Can a trademark owner authorize a third party to use their logo for BIMI?
Michael Ko
Co-founder & CEO, Suped
Published 11 May 2025
Updated 16 Aug 2025
Businesses and marketing agencies often ask whether a trademark owner can authorize a third party, such as an email service provider or marketing agency, to use their brand logo for BIMI (Brand Indicators for Message Identification). This is a crucial question for brands looking to leverage BIMI for enhanced email trust and visibility, especially when working with external partners for email campaigns.
The short answer is yes, a trademark owner generally can authorize a third party to use their logo for BIMI. However, the process involves navigating specific requirements, particularly concerning Verified Mark Certificates (VMCs), and ensuring proper alignment of technical standards. Understanding these nuances is key to a successful BIMI implementation for all parties involved.
Understanding BIMI and trademark requirements
BIMI is an email specification that allows organizations to display their trademarked logo next to their sender name in email inboxes. Its primary goal is to enhance brand recognition and trust, while simultaneously bolstering email security by requiring robust authentication protocols like DMARC. For your logo to appear, it typically needs to be registered as a trademark and validated by a Certificate Authority (CA) through a VMC.
The Verified Mark Certificate (VMC) acts as a digital credential that verifies the authenticity of your trademarked logo. This certificate links your email sending domain to your official, registered brand logo, providing a verifiable chain of trust. Major mailbox providers like Google and Yahoo often require a VMC for logos to be displayed, adding a layer of security and legitimacy to your emails. You can learn more about the requirements to implement BIMI for various providers.
The critical requirement for obtaining a VMC is that the logo must be registered as a valid, live trademark with a recognized intellectual property office. This ensures that the logo is legally owned by the entity seeking the VMC, preventing unauthorized use and maintaining brand integrity. The BIMI Group's official guidelines, such as the Minimum Security Requirements for Issuance of Mark Certificates, detail these stringent verification processes.
However, the question of third-party authorization arises when an external entity is responsible for managing email sending or brand assets on behalf of the trademark owner. This scenario is common in agency-client relationships or franchise models, where multiple entities might send emails under a unified brand.
Key BIMI requirements for logo display
Trademarked logo: The logo must be registered as a trademark with a recognized intellectual property office.
SVG format: The logo needs to be in a specific Scalable Vector Graphics (SVG) profile, SVG Tiny P/S.
DMARC at enforcement: Your domain must have a DMARC policy set to either quarantine (p=quarantine) or reject (p=reject). This is a fundamental security prerequisite for BIMI.
Verified mark certificate (VMC): For certain mailbox providers, particularly Google and Yahoo, a VMC is required to verify ownership of the trademarked logo.
BIMI DNS record: A BIMI record, which points to your logo's location and VMC, must be published in your domain's DNS.
Authorizing third parties for BIMI
From a technical standpoint, BIMI is tied to the visible From: domain in an email. This means that as long as the email is sent with a From: domain that is DMARC-aligned and compliant, and the associated BIMI DNS record is correctly published for that domain, the logo can potentially display. If a third party is authorized to send emails on behalf of the trademark owner using the trademark owner's domain, they can also facilitate the BIMI setup.
The crucial part lies with the Certificate Authority (CA) that issues the VMC. CAs like DigiCert and Entrust are responsible for verifying the entity applying for the VMC and ensuring that they have the legal right to use the trademarked logo for the specified domains. If a third party is applying for a VMC that includes a logo trademarked by another entity, the CA will require explicit authorization. This authorization typically comes in the form of a legal document, such as a licensing agreement or a letter of authorization from the trademark owner.
This allows for scenarios where a franchise owner (the trademark owner) can authorize their franchisees (third parties) to use the brand logo for BIMI purposes under their respective domains. Similarly, a marketing agency can manage the BIMI implementation for their client's domain, provided they have the necessary legal authorization and access to the client's DNS records. It is important to note that a VMC can contain multiple domains, simplifying management for organizations with several related domains.
Trademark owner responsibilities
Authorization: Grant explicit legal authorization for logo use to the third party.
Trademark maintenance: Ensure the logo is properly trademarked and maintained.
Documentation: Provide the third party with necessary documentation for VMC application.
Domain control: Maintain ownership and control over the primary domain(s).
Third-party responsibilities
Formal authorization: Obtain formal authorization from the trademark owner.
CA coordination: Work with the Certificate Authority to ensure all VMC requirements are met.
BIMI DNS management: Manage the BIMI DNS record for the authorized domain(s).
DMARC compliance: Ensure DMARC is at an enforcement policy (p=quarantine or p=reject) for the sending domains.
Practical considerations and potential hurdles
While authorization is generally possible, several practical considerations and potential hurdles might arise. One significant challenge occurs when the third party operates under a 'cousin domain' - a domain that is visually similar to the main brand's domain but not directly owned by the trademark holder. For instance, if foo.com owns the trademark, but a marketer wants to use joinusatfoo.com with foo.com's logo, this becomes more complex.
In such cases, the Certificate Authority's discretion plays a major role. CAs are stringent about verifying domain ownership and the right to use the trademark for that specific domain. It might be challenging for a third-party-owned cousin domain to get a VMC for a logo trademarked by a different entity, even with authorization. The safest approach is for the trademark owner to include such related domains within their own VMC, if feasible, as VMCs can support multiple domains.
Another hurdle relates to the technical setup. Implementing BIMI requires a properly configured DMARC record at an enforcement policy, typically p=quarantine or p=reject. If the third party is responsible for email sending, they must ensure their infrastructure fully supports DMARC alignment for the authorized domain. Without this foundational email authentication, BIMI cannot function, regardless of logo authorization. We provide tools like a free DMARC record generator to help with this setup.
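A precheck for the technical setup described above, as an added example (not code from the original article or from any BIMI tool). The TXT records in `SAMPLE_DNS` are constructed, the function names are hypothetical, and the caller is assumed to supply the organizational domain. It shows a case that catches third parties sending from a subdomain: the parent domain is at `p=reject`, but `sp=none` leaves the subdomain unenforced.

```python
# Constructed TXT records standing in for live DNS, so the check runs offline.
SAMPLE_DNS = {
    "_dmarc.brand.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@brand.com",
    "default._bimi.brand.com": "v=BIMI1; l=https://brand.com/logo.svg; a=https://brand.com/vmc.pem",
    "_dmarc.brand-promo.com": "v=DMARC1; p=quarantine",
    "default._bimi.brand-promo.com": "v=BIMI1; l=https://brand-promo.com/logo.svg; a=",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercased tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_dmarc_policy(from_domain, org_domain, dns):
    """Policy applied to from_domain: its own record's p=, otherwise the
    organizational domain's sp= (falling back to its p=), as in RFC 7489."""
    own = dns.get(f"_dmarc.{from_domain}")
    if own:
        return parse_tags(own).get("p", "none").lower()
    if from_domain != org_domain:
        org = parse_tags(dns.get(f"_dmarc.{org_domain}", ""))
        return org.get("sp", org.get("p", "none")).lower()
    return "none"

def bimi_readiness(from_domain, org_domain, dns=SAMPLE_DNS):
    """Return a list of problems for a From: domain; empty means prerequisites are met."""
    problems = []
    policy = effective_dmarc_policy(from_domain, org_domain, dns)
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC not at enforcement (effective policy: {policy})")
    # BIMI lookup uses the From: domain first, then the organizational domain.
    txt = dns.get(f"default._bimi.{from_domain}") or dns.get(f"default._bimi.{org_domain}", "")
    bimi = parse_tags(txt)
    if bimi.get("v") != "BIMI1":
        problems.append(f"no BIMI record found for {from_domain}")
    else:
        if not bimi.get("l", "").lower().startswith("https://"):
            problems.append("l= must be an HTTPS URL to the SVG logo")
        if not bimi.get("a", "").lower().startswith("https://"):
            problems.append("a= is empty or not HTTPS, so no VMC is referenced")
    return problems
```

With the sample records, `brand.com` passes, `mail.brand.com` fails on DMARC enforcement despite inheriting the parent's BIMI record, and `brand-promo.com` fails because its BIMI record references no VMC.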
The process of obtaining a VMC and setting up BIMI for third-party use involves legal and technical coordination. Clear communication and legal agreements between the trademark owner and the third party are essential to avoid any intellectual property disputes or complications during the VMC issuance process. For more information, you can refer to the Brand Indicators for Message Identification (BIMI) specification published by the IETF.
Furthermore, email deliverability and sender reputation remain critical. Even with a valid BIMI setup, poor sending practices by the third party could still lead to emails landing in spam or being blocked, negating the visual benefit of the logo. Regular monitoring of email performance and blocklist (or blacklist) status is important, as being listed on an email blocklist can severely impact deliverability.
| Scenario | VMC issuance feasibility | Recommendation |
| --- | --- | --- |
| Trademark owner uses a third party to send email from their primary domain (e.g., brand.com). | High. | Trademark owner applies for VMC, includes domain. Third party ensures DMARC compliance. |
| Third party (e.g., marketing agency) sends email from a subdomain of the trademark owner (e.g., mail.brand.com). | High. | Trademark owner applies for VMC, includes subdomain. |
| Third party sends email from a related but separately owned "cousin domain" (e.g., brand-promo.com for brand.com). | Challenging; depends on CA discretion and legal proof of authorization. | Trademark owner should include the cousin domain in their VMC if possible, or third party must secure robust legal authorization and prepare for strict CA scrutiny. |
| Government entity authorizes use of their logo to a third party. | Possible with official government documentation. | Third party must provide verifiable authorization from the government entity to the CA. |
Conclusion
In summary, a trademark owner can indeed authorize a third party to use their logo for BIMI. The success of this hinges on strong legal authorization, meticulous adherence to BIMI's technical requirements, especially DMARC enforcement, and the Certificate Authority's verification process. While straightforward for primary domains and subdomains, using trademarked logos on third-party-owned cousin domains can introduce complexities that require careful navigation.
Prioritizing clear communication, legal agreements, and a thorough understanding of BIMI and VMC requirements will pave the way for successful brand logo display across all authorized email sending activities.
Views from the trenches
Best practices
Ensure comprehensive legal agreements are in place before authorizing third-party use of your trademarked logo for BIMI, clearly outlining responsibilities.
The primary trademark owner should ideally manage the VMC and add all authorized sending domains, including those used by third parties, to their single VMC.
Regularly review DMARC reports to ensure that third-party sending domains maintain proper DMARC alignment, which is essential for BIMI logo display.
Conduct a thorough audit of all email sending sources and their respective From: domains to determine which require BIMI implementation and VMC coverage.
Common pitfalls
Assuming that a trademark owner's general authorization is sufficient for a Certificate Authority to issue a VMC to a third-party-owned domain.
Overlooking the necessity of DMARC at an enforcement policy (p=quarantine or p=reject) for all domains using BIMI, leading to logo display failures.
Failing to include all authorized From: domains, especially subdomains or cousin domains, within the Verified Mark Certificate.
Not understanding that a Certification Authority has the final say on VMC issuance based on their strict verification protocols, even with perceived authorization.
Expert tips
For complex organizational structures, consider consolidating VMC applications under the main trademark owner to simplify the verification process for multiple related domains.
If a third party uses a distinct domain (a cousin domain), explore the possibility of the trademark owner obtaining a VMC for that domain, if legally permissible, rather than the third party.
Educate legal and executive teams about the technical intricacies of BIMI, including DMARC requirements and CA verification, to prevent unrealistic expectations.
Continuously monitor BIMI implementation status using DMARC reporting tools to quickly identify and resolve any issues affecting logo display.
Marketer view
Marketer from Email Geeks says: We successfully implemented BIMI where the main franchise explicitly authorized the franchisee to use their trademarked logo in emails.
July 7, 2022 - Email Geeks
Expert view
Expert from Email Geeks says: BIMI is fundamentally tied to the visible From: domain and requires DMARC to pass at an enforcement policy; a brand can definitely use a third party to send BIMI-compliant mail, provided all technical and legal requirements are met.