BIMI Validation Report
Validate a domain's BIMI record with DMARC, SVG logo, resolver, and PEM evidence checks, then review readiness scores and fix notes.
Introduction
A mailbox logo is not just an image upload. Brand Indicators for Message Identification, usually shortened to BIMI, depends on an authenticated mail domain, a DNS assertion record, a compatible SVG logo, and sometimes a certificate document that connects the brand indicator to a verified mark path.
The chain is useful because it gives mailbox providers a way to separate a sender-controlled image from a logo attached to mail that is already passing aligned authentication. It also creates several places where a rollout can stall. The DNS record may exist under the wrong selector, DMARC may still be at p=none, the logo may render in a browser but fail SVG Tiny PS checks, or the certificate evidence may be missing, expired, or unrelated to the domain being reviewed.
- DMARC enforcement shows that the organizational domain is asking receivers to quarantine or reject failing mail rather than only monitor it.
- Selector publication places a TXT record such as default._bimi.example.com in DNS, with l= pointing to the logo and a= pointing to evidence when used.
- Logo profile checks whether the public SVG or SVGZ file is secure, reachable, square enough for mailbox display, and compatible with the BIMI profile.
- Mark evidence reviews a PEM certificate path, commonly a Verified Mark Certificate or Common Mark Certificate, when a provider requires certificate-backed BIMI.
Selectors deserve careful attention because many examples use default, but BIMI does not require every sender to use that label. A brand can publish another selector for a campaign, business unit, or seasonal logo. Checking the wrong selector can look like a missing deployment even when the intended owner name is correct.
Mailbox display remains a provider decision. Passing public evidence can still be followed by provider-specific certificate rules, cached assets, abuse signals, reputation checks, or interface limits. That is why a BIMI validation report is best read as an evidence and fix list, not as a promise that every recipient will see a logo.
The practical value is ownership. A clear review tells the DNS administrator, email-authentication lead, logo designer, web-hosting team, certificate contact, or mailbox-provider support path what needs to change next.
How to Use This Tool:
Check one author domain and one selector at a time. Start with the DNS identity that mail actually uses, then read the report from evidence collection to fix notes.
- Enter Domain from the visible From address or BIMI author domain, such as example.com. When a subdomain is entered, the report also derives the organizational domain for the main DMARC check.
- Leave Selector as default unless the mail stream uses a BIMI-Selector header or DNS publishes another selector such as holiday-logo.
- Open Advanced when propagation or resolver differences matter. Resolver switches TXT lookups between Cloudflare DNS and Google Public DNS.
- Set Evidence posture before judging the result. Auto review treats missing PEM evidence as review, Require PEM evidence makes it blocking, and Allow self-asserted accepts logo-only publication for limited checks.
- Choose Validate BIMI. If the page reports an invalid domain or selector, fix the input before relying on the readiness score.
- Open BIMI Evidence Chain for the owner name, publication mode, DMARC record, indicator URL, evidence URL, resolver, posture, overall status, and Readiness score.
- Use BIMI Validation Notes and BIMI Gate Scores to identify the first failed gate before changing DNS, uploading another SVG, or asking for certificate changes.
For handoff, copy the failed note, not just the summary. Needs attention is useful triage, but the note usually names the exact record, policy, asset, or evidence problem to fix.
Interpreting Results:
The summary is a readiness triage result for the checked domain, selector, resolver, and evidence posture. It is not a display guarantee for Gmail, Yahoo, Apple Mail, Fastmail, or any other provider.
| Status | What it means | What to check next |
|---|---|---|
| Deployable | No blocking or review notes were found under the selected evidence posture. | Confirm provider certificate, reputation, cache, and display requirements before treating it as launch-ready. |
| Review recommended | The public evidence is not blocked, but one or more checks need review before rollout. | Common causes include self-asserted publication in Auto review or SVG presentation hints that need cleanup. |
| Needs attention | At least one core requirement failed. | Start with BIMI Validation Notes, then confirm whether the failed item belongs to DNS, DMARC, the logo file, or PEM evidence. |
| Missing BIMI record | No BIMI TXT record was found for the requested selector owner name. | Check selector spelling and DNS placement before assuming BIMI is absent for the whole domain. |
| Declined publication | The selector explicitly publishes empty l= and a= values. | Treat this as an intentional non-publication signal unless the empty tags were accidental. |
BIMI Gate Scores separate four areas: BIMI TXT publication, DMARC enforcement, logo SVG asset, and certificate evidence. A high score in one area does not cancel a blocking note in another. A perfect logo asset still cannot overcome organizational DMARC at p=none.
When resolver views disagree, treat the result as a propagation clue. Compare owner name, DNS status, TTL, and selected record in BIMI Asset Fetch Ledger, then wait for caches or fix authoritative DNS before re-testing.
Technical Details:
A BIMI assertion record is a TXT record under a selector owner name such as default._bimi.example.com. The record starts with v=BIMI1. The l= tag points to the brand indicator file, and the a= tag points to a PEM evidence document when certificate-backed publication is used. Empty l= and a= values are treated as an explicit decline to publish an indicator.
DMARC is the policy gate because BIMI depends on messages already being authenticated and aligned with the author domain. Organizational-domain DMARC is the main gate, with exact-domain DMARC shown separately for subdomain inputs. BIMI readiness expects enforcement rather than monitoring, so p=quarantine or p=reject passes only when full application is in effect and sp=none is not relaxing subdomain enforcement.
DMARC's 2026 core RFC defines the protocol under a newer standards-track document, while BIMI guidance and provider setup pages still describe full application with pct=100. A missing pct tag is treated as 100 for this check, and an explicit value below 100 prevents the DMARC enforcement gate from passing.
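The two DNS gates described above can be expressed as a short evaluator. This is an added example, not the tool's own code: the function names, return labels, and sample records are assumptions made for illustration, and the input is a list of TXT strings already retrieved from DNS.

```python
# Added example: gate logic as this page describes it, not the tool's source.
def parse_tags(record):
    """Split 'tag=value; tag=value' TXT data into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def bimi_gate(txt_records):
    """Evaluate the TXT strings found at <selector>._bimi.<domain>."""
    if not txt_records:
        return "blocking", "no BIMI record at the selector owner name"
    if len(txt_records) > 1:
        return "blocking", "multiple BIMI records"
    pairs = parse_tags(txt_records[0])
    if not pairs or pairs[0] != ("v", "BIMI1"):
        return "blocking", "v=BIMI1 is not the first tag"
    tags = dict(pairs)
    if "l" not in tags:
        return "blocking", "missing l= tag"
    if tags["l"] == "":
        if tags.get("a") == "":
            return "declined", "empty l= and a=: explicit decline"
        return "blocking", "incomplete publication: empty l="
    return "pass", "single record with l=" + tags["l"]

def dmarc_gate(txt_records):
    """Evaluate the TXT strings found at _dmarc.<organizational domain>."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "blocking", "no DMARC record"
    if len(records) > 1:
        return "blocking", "duplicate DMARC records"
    tags = dict(parse_tags(records[0]))
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "blocking", "monitoring policy p=" + (policy or "<missing>")
    pct = tags.get("pct", "100")  # a missing pct counts as 100
    if not pct.isdigit() or int(pct) < 100:
        return "blocking", "partial rollout pct=" + pct
    if tags.get("sp", "").lower() == "none":
        return "blocking", "sp=none relaxes subdomain enforcement"
    return "pass", "p=" + policy + " applied to all mail"

# Constructed sample records for illustration, not live DNS data.
SAMPLE_BIMI = ["v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"]
SAMPLE_DMARC = ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"]
print(bimi_gate(SAMPLE_BIMI), dmarc_gate(SAMPLE_DMARC))
```

With the constructed samples, the BIMI record passes while the DMARC record is blocked for pct=50, which matches the "Logo passes while DMARC blocks" situation: the fix belongs to the DMARC rollout.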
Rule Core:
| Gate | Pass condition | Review or blocking signals |
|---|---|---|
| BIMI TXT publication | Exactly one selector record starts with v=BIMI1 and contains an l= location or an explicit decline. | No record, multiple records, version not first, missing l=, or incomplete publication. |
| DMARC enforcement | Organizational-domain DMARC uses p=quarantine or p=reject, applies to all mail, and does not publish sp=none. | No DMARC record, duplicate records, monitoring policy, partial rollout, or subdomain policy that relaxes enforcement. |
| Logo SVG asset | The l= value is HTTPS, fetchable, parseable as SVG or SVGZ, and fits BIMI profile, safety, and presentation expectations. | Non-HTTPS URL, failed fetch, invalid SVG, missing Tiny PS markers, script or animation content, external references, non-square artwork, missing title, missing absolute pixel dimensions, or oversized file. |
| Certificate evidence | The a= value is HTTPS, returns PEM certificate blocks, and exposes a usable leaf certificate with BIMI-relevant signals. | Missing evidence under a strict posture, failed fetch, parse failure, no matching certificate name, expired certificate, missing BIMI extended key usage, or missing logotype extension. |
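A sketch of the Logo SVG asset signals from the table, run over an SVG string that has already been fetched. This is an added example, not the tool's own code: the function name, the reading of "Tiny PS markers" as version="1.2" with baseProfile="tiny-ps" on the root element, the pixel-dimension pattern, and both samples are assumptions. Fetching, SVGZ decompression, and the file-size check are left out.

```python
import re
import xml.etree.ElementTree as ET
# Added example; the checks mirror the review signals named in the table.
SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ACTIVE = {"script", "animate", "animateColor", "animateMotion",
          "animateTransform", "set", "foreignObject"}
PIXELS = re.compile(r"^\d+(\.\d+)?(px)?$")  # assumed meaning of "absolute pixels"

def logo_findings(svg_text):
    """Return the profile, safety and presentation findings for one SVG."""
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DOCTYPE or entity declaration (refused before parsing)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["invalid SVG: not well-formed XML"]
    if root.tag != SVG + "svg":
        return ["invalid SVG: root element is not <svg>"]
    found = []
    if root.get("baseProfile") != "tiny-ps" or root.get("version") != "1.2":
        found.append("missing Tiny PS markers")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name in ACTIVE:
            found.append("script or animation content: <%s>" % name)
        ref = el.get("href") or el.get(XLINK_HREF) or ""
        if ref and not ref.startswith("#"):
            found.append("external reference: " + ref)
    if root.find(SVG + "title") is None:
        found.append("missing title")
    box = root.get("viewBox", "").replace(",", " ").split()
    try:
        square = len(box) == 4 and float(box[2]) == float(box[3])
    except ValueError:
        square = False
    if not square:
        found.append("non-square artwork")
    if not all(PIXELS.match(root.get(k, "")) for k in ("width", "height")):
        found.append("missing absolute pixel dimensions")
    return found

# Constructed samples for illustration.
GOOD = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
        'viewBox="0 0 64 64" width="64" height="64"><title>Example</title>'
        '<circle cx="32" cy="32" r="30"/></svg>')
BAD = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
       'viewBox="0 0 120 60" width="100%" height="100%"><script>void 0</script>'
       '<image xlink:href="https://example.com/a.png"/></svg>')
```

The second sample would render in a browser yet produces six findings, which is the gap between ordinary rendering and the BIMI profile that the table describes.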
Formula Core:
The Readiness score is a triage score over validation notes. It starts at 100, subtracts more for blocking notes than review notes, and floors at 0. Explicit publication decline is handled as a special 35% state.
A report with two Needs attention notes and three Review notes scores 54%: 100 - 14 x 2 - 6 x 3. That number helps compare repeated runs, but the status label is still driven by blocking and review notes.
Gate Score Construction:
| Gate score | How the score is built | Interpretation boundary |
|---|---|---|
| BIMI TXT publication | Missing publication starts at 0; duplicate records score 35; explicit decline scores 40; a single usable record earns points for version shape, l=, and publication path. | A valid TXT shape does not prove the logo file or certificate is usable. |
| DMARC enforcement | Missing DMARC scores 0; duplicate records score 35; an enforcement policy that fails another full-application check scores below 100. | The score reflects BIMI readiness, not whether the domain's entire mail program is safe to move to reject. |
| Logo SVG asset | A reachable HTTPS file starts from the fetch result, then gains points for parse success, Tiny PS profile markers, safety cleanup, and presentation hints. | A visually correct logo can still fail because SVG rules are stricter than ordinary browser rendering. |
| Certificate evidence | Missing a= scores differently by evidence posture. A fetched PEM gains points for a usable leaf certificate, matching domain names, valid dates, BIMI extended key usage, and logotype extension. | The score does not decide trademark rights or replace certificate-authority validation. |
Certificate name matching checks the selector owner name, author domain, and organizational domain against DNS names in the leaf certificate. The certificate profile review also reports validity dates, public-key summary, SHA-256 fingerprint, BIMI extended key usage, and logotype-extension signals when they can be read from the PEM evidence.
Privacy and Limits:
Validation requires live network requests. The selected public DNS resolver sees the BIMI and DMARC owner names being queried. Public logo and PEM URLs are fetched for inspection, and some asset fetches may be relayed so the browser can read cross-origin files.
Avoid entering private internal names or unpublished asset URLs. A clean report cannot force logo display, prove brand ownership, evaluate every mailbox-provider rule, or replace legal and certificate-authority review for mark eligibility.
Worked Examples:
Certificate-backed rollout
A sender checks example.com with selector default. BIMI Evidence Chain shows publication mode Mark certificate, organizational DMARC at p=reject, an HTTPS Indicator URL, and an HTTPS Evidence URL. If SVG and PEM checks pass, Overall status can read Deployable with healthy rows in BIMI Gate Scores.
Self-asserted discovery
A test domain publishes v=BIMI1; l=<HTTPS logo SVG> with no a=. In Auto review, BIMI Validation Notes can mark the missing PEM as review and leave Certificate evidence below a certificate-backed score. Switching to Require PEM evidence turns the same missing evidence into a blocking problem.
Logo passes while DMARC blocks
The indicator fetch returns HTTP 200, the SVG Tiny PS profile is healthy, and presentation hints are acceptable. The organizational DMARC record is still p=none or publishes pct=50. DMARC enforcement remains Needs attention, so the fix belongs to DMARC rollout rather than another logo upload.
Selector mismatch
The DNS team publishes holiday-logo._bimi.example.com, but the first run leaves Selector as default. The report shows Missing BIMI record for default._bimi.example.com. Re-running with holiday-logo checks the intended owner name and can reveal the real record, logo, and evidence state.
FAQ:
Which domain should I enter?
Enter the author domain for the mail stream, commonly the visible From domain. If you enter a subdomain, the report derives the organizational domain for the main DMARC enforcement check.
Why does a present BIMI record still fail?
The record can fail because the version tag is not first, multiple BIMI records exist, the logo URL is missing or not HTTPS, DMARC is not enforcing, the SVG fails profile or safety checks, or PEM evidence is missing under the selected posture.
Why does the report show pct as 100 when I did not publish pct?
A missing pct value is treated as full application for this check. An explicit pct below 100 is different because it says only part of failing mail is subject to the policy.
Does Deployable mean the logo will appear everywhere?
No. Deployable means the checked public evidence has no review or blocking notes under the selected posture. Providers can still apply certificate, reputation, anti-abuse, caching, and interface rules.
What information leaves the page during validation?
The domain and selector-derived DNS names are sent to the selected public resolver. Published logo and PEM URLs are fetched for inspection, and some asset fetches may be relayed so the browser can read the files.
Glossary:
- BIMI
- Brand Indicators for Message Identification, a DNS-based mechanism for publishing a preferred brand indicator for authenticated mail.
- BIMI assertion record
- The TXT record under a selector owner name that publishes the BIMI version, logo location, and optional evidence location.
- Selector
- The label before ._bimi., such as default or holiday-logo, that chooses which BIMI assertion record to query.
- Organizational domain
- The registrable parent domain used for the main DMARC policy check when a subdomain is entered.
- DMARC enforcement
- A DMARC posture that has moved beyond monitoring and asks receivers to quarantine or reject mail that fails aligned authentication.
- SVG Tiny PS
- The portable and secure SVG profile used for BIMI logo compatibility checks.
- PEM evidence
- The certificate document referenced by a=, used for certificate-backed BIMI publication paths.
- VMC or CMC
- Mark certificate types used to connect a domain and logo to third-party evidence for supported mailbox providers.
References:
- Brand Indicators for Message Identification, IETF Internet-Draft, May 2026.
- Fetch and Validation of Verified Mark Certificates, IETF Internet-Draft, May 2026.
- RFC 9989: Domain-Based Message Authentication, Reporting, and Conformance (DMARC), RFC Editor, May 2026.
- FAQs for Marketers and ESPs, BIMI Group.
- Set up BIMI, Google Workspace Help.