DNS Record Explainer

v=BIMI1
Version tag. BIMI is at version 1. This is required and must appear first. If you see v=BIMI0, that's obsolete—upgrade immediately.

l=https://example.com/logo.svg
Logo URL. Points to your SVG brand logo. This is what mail clients display next to your messages in supported inboxes (Gmail, Yahoo, etc.). Must be HTTPS, must be valid SVG, and should be square aspect ratio. Without this, BIMI provides no visible benefit to end users.

a=https://example.com/vmc.pem
Authority URL. Points to your Verified Mark Certificate (VMC)—a credential from an authorized issuer (DigiCert, Entrust, etc.) that cryptographically proves you own the brand/trademark. This prevents impersonators from spoofing your logo. Without it, BIMI is "logotype-only" mode and most major mailbox providers won't render your logo (they require VMC for security).

• VMC is missing in practice for most orgs. You likely don't have a=https://... yet. That's fine for testing, but production BIMI is pointless without it—your logo won't display in Gmail, Yahoo, etc.
• Logo URL must be accessible and fast. If the SVG 404s or times out, clients won't display it. Test it.
• No size limits specified in the record, but keep SVG under 100KB and under ~500x500 pixels for performance.
• BIMI record goes in DNS as a TXT record at domain `default._bimi`.

BIMI (Brand Indicators for Message Identification) is display-layer authentication. It doesn't affect deliverability, but it does stop phishing—your authenticated mail gets your logo in the inbox, making spoofing obvious. Gmail won't show your logo without a valid VMC and passing DMARC alignment. Yahoo requires both. This record is only useful if you've already hardened DMARC (p=quarantine or p=reject) and obtained a VMC from an approved CA.