BIMI: the golden nameplate on a door that's already locked

Imagine this: you’ve just had a new lock fitted on your front door. Good lock, certified, tamper-proof. Your house is secure.

Then someone comes along wanting to sell you a golden nameplate.

“Looks professional,” he says. “People will immediately see that someone lives here who has their act together.”

Costs you €1,500 a year. Only works if someone bothers to look at it (the postman, sometimes). And it adds nothing to the security of your house.

That’s BIMI.

First, the basics: your lock is already locked

Real email security consists of three standards:

• SPF → who is allowed to send email on behalf of your domain
• DKIM → has the content been tampered with in transit
• DMARC → what should happen when a check fails

If your DMARC is set to p=reject, the problem of email spoofing is fundamentally solved. Nobody can pretend to be your domain anymore. The lock is on the door.

Everything that comes after should therefore not claim to be “security” again.

And yet, that’s exactly what happens.

What BIMI actually is

BIMI (Brand Indicators for Message Identification) does exactly one thing:

It displays a logo next to your email in supported email clients.

Nothing more.

No extra security. No better deliverability. No spam filter advantage. No additional authentication.

Purely visual.

It’s the digital golden nameplate.

The bill: where it falls apart for small business

To actually display that logo, you typically need a Verified Mark Certificate (VMC).

A commercial certificate that confirms your logo genuinely belongs to your organisation.

And that’s where it gets interesting — and for small business, usually uninteresting.

Costs and barriers:

• Annual certification fees (hundreds to thousands of euros)
• Often mandatory trademark registration or legal validation
• Lead time of weeks to months
• Dependency on commercial certificate authorities

For a visual icon in an inbox.

Visibility: the biggest problem

BIMI doesn’t work everywhere.

• Gmail: yes (the main player)
• Yahoo Mail: yes (limited market share)
• Apple Mail / iCloud: limited and inconsistent
• Microsoft Outlook / Microsoft 365: no

That last one is crucial.

In small business, a large portion of business email runs through Microsoft 365.

In other words: you’re paying for a logo that a large portion of your recipients will never see.

The postman and the courier

Say you invest in that golden nameplate.

The postman (Gmail) sees it and nods approvingly.

But the courier (Outlook) — who handles most of your business correspondence — walks straight past it.

Realistically, BIMI is visible to roughly 20–40% of your recipients. And that percentage drops quickly in B2B environments where Microsoft is dominant.

What BIMI doesn’t do

This matters more than what it does:

• ❌ doesn’t make your email more secure (DMARC does that)
• ❌ doesn’t prevent phishing (DMARC does that)
• ❌ doesn’t improve deliverability (SPF/DKIM do that)
• ❌ doesn’t influence spam filters (your reputation does that)
• ❌ doesn’t strengthen authentication (that’s already in place)

BIMI is exclusively visual.

It’s marketing in a security context.

The question you should ask yourself

Not: “can we implement BIMI?”

But: “Does a paid logo in a limited portion of inboxes deliver enough value to justify the cost, complexity and dependency?”

For small business, the answer is almost always: no.

The right order

The first three are security. The last one is branding.

Conclusion

BIMI is often presented as “the next step in email trust”.

But technically, it isn’t.

It’s an optional visual layer on top of existing email security — dependent on a limited number of email clients and in practice often tied to commercial certification.

Or put simply:

BIMI doesn’t make your email more secure. It only makes it more recognisable in a portion of inboxes.

Curious how your website performs? Try the free website check.