# BIMI readiness checklist (Amazon SES)

Use this before publishing `default._bimi.<domain>` TXT. Order matters: authentication first, branding last.

## 1. Amazon SES identity

- [ ] Domain identity verified in the sending region(s)
- [ ] Easy DKIM enabled (or BYODKIM keys published and verified)
- [ ] Custom MAIL FROM domain configured with SPF TXT + MX to SES feedback
- [ ] From-domain and MAIL FROM align for DMARC (relaxed or strict as designed)
- [ ] Configuration set(s) emit bounce/complaint/delivery events
- [ ] Virtual Deliverability Manager (optional) enabled for inbox insights

## 2. SPF

- [ ] Root (or sending) domain SPF includes `include:amazonses.com` (or your MAIL FROM SPF)
- [ ] SPF string stays under DNS TXT length limits (split carefully if needed)
- [ ] No conflicting multiple SPF records on the same name

## 3. DKIM

- [ ] Three Easy DKIM CNAMEs resolve (or BYODKIM TXT published)
- [ ] SES console shows DKIM **Successful**
- [ ] Outbound messages include a valid DKIM-Signature for the From domain

## 4. DMARC (BIMI gate)

- [ ] `_dmarc.<domain>` TXT exists
- [ ] Policy is `p=quarantine` or `p=reject` (not `p=none`)
- [ ] `pct=100` (or omit pct — defaults to 100)
- [ ] If sending from a subdomain, parent domain also has enforcement (or subdomain has its own matching enforcement)
- [ ] `rua=` mailbox receives aggregate reports (monitored)
- [ ] Aggregate reports show aligned SPF and/or DKIM for production volume

## 5. Logo (SVG Tiny PS / SVG P/S)

- [ ] Square viewBox (1:1)
- [ ] `version="1.2"` and `baseProfile="tiny-ps"`
- [ ] File ≤ 32 KB
- [ ] No scripts, animations, external refs, or embedded rasters
- [ ] Solid background preferred (transparent often fails in clients)
- [ ] Validated with [BIMI SVG Validator](https://www.factualminds.com/tools/bimi-svg-validator/)

## 6. Hosting

- [ ] Logo served over HTTPS
- [ ] `Content-Type: image/svg+xml`
- [ ] PEM (VMC/CMC) served over HTTPS if used
- [ ] Prefer private S3 + CloudFront OAC (not public website bucket)
- [ ] Cache policy allows mailbox providers to fetch; plan invalidation on logo change

## 7. Mark certificate (when required)

- [ ] VMC (trademarked mark) or CMC (common mark) obtained from a participating CA
- [ ] PEM chain uploaded and reachable
- [ ] Certificate not expired (`openssl x509 -in logo.pem -noout -dates`)
- [ ] Logo in certificate matches hosted SVG

## 8. BIMI DNS

- [ ] `default._bimi.<domain>` TXT: `v=BIMI1;l=<https-svg>;a=<https-pem>` (omit `a=` only if accepting limited display)
- [ ] Record validated with [BIMI Record Generator](https://www.factualminds.com/tools/bimi-record-generator/)
- [ ] Domain scored with [BIMI Readiness Checker](https://www.factualminds.com/tools/bimi-readiness-checker/)

## 9. Mailbox proof

- [ ] Send authenticated mail to Gmail / Yahoo / Apple Mail test inboxes
- [ ] Confirm Authentication-Results show DMARC pass
- [ ] Allow reputation/cadence time — logo display is not instant
- [ ] Document which providers show the logo vs avatar fallback

## 10. Operations

- [ ] Calendar reminder for VMC/CMC renewal (typically annual; alert 30–45 days out)
- [ ] Runbook for logo update (upload → invalidate CloudFront → re-check MIME)
- [ ] Runbook for certificate renew (upload new PEM → invalidate → OpenSSL dates)
- [ ] Runbook for emergency revoke (remove or blank `a=` / take down PEM → invalidate)
- [ ] DMARC report review cadence (weekly during rollout, monthly steady-state)

### Runbook: logo update

1. Validate the new SVG with the [SVG Validator](https://www.factualminds.com/tools/bimi-svg-validator/) (Tiny PS, ≤ 32 KB, square).
2. Upload with explicit MIME: `aws s3 cp logo.svg s3://$BUCKET/logo.svg --content-type image/svg+xml --cache-control "public,max-age=86400"`.
3. Invalidate CloudFront: `aws cloudfront create-invalidation --distribution-id $DIST_ID --paths "/logo.svg"`.
4. Confirm `curl -sI https://bimi.example.com/logo.svg` returns `200` and `Content-Type: image/svg+xml`.
5. If providers previously cached a failed validation, prefer a new path (`logo-v2.svg`) and update `l=` in `default._bimi` instead of relying on invalidation alone.
6. If the mark changed and you use a VMC/CMC, confirm the certificate still matches the hosted SVG (reissue if not).

### Runbook: certificate renew

1. Obtain the renewed VMC/CMC PEM from the CA; inspect dates: `openssl x509 -in certificate.pem -noout -dates`.
2. Upload: `aws s3 cp certificate.pem s3://$BUCKET/certificate.pem --content-type application/x-pem-file --cache-control "public,max-age=86400"`.
3. Invalidate `/certificate.pem` on CloudFront.
4. Confirm `curl -sI` on the `a=` URL (HTTPS 200, not `text/html` from a custom error page).
5. Re-score with the [Readiness Checker](https://www.factualminds.com/tools/bimi-readiness-checker/) and spot-check Gmail.

### Runbook: emergency revoke / take-down

Use when a mark must stop appearing (legal, brand incident, compromised asset):

1. **Fast path:** remove the `a=` tag (or the entire `default._bimi` TXT) at the DNS provider; lower TTL beforehand if you can.
2. **Asset path:** delete or replace PEM/SVG in S3 and invalidate CloudFront so fetches fail closed.
3. Confirm dig no longer advertises the old pointers; confirm `curl` no longer serves the old mark.
4. Notify stakeholders that inbox caches may lag; document the change window.
5. Do **not** leave an expired PEM at a live `a=` URL — prefer DNS removal over a rotting certificate.
