Deliverability · Brand & authentication
BIMI Adoption in 2026: Where Verified Logos Actually Show
BIMI adoption in 2026 is real but uneven: Gmail, Apple Mail, Yahoo, AOL, and Fastmail display verified sender logos, while Microsoft Outlook and Microsoft 365 still do not. To show a logo you need DMARC at enforcement (p=quarantine or p=reject), a compliant SVG logo, and — for Gmail and Apple — a VMC or CMC certificate. Yahoo, AOL, and Fastmail accept free self-asserted logos with no certificate, so the entry point is attainable, but the genuine work is getting DMARC to enforcement first.
Key takeaways
- Coverage is partial. Gmail, Apple Mail, Yahoo, AOL, and Fastmail support BIMI; Outlook and Microsoft 365 still don’t.
- DMARC enforcement is the gate. No p=quarantine or p=reject, no logo — and that’s the hard part, not BIMI itself.
- VMC vs CMC. VMC needs a trademark and earns Gmail’s blue check; CMC (since early 2025) needs only 12 months of logo use and is cheaper.
- Free entry exists. Self-asserted logos display on Yahoo, AOL, and Fastmail with no certificate at all.
- Apple is VMC-only. Apple Mail does not accept CMC, and Apple Business Connect is a supplement, not a BIMI replacement.
BIMI — Brand Indicators for Message Identification — puts your verified logo next to authenticated messages in supported inboxes, and it has moved from novelty to a recognised trust signal driven by the AuthIndicators Working Group. But “supported inboxes” is doing a lot of work in that sentence, and the certificate landscape shifted in the last year. This guide lays out where BIMI actually displays in 2026, what it costs, and why the certificate is the easy part of the project.
What is BIMI, and why does it matter?
BIMI is a standard that lets a brand publish its logo in DNS so that participating mailbox providers can display it beside authenticated email. When a message arrives, the provider runs its usual SPF, DKIM, and DMARC checks; if the mail is DMARC-compliant and the provider supports BIMI, it looks up your BIMI record and shows your logo in the inbox list and the open view.
It matters for two reasons that pull in the same direction. For recipients, a verified logo is a fast visual cue that a message is genuinely from you and not a phishing impersonation — useful precisely because email spoofing remains common. For senders, that recognition tends to lift engagement and reinforces the authentication work you have already done. BIMI does not improve deliverability on its own; it is a trust and recognition layer that sits on top of a properly authenticated domain.
How widely is BIMI adopted in 2026?
Broadly among the consumer providers, with one large hole. Gmail displays BIMI logos across desktop, web, and mobile. Apple Mail and iCloud Mail support it on a roughly 58–60% share of mobile opens, which makes Apple alone a major reason to bother. Yahoo and AOL — the same infrastructure now — support it, as do Fastmail and early European adopters like La Poste. Between Gmail and Apple, a correctly configured logo reaches a large majority of consumer inboxes.
The conspicuous exception is Microsoft. As of mid-to-late 2026, Outlook and Microsoft 365 still do not support BIMI on desktop or webmail, and Microsoft has signalled interest without committing to a timeline. ProtonMail and Thunderbird also lack native support. For a B2B sender whose audience lives in Outlook, that gap is the single biggest limit on BIMI’s reach — worth weighing honestly before you budget for a certificate.
Put in reach terms, the picture is encouraging for consumer senders and mixed for B2B. Apple Mail commands roughly a 60% share of email opens and Gmail around 30%, so a correct implementation covering both reaches the bulk of consumer mail — but those are the same two providers that demand a certificate. Yahoo and AOL together are a smaller slice, perhaps 3–4% of the market, yet they are the providers that ask for nothing beyond a self-asserted logo. The result is a sensible adoption order: claim the free reach on Yahoo, AOL, and Fastmail first, then decide whether the Gmail-and-Apple majority justifies the certificate spend for your particular audience.
What do you need to qualify for BIMI?
Three things, in order, and the first is the one that takes real effort. You need email authentication with DMARC at enforcement: SPF and DKIM in place, and a DMARC policy of p=quarantine or p=reject at pct=100 on your domain. A policy of p=none will not display a logo anywhere — providers treat enforcement as the price of admission, and it must hold on both the parent domain and any sending subdomain, with proper alignment.
Second, you need a BIMI-compliant logo: an SVG in the Tiny PS (Portable/Secure) profile, square, clean, with no scripts or external references, hosted over HTTPS. Gmail adds its own rules on top of the base spec — a minimum of 96×96 pixels, with dimensions specified in absolute pixels rather than percentages. Third, you publish a BIMI TXT record at the default._bimi selector pointing to that logo, and — for Gmail and Apple — to a certificate.
# 1. Is DMARC at enforcement? (p=none will NOT show a logo) $ dig +short TXT _dmarc.example.com “v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com” # 2. Is the BIMI record published at the default selector? $ dig +short TXT default._bimi.example.com “v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem” # l= points to the SVG Tiny PS logo; a= points to the VMC/CMC PEM. # No a= = self-asserted: shows on Yahoo/AOL/Fastmail, ignored by Gmail.
VMC vs CMC: the two certificate options
The certificate is what unlocks Gmail and Apple, and since early 2025 there are two kinds. A Verified Mark Certificate (VMC) requires a registered trademark for your logo, is issued by DigiCert or Entrust, costs roughly €850–2,000 per year, and takes two to four weeks. Its payoff is the strongest trust signal: Gmail’s blue checkmark and Yahoo’s purple checkmark next to your name.
A Common Mark Certificate (CMC), which Google introduced in early 2025, removes the trademark barrier — you only prove the logo has been in public commercial use for at least twelve months. It is faster (around one to three weeks) and cheaper, which opened BIMI to the many SaaS and e-commerce brands without a registered mark. The trade-off is that Gmail displays a CMC logo without the blue checkmark, and — importantly — Apple Mail does not accept CMC at all as of May 2026, requiring a VMC for its logo display. So if Apple is core to your audience, the CMC shortcut doesn’t reach it.
Whichever you choose, the mechanics are the same. The certificate authority issues an entity certificate as a PEM file with your SVG logo and the certificate embedded; you append the intermediate and root CA certificates in the order issued, host the combined PEM on your public web server over HTTPS, and reference its URL in the a= parameter of your BIMI record alongside the l= logo URL. Both certificate types are issued only by the small set of authorities the BIMI Working Group recognises — currently DigiCert and Entrust — so there is no shopping around for a cheaper issuer, and renewal is annual. Budget for the certificate as a recurring line item, not a one-time setup cost.
Can you do BIMI without paying for a certificate?
Yes, partially, and it’s an underused starting point. A self-asserted BIMI record — one with no a= certificate parameter — is perfectly valid and will display your logo on Yahoo, AOL, and Fastmail at zero certificate cost. The setup is identical to a full implementation minus the certificate, so it’s a low-risk way to get the authentication and logo pipeline working before you commit budget. The catch is that without a VMC, Gmail ignores your BIMI record entirely and falls back to a sender initial or Google profile picture.
Apple offers a separate free path worth knowing about: Apple Business Connect lets you show your logo and brand name in Apple Mail and iCloud independently of BIMI, at no cost. It is a supplement rather than a replacement, though — Apple Mail still needs a VMC for the BIMI logo specifically, so Business Connect complements a full implementation rather than substituting for one. For a no-spend reach test, self-asserted plus Business Connect covers a meaningful slice of inboxes.
The DMARC enforcement is the real work
Here is the part the certificate vendors understate: BIMI is the last mile, and DMARC enforcement is the marathon before it. Reaching p=reject safely means first inventorying every legitimate system that sends mail as your domain — your ESP, your CRM, your helpdesk, your invoicing tool — and authenticating each one, because the moment you enforce, anything unaligned gets quarantined or rejected. Rushing to enforcement without that inventory is how organisations accidentally block their own transactional mail.
For most teams this is a six-to-eight-week project of reading DMARC aggregate reports, fixing alignment, and moving from p=none to p=quarantine to p=reject in deliberate steps. It is genuinely worth doing for its own sake — enforcement is what actually stops impersonation — and BIMI is the visible reward at the end. Our DMARC enforcement rollout guide covers that sequence, and the broader sender rules in Gmail and Yahoo requirements overlap heavily with what BIMI needs anyway.
What BIMI does for engagement — and what it doesn’t
The vendor research is consistently positive and worth treating as directional rather than precise, since most of it comes from companies that sell BIMI services. Reported figures include large jumps in consumer confidence, open-rate lifts in the low single digits to mid-single digits, meaningful click-through and brand-recall improvements, and higher purchase rates for brands showing logos versus those that don’t. A frequently cited example, TalkTalk, reports a 4–6% engagement improvement after implementing BIMI.
What BIMI does not do is fix a weak sending program or rescue poor deliverability — it presupposes you are already authenticated and landing in the inbox. Treat the engagement numbers as a reason to finish the last mile once the hard authentication work is done, not as a standalone growth lever. The honest framing is that BIMI converts existing trust into a visible signal; it does not manufacture trust you haven’t earned through good sending practice. The more defensible benefit may be the security one rather than the engagement one: a logo that only appears on properly authenticated mail gives recipients a quick way to spot impersonation, and that anti-phishing value holds up even if the open-rate numbers prove softer than the vendor studies suggest.
Why your logo isn’t showing: common BIMI failures
Almost every “I set it up and nothing appears” case traces to a short list of causes, and they tend to depend on each other, so check them in order. The most common is DMARC still sitting at p=none — without enforcement, no provider will show a logo, full stop. Next is failing SPF or DKIM alignment, which you confirm by reading real message headers from a test send to verify DMARC actually passes against your visible From domain.
After authentication, the usual culprit is the SVG itself: a file with scripts, external links, or the wrong profile gets refused, and Gmail’s extra 96×96-pixel, absolute-dimension rule trips up otherwise valid logos. Finally, check the mechanics of the record — the correct default._bimi selector, the logo URL, and the certificate PEM link. Even when everything is right, give it a few days: providers cache BIMI results, so a correct logo can take time to appear rather than showing instantly.
Rolling out BIMI: a practical sequence
The order that avoids wasted effort is consistent. Get SPF and DKIM correct for every legitimate sender first; publish DMARC and move it deliberately to enforcement, validating each sender as you go; prepare a compliant SVG Tiny PS logo; decide between self-asserted, CMC, or VMC based on your audience and whether you hold a trademark; publish the BIMI record; then test against real Gmail, Apple, and Yahoo accounts and monitor DMARC reports as your sender mix changes. The detailed record-by-record walkthrough lives in our BIMI setup guide.
One practical note for senders running their own infrastructure: controlling your sending stack makes the authentication groundwork far cleaner, because you can sign mail correctly and keep streams aligned without fighting a shared platform’s defaults. BIMI is also one of several shifts reshaping technical infrastructure in 2026 — the parallel moves toward sovereign cloud and new hardware architectures like Arm and RISC-V servers reflect the same pressure toward verifiable control over the systems you run. Treat BIMI as the visible badge on top of email infrastructure you actually govern.