DNS Record Explainer

v=BIMI1
Version tag. Specifies BIMI spec version 1. Required; always set this.

l=https://example.com/logo.svg
Logo URL. Points to an SVG file that mail clients display next to your sender identity (in inbox, compose, etc.). Must be HTTPS. The SVG should be square, under 32KB, and use only embedded fonts/data—external resources won't load. Clients may cache aggressively, so plan for slow refresh cycles.

a=https://example.com/vmc.pem
VMC (Verified Mark Certificate) URL. Points to a PEM-encoded certificate that cryptographically binds your logo to your organization. Issued by BIMI-authorized CAs (DigiCert, Entrust, etc.). Proves you own the mark; without this, logos often won't render in major clients (Gmail, Yahoo, etc.). Must be HTTPS.

• Both URLs must be publicly accessible and respond quickly—mail servers time out slow endpoints.
• SVG file size matters: oversized logos get rejected silently.
• VMC is effectively mandatory for Gmail/Yahoo display. A BIMI record without the `a=` tag will work in some clients but most major providers require it. If you omit it, expect limited adoption.
• The VMC must match your sending domain exactly (or be a parent-domain cert). Mismatches = no rendering.
• SVG attacks exist: ensure your logo file is clean and doesn't embed JavaScript or unusual entities. Clients may sanitize or reject malformed SVGs.
• BIMI record must live in DNS as a TXT record under `default._bimi.yourdomain.com`.

BIMI is for brand authentication and visual identity in email. Mail clients query this record to fetch and validate your logo. Without it, senders appear as generic initials or default avatars. The VMC adds legal/cryptographic weight—it's what makes the difference between "logo shown as courtesy" and "logo shown as trusted brand mark." Missing BIMI breaks mailbox experience for your brand; missing the VMC means the logo rarely displays at scale.