Setting up an email BIMI record in cloudflare

I’ve recently learned about a new method that has been developed to help secure email, called BIMI.

I’ve configured the record according to the RFC using the AGARI tool, but for some reason, the BIMI testers don’t see the result, even 24 h later.

Does anyone have any good ideas about how to fix this?

It’s just a TXT record. Does it show up in

1 Like


Here’s how I have it set up:

I should add that I have DMARC, DKIM and SPF set up correctly, and verified.

It’s there:

That’s interesting. I did not know that you could prepend the TXT record to the domain name like that. I was simply reviewing the DNS test results where it shows all the various records.

So now I have to figure out why the test tools, like MX Toolbox and Agari are failing to recognize it…

The Agari tool still does not recognize the record, nor does MXToolbox.

I just re-validated my SPF, DKIM and DMARC records, and I found a couple of issues that I think happened during the automagical port of my original DNS to Cloudflare. There were a couple of spaces added and a missing ;. All fixed. I’m going to wait a bit to see if the changes made any improvement with the problem.

1 Like

No change after 2 h

Cloudflare DNS is doing exactly what you asked it to. I’ve not tried BIMI, so I can only suggest that you check other forums for what it takes to get BIMI working.


Hey @sdayman,
I am already on that. Not sure why the test tools are not happy, but I’ll get it figured out. When I do, I will post what I learn here.

1 Like

Hey DougN, I would like to point out that the hostname should be default._bimi, not bimi alone.

Currently you have:
Screen Shot 2021-03-04 at 4.23.10 PM

Where it should show is this:
Screen Shot 2021-03-04 at 4.23.36 PM

default is what many mail client will display by default, that’s why it didn’t work when you test it. Try change hostname of txt record to default._bima.

Add an example for my domain to make it easier:


Hi, thanks for the pointer! That solved part of the problem. The other missing piece was that the “a” tag cannot be empty, despite what I read elsewhere. The “a” tag can contain self, cert, mva or a valid URI. Since I don’t have an authority as yet, I decided to go with “self.” Having tested it successfully now, I can say that everything appears to be working as expected. :slight_smile:

Thanks to both @sdayman and for the help!


This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.