
BIMI inspector,
logo + cert + DNS.

Type a domain. We pull the DNS TXT record at default._bimi, fetch the SVG Tiny PS logo, validate format and security profile against RFC 9495 — then download and inspect the VMC or CMC certificate, and confirm DMARC enforcement is at p=quarantine or p=reject. URIports' 2025 analysis found 53.6% of BIMI records contain at least one error — the failures are silent because Gmail and Apple Mail just don't display the logo.

01  /  The inspector

Type your domain.

Strip the protocol if you have one. We test the default selector — default._bimi.{domain} — which is the only selector Gmail and Yahoo currently honour. Custom selectors are part of the spec but functionally unsupported in 2026, and using them will silently disable BIMI display at the major providers.

─────────────────────────────────────────────────────────────────────────
02  /  What goes wrong

The 53.6% of records that fail.

URIports' 2025 BIMI analysis found that more than half of all published BIMI records contain at least one defect that prevents logo display at one or more major providers. The failures cluster in five places, ranked here by frequency in our own audits over the past 18 months.

Failure mode 1 — DMARC at p=none

BIMI requires DMARC at p=quarantine or p=reject. At p=none the logo silently does not display, even though the record is published, the SVG is reachable and the certificate is valid. We see this most often when teams publish BIMI before completing their DMARC migration: the BIMI work stays invisible until DMARC reaches enforcement, sometimes months later. Fix: complete the DMARC ramp first; publish BIMI second.

Failure mode 2 — SVG profile is wrong

BIMI mandates SVG Tiny Portable/Secure (Tiny PS), a stripped-down SVG profile that bans scripts, external references, animations and several attributes that regular SVG editors emit by default. The most common source of malformed SVGs is exporting directly from Figma, Illustrator or Sketch: these tools produce full SVG with xlink:href, <script>, <style> blocks, and other elements Tiny PS strips. The file must declare baseProfile="tiny-ps" in the root <svg> tag, must use a square viewBox (typically 0 0 1024 1024), and must stay under 32KB. Fix: use the BIMI Group's open-source svg-tiny-ps validator and converter before publishing.
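A pre-publication lint for the checks named above, as an added example (not the BIMI Group's validator and not this inspector's code). It covers only what this page lists: the size limit, baseProfile, a square viewBox, banned elements and non-local references. Both sample SVGs are constructed, and the DOCTYPE/ENTITY refusal is an extra precaution for parsing untrusted XML.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK = "http://www.w3.org/1999/xlink"
MAX_BYTES = 32 * 1024  # size limit stated on this page
# Elements the page names as banned: scripts, style blocks, animations.
BANNED = {"script", "style", "animate", "animateMotion", "animateTransform", "set"}

def lint_tiny_ps(data):
    """Return findings for an SVG given as bytes; an empty list means all checks passed."""
    findings = []
    if len(data) >= MAX_BYTES:
        findings.append("file is not under 32KB")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return findings + ["DOCTYPE or ENTITY declaration present"]  # do not parse
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return findings + ["root element is not <svg> in the SVG namespace"]
    if root.get("baseProfile") != "tiny-ps":
        findings.append('root <svg> lacks baseProfile="tiny-ps"')
    try:
        _, _, width, height = map(float, (root.get("viewBox") or "").split())
        if width != height or width <= 0:
            findings.append("viewBox is not square")
    except ValueError:  # wrong number of values or a non-numeric value
        findings.append("viewBox missing or malformed")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
        if name in BANNED:
            findings.append(f"banned element <{name}>")
        href = el.get(f"{{{XLINK}}}href") or el.get("href") or ""
        if href and not href.startswith("#"):  # anything but a same-file fragment
            findings.append(f"external reference on <{name}>")
    return findings

# Constructed samples: a minimal conformant logo and an editor-style export.
GOOD = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
        b'viewBox="0 0 1024 1024"><title>Example</title>'
        b'<rect width="1024" height="1024" fill="#0a5"/></svg>')
EXPORTED = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1200 800">'
            b'<style>.a{fill:red}</style>'
            b'<image xlink:href="https://cdn.example/logo.png"/></svg>')

if __name__ == "__main__":
    print(lint_tiny_ps(GOOD), lint_tiny_ps(EXPORTED), sep="\n")
```

A clean result here means only that the listed defects are absent; full profile conformance still needs a dedicated Tiny PS validator.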

Failure mode 3 — VMC missing or expired

Gmail requires a VMC (Verified Mark Certificate) for the blue verification checkmark and, since September 2024, accepts CMC (Common Mark Certificate) for the logo without the checkmark. Apple Mail still requires VMC and does not accept CMC. Yahoo requires neither. The cert is published as a separate PEM file at the URL specified in the BIMI record's a= tag. Three common failures: the URL returns 404, the cert has expired (annual renewal), or the cert was issued for a different domain than the BIMI record's domain. Fix: monitor cert expiration with 30-day advance alerts; pre-stage renewal a month before the deadline.

Failure mode 4 — wrong selector or subdomain mismatch

BIMI records live at default._bimi.{domain}. Custom selectors are part of the spec — marketing._bimi.{domain}, transactional._bimi.{domain} — but Gmail and Yahoo only honour the default selector in 2026. Publishing a custom selector and expecting the logo to render is a common misconfiguration. The other half of this issue is subdomain mismatch: a BIMI record at default._bimi.example.com applies to mail from example.com, not from marketing.example.com. Each subdomain that sends mail needs its own BIMI record.

Failure mode 5 — logo not hosted over HTTPS

The l= tag in the BIMI record points to the logo URL. RFC 9495 requires HTTPS; providers will not fetch over plain HTTP. The certificate at the logo's host must be valid and CA-signed (not self-signed, not expired), and the response must serve the file with the image/svg+xml content type. CDNs sometimes break this on logo redeploys when content-type negotiation gets misconfigured.

─────────────────────────────────────────────────────────────────────────
03  /  How to read the results

Five checks. The DMARC gate is the one that bites.

The validator returns five checks per domain. Four are about BIMI itself. The fifth is the gate — DMARC enforcement state. If DMARC is not at p=quarantine or stricter, BIMI does not render regardless of how correctly everything else is configured. Most BIMI deployments that look broken are actually waiting on the DMARC migration.

The five checks are: the BIMI DNS record at default._bimi.{domain}, the SVG logo file at the URL specified in the record, the SVG's conformance to the BIMI Tiny SVG profile, the optional VMC certificate at the path specified, and the upstream DMARC enforcement state at p=quarantine or stricter.

The DMARC gate is the operator detail most prospects miss. The BIMI specification requires that the publishing domain has DMARC at p=quarantine or p=reject with pct=100. Domains at p=none can publish a BIMI record and host a beautiful SVG, but the logo will not render at any major receiver. The validator surfaces the DMARC state precisely because that is the most common reason for BIMI deployments not visually appearing in the inbox. The fix is not in BIMI configuration. The fix is in DMARC progression, which usually takes longer than the BIMI deployment itself.
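The gate logic described above, as an added example (not this inspector's code). It takes the two TXT records as strings so it runs offline, and applies the rules this page states: p=quarantine or p=reject, pct=100, an HTTPS l= URL, and an a= URL for Gmail and Apple Mail. The function names and sample records are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercased tag."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")  # first '=' only, so URL values survive
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def bimi_gate(bimi_txt, dmarc_txt):
    """Return the reasons a logo would not display; an empty list means none found."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        problems.append("no DMARC record published")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"DMARC is p={policy or 'missing'}: gate closed")
    elif dmarc.get("pct", "100") != "100":  # pct defaults to 100 when absent
        problems.append(f"DMARC pct={dmarc['pct']}: page requires pct=100")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        return problems + ["no BIMI record at default._bimi"]
    logo = bimi.get("l", "")
    if not logo:
        problems.append("l= logo URL is empty")
    elif urlsplit(logo).scheme.lower() != "https":
        problems.append("l= logo URL is not HTTPS")
    if not bimi.get("a"):
        problems.append("no a= certificate URL: Gmail and Apple Mail need one")
    return problems

# Constructed sample records (example.com is a placeholder domain).
BIMI_OK = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for dmarc in (DMARC_ENFORCED, DMARC_MONITOR):
        print(dmarc, "->", bimi_gate(BIMI_OK, dmarc) or "gate open")
```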

The VMC question is more nuanced than the validator can capture. A Verified Mark Certificate is required for Gmail rendering and increasingly required across major receivers. The certificate costs €1,000-€1,500 per year through DigiCert or Entrust depending on certificate type, and the application process takes 4-8 weeks because it requires trademark verification. The validator checks if a VMC is published and parses correctly. It does not validate the trademark chain or the issuer's authority — those are out of scope for a remote inspector and require manual verification through the certificate's chain. For most use cases, BIMI without VMC renders at Yahoo and a handful of smaller receivers but not at Gmail, which is the deployment most operators actually want.

─────────────────────────────────────────────────────────────────────────
04  /  Common findings + remediation

Five findings, most of what we see.

Five findings account for the bulk of broken BIMI deployments. The pattern is consistent: BIMI was deployed with the marketing team driving and the deliverability team not consulted, so the DMARC dependency was missed and the logo never rendered. Each row maps a finding to a remediation.

Most of these are dependency mistakes: BIMI sits on top of DMARC, and DMARC sits on top of properly configured SPF and DKIM. A BIMI deployment without the foundation underneath is the marketing equivalent of a logo painted on a building that does not have plumbing.

| # | Finding | What to do | Time to fix | Frequency |
|---|---------|------------|-------------|-----------|
| 01 | BIMI published, DMARC at p=none | The most common BIMI failure. Logo never renders. Fix DMARC first: read 30 days of aggregate reports, identify all senders, move to p=quarantine. | 2-4 weeks DMARC progression | 44% |
| 02 | SVG not BIMI Tiny SVG conformant | Standard SVG logo published. BIMI requires the Tiny SVG 1.2 PS profile: no scripts, no animations, no external references, square aspect ratio. Convert via vendor tooling. | 1-2 hours design work | 21% |
| 03 | No VMC, expecting Gmail rendering | Gmail requires Verified Mark Certificate. Without VMC the logo renders at Yahoo and Apple Mail but not Gmail. Procure VMC through DigiCert or Entrust. | 4-8 weeks VMC procurement | 17% |
| 04 | SVG content-type misconfigured | Web server returns SVG as application/octet-stream instead of image/svg+xml. Receivers reject. Configure correct MIME type in nginx/Apache/CDN. | 15 minutes | 11% |
| 05 | VMC expired and not renewed | VMC has 1-year validity. Renewal not scheduled. Logo silently stops rendering at Gmail when cert expires. Set 30-day expiration alerts. | 2-3 weeks renewal cycle | 7% |
─────────────────────────────────────────────────────────────────────────

Want help setting it up?

Our BIMI deployment service handles the full pipeline: DMARC migration to p=reject if you are not there yet, SVG Tiny PS conversion from your design files, VMC procurement through DigiCert or Sectigo, certificate hosting on our infrastructure, DNS deployment, and 12 months of monitoring with 30-day cert expiration alerts. Setup is €1,200 one-off plus €99/month for hosting and monitoring. Or it is bundled into our Email Authentication Suite at €299/month, alongside MTA-STS hosting, TLS-RPT ingestion, and DMARC monitoring.