Want to protect your emails from phishing and boost brand visibility? Combining BIMI and DMARC is the way to do it. Here’s a quick guide to secure your domain and display your brand logo in inboxes:
- Set Up SPF and DKIM: Authenticate your emails to prevent spoofing.
- Implement DMARC: Enforce policies like
quarantineorrejectto protect your domain. - Prepare Your Logo: Convert your logo to BIMI-compliant SVG format.
- Get a Verified Mark Certificate (VMC): Authenticate your logo with a trusted provider.
- Publish Your BIMI Record: Add a DNS TXT record to display your logo in supported email clients.
Quick Tip: Only 0.14% of top domains use BIMI, so this is your chance to stand out. Combining DMARC and BIMI not only strengthens security but also enhances email engagement by up to 10%.
Let’s break down each step to get you started.
Related video from YouTube
Step 1: Set Up SPF and DKIM
Before you can deploy BIMI, you need to set up SPF and DKIM authentication. Recent data shows that around 40% of senders fail to implement both SPF and DKIM correctly , which can hurt email security and deliverability.
SPF Setup Guide
SPF (Sender Policy Framework) is a protocol that helps prevent email spoofing by specifying which IP addresses are allowed to send emails on behalf of your domain. To set up SPF, identify all your email-sending sources (like internal servers, ESPs, and third-party services) and create an SPF record. Here are some examples:
| Email Service Provider | Recommended SPF Record |
|---|---|
| Google Workspace Only | v=spf1 include:_spf.google.com ~all |
| Google + Amazon SES | v=spf1 include:_spf.google.com include:amazonses.com ~all |
| Google + GoDaddy | v=spf1 include:_spf.google.com include:secureserver.net ~all |
Tips for SPF setup:
- Keep the record under 255 characters.
- Limit include statements to 10 or fewer.
- Start with
~allfor testing, then switch to-allonce ready. - Use a single, unquoted record.
DKIM Setup Guide
DKIM (DomainKeys Identified Mail) verifies that your emails haven’t been tampered with by adding a digital signature. Marcel Becker, Senior Director of Product at Yahoo, highlights its importance:
"The end goal is ideally a policy of p=reject. That’s what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse."
Steps to set up DKIM:
- Generate 2048-bit DKIM keys.
- Add a DNS TXT record with the correct formatting to avoid errors related to key length or selectors.
- Enable DKIM and verify it using DNS checker tools.
Here’s a real-world example: Spotify, a Mailchimp client, saw their bounce rate drop from 12.3% to 2.1% in just 60 days after implementing SPF and DKIM. This boosted their email deliverability by 34% and contributed $2.3M in additional revenue.
Make sure SPF and DKIM are fully configured before moving on to DMARC setup. Once these are in place, you’re ready for Step 2.
Step 2: Set Up DMARC
With SPF and DKIM in place, the next step is implementing DMARC to strengthen email authentication and enable BIMI.
DMARC Policy Setup
To set up DMARC, you’ll need to add a TXT record to your DNS. This record follows a specific format with required and optional tags. Here’s a quick breakdown of the key DMARC components:
| Tag | Purpose | Example Value |
|---|---|---|
| v | DMARC Version | v=DMARC1 |
| p | Policy Action | p=none, p=quarantine, or p=reject |
| rua | Aggregate Reports | mailto:[email protected] |
| pct | Enforcement Percent | pct=100 |
According to EasyDMARC‘s 2023 case studies, DMARC has proven effective in reducing unauthorized email attempts.
DMARC Policy Settings
To successfully integrate BIMI, your DMARC policy must enforce either ‘quarantine’ or ‘reject’ with 100% enforcement. Start with p=none to monitor email traffic. After 2–4 weeks of analysis, move to p=quarantine and eventually to p=reject for full protection.
"If an email doesn’t come from an approved domain, the DMARC alerts the receiver systems and tells them how to respond – isolating any potential threats."
Key Requirements for BIMI:
Before implementing BIMI, ensure your DMARC record includes:
- A policy set to p=quarantine or p=reject
- pct=100 for full enforcement
- A valid reporting address to monitor activity
With these settings in place, you’re ready to analyze DMARC reports and proceed with BIMI integration.
DMARC Report Analysis
Once your DMARC policy is active, you’ll start receiving reports that provide valuable insights into your email authentication:
- Aggregate Reports: These daily summaries help you identify legitimate email sources, detect spoofing attempts, and spot authentication issues.
- Failure Reports: These real-time notifications give detailed information about specific authentication failures, helping you quickly address unauthorized senders or configuration errors.
Send DMARC reports to a dedicated mailbox and use a monitoring service to turn them into actionable insights. This step ensures you can fine-tune your email authentication strategy effectively.
Step 3: Format Your Logo
Once you’ve set up DMARC, the next step is to ensure your logo meets BIMI’s technical requirements. Getting your logo ready according to BIMI standards is key to completing your email authentication process.
BIMI Logo Standards
To comply with BIMI, your logo needs to meet specific technical guidelines. Here’s what you need to know:
| Requirement | Description |
|---|---|
| Format | SVG Tiny Portable/Secure (SVG P/S) |
| File Size | Maximum 32 KB |
| Aspect Ratio | Square (1:1) |
| Background | Solid color |
| Hosting | Must be on an HTTPS-enabled domain |
| Accessibility | Must include a <desc> element |
Make sure your logo is centered within the square canvas to ensure it looks consistent across all email clients.
Logo Format Conversion
To convert your logo into a BIMI-compliant SVG P/S format, follow these steps:
-
Start with a vector version
Use a high-quality vector file like.ai,.eps,.pdf, or.svgfor the best results. -
Export as BIMI-compliant SVG
Use design tools like Adobe Illustrator to export your logo. Include the necessary XML elements, such as:<svg version="1.2" baseProfile="tiny-ps"> <title>Your Company Name</title> <desc>Brief description of your logo</desc> <!-- Logo content here --> </svg> -
Validate and Optimize
Use official tools to ensure your logo meets BIMI standards. Tools like EasyDMARC’s BIMI Logo Converter simplify the process by handling technical details .
Key adjustments to check:- Remove
xandyattributes from the root<svg>tag. - Keep the
<title>element under 64 characters. - Center the logo properly.
- Ensure the file size is under 32 KB.
Tools like Valimail‘s BIMI Checker and Mailhardener BIMI Validator are great for verifying compliance .
- Remove
Getting your logo right is just as important as the technical setup for email authentication. Once validated, you’ll be ready to move on to securing your Verified Mark Certificate in Step 4.
sbb-itb-f42cab2
Step 4: Get a VMC
Once your logo is ready, the next step is to secure a Verified Mark Certificate (VMC). This certificate helps authenticate your brand in email inboxes.
VMC Requirements
Before applying for a VMC, make sure you meet these key conditions:
| Requirement | Description |
|---|---|
| DMARC Policy | Must be set to quarantine or reject (not none) |
| Logo Trademark | Requires active trademark registration (government entities are exempt) |
| Logo Format | Must be in SVG format (as outlined in Step 3) |
| Domain Ownership | You need verified control of the sending domain |
| Brand Identity | Provide documented proof of brand ownership |
Government organizations can use official seals instead of trademarks.
How to Apply for a VMC
Here’s how to get your VMC:
-
Choose an Authorized Provider
Providers like DigiCert, Entrust, and GlobalSign issue VMCs. For instance, DigiCert offers VMCs for $1,499 with a validity of 397 days . -
Complete Identity Validation
The validation process includes:- A face-to-face confirmation via video call with the provider’s team
- Verification of a government-issued ID
- Review of your organization’s documents
- Confirmation of trademark ownership
"In order to get a VMC, organizations must go through a series of validation procedures similar to getting an EV SSL certificate. During the process, an individual’s identity validation is required as well as face-to-face confirmation by a notary, lawyer or via a video call directly with a member of DigiCert’s validation team."
-
Implement the Certificate
Once approved, you’ll receive a PEM-encoded certificate chain along with hosting and HTTPS setup instructions. Many VMC providers can host these files for you, making implementation easier .
Pro Tip: If you have a prior-use trademark, consider a Common Mark Certificate (CMC). For added features, like Gmail’s blue "authenticated" checkmark, opt for a VMC .
With your VMC in place, you’re ready to move on to Step 5 and set up your BIMI record.
Step 5: Add BIMI Record
Once you’ve obtained your VMC in Step 4, it’s time to publish your BIMI DNS record. This step allows email clients to display your logo next to your emails.
BIMI Record Format
A BIMI record includes three key parts:
- Version identifier
- Logo URL
- VMC certificate URL (if applicable)
Here’s how the BIMI TXT record should look:
| Component Type | Record Format | Example |
|---|---|---|
| With VMC | v=BIMI1;l=;a=[certificate URL] |
v=BIMI1;l=;a=https://images.solarmora.com/brand/certificate.pem |
| SVG Only | v=BIMI1;l=[logo URL] |
v=BIMI1;l=https://images.solarmora.com/brand/bimi-logo.svg |
Pay close attention to the syntax – mistaking similar characters (like "1", "I", or "l") can lead to errors.
Once you’ve created your BIMI record, you’ll need to update your DNS settings accordingly.
DNS Record Setup
After acquiring your VMC, follow these steps to update your domain’s DNS settings:
- Log in to your domain provider’s control panel.
-
Create a new TXT record:
Field Required Value Type TXT Host/Name default._bimiValue Your BIMI record (formatted as shown above) TTL 3,600 seconds (1 hour) - Review your entries and save the record.
Important: Your DMARC policy must be set to "quarantine" or "reject" for your BIMI logo to display correctly.
Allow up to 48 hours for DNS propagation. During this time, your logo may not consistently appear in email clients.
Troubleshooting Tips
If your logo isn’t showing up after 48 hours, double-check the following:
- Your DMARC policy is set to "quarantine" or "reject."
- The URLs in your BIMI record are accessible.
- Your logo complies with the SVG Tiny PS format specifications.
- The recipient’s email provider supports BIMI.
Note: Certain providers, like Gmail, may require a PEM file reference. When possible, include both PEM and SVG files to meet these requirements.
Testing and Fixes
Once your BIMI record is set up, it’s time to test its functionality and ensure everything is working as expected.
BIMI Test Tools
Here are some tools to help you verify your BIMI setup:
- EasyDMARC BIMI Lookup: This tool quickly checks your BIMI record, logo, and VMC certificate. It also shows how your logo will appear in different scenarios .
- Valimail BIMI Checker: A free tool that identifies issues such as:
- Missing VMC certificates
- Errors in BIMI record syntax
- Incorrectly formatted logos
- Non-compliance with HTTPS for logo and VMC URLs
- MxToolBox: Provides BIMI record verification to confirm your DNS setup is correct .
"Once you enter your domain, it retrieves your BIMI record from the DNS, finds and validates your logo and the VMC, and shows you how the logo looks in different conditions. If anything is missing from the list, our BIMI lookup tool gives a warning and a recommendation on how to fix it." – EasyDMARC
Common BIMI Problems
Here are some frequent BIMI issues and how to address them:
| Problem | Solution | Verification Method |
|---|---|---|
| DMARC Not Enforced | Set DMARC policy to p=quarantine or p=reject |
Use a BIMI checker to confirm DMARC status |
| Invalid Logo Format | Convert your logo to SVG Tiny PS format with a 1:1 aspect ratio | Use BIMI lookup tools to validate |
| Missing/Invalid VMC | Obtain a valid VMC from an authorized provider | Check the certificate using a BIMI checker |
| Incorrect BIMI Record | Review and fix errors in DNS record syntax | Use DNS record lookup tools |
| HTTPS Not Used | Update logo and VMC URLs to HTTPS | Verify URLs with a BIMI checker |
Troubleshooting Tips
- Allow up to 48 hours for DNS changes to propagate.
- If you’re using a provider like Yahoo! that doesn’t require a VMC, make sure your domain’s reputation is strong .
- For Gmail, ensure you have a valid VMC certificate.
"This kind of tool is extremely useful because BIMI readiness involves getting a lot of small details right." – Valimail
Provider-Specific Considerations
Keep in mind that not all email providers support BIMI yet. If you encounter issues, review the specific BIMI requirements for the provider you’re using.
Once you’ve tested and resolved any issues, you’re ready to finalize your BIMI setup.
Email Verification with Bouncebuster
Keep your sender reputation intact with precise email verification. Bouncebuster offers tools designed to align with your email authentication approach.
Bouncebuster Features
Here’s how Bouncebuster’s features can benefit your email campaigns:
| Feature | How It Helps BIMI/DMARC | Results Achieved |
|---|---|---|
| Real-time Verification | Blocks invalid email addresses | Cuts bounce rates by up to 8% |
| Spam Trap Detection | Shields sender reputation | Boosts deliverability by 15–20% |
| Bulk Verification | Cleans entire email lists | Drops bounce rates from 10% to 2% |
| REST API Integration | Streamlines verification processes | Ensures steady delivery rates |
These results are supported by data and statistics from .
"The end goal is ideally a policy of p=reject. That’s what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse." – Marcel Becker, Senior Director of Product at Yahoo
Using Bouncebuster
Here’s how to integrate Bouncebuster into your email strategy:
- Use the bulk verification tool to clean up your email lists.
- Set up the REST API at points where emails are captured to enable real-time checks.
- Perform regular verifications to stay ahead of identity fraud trends .
Companies combining thorough email verification with BIMI often experience better delivery rates and stronger sender reputations .
Conclusion
Summary
Organizations that enforce DMARC experience a 10% improvement in deliverability and open rates . Adding BIMI to the mix can further boost open rates by another 10%, as emails displaying brand logos tend to grab more attention, according to Verizon Media .
By following a five-step process – from setting up SPF and DKIM to creating a BIMI record – you can create a strong email authentication system. Interestingly, only 0.14% of the top 10 million global domains have published a BIMI record, making this an excellent chance to stand out .
With this knowledge in hand, you’re ready to take the necessary steps to secure your email systems.
Getting Started
Here’s a breakdown of the key phases to implement BIMI and DMARC:
| Phase | Key Actions | Expected Outcome |
|---|---|---|
| Initial Setup | Deploy SPF and DKIM authentication | Establishes a security base |
| DMARC Implementation | Set policy to p=quarantine or p=reject | Strengthens domain protection |
| BIMI Preparation | Create an SVG logo and get a VMC | Adds visual brand recognition |
| Monitoring | Analyze DMARC reports regularly | Ensures ongoing optimization |
"BIMI gives brands an opportunity to reinforce their logo while building trust as a sender of authentic messages." – dmarcian.com
Regularly reviewing DMARC reports can help you catch and resolve issues quickly, ensuring your brand maintains high deliverability while protecting recipients from email fraud . Tools like Bouncebuster can further enhance your email security and strengthen trust with your audience.
