Amit Kothari CEO of Tallyfy · Workflow AI Expert

Is BIMI worth it? What $3,906 over three years bought us

In brief

We paid Red Sift $3,906 across three annual terms for BIMI, starting at $999 in 2022 and ending at $1,608 in 2025. The money bought a Gmail checkmark and one directional open rate observation, while the real win turned out to be forced DMARC discipline. Here is what we would pay for again, and at what price.

Summary

  • $3,906 over three years - Red Sift started us at $999 in 2022 and had us at $1,608 by 2025, a 61% climb across three signed order forms for the same verified mark certificate
  • We measured one uplift, once - about three weeks after going live in July 2022, our own Mailgun data showed open rates up somewhere between 10% and 25%. No control group, a short window, and open tracking has only gotten blurrier since
  • Display stays uneven in mid-2026 - Gmail pairs the avatar with a blue checkmark when a VMC backs a registered trademark, Apple Mail joined at iOS 16, Yahoo needs no certificate at all, and Microsoft Outlook renders nothing
  • Enforcement is the durable win - BIMI forced tallyfy.com to DMARC p=reject and keeps it there. We re-upped for three more years at $850 a year in June 2026, after our 2026 price survey

Three signed order forms sit in our Red Sift folder: $999.00 a year on the 2022 form, then $1,299.00 on the 2024 renewal, a 30% jump. The 2025 renewal added another 24% and landed at $1,608.00. Add the terms up and Tallyfy paid $3,906 for three years of BIMI, issued first through the vendor’s technology partner Entrust and, from the 2025 paperwork onward, through DigiCert. Each jump arrived on an order form we signed, so there’s no ambush to complain about here, just a bill worth a hard look.

Was it worth it? At the price we pay now, yes. At the price we were last quoted, no, and the space between those two answers is the most useful thing in this post. How the invoices climbed 61% and why we cancelled on June 15, 2026 is the full renewal story; this post only weighs what the money bought.

Did open rates actually move?

They moved once, as far as we can tell. We hold the number loosely.

On August 18, 2022, about three weeks after our logo went live (go-live was roughly July 27), we wrote to Red Sift that we had seen “uplifts in open rates in the order of 10% - 25% via Mailgun data”. That sentence is the entire measurement record behind a $3,906 spend. One email, three weeks in, reading our own dashboards.

The number deserves a bit of suspicion, and we’re the ones telling you so. It came from a before-and-after read, never a proper A/B test. Nothing was held constant: campaigns and volumes both moved, and Gmail itself was still expanding BIMI display while we watched. The inbox of 2022 also flattered the experiment, since brand avatars were rare enough back then to catch the eye. Open rates were going soft as a metric too. Apple had begun preloading remote images for Apple Mail users through Mail Privacy Protection the autumn before, which registers opens no human made, and open tracking has drifted further from ground truth every year since.

So we repeat the claim exactly the way we made it in 2022: a directional read of our own Mailgun data, in an inbox environment that no longer exists. If a certificate vendor shows you a tidy uplift chart, ask about the control group. Ours didn’t have one.

When the logo actually appeared

There’s a second reason we distrust neat before-and-after windows: display itself arrived in stages. After the late-July 2022 go-live, our swan showed up in Gmail on Android first. Web Gmail stayed blank for weeks while we debugged with Red Sift and, at one point, a deliverability engineer at Netcore, re-checking the DNS record and the SVG file more times than we’d like to admit.

Nothing was wrong.

Gmail rolls BIMI display out per sender on its own schedule, weighted by how much it trusts your sending domain, and no support ticket hurries that along. Your DNS record is a request. Google decides when you’ve earned the pixels.

Budget for the gap. A certificate can be issued and the DNS flawless, and the logo will still trail by days to weeks in some clients.

What each inbox shows in mid-2026

Client support moved a lot between 2022 and 2026, and it moved unevenly. Here’s the state we verified in early July 2026. The short version: Gmail and Apple Mail reward the certificate, while Yahoo and Outlook sit at opposite ends of caring about it.

Gmail

Gmail gives the most and asks the most. With a VMC backing a registered trademark, mail from tallyfy.com gets the swan avatar plus the blue verified checkmark. Google’s September 2024 announcement added Common Mark Certificates for senders without a registered trademark, and a CMC gets the avatar without the checkmark. Google’s setup docs are also blunt that BIMI won’t work over a DMARC policy of p=none; quarantine or reject only, with pct at 100. Our trademark is registered (USPTO number 5049343, and that registration number rides inside the certificate itself), so we qualify for the checkmark tier.

Apple Mail

Apple Mail joined with iOS 16 and iPadOS 16, plus macOS Ventura 13, per Apple’s developer notes, and Apple checks a verified evidence document such as a VMC rather than taking your word for it. One wrinkle from our own purchase: a May 2026 reseller tip about Apple still widening its trusted VMC roots pushed us onto the DigiCert chain, a call we unpack in the vendor bake-off.

Yahoo

Yahoo cares more about the sender than the certificate. Its sender hub requirements list a valid SVG logo, a DMARC policy of quarantine or reject, bulk sending patterns, and decent reputation for the sending address. A VMC isn’t required; Yahoo says it’ll use one to inform eligibility if you have it. That makes Yahoo the inbox where our $850 a year is closest to optional. Logos appear in the message list and read views of the Yahoo and AOL mobile apps, and in read views on desktop webmail.

Outlook

Microsoft is the holdout. An answer on Microsoft Q&A confirms that Exchange Online and Outlook don’t render BIMI logos, so compliant senders show up plain in Microsoft-hosted inboxes, and no implementation date has been announced. Microsoft’s BIMI involvement sits on the sending side, in Dynamics 365 Customer Insights. As of mid-2026, no generally available Outlook surface renders BIMI. If your buyers live in Exchange Online, an $850-a-year mark certificate is a tough sell.

Can you turn any of that into an impressions model? You can, as a hypothetical, though we’d rather show the seams than sell the math. A sender pushing 100,000 emails a month with 40% of recipients on Gmail would put its mark in front of roughly 40,000 inboxes monthly, for what works out to $70.83 of certificate. We’re not publishing Tallyfy’s own send volumes to dress that up. The model breaks anyway, because nobody clicks an avatar; there’s no destination URL on a BIMI logo, so the spend attributes to nothing in any funnel report you’ll ever run.

Where recognition does have room to work is first contact: an invoice from a supplier the recipient has never seen, a proposal, the kickoff email you send when onboarding a new client whose inbox has never met your domain. By the fortieth task nudge inside a long project, the avatar is furniture. We’d internalized that earlier, when we rebuilt reminder emails around a daily digest instead of per-task pings.

Weigh the costs against the one real win

The win first, because it took us until about the second renewal to name it. BIMI’s entry condition is DMARC at enforcement; Gmail and Yahoo both gate display on quarantine or reject, as covered above. To show a swan, we had to take tallyfy.com to p=reject and hold it there through every sending-platform change since 2022. This is the live record as we read it on July 2, 2026:

_dmarc.tallyfy.com  TXT  "v=DMARC1; p=reject; sp=reject; rua=mailto:cf58ddc3b39843d4bc555830361dd0ca@dmarc-reports.cloudflare.net,mailto:re+9d471d5a524d@inbound.dmarcdigests.com; aspf=r; pct=100"

At p=reject, receiving servers are told to refuse mail that fails authentication, which is the part that blunts domain spoofing; sp=reject extends that to every subdomain, including ones we never send from. The certificate is the visible tip. The enforcement discipline underneath is where the security value lives, and a visible logo doubles as a tripwire: if our DMARC posture ever regressed, the swan would vanish from Gmail and someone would ask why by the next morning. That same discipline eventually pushed us to audit 11 domains we own, typo-squats included, and the findings there were humbling.
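The tripwire described above can also be checked directly instead of waiting for a logo to vanish. The Python below is an added example, not Tallyfy's or any vendor's code: it parses a DMARC TXT value and reports anything short of the enforcement conditions this post describes (p at quarantine or reject, pct at 100, subdomains covered). The function names and every sample record except the live tallyfy.com one are constructed for illustration.

```python
# Added example: check a DMARC TXT value against the enforcement conditions
# described in this post. Function names are hypothetical.

ENFORCING = {"quarantine", "reject"}

# The live record quoted in this post.
LIVE = ("v=DMARC1; p=reject; sp=reject; "
        "rua=mailto:cf58ddc3b39843d4bc555830361dd0ca@dmarc-reports.cloudflare.net,"
        "mailto:re+9d471d5a524d@inbound.dmarcdigests.com; aspf=r; pct=100")

# Constructed records showing three ways a posture can regress.
MONITORING = "v=DMARC1; p=none; rua=mailto:reports@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=50"
SUBDOMAIN_GAP = "v=DMARC1; p=reject; sp=none"


def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" not in part:
            continue  # skip empty segments such as a trailing ';'
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def enforcement_findings(txt):
    """Return a list of problems; an empty list means the record is at enforcement."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    p = tags.get("p", "").lower()
    if p not in ENFORCING:
        findings.append(f"p={p or 'missing'}: below quarantine/reject")
    # RFC 7489 defaults: pct is 100 when absent, sp inherits p when absent.
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    sp = tags.get("sp", p).lower()
    if sp not in ENFORCING:
        findings.append(f"sp={sp or 'missing'}: subdomains are not at enforcement")
    return findings
```

Run on a schedule against the TXT value returned for a domain's _dmarc name, any non-empty result is the regression signal, available before a mailbox provider drops the logo.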

Now the bill, in four parts.

Price variance is wild for an identical product. A DigiCert-chain certificate cost us $1,608 a year on the Red Sift renewal signed June 6, 2025, and $850 a year on the three-year SSL Dragon order we placed June 15, 2026 ($2,550 total, invoice 46980, term through June 14, 2029). Nothing about the certificate changed between those two signatures. The delta is $758 a year, roughly a 47% cut, earned by shopping four vendors from late April to mid-June 2026.

Re-validation never goes away. A VMC is a one-year certificate no matter the term you buy; multi-year deals lock the price while the certificate itself re-issues annually. Validation isn’t quick paperwork, either. Our replacement request went into DigiCert’s CertCentral on June 16, 2026, and the organization and trademark checks were still running as of early July, with the live certificate due to expire July 28, 2026. We’re watching the validation queue the way you’d watch a package tracker. When it clears, the swap on our self-hosted setup is a one-file deploy, and the reasons why are most of how BIMI works in the first place.

Attribution is zero, permanently. The logo is a trust signal, and trust signals don’t carry UTM parameters, so the only ROI evidence you’ll ever gather is a directional open-rate read like our 2022 one. Anyone promising more precision than that is selling something.

Display timing belongs to the mailbox providers, and that hasn’t changed since 2022. You can’t buy your way to the front of Gmail’s trust queue, so an annoying mid-quarter possibility remains: the certificate lands weeks before the logo does.

Who should skip it

  • DMARC still at monitoring - If your _dmarc record says p=none, spend $0 and get to enforcement first. Google’s docs won’t entertain BIMI below quarantine, and enforcement is where the security payoff sits anyway.
  • No registered trademark - Gmail’s CMC route covers marks in prior use, minus the checkmark. If the blue tick is why you’re buying, a trademark registration comes first, and that’s its own project with its own fees and timeline.
  • Buyers who live in Outlook - You’d be paying for pixels Microsoft doesn’t render as of mid-2026. Park the budget until Redmond ships something generally available.

Where this leaves us

Would we buy BIMI again? We did, on June 15, 2026, without much internal debate, because the price in front of us was $850 a year. The same question at $1,608, the renewal rate we’d signed in June 2025, got a different answer: we went shopping and left our vendor of three years over it. The quoted price decides the verdict, which is why every number in this post carries a date.

Our advice compresses well. Get DMARC to p=reject and let it settle; that part is free and carries most of the security value. Then treat the certificate as the commodity it is: collect dated quotes from more than one reseller and more than one CA, then tell the finalists the number to beat. Sign whatever term locks the low rate; ours was three years at $2,550.

If your recipients mostly read mail where BIMI renders, the certificate defends your brand in the exact surface where spoofing happens, and at $850 a year we think that’s fair money. If they mostly read mail in Exchange Online, hold off.

That said, re-run the decision annually whatever you choose. The CA behind our own subscription changed once without us driving it, and prices moved 61% up and then 47% down inside four years. Apple root coverage was reportedly still widening in May 2026. Mid-2026 answers have a shelf life.

BIMI never became a growth channel for us, and we’ve stopped expecting it to be one. What we bought, at its best price, is a spoofing deterrent with a visible receipt. The checkmark and the avatar are nice; the standing reason to keep DMARC locked at reject is the part we’d miss.

About the author

Amit is the CEO of Tallyfy. He has 25+ years of practical experience in technology, entrepreneurship, and operational efficiency. He's been hands-on with AI-first engineering and changing Tallyfy to AI-native workflow automation since Claude Code was first released. He's also an Entrepreneur in Residence at WashU's Skandalaris Center, created the OneDay (Woolf) AI curriculum for their accredited MBA and consults with clients who need help with AI via Blue Sheen. He graduated with a Computer Science degree from the University of Bath. He's originally British and lives in St. Louis, MO.
