/Apple demand a Verified Mark Certificate (VMC) from a CA. WebShield checks every link in that chain.
What this tool checks
- default._bimi.<domain> TXT record with v=BIMI1
- l= URI pointing to a publicly fetchable SVG
- a= URI pointing to a VMC (PEM) if present
- SVG Tiny PS compliance (baseProfile="tiny-ps")
- SVG is square, no embedded raster images or scripts
- VMC issuer is a BIMI-approved CA (Entrust, DigiCert)
- DMARC policy at p=quarantine or p=reject (BIMI prerequisite)
- DMARC pct=100 (required; partial policies disqualify BIMI)
Why it matters
Two things BIMI buys you: trust (the logo is a visible signal your mail is authenticated), and brand consistency (every authenticated message carries the mark, not a grey avatar). Two things it costs you: your DMARC has to be real, not p=none cosmetic - and your VMC costs money and requires a trademark. That trade-off is worth auditing before you commit.
How WebShield tests this
WebShield looks up default._bimi.<domain> TXT, parses l= and a= URIs, fetches the SVG and verifies Tiny PS compliance (no scripts, no external references, baseProfile, viewBox, square dimensions). If a VMC is present, the scanner fetches the PEM and checks the issuing CA against the BIMI group's approved list. DMARC is resolved and the policy/pct pair are validated as BIMI-eligible.
Paste-ready fixes
DNS (minimal BIMI)
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg"DNS (with VMC)
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"SVG Tiny PS (template)
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
version="1.2" baseProfile="tiny-ps"
viewBox="0 0 64 64">
<title>Example Brand</title>
<!-- vector paths only - no raster, no script, no external refs -->
<rect width="64" height="64" fill="#0B0E14"/>
<path d="M20 20 h24 v24 h-24z" fill="#2DD4BF"/>
</svg>DMARC prerequisite
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]"Frequently asked
Do I need a VMC?
Gmail and Apple Mail require a VMC before they render the logo; Fastmail does not. A VMC costs roughly USD 1,500 per year per brand from Entrust or DigiCert and requires a registered trademark. Without a VMC, you can still publish BIMI and render in supporting clients - but not Gmail or Apple.
What is SVG Tiny PS?
A subset of SVG 1.2 Tiny with additional BIMI constraints: no scripts, no external references, no raster embeds, a <title> element, square viewBox, and baseProfile="tiny-ps". Regular SVGs exported from Illustrator almost never comply without manual cleanup.
Why does BIMI require DMARC enforcement?
BIMI's threat model assumes the message is authenticated and aligned. p=none doesn't enforce alignment, so attackers could spoof your domain and steal the logo. BIMI-issuing clients won't render the logo unless DMARC is at quarantine or reject with pct=100.
Can I use multiple logos for different subdomains?
Yes - publish separate default._bimi.<subdomain> records. You can also use selectors (e.g. selector._bimi.<domain>) referenced in the BIMI-Selector header in outgoing mail to rotate logos for campaigns.
Related
Knowledge base
Missing DMARC Policy
High severity · Email
Knowledge base
Missing DKIM Signature
High severity · Email
Knowledge base
Missing SPF Record
High severity · Email
Deep guide
DMARC: From p=none to p=reject, Safely
The alignment work between p=none and p=reject is the real DMARC project.
Tool
MTA-STS Checker
Check your SMTP TLS policy the way receiving MTAs do.
Tool
TLS-RPT Checker
See the TLS failures your mail server never tells you about.
Tool
DNSSEC Checker
Follow the chain of trust from the root down to your zone.