What BIMI Is and Why SES Senders Should Care in 2026
Open your Gmail inbox and you will notice that a handful of brands have replaced the generic coloured initial with a crisp, circular logo. That is BIMI, Brand Indicators for Message Identification, in action. The specification lets mailbox providers display a brand's logo next to authenticated email messages, turning an invisible authentication stack into a visible trust signal that recipients see before they decide whether to open.
For Amazon SES senders, BIMI matters for two practical reasons. First, the inbox providers that support it cover a substantial share of consumer email: Gmail, Yahoo Mail, Apple Mail, Fastmail, and several regional providers. Second, the requirement to earn that logo forces you to complete the authentication work that many SES accounts leave half-finished. Research by Red Sift and Entrust found that logo display in email lifted open rates by up to 39 percent. That is a meaningful commercial outcome, and it flows only to senders who have earned it through clean, consistent sending.
Most SES senders who know BIMI exists treat it as a one-time DNS task: add a TXT record, upload an SVG, done. That framing is wrong. BIMI is better understood as the visible reward for a continuously healthy sending reputation. The DNS records and the logo file unlock the door, but your ongoing bounce rate, complaint rate, DMARC alignment, and sender reputation are what keep it open. This article walks you through every layer of the stack, from the SES configuration prerequisites through to the ongoing monitoring that keeps your logo appearing day after day.
How BIMI Works
BIMI is an email specification that sits on top of SPF, DKIM, and DMARC, acting as the visible layer of an authentication stack that most recipients never see. When a supporting mailbox provider receives a message, it checks whether the message has passed DMARC and then looks up a DNS TXT record at default._bimi.yourdomain.com. That record points to two things: a URL for your SVG logo file and, when present, a URL for your mark certificate in PEM format. If everything checks out, the provider fetches the logo and displays it next to your message in the inbox.
The causation here matters: the logo appears because your authentication passed, not the other way around. BIMI does not directly improve your deliverability or sender reputation. Deliverability is primarily determined by your sending behaviour, things like complaint rates, bounce rates, list hygiene, and sending to engaged recipients. BIMI is a visual trust signal layered on top of existing authentication. Understanding this correctly is what separates teams who implement BIMI successfully from those who publish a record and spend weeks wondering why nothing appears.
The BIMI Prerequisite Stack for Amazon SES
Amazon SES documentation identifies four prerequisites that must all be in place before BIMI will function. Miss any one of them and the logo will not appear; you will receive no error message or bounce notification explaining why.
Custom MAIL FROM Domain
You must have a custom MAIL FROM domain configured in SES, with both an SPF TXT record and an MX record published for that subdomain. By default, SES uses its own domain in the Return-Path, which means SPF alignment passes against amazonses.com rather than your own domain. That arrangement satisfies basic deliverability requirements but breaks the SPF alignment that BIMI demands. Configuring a custom MAIL FROM domain, typically a subdomain such as mail.yourdomain.com, moves the Return-Path under your control so that SPF can align with your From domain. Your SPF TXT record for that subdomain must include include:amazonses.com, and the MX record must point to the SES feedback SMTP endpoint for your region.
Easy DKIM
You must configure Easy DKIM for your sending domain in SES. Easy DKIM uses 2048-bit RSA keys and generates three CNAME records that you publish in DNS. SES then rotates the underlying keys automatically, so you do not need to manage key expiry manually. DKIM alignment is particularly important for SES senders because DKIM is often the primary alignment mechanism when SPF alignment is difficult to achieve across all sending paths. A misaligned DKIM signature is one of the most common reasons that DMARC fails silently for SES senders using third-party tools alongside their own sending infrastructure.
DMARC at Enforcement
BIMI requires DMARC at the enforcement level, not monitoring mode. Policies set to p=none do not qualify. Your DMARC record must specify either p=quarantine or p=reject. If you are sending from a subdomain, the parent domain must also carry an enforcement policy, and any DMARC record published specifically for that subdomain must match the same enforcement level. BIMI requires that the policy applies to 100 percent of messages, so avoid using pct values below 100 once you are targeting BIMI eligibility.
Moving from p=none to p=reject Safely
For accounts currently running at p=none, the move to enforcement needs to be deliberate and staged. Jumping straight to p=reject without first auditing every legitimate sending source is one of the most reliable ways to lose deliverability overnight. The correct sequence is: start at p=none with aggregate reporting enabled, read those DMARC reports to identify every source sending mail from your From domain, ensure each source has properly aligned SPF or DKIM, then move to p=quarantine and monitor for two to four weeks, and finally advance to p=reject once you are confident the volume of failing mail is accounted for.
During the quarantine phase, watch your SES sending statistics closely. A spike in bounces during this transition often indicates that a sending source previously coasting on a weak SPF match has now been correctly identified as misaligned. That is useful information, but it can temporarily expose list quality problems. Verify your email list before implementing DMARC enforcement. Remove invalid, disposable, and spam trap addresses, because high bounce rates from poor contact data damage sender reputation independently of authentication changes.
SVG Logo Requirements
Your logo must be a Scalable Vector Graphics file, and the specific SVG profile required by BIMI is SVG Tiny Portable/Secure, commonly written as SVG Tiny P/S or SVG Tiny 1.2. This is a restricted subset of the SVG standard that forbids scripts, external references, embedded raster images, and most animation. A logo exported from Adobe Illustrator or Figma as a standard SVG will almost certainly fail BIMI validation without further processing, because design tools routinely include elements or attributes that SVG Tiny P/S prohibits.
The most common conversion failure is an SVG that contains an embedded raster image encoded as a base64 data URI. The file looks like an SVG from the outside but is really a PNG wrapped in an XML container. You can check for this by opening the SVG in a text editor and searching for data:image/png;base64. If you find it, you need a true vector conversion, not a format rename. Other common problems include complex gradients and transparent backgrounds. Keep the logo centred in a square frame, use a solid background, and keep the file size under 32 kilobytes.
Host the SVG file publicly over HTTPS. Amazon S3 paired with a CloudFront distribution is a practical choice for SES users: S3 provides durable object storage and CloudFront handles TLS termination, caching headers, and global edge delivery. Ensure the URL is stable. If you move the file or let the CloudFront distribution expire, the logo stops displaying silently across every inbox that has cached your BIMI record.
VMC vs CMC: Which Certificate Do You Need?
The certificate question is where most BIMI planning conversations get complicated, and the answer depends on which inbox providers matter most to your audience and whether your logo is a registered trademark.
A Verified Mark Certificate (VMC) is the higher-tier option. It requires that your logo be a registered trademark with a recognised intellectual property office, and the certificate authority verifies that registration during issuance. VMCs are issued by a small number of approved certificate authorities; active issuers as of mid-2026 include DigiCert, GlobalSign, Sectigo, and SSL.com. Direct pricing varies between issuers and resellers, broadly ranging from around $750 to $1,700 per year; check each CA's current pricing directly, as figures change. The VMC is what unlocks the blue verification checkmark next to your logo in Gmail, a signal that tells recipients the sender has had trademark ownership verified by a certificate authority. Treat the annual renewal as a recurring operating cost, not a one-off setup fee.
A Common Mark Certificate (CMC) is the lower-cost alternative for organisations whose logo is not yet a registered trademark. Gmail began accepting CMCs in September 2024. A CMC displays your logo in Gmail but without the blue checkmark. For Apple Mail, a VMC is required; CMC support for Apple Mail has not been confirmed as of mid-2026. Yahoo Mail and Fastmail will display a self-asserted logo, meaning no certificate at all, as long as DMARC is at enforcement and authentication passes. A CMC requires validation work: the certificate authority verifies at least 12 months of consistent public use of the logo, typically by checking web archive sources. CMC pricing from issuers generally ranges from around $650 to $1,100 per year at direct and reseller pricing, though you should confirm current rates with your chosen CA.
If your logo is not yet trademarked and Gmail is your primary audience, a CMC is the right starting point. If you want the Gmail blue checkmark and Apple Mail support, a VMC is required. If your audience is predominantly Microsoft 365 inboxes, note that Microsoft does not currently render BIMI logos at all and has built its own separate proprietary brand-display system; no certificate will change that.
Publishing the BIMI DNS Record
Once your SVG is hosted and your certificate PEM file is accessible via HTTPS, you publish a DNS TXT record at default._bimi.yourdomain.com. The record follows this structure:
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/certificate.pem
The l= tag contains the HTTPS URL for your SVG logo. The a= tag contains the HTTPS URL for your certificate PEM file. If you are running a self-asserted record for initial testing on Yahoo and Fastmail, you can omit the a= tag entirely, but this will not satisfy Gmail or Apple Mail. For subdomains, confirm that your DMARC record on the parent domain is at enforcement, as BIMI requires the parent domain policy to apply.
After publishing, validate the record using the BIMI Inspector tool at bimigroup.org. The inspector checks the DNS record structure, fetches and validates the SVG file, checks the certificate chain if an a= value is present, and reports any issues. Allow up to 48 hours for DNS propagation before drawing conclusions from validation results. Send test messages to Gmail, Yahoo, and Apple Mail accounts to confirm actual logo rendering in the inbox, because a passing inspector result does not guarantee provider-level display.
Inbox Provider Support Matrix
Understanding which providers support BIMI, and under what conditions, is essential for setting realistic expectations.
Gmail requires a VMC or CMC for logo display. Self-asserted BIMI without a certificate will not show a logo in Gmail. A VMC adds the blue verification checkmark; a CMC displays the logo without the checkmark. Gmail also applies its own reputation and volume heuristics, so even a technically perfect setup may not display the logo immediately on a new or low-volume domain.
Yahoo Mail supports logo display without requiring any certificate, making it useful for early testing of a self-asserted record. Fastmail behaves similarly. Apple Mail introduced BIMI support with iOS 16 and macOS Ventura and requires a VMC from an approved certificate authority for logo display; CMC support at Apple Mail has not been announced as of mid-2026, though this may change. AOL shares infrastructure with Yahoo and broadly follows Yahoo's behaviour.
Microsoft Outlook, Outlook.com, Hotmail, Exchange Online, and Microsoft 365 do not currently render standard BIMI logos. As of mid-2026, Microsoft has not announced a timeline for BIMI support and has instead built a separate proprietary brand-display system of its own. For a B2B sender whose list is predominantly Microsoft 365 inboxes, this is a significant limitation. For a consumer or direct-to-consumer brand, Apple Mail, Gmail, and Yahoo together cover the overwhelming majority of engaged recipients, making BIMI worthwhile despite the gap.
BIMI Is a Reputation Reward, Not a Deliverability Fix
This distinction is worth stating plainly because it is frequently misunderstood. BIMI does not improve your sender reputation or inbox placement. It is the visible output of an already-healthy authentication and reputation profile. The causation runs one way: clean sending produces a good reputation; a good reputation combined with correct BIMI configuration produces logo display. You cannot reverse it. A sender with a poor reputation and a technically correct BIMI record will still not see the logo, because mailbox providers apply their own reputation thresholds before deciding whether to render it.
Gmail's internal thresholds are not published, but they are known to include factors such as sender trust scores, domain age, complaint signals, and sending volume consistency. If your domain is new, your complaint signals are rough, or your reputation is uneven across campaigns, the provider may decide not to display the logo even though your DNS record is technically correct. The two foundational factors for sustained BIMI display are a DMARC policy at enforcement and a clean sending reputation built on high engagement, low bounces, and minimal spam complaints.
Keeping Your BIMI Logo Live: The Monitoring Imperative
Here is the operational reality that most BIMI guides ignore: the logo can disappear after you have set it up, with no notification from any mailbox provider. Several things can cause this, and they all come back to the sending metrics that SES exposes through its reputation dashboard and event streams.
A bounce rate spike is one of the fastest ways to lose logo display. Amazon SES will pause sending if your bounce rate climbs above its acceptable threshold, and mailbox providers suppress BIMI display well before that point. A list that was clean at launch can degrade over time: email lists decay at roughly 22.5 percent annually, meaning addresses that were valid 18 months ago may now be recycled into spam traps.
A complaint rate increase is equally damaging. Google's own guidance for bulk senders requires that complaint rates stay below 0.1 percent to avoid deliverability issues and below 0.3 percent to avoid sending being blocked. Complaint rates in this range will suppress BIMI display in Gmail before they trigger any formal block. Because SES complaint data flows through the SES reputation dashboard and through SNS notifications when you have bounce and complaint handling configured, there is no excuse for being surprised by a complaint rate problem, provided you are watching the data.
DMARC alignment failures are a subtler threat. If a new sending source is added, a subdomain is spun up for a marketing campaign, or a third-party tool starts sending on your behalf without proper DKIM configuration, DMARC will start failing for that traffic. You will not see an immediate delivery failure, because messages may still reach inboxes through a combination of reputation and other signals, but BIMI will stop displaying for any message that fails DMARC. DMARC aggregate reports reveal these failures, but only if someone is reading them.
Certificate expiry is another silent risk. VMCs and CMCs must be renewed annually, with a maximum validity period of 397 days. If the certificate at your a= URL expires or becomes unreachable, the BIMI record becomes invalid and logo display stops. Calendar reminders and automated certificate monitoring are essential operational safeguards.
This is where real-time monitoring of your SES sending metrics becomes more than a good practice. Tools such as SES Monitor surface bounce rates, complaint rates, and sending reputation metrics in real time, so that a sudden list quality problem or a newly misconfigured sending source shows up as an alert rather than as a mystery about why the logo stopped appearing three weeks ago. The connection between operational monitoring and BIMI uptime is direct: the metrics that monitoring catches are precisely the metrics that determine whether the logo displays.
Conclusion
BIMI is the visible proof that your sending reputation is healthy. Getting the logo to appear in Gmail, Yahoo, and Apple Mail is not primarily a DNS exercise; it is the end state of a correctly configured authentication stack, a logo converted to SVG Tiny P/S format, the right mark certificate from an approved certificate authority, and a sustained pattern of clean sending that keeps bounce rates low, complaint rates lower, and DMARC passing for every message that leaves your domain.
For Amazon SES senders, the prerequisite work is straightforward: enable Easy DKIM, configure a custom MAIL FROM domain to achieve SPF alignment, move your DMARC policy from p=none to p=quarantine and then to p=reject, host your logo on S3 and CloudFront, obtain the right certificate for your audience and trademark status, and publish the DNS record at default._bimi.yourdomain.com. Validate with the BIMI Inspector, send test messages, and confirm rendering in the inboxes that matter to your audience.
Then monitor continuously. The sending metrics that keep your logo displaying are the same ones that protect your overall deliverability: bounce rate, complaint rate, DMARC alignment, and sender reputation. SES Monitor exists to surface those signals in real time, so that the work you put into earning BIMI does not quietly unravel the moment a campaign hits a stale list or a new sending source joins your domain without proper authentication. Treat BIMI as a living indicator of programme health, not a configuration you complete once and forget, and it will reward you with the brand visibility and recipient trust it was designed to deliver.