Email security has come a long way in recent years. Most businesses are now familiar with SPF, DKIM and DMARC as the foundations of protecting their domain from spoofing and phishing. But there’s a newer standard gaining attention: BIMI.
BIMI promises better brand recognition, improved trust, and a visual stamp of authenticity in your customers’ inboxes. Sounds great… but is it actually realistic for small businesses right now?
Let’s break it down.
What is BIMI?
BIMI (Brand Indicators for Message Identification) allows your organisation’s logo to appear next to emails you send in supported inboxes (such as Gmail and Yahoo).
Instead of just seeing a sender name or generic initial, recipients can see your verified brand logo alongside your email. This helps users quickly recognise legitimate messages and reduces the risk of phishing.
In short:
- Stronger brand visibility
- Increased trust with recipients
- Clearer separation from spoofed or fraudulent emails
But BIMI isn’t just a logo upload. It’s tightly linked to email authentication and security standards.
The Prerequisites for BIMI
The Prerequisites for BIMI
Before BIMI is even an option, your email domain must meet strict security requirements:
So far, all reasonable… until we get to the biggest barrier.
1. DMARC enforcement
1. DMARC enforcement
Your domain must have DMARC set to p="quarantine" or p="reject.
This means:
- SPF and DKIM must be correctly configured
- You must be confident that legitimate mail won’t be blocked
- Any unauthorised senders are actively rejected or quarantined
You can read more about DMARC here.
2. A compliant BIMI logo
2. A compliant BIMI logo
Your logo must be:
- In SVG Tiny 1.2 format
- Square and properly optimised
- Hosted securely and publicly accessible
This isn’t a standard SVG export and often requires specialist design or conversion work.
3. A BIMI DNS record
3. A BIMI DNS record
A DNS record is added to your domain that:
- Points to your logo
- References your Verified Mark Certificate (VMC)
So far, all reasonable… until we get to the biggest barrier.
The Blocker: Verified Mark Certificates (VMCs)
The Blocker: Verified Mark Certificates (VMCs)
To display a BIMI logo in major inboxes like Gmail, you need a Verified Mark Certificate.
A VMC:
- Proves you own the logo
- Confirms you have the legal right to use it
- Is issued by a recognised Certificate Authority (such as DigiCert)
Why this is a problem for small businesses
VMCs come with two major costs:
- Trademark registration - Your logo must be a registered trademark. This alone can cost hundreds to thousands of pounds and take months to complete.
- Annual certificate fees - VMCs typically cost £800–£1,500+ per year, depending on the provider.
For large brands, this is a reasonable investment.
For most small businesses, it simply isn’t.
Is BIMI worth it right now?
Is BIMI worth it right now?
For enterprise organisations and well-known brands, BIMI makes sense:
- They already have trademarks
- The cost is marginal relative to marketing budgets
- Brand impersonation is a serious risk
For small and growing businesses, the reality is different.
While BIMI is technically impressive, it’s currently:
- Expensive to implement
- Dependent on trademark ownership
- Limited in inbox support
- Hard to justify compared to other security improvements
Right now, BIMI is more of a “nice to have” than a necessity for most SMEs.
What should small businesses focus on instead?
What should small businesses focus on instead?
If your goal is email trust and security, your effort is usually better spent on:
- Properly configured SPF, DKIM and DMARC
- Gradually moving DMARC to enforcement (quarantine → reject)
- Monitoring DMARC reports to prevent legitimate mail issues
- Reducing spoofing and phishing risks at the domain level
These steps deliver real security benefits without the high costs attached to BIMI.
Our View
Our View
BIMI is a great idea, but it’s not yet accessible for most small businesses.
As the ecosystem matures and costs come down, we expect BIMI to become far more achievable. Until then, getting your email authentication right is the most effective way to protect your brand and your customers.
If you’re unsure where your domain stands - or want help tightening up your email security - we can help you get there, without unnecessary complexity or expense.
