Brand Indicators for Message Identification (BIMI) is an email standard introduced in 2021 that enables businesses to show their brand logo in the avatar slot of the Domain-based Message Authentication, Reporting and Conformance (DMARC) authenticated emails they send. This means businesses can proactively protect recipients of their email from bad actors. If you're a technical administrator, marketer, or business leader, implementing BIMI will mean you reap the benefits of better deliverability and higher open rates.

BIMI helps organizations to stand out against the noise of the inbox using either a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC). In 2025, Google announced that they will adopt the use of a CMC as an assertion document, which no longer requires a trademark, providing your logo has been in use for the last year, giving organizations the option to use a CMC over a VMC. Alternatively, you can now also use an existing trademark and only use elements of it.

By adopting BIMI, businesses can showcase their brand logo directly in supportive inboxes (such as Google and Yahoo) and strengthen email authentication. Pair it with DMARC of p=reject (essential for BIMI), SPF, and DKIM, and organizations can block domain impersonation, tighten security, and boost recognition. 

If you don’t already have DMARC enforcement, Red Sift makes it easy, helping organizations transition to a DMARC policy of p=reject in just 6-8 weeks, making BIMI adoption a breeze.

BIMI inserts your logo next to your email address at participating providers. It doesn’t prevent business email compromise (BEC)—that’s DMARC’s job—however, if someone tried to spoof you when you have BIMI in place, your logo won’t appear, and depending on your DMARC policy, the email may not even arrive. 

Implementing BIMI can significantly increase your brand recognition and email engagement, which are crucial factors for marketing success. With BIMI, your company's logo is displayed directly in the recipient’s inbox next to your email, helping your messages stand out among the clutter. This enhanced brand visibility establishes trust and credibility with your audience, leading to higher open rates and click-through rates. 

A recognizable logo can immediately evoke trust and familiarity, which is a key advantage in increasing email engagement metrics. By adopting BIMI, you create a consistent visual identity across your email communications, helping your brand gain a competitive edge.

From an email security perspective, DMARC—the protocol that powers BIMI—plays a vital role in reducing phishing attacks and email spoofing, providing better protection for your brand and recipients. Beyond its importance to email security, BIMI offers a host of other benefits for businesses, including improved brand visibility, increased trust in email legitimacy, and better brand recall. It’s even been shown to have an impact on consumer buying behavior.

When implemented using a Mark Certificate, BIMI has many benefits for businesses of all shapes and sizes. Showing a verified logo in email using a VMC, GMC or CMC can help businesses enjoy:

• Increased brand recall by 44%

After exposure, brands that had applied a logo increased their recall by up to 44%. The stronger the brand, the higher the recall increase, up to 120%.

• Improved open rates by 39%

Open rates see up to a 39% increase in both transactional and promotional emails.

• Improved average purchase increase by 32%

The email open uplift carried over to purchasing decisions with an average buying increase of up to 32%.

• 90% increase in confidence in an email's legitimacy

Using BIMI increased consumer confidence in the legitimacy of an email by as much as 90%.

BIMI is not just designed to boost brand awareness and enhance security, but also offers an advantage for today’s marketers looking to stand out against the noise. With the average consumer receiving around 120 emails every day, making an impression in the inbox is hard. However, by putting the email fundamentals in place, you’ll put your brand in a prime position to reap the revered reward that is ROI. 

Learn how BIMI can be a game changer with high ROI for your business. Hear from our VP of Marketing, Rebecca Warren.

Four Ways to Boost Email Marketing ROI in 2025

In partnership with Entrust, Red Sift commissioned research into the impact of a visible logo in an email’s avatar location on open rates, brand recall, and buying behavior.

The research focused on organizations based in the UK and US. Results showed a 9% increase in transactional open rates for a leading US investment firm, compared to a 10% decrease for a competitor that didn’t make use of BIMI. Further data showed an increase in market share by 38% for a UK energy provider, up from 6% while a similar competitor without BIMI experienced an 11% drop.

For businesses trying to sell products and services, promotional email open rates are crucial. In such a crowded market it is hard to break through against leading brands. However, when comparing a competitor’s promotional emails with BIMI implemented versus a leading brand without BIMI, US, and UK leading businesses lost 15% and 18% share of opens, while the competitors saw uplifts of 14% and 39% respectively.

In addition, Red Sift and Entrust found that overall, when a brand’s emails had a logo but a competitor’s did not, opens increased by 21% in the US and 39% in the UK. What’s perhaps most interesting is that these findings appear to be irrespective of market share or brand size.

In both the US and UK, we compared how logo visibility impacted purchasing decisions on emails from a selection of leading and competitor food delivery service brands. In the US, businesses without a logo within their email communications experienced a 24% loss, compared with a 34% gain for competitors who did have a logo enabled.

In the UK, a leading brand lost 39% of sales share due to the lack of a visible logo, whereas a competitor with a visible logo gained an impressive 32% sales increase.

To implement BIMI, you need to have a DMARC record in place and your organization’s sending and apex domains must be DMARC compliant (in a policy of quarantine or reject). 

Organizations are required to use a Mark Certificate (MC) from an authorized Certificate Authority (CA), which works alongside an organization’s DMARC policy that is required at enforcement (either quarantine or reject) and a BIMI record. 

A MC can either be a Verified Mark Certificate (VMC) with a registered trademark, a Government Mark Certificate (GMC) for government agencies, or now, the newly introduced Common Mark Certificate (CMC) for established brands.

Read our detailed guide on the key considerations before implementing BIMI.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a security protocol that protects businesses from exact domain impersonation and its harmful effects. 

When correctly configured, it works using existing security protocols SPF and DKIM to tell any receiving servers that an email coming from your domain is legitimate, and stops unauthenticated and unauthorized email. This stops hackers using your domain for phishing attempts against your customers, employees and suppliers and has also been shown to improve email deliverability and placement.

A Mark Certificate is a specialised digital certificate, issued by a trusted Certificate Authority (CA), that cryptographically links a trademarked logo to the domain authorised to send email on behalf of that brand. It serves as the “evidence document” referenced in a BIMI DNS record, allowing participating mailbox providers such as Gmail and Yahoo to display the brand’s verified logo next to authenticated messages.

• Brand integrity: Only legally verified logos are shown, reducing the risk of phishing campaigns that impersonate your brand.
• Higher trust and engagement: Consistent, verified branding in the inbox signals authenticity to recipients, helping lift open-rates and conversions.
• Security alignment: Mark Certificates complement DMARC, SPF and DKIM, forming a layered defence against domain spoofing and business-email compromise.

In short, a Mark Certificate provides the cryptographic proof mailbox providers need to display your brand logo safely and confidently, turning strong authentication into a visible trust signal for every email you send.

A Verified Mark Certificate (VMC) is a digital certificate issued by an authorized certification authority that enables organizations to display their registered logo next to their email messages in supported email clients. It is part of the broader Brand Indicators for Message Identification (BIMI) standard, which aims to provide visual confirmation of the email sender’s identity, thereby building trust and increasing email security.

A Government Mark Certificate (GMC) is a digital certificate designed specifically for government agencies and entities to authenticate their email communications. Similar to Verified Mark Certificates (VMCs) used by commercial organizations, GMCs help government bodies establish trust and provide visual identity assurance when sending emails to the public and other stakeholders.

• Verified brand logo in inbox: VMC and GMC enables the display of a verified brand logo in email inboxes through BIMI, making emails easily identifiable to recipients.
• Strengthened brand trust: When used with BIMI, VMC and GCMC reassures customers that the email is authentic and from a trusted source, reducing the risk of phishing.
• Higher email open rates: Displaying the verified brand logo increases the likelihood of recipients opening the email, as BIMI logos are highly visible and convey trust.
• Enhanced security: VMC or a GMC with BIMI requires DMARC enforcement, improving email security and reducing the risk of spoofing.

Common Mark Certificates (CMC) are the newest MC, enabling organizations to utilize BIMI in Gmail without requiring a registered trademark like VMC or GMC. This means businesses who have established use of a known logo but haven’t gone through the registered trademark process can utilize best practices in email communications by incorporating their brand into the inbox.

• Global recognition and accessibility: Common Mark Certificates can be recognized across Gmail’s global domains, making the BIMI mark understandable and trustworthy for a broad audience.
• Simplicity in cross-border compliance: Common Mark Certificates simplify compliance with BIMI's requirements, especially for multinational brands looking to present a consistent image in various jurisdictions.
• Improved brand perception: Displaying a logo via a CMC through BIMI promotes the brand as a standard bearer of quality, which appeals to recipients seeking consistency and reliability. Customers are more likely to interact with emails, increasing engagement and click-through rates.
• Eases international email delivery compliance: A Common Mark Certificate aids brands in meeting DMARC and BIMI requirements for international email platforms, enhancing deliverability and visibility.

Understanding the distinctions between VMCs and CMCs is crucial for organizations considering BIMI adoption. Both certificates play a role in displaying brand logos in email clients, but they have different requirements, recognition, and use cases.

Below is a clear comparison of the main differences between VMCs and CMCs:

Understanding how your logo with BIMI implemented will appear on both desktop and mobile is an important step to ensuring your brand’s impact with cross-platform users.

See below our guide to how a logo display is likely to appear, note on a mobile enabled platform like the Gmail app the logo will appear in the inbox preview, on desktop the logo appears in the message preview. 

Note: Both mobile and desktop view in Gmail only shows the verification mark enabled through a VMC in the message preview.

As outlined by the bimigroup.org in their Minimum Security Requirements for Issuance of Mark Certificates document, section 3.2.15, as part of the issuance process, the CA MUST check for CAA records and follow the processing instructions found. CAs must not issue certificates unless permitted to do so by the CAA record, if one is present. 

It allows a domain name holder to specify one or more Certification Authorities (CA's) authorized to issue certificates for that domain. CAA records allow a Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.

The answer is it depends. CA’s are only required to check to see if there is a CAA record and if you have permitted the CA to issue a certificate for the FQDN in question.

If you do not list a CAA Record, all CA’s will be able to issue certificates for the FQDN.​

Setting up a CAA record is up to you and your organization to decide if you only want a certain set of CA's to be able to issue certificates on your behalf and narrow down your exposure.

By default, a VMC on the organizational domain will cascade to all subdomains. However, if you’d like to use a different trademarked logo on a subdomain, you can do so. Keep in mind this will require a separate VMC chargeable at the current rate as each VMC is tied to a specific logo.

• DMARC Policy: Your domains must be DMARC-compliant, with an enforced policy (quarantine or reject).
• Trademarked Logo: The logo you wish to display must be a registered trademark.
• Certified Authority (CA): The VMC must be issued by an authorized CA, such as Entrust or DigiCert.
• BIMI TXT Record: You need to publish a BIMI TXT record in your DNS, which includes the URL to your SVG logo file.

• Employee verification: The CA will verify your employment with the Higher Authority and/or your HR team
• Video ID verification: Video call with a specialist that will verify your identity with a government ID
• Domain validation: Verify you own domain by entering a TXT record in your DNS zone

• Authorization contact: Provides the CA with authorization to issue VMC certificates for their organization. They will need to grant consent by email. 
• Contract signer: They will accept the subscriber agreement on behalf of their organization. The agreement is online and is accepted as a click-through. This person can be the same as the Authorization Contact to simplify the process.
• Higher authority: Also known as “Independent Confirmation” – they confirm that the Authorization Contact and Contract Signer are employed with the organization and authorized to act in these roles.

The time it takes to deploy BIMI can vary from business to business. One of the most important steps is ensuring your domain is DMARC compliant. At Red Sift, we streamline this process through Red Sift OnDMARC, where the average time taken to get to p=reject is 6-8 weeks. 

It’s worth noting that exact time will depend on the number of sources that need configuring and the speed at which you can implement the needed changes.  

Additional factors include your organization’s size, the complexity of your infrastructure, and whether you are opting for a VMC or GMC. It can take anywhere from 3-6 months to get a registered logo trademark, depending on the country you’re in, versus a CMC where adoption time is expected to be shorter.

If you meet all the requirements, the actual verification process takes on average 7-10 business days.

Currently, the list of mailbox providers that support BIMI includes Google, Apple, Yahoo, and Fastmail, Zoho, web.de, among others. Check the full list here.

Learn more about the only integrated BIMI and VMC application available on the market today, Red Sift OnDMARC's BIMI feature.

Apple has announced changes to its Business Connect function, including how a brand name or brand logo will be displayed in iPhone apps related to phone, email, and payments. 

It’s true that Apple’s update resembles some similarities to BIMI, but there remain significant differences. These include the setup process, logo requirements, and cost. While Apple’s option is essentially free, the logo display is limited only to iCloud Mail.

Red Sift OnDMARC’s BIMI feature is the only integrated BIMI with VMC or CMC solution available on the market. It helps users take care of their MC application end to end, including obtaining a VMC/CMC without having to go directly to the Certificate Authority (CA).

Red Sift OnDMARC offers seamless integration with Entrust, enabling users to easily transfer application data between the two platforms via API. This streamlined process eliminates the need for managing multiple platforms, allowing customers to achieve the necessary DMARC policy and BIMI readiness in one place. By centralizing these tasks, users benefit from a simplified experience with full guidance from industry experts, making it easier to implement both DMARC enforcement and VMC or CMC acquisition through a single interface.

Beyond BIMI implementation, Red Sift OnDMARC offers a wide variety of additional benefits including:

• Streamlined email security management: OnDMARC consolidates DMARC, SPF, DKIM, MTA-STS, and BIMI into a single platform, significantly reducing the complexity of managing email security across multiple systems. 
• Close security gaps with automated protection: OnDMARC’s automated subdomain discovery ensures that every domain and subdomain sending email is protected, closing gaps that attackers could exploit. This full coverage minimizes the risk of phishing and spoofing attacks originating from unmonitored subdomains.
• Stop email security threats that bypass DMARC: OnDMARC protects against email threats that can bypass DMARC. Through continuous monitoring for misconfigurations and forgotten records in DNS, OnDMARC ensures that email authentication remains effective and that gaps attackers might exploit are closed before they become issues. 
• Reduce manual tasks and time consumption with Red Sift Radar: OnDMARC’s LLM-powered assistant (Radar) cuts down on manual tasks and gives security teams immediate, actionable insights to address email security issues. Real-time alerts flag misconfigurations, authentication issues, and unusual activity right away, so teams can respond faster. 
• Dedicated support for fast DMARC implementation: The Red Sift team provides dedicated, hands-on 24/7 support throughout the setup and implementation process for OnDMARC. From initial configuration to ongoing adjustments, the team helps streamline the adoption of DMARC, SPF, DKIM, and MTA-STS, ensuring organizations achieve strong email security without delays or misconfigurations.

Red Sift OnDMARC offers validation that your logo is using the correct BIMI format, even prior to submitting an application. 

1. Click on “start application” within the BIMI section of Red Sift OnDMARC dashboard
2. Drag and drop or browse for your logo and OnDMARC will provide a validation. If your logo meets the criteria you will see confirmation of this on the screen, any errors with the logo will also be highlighted.