{{ summaryTitle }}
{{ summaryFigure }}
{{ summaryDetail }}
{{ analysis.summaryBadge }} {{ analysis.evidenceBadge }} {{ analysis.providerLabel }} {{ analysis.dmarcBadge }}
{{ summaryCopyHelp }}
{{ summaryCopyStatus }}
Domain BIMI Evidence
Enter a domain such as example.com. Protocols, paths, and trailing dots are normalized.
The default selector publishes at default._bimi.example.com.
Use an HTTPS URL ending in .svg or .svgz. Host the Tiny PS/SVG profile asset before publishing.
Most production rollouts use a VMC or CMC certificate URL. Declination publishes l=; a= for this selector.
Use the publicly reachable PEM or evidence document URL supplied by your mark certificate authority.
Choose the current policy state so readiness checks reflect the deployment gate.
Use brand to prefer the BIMI logo when a provider also has a personal avatar.
Select the DNS UI or zone-file format you plan to paste into.
{{ analysis.ownerName ? 'Results update as fields change.' : 'Fix the domain and selector to build the DNS owner.' }}
Use a shorter TTL during rollout, then raise it after validation passes.
seconds
Some runbooks prefer a trailing semicolon for tag-value records; DNS does not require it.
Disable this to rely on the implicit avp=brand default when preference is not needed.
The spec treats a missing a= as empty; keeping a= makes the no-evidence posture obvious in reviews.
Use lps= only when your outbound local-parts intentionally map to additional BIMI selectors.
Example: brand-indicator-,offers-. Invalid prefixes block copying until fixed.
BIMI values are usually short; enable this for long URLs or strict BIND formatting.
Field Value Use Copy
{{ row.label }} {{ row.value }} {{ row.note }}
Provider field Value to paste Note Copy
{{ row.label }} {{ row.value }} {{ row.note }}
Gate Status Next action Copy
{{ row.label }} {{ row.status }} {{ row.detail }} {{ row.action }}
Tag Value Meaning Copy
{{ row.tag }} {{ row.value }} {{ row.meaning }} 
{{ formattedJson }}
Tags: DNS, Email, Security
DKIM DNS Record Generator Build a DKIM TXT record from selector, domain, and public key input, with copy-ready DNS fields, split strings, key checks, and a route preview.
DMARC DNS Record Generator Build a DMARC DNS TXT record for a domain, stage policy rollout, normalize report URIs, and flag external-report authorization.
SPF Record Generator Generate an SPF TXT record from sender sources, provider includes, IP ranges, A/MX choices, and rollout checks for lookup budget and policy risk.
Email Header Analyzer Analyze raw email headers for relay delays, SPF, DKIM, DMARC alignment, ARC context, sender mismatch, and browser-side spoof-risk clues.
Customize
Advanced
:

Brand Indicators for Message Identification, or BIMI, lets participating mailbox providers find a domain's preferred logo through DNS after the message passes aligned email authentication. The visible logo is not controlled by a single TXT record alone. It depends on the sending domain's DMARC posture, the BIMI DNS owner name, the logo URL, optional evidence such as a Verified Mark Certificate or Common Mark Certificate, and the receiver's own display policy.

A BIMI record is published as a DNS TXT record below a selector owner such as default._bimi.example.com. The record starts with v=BIMI1, points l= at an HTTPS SVG or SVGZ logo asset, and may include a= for certificate or authority evidence. Optional tags such as avp= and lps= can express avatar preference or local-part selector behavior where receivers support them.

Diagram showing a domain, BIMI TXT record, logo, evidence URL, and DMARC dependency.

BIMI is closely tied to DMARC because receivers need a way to trust that the sender domain is authenticated and aligned before showing a brand mark. Many deployments require a strong DMARC policy such as quarantine or reject with enough coverage, plus working SPF or DKIM alignment. Even when the DNS syntax is correct, a receiver may suppress the logo if the message stream, certificate, SVG profile, or authentication history does not meet its local policy.

The DNS owner name also matters. The default selector is common, but non-default selectors can be used when mail includes a BIMI-Selector header. That can help separate brands, campaigns, or local-part prefix behavior, but it also adds more moving parts to test. A clean BIMI rollout usually starts with one default owner, a public HTTPS logo asset, an evidence decision, and a validation pass after DNS propagation.

Piece Role Common failure
Domain The organizational or visible From domain where the BIMI owner is published. Publishing under the wrong zone or including _bimi twice.
Selector The leftmost label before ._bimi, commonly default. Using a non-default selector without a matching BIMI-Selector header.
Logo URL The HTTPS SVG or SVGZ brand indicator location. Using a raster image, blocked URL, or SVG that is not suitable for BIMI receivers.
Evidence URL Optional certificate or authority document location. Expecting display where a receiver requires verified evidence.

How to Use This Tool:

Use the generator to build the BIMI TXT value, provider-specific publication rows, and readiness checks before editing DNS.

  1. Enter the Domain without protocol or paths. The owner name is built from the selector and domain.
  2. Set Selector. Use default unless your outbound mail will send a matching BIMI-Selector header.
  3. Enter the Logo SVG URL. It must be HTTPS and should end in .svg or .svgz for current receiver expectations.
  4. Choose Evidence profile: certificate evidence URL, no evidence URL yet, or an explicit declination record.
  5. Set DMARC posture. Strict DMARC receives the full readiness score; pilot or unknown posture creates review or blocker rows.
  6. Choose DNS provider format to get rows for generic DNS, Cloudflare, Route 53, Google Cloud DNS, GoDaddy, cPanel, or BIND.
  7. Open BIMI TXT Record, then check DNS Provider Steps, BIMI Readiness Checks, BIMI Tag Ledger, and JSON.

The primary copy action stays unavailable for sample values and blocking input problems. Replace example.com assets, fix blockers, and then copy the generated TXT value into the provider field shown in the publication rows.

Interpreting Results:

The summary can show a publication owner, a declination record, a review state, or input blockers. The readiness score is a checklist score for publication preparation, not a promise that every mailbox provider will display a logo. Receiver policy, message authentication, sending reputation, certificate acceptance, and logo conformance can still affect display.

  • BIMI TXT Record gives the owner name, record type, TXT value, and BIND-style zone line.
  • DNS Provider Steps translates the same record into provider field names without changing the TXT value.
  • BIMI Readiness Checks shows gates for owner name, selector, logo, evidence, DMARC, and publication format.
  • BIMI Tag Ledger lists each generated tag, its value, and why it appears.
  • BIMI Evidence Chart visualizes the readiness score and gate weights.

A Copy-ready state still needs DNS publishing and live validation. A Declination state is intentional only when you want the selected owner to decline BIMI display rather than publish a logo.

Technical Details:

BIMI records are DNS TXT assertions. They do not send the logo inside the email message. They publish a location where participating receivers can fetch a brand indicator after the message passes authentication and receiver-side checks. The owner name follows the selector pattern selector._bimi.domain, and the TXT value is a semicolon-separated tag list.

The generator validates DNS-safe domain and selector syntax, requires HTTPS logo URLs for non-declination records, checks that logo paths use .svg or .svgz, requires an HTTPS certificate URL when certificate evidence is selected, and scores the declared DMARC posture. It also prepares provider-specific rows because DNS interfaces disagree about whether the user should enter a relative owner, a fully qualified owner, or a zone-file line.

Record Core:

Tag When it appears Meaning
v=BIMI1 Always Version tag and first tag in the record.
l= Logo or declination HTTPS logo URL, or an empty value when declining BIMI for the selector.
a= Certificate, empty authority, or declination Evidence URL, explicit empty authority value, or required empty value for declination.
lps= Optional Local-part selector prefixes for receivers that support selector derivation.
avp= Optional non-declination records Avatar preference such as brand or personal.

Readiness Score:

The readiness score sums gate scores out of 100. A blocker can still appear even if some gates pass.

readiness = DNS + selector + logo + evidence + DMARC + publication
Gate Maximum What can block it
DNS owner 15 Invalid domain or owner name.
Selector 10 Invalid selector labels.
Logo location 20 Missing HTTPS logo URL or non-SVG extension for a logo record.
Evidence document 20 Missing HTTPS certificate URL when certificate evidence is selected.
DMARC gate 20 Pilot, monitor, unknown, or unverified DMARC posture.
Publication format 15 Blocking input errors before DNS rows can be trusted.

Limitations and Privacy Notes:

The generator builds and checks record text from the values you enter. It does not fetch the logo, inspect the SVG profile, validate a VMC or CMC, query DNS, test DMARC records, or confirm receiver display.

  • Validate DMARC, SPF, DKIM alignment, DNS propagation, logo reachability, and certificate status with live tools after publishing.
  • Use a short TTL during rollout so DNS corrections propagate faster.
  • Receiver display can vary even when the record syntax and readiness checks look good.

Worked Examples:

Default selector with certificate evidence

Enter example.com, selector default, an HTTPS SVG logo URL, VMC or CMC evidence URL, an HTTPS certificate URL, and Strict DMARC in place. BIMI TXT Record should show default._bimi.example.com, TXT, and a value containing v=, l=, and a=.

Pilot DMARC rollout

If DMARC pilot or monitor mode is selected, BIMI Readiness Checks should mark the DMARC gate as review. Publish only when authentication is aligned and the domain is ready for a strict policy expected by receivers.

Explicit declination

Choose Decline BIMI for this selector when the desired output is an empty-logo declaration. The TXT value should contain empty l= and a= tags, and the summary should show a declination state rather than a logo publication target.

FAQ:

Will this make my logo appear in every inbox?

No. The generator builds the DNS record and readiness checks, but display depends on receiver policy, message authentication, DNS propagation, logo conformance, certificate evidence, and sending reputation.

What should I use for the selector?

Use default unless your mail stream sends a matching BIMI-Selector header. Non-default selectors add DNS and sending-side coordination.

Why is the copy button unavailable?

The copy action is unavailable for sample values and blocking input errors. Replace example domains and asset URLs, then fix any readiness blockers before copying the TXT value.

Should I include an empty a= tag?

Use it when you want the record to explicitly state that no authority evidence URL is disclosed. If a receiver requires certificate evidence for display, add a valid HTTPS evidence URL instead.

Glossary:

BIMI
Brand Indicators for Message Identification, a DNS-based way for participating receivers to discover a sender's brand indicator.
DMARC
Domain-based Message Authentication, Reporting, and Conformance, the policy and alignment layer that BIMI relies on.
Selector
The DNS label before ._bimi, commonly default.
VMC
Verified Mark Certificate, certificate evidence used by some BIMI receivers.
CMC
Common Mark Certificate, another certificate evidence option referenced in BIMI deployments.

References: