Every day, your customers receive dozens of emails competing for their attention. Most of those emails look identical in the inbox: a name, a subject line, and nothing else to signal whether the message is genuine or a fraud. Your carefully written email sits alongside phishing attempts, spam, and impersonation attacks, with no visual way for the recipient to tell the difference at a glance.
There is now a practical, widely supported solution to this problem. It puts your verified company logo directly next to your sender name in Gmail, Yahoo Mail, Apple Mail, and a growing list of other major email providers. It strengthens your email security at the same time as it strengthens your brand. And a recent change by Google means it is now accessible to UK businesses of all sizes, not just large corporations with registered trademarks.
The technology is called BIMI. The certificates that power it are called Mark Certificates. This guide explains both, in plain English.
What Is BIMI?
BIMI stands for Brand Indicators for Message Identification. It is an email standard that allows businesses to display their official logo next to authenticated emails in supported inboxes. When a recipient opens their Gmail or Yahoo Mail, instead of seeing a generic initial or a blank avatar next to your company name, they see your actual logo, verified as belonging to you.
The effect is immediately visible and increasingly familiar to email users. Major brands including HSBC, Vodafone, and BBC have implemented BIMI. As more businesses adopt it, the absence of a verified logo in an email will itself become a signal worth noticing.
BIMI does not work in isolation. It sits on top of a chain of email authentication standards that businesses need to have in place first. Understanding that chain is the key to understanding how the whole system works.
The Authentication Chain: DMARC, DKIM, and SPF
Before a mail provider will display your logo via BIMI, it needs to be confident that emails claiming to come from your domain actually do come from you. That confidence comes from three email authentication standards that work together.
SPF (Sender Policy Framework) tells receiving mail servers which servers are authorised to send email on behalf of your domain. It is configured via a DNS record and helps prevent attackers from simply sending email that falsely lists your domain in the “from” field.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email your domain sends. The receiving server checks that signature against a public key published in your DNS. If the signature is valid, the email genuinely came from an authorised sender and was not modified in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It lets you publish a policy in your DNS that tells receiving mail servers what to do with emails that fail authentication checks: deliver them, quarantine them, or reject them outright. DMARC also gives you reporting, so you can see who is sending email using your domain.
For BIMI to work, DMARC must be set to enforcement, meaning your policy must be set to either quarantine or reject, not just monitor. This requirement is deliberate: BIMI is designed to reward businesses that have genuinely locked down their email domain.
The good news is that implementing SPF, DKIM, and DMARC is something most UK businesses can do through their email provider or DNS management tools, and many providers now offer guided setup. Getting to DMARC enforcement is the first step on the path to BIMI.
What Are Mark Certificates?
Once DMARC enforcement is in place, the next requirement for displaying your logo via BIMI is a Mark Certificate. This is where certificate authorities come into the picture.
A Mark Certificate is a digital certificate issued by a trusted certificate authority that cryptographically verifies the association between your logo and your email domain. When a recipient’s mail provider receives your email, it checks your BIMI record, retrieves your Mark Certificate, validates it against the issuing certificate authority, and if everything checks out, displays your logo.
Without a Mark Certificate, some inbox providers will still display a self-asserted logo based on your BIMI record alone. However, the major providers including Gmail require a valid Mark Certificate before they will show your logo. And without one, you do not get the trust signals that make BIMI valuable as a security measure.
There are two types of Mark Certificate, and choosing the right one depends on your situation.
Verified Mark Certificates (VMC)
A Verified Mark Certificate is the original and highest-assurance form of Mark Certificate. To obtain one, your logo must be a registered trademark with an approved intellectual property office. In the UK, that means registration with the Intellectual Property Office. Other approved bodies include the USPTO in the United States and the EUIPO for European trademark registrations.
The validation process for a VMC is rigorous. The certificate authority will verify that your trademark registration is valid and covers the logo you intend to use, verify your ownership of the email domain, and conduct identity validation of the individual applying, which typically involves a video call where the applicant holds photo ID to camera.
This level of scrutiny is by design. A VMC carries a strong identity claim: not just that this logo is associated with this domain, but that the organisation behind that domain has been verified against a legally registered trademark. In Gmail, emails authenticated with a VMC display a blue checkmark alongside your logo, the same verified indicator that appears on social media platforms for confirmed accounts.
For UK businesses with registered trademarks, a VMC is the gold standard. It provides the strongest possible visual trust signal in the inbox, and the blue checkmark in Gmail is increasingly recognised by consumers as a mark of authenticity.
Common Mark Certificates (CMC)
The more recent addition to the Mark Certificate family is the Common Mark Certificate, and it has significantly broadened access to BIMI for UK businesses.
A CMC does not require a registered trademark. Instead, it verifies that your logo is associated with your business and domain through prior use, meaning your business has been using that logo in commerce. Google now accepts CMCs for BIMI logo display in Gmail, which represents a major expansion of the programme. Previously, Gmail’s BIMI implementation required a VMC, effectively limiting participation to larger businesses with the resources to register trademarks.
With CMC support, a UK SME, a startup, a charity, or any organisation using an unregistered but established logo can now display a verified brand mark in Gmail inboxes without first going through the trademark registration process.
The key differences between a VMC and a CMC are worth understanding clearly:
- VMC (Verified Mark Certificate). Requires a registered trademark. Goes through more intensive identity validation. Unlocks the blue verified checkmark in Gmail alongside your logo. Best for businesses with registered trademarks who want the strongest possible trust signal.
- CMC (Common Mark Certificate). Requires demonstrated prior use of your logo rather than a trademark registration. Lighter validation process. Displays your logo in Gmail without the blue checkmark. Best for businesses without a registered trademark who want to benefit from BIMI without the cost and time involved in trademark registration.
Both certificate types require DMARC enforcement and work across the full range of BIMI-supporting inbox providers.
Why Mark Certificates Matter Beyond Brand Recognition
BIMI and Mark Certificates are sometimes discussed primarily as a marketing tool, and the engagement numbers are striking: studies report open rate increases of around 39% and significant uplifts in brand recall and customer trust. But framing them only as a marketing feature understates their security value.
The requirement for DMARC enforcement means that businesses implementing BIMI have, by definition, locked down their email domain against spoofing. Any email claiming to come from your domain that does not pass authentication checks will be quarantined or rejected before it reaches your customers. The logo display is the visible reward for having done that security work, but the security work is the more important part.
In the context of the AI-powered phishing threat, a verified logo is a meaningful additional signal for email recipients. An attacker spoofing your domain cannot obtain a Mark Certificate for that domain without going through a validation process with a trusted certificate authority. They cannot replicate your verified logo display. The presence of your logo is therefore a positive indicator of authenticity, and its absence from an email claiming to be from you is a reason for caution.
This mirrors the role of S/MIME certificates at the message level, but operates visually, at the point where a recipient first sees an email in their inbox before they have even opened it.
Which UK Businesses Should Consider a Mark Certificate?
The honest answer is that any UK business sending regular email to customers, clients, or partners stands to benefit. But the case is particularly strong in certain situations.
- Businesses with customer-facing email programmes, whether transactional email, newsletters, or account communications, will see the most visible impact from BIMI logo display. Recipients who recognise your logo in the inbox are more likely to open your email and more likely to trust it.
- Businesses in sectors where email fraud is common, including financial services, legal services, healthcare, and retail, will find that the combination of DMARC enforcement and a Mark Certificate sends a clear message to customers: our email domain is locked down, and our emails can be verified.
- Businesses that have already experienced domain spoofing or brand impersonation have a direct incentive to implement the full BIMI stack. DMARC enforcement stops the spoofing. BIMI and a Mark Certificate make the legitimate emails visually distinguishable.
- Businesses preparing for GDPR compliance reviews or cyber insurance assessments will find that DMARC enforcement is increasingly cited as an expected security control for organisations handling personal data by email.
The Steps to Getting Your Logo in Gmail
The path from where you are now to displaying a verified logo in Gmail inboxes involves four main steps.
- Step 1: Implement SPF and DKIM. If you are sending email through a major provider such as Microsoft 365 or Google Workspace, SPF and DKIM are likely already available and may simply need to be enabled and configured correctly. Your email provider or DNS administrator can guide you through this.
- Step 2: Deploy DMARC at enforcement. Create a DMARC record in your DNS and set the policy to quarantine or reject. Start with quarantine if you are not yet certain all your legitimate email streams will pass authentication, and monitor the reports before moving to reject.
- Step 3: Obtain a Mark Certificate. Decide whether a VMC or CMC is right for your business based on your trademark status. Work with a trusted certificate authority to go through the validation process and obtain your certificate. At buyssl.co.uk, we can supply Mark Certificates and guide you through the requirements.
- Step 4: Publish your BIMI record. Create a BIMI TXT record in your DNS that points to your logo file (in SVG Tiny P/S format) and your Mark Certificate. Once published, BIMI-supporting inbox providers will begin checking your record and displaying your logo on authenticated emails.
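To check Steps 2 and 4 before you apply for a certificate, the sketch below parses a domain's DMARC and BIMI TXT records and lists what would block logo display. It is an added example, not part of the original guide or any provider's tooling: the function names, the example.co.uk domain and the sample records are constructed, and the pct and sp checks go beyond this guide, reflecting requirements commonly applied by mailbox providers.

```python
# Constructed sample TXT records; example.co.uk is a placeholder domain.
SAMPLE_DNS = {
    "_dmarc.example.co.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk",
    "default._bimi.example.co.uk":
        "v=BIMI1; l=https://example.co.uk/logo.svg; a=https://example.co.uk/mark.pem",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(domain, dns, selector="default"):
    """Return a list of problems; an empty list means the records look ready."""
    problems = []
    dmarc = parse_tags(dns.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        problems.append("no DMARC record")
    else:
        # The guide's requirement: monitor-only (p=none) is not enforcement.
        if dmarc.get("p", "").lower() not in ("quarantine", "reject"):
            problems.append("DMARC not at enforcement (need p=quarantine or p=reject)")
        # Assumption beyond the guide: partial or subdomain-exempt policies
        # are commonly treated as not enforced.
        if dmarc.get("pct", "100") != "100":
            problems.append("DMARC pct is below 100")
        if dmarc.get("sp", "").lower() == "none":
            problems.append("DMARC subdomain policy is sp=none")
    bimi = parse_tags(dns.get(f"{selector}._bimi.{domain}", ""))
    if bimi.get("v") != "BIMI1":
        problems.append("no BIMI record")
    else:
        if not bimi.get("l", "").lower().startswith("https://"):
            problems.append("BIMI l= (logo) must be an HTTPS URL")
        if not bimi.get("a", "").lower().startswith("https://"):
            problems.append("BIMI a= (Mark Certificate) missing or not HTTPS")
    return problems

if __name__ == "__main__":
    for problem in bimi_readiness("example.co.uk", SAMPLE_DNS):
        print("FAIL:", problem)
```

To run it against live records, replace SAMPLE_DNS with the TXT values returned by your DNS lookup tool for _dmarc.yourdomain and default._bimi.yourdomain.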
A Note on Logo Format
One practical requirement that catches some businesses out is the SVG Tiny P/S format. Standard SVG files exported from design tools like Adobe Illustrator need a small additional step to meet the BIMI specification. The BIMI Group provides an export script for Illustrator that automates this conversion. Your logo should use a square aspect ratio, a non-transparent background, and be centred within the frame. These are minor adjustments for most logos, but worth checking before you begin the certificate application process.
Getting Started
Mark Certificates represent one of the more accessible improvements a UK business can make to its email security and brand presence in 2026. The combination of DMARC enforcement, a verified Mark Certificate, and BIMI logo display strengthens your defences against domain spoofing, gives customers a visual cue that your emails are genuine, and improves email engagement at the same time.
With Google’s acceptance of Common Mark Certificates now removing the trademark barrier for smaller businesses, there is no longer a reason for any UK business sending regular email to overlook this.
At buyssl.co.uk, we supply both Verified Mark Certificates and Common Mark Certificates from leading certificate authorities, alongside SSL, code signing, and S/MIME certificates. If you would like to explore whether a VMC or CMC is the right fit for your business, or if you need help understanding the DMARC prerequisites, get in touch with our team.
Sources: BIMI Group official documentation; DigiCert Mark Certificate guidance; PowerDMARC CMC/BIMI research 2026; Google BIMI programme requirements.

