You were pretty close on the order.
-Contact/Gal
-Gravatar
-Bimi
-Website Icon (pull from root of website, <link ref='icon'>)
-Favicon.ico
-No Image / Monogram

Are you seeing clear examples of BIMI being skipped? That could be a bug

The avatars are cached in 2 seperate 5 day caches.
Contact/Gal (changes instantly, no cache), 
Per User: Gravatar

Per server: Bimi, Website Icon, Favicon, and lack of icon (we cache this)

Also, if an email is older than 5 days, we won't update the icon until you click on it in webmail. It won't automatically update in the message list. We did this to keep the load on avatar fetching down.

I am indeed seeing the BIMI image skipped and the favicon.ico used instead...but in all of those cases I've checked so far they are BIMIv1 tiny-ps 1.2 SVG images that do not have a VMC (Verified Mark Certificate). I will have to double-check to see if it is working with BIMIv1 tiny-ps 1.2 SVG images that do have a valid VMC.

Good to know on the caches. I see they cleared over the weekend so the new favicon.ico that I uploaded to websites to match the BIMI images for domains last week are now showing in SmarterMail. It may be that SmarterMail is just ignoring BIMI SVG images without VMC, like GMail?

Just looked at the code. We are not verifying or looking for certificates at the moment. 
We do a TXT Record to "default._bimi.<DmarcDomain>" We verify the TXT header has v=BIMI1 and then we pull the "l=" parameter with the URL.

We do require that DMARC has a Pass result into order to pull BIMI images, this is to prevent abuse.

Something you can look out for is that new emails should have BIMI details should be applied the message, if the domain had BIMI. You can look for the "X-SmarterMail-BIMI" header.

Matt---Does SM still tag the header with "X-SmarterMail-BIMI" on the more recent versions (I am currently on 8629)?

On the left is the validation from MX Records that email.apple.com is passing BIMI but on the right is the header from an email from Apple on 9/18 and when I search the header I can't find text = bimi.

Maybe I am doing something wrong?

Thanks.

You should still be getting the header as long as DMARC is running and passing on the message. If DMARC is passing for the message you can try searching your SpamChecks log for "BIMI Exception" to see if anything is happening. You can also check your SMTP logs for "DMARC Results:" and make sure we're correctly identifying the dmarc info.

It's passing dmarc:

[2023.09.18] 17:10:53.919 [17.171.37.39][31270991] DMARC Results: Passed (Domain: email.apple.com, Reason: SPF: True, DKIM: True, Alignments: 2, Domain: email.apple.com), Reason: SPF: True, DKIM: True, Alignments: 2, Domain: email.apple.com, Reject? False

When I look @ the SpamChecks logs I don't see anything at all regarding BIMI or domain = email.apple.com

Spam Checks Process Logging currently = Exception Only

Thanks.

ok - thanks, will wait for the update to re-test.

What the result after re-test?

need to wait for .NET Core release