
Is DigiCert the only working VMC issuer for Google BIMI?

Michael Ko
Co-founder & CEO, Suped
Published 19 Jul 2025
Updated 15 Aug 2025
When you see a brand's logo next to their emails in your inbox, that's often thanks to Brand Indicators for Message Identification (BIMI) and a Verified Mark Certificate (VMC). BIMI allows companies to display their trademarked logos in the inbox, enhancing brand recognition and trust. As an email deliverability specialist, I often hear questions about which Certificate Authorities (CAs) reliably issue VMCs that email service providers, particularly Google's Gmail service, support.
There has been a noticeable trend where logos tied to DigiCert VMCs appear consistently, while those from other CAs, like Entrust, sometimes face visibility issues. This has led many to question if DigiCert is the only reliable option for Google BIMI. It's an important concern, given the investment required for VMCs.
I'll delve into the factors influencing VMC visibility with Google and other mailbox providers, address the perceived dominance of DigiCert, and explain what you need to know to ensure your brand logo displays successfully.

Understanding VMCs and certificate authorities

A VMC (Verified Mark Certificate) is a digital certificate that verifies your ownership of a trademarked logo. This certificate is crucial for BIMI because it provides cryptographic proof that your organization is authorized to use a specific logo in email. It's essentially a seal of authenticity for your brand's visual identity in the inbox. For Gmail to display your logo, a VMC is required, distinguishing BIMI logos from regular profile pictures.
These certificates are issued by Certificate Authorities (CAs) that have been accredited to issue VMCs by the AuthIndicators Working Group, the body responsible for the BIMI standard. Initially, only a couple of CAs, primarily DigiCert and Entrust, were authorized to issue these certificates. This limited selection meant most organizations seeking to implement BIMI had to choose between these two providers.
While both DigiCert and Entrust have played significant roles in the early adoption of BIMI, the landscape is not static. Other CAs have emerged, and the requirements and acceptance criteria can evolve. Understanding the differences between these issuers and their specific processes is key to a smooth BIMI implementation.

| Feature | DigiCert | Entrust |
| --- | --- | --- |
| VMC availability | One of the first to issue VMCs, widely recognized. | Also an early issuer, offered VMCs from early on. |
| Trademark requirement | Requires an officially registered trademark for the logo. | Same requirement for a trademarked logo. |
| Pricing (approx.) | Reported to be in the range of $1,500 annually. | Competitive with DigiCert, also around $1,400 per year. |

The perceived disparity between CAs

The observation that DigiCert-issued VMCs seem to work more consistently with Google (Gmail) while some Entrust-issued ones have had issues, especially concerning specific domains like Air Canada, is not unfounded. However, this isn't necessarily due to a fundamental preference by Google for one CA over the other. More often, it's tied to underlying certificate trust issues or specific configuration nuances.
A significant factor that emerged recently involved Apple's decision to distrust certain root certificates from Entrust. Although this primarily impacted Apple Mail's display of BIMI logos, such broad certificate authority changes can have ripple effects across the ecosystem. If a VMC is built on a distrusted root, its validation chain breaks, causing logos not to display. This situation highlights the critical importance of a CA's overall trustworthiness and its standing with major operating systems and email providers.
It's important to remember that the BIMI standard relies on a chain of trust. If any link in that chain is broken, whether it's an issue with the VMC itself, the CA's root certificates, or the SVG logo file, the logo won't appear. While DigiCert has historically been a very prominent and reliable player, this doesn't mean other CAs are inherently non-functional for Google BIMI. Issues are often specific and addressable.

The evolving landscape of VMC support

While DigiCert and Entrust were the pioneering VMC issuers, the ecosystem is expanding. The AuthIndicators Working Group maintains an official list of accepted VMC issuers, which has changed over time. It's always best to consult this list directly to see the most current accredited providers.
Major email providers like Google, Yahoo, and now Apple Mail support BIMI. However, their specific requirements regarding VMCs can vary slightly. For instance, while Google and Yahoo fully embrace VMCs from accredited CAs, Apple initially had stricter requirements, only accepting VMCs from DigiCert in some instances.
It's important to monitor updates from these providers, as their policies can impact your BIMI implementation. The goal is to ensure your VMC is issued by a CA that is trusted by the major mailbox providers where you want your logo to appear.
Example BIMI DNS record:
v=BIMI1;l=https://yourdomain.com/path/to/logo.svg;a=https://yourdomain.com/path/to/vmc.pem;

Other critical factors for BIMI display

Having a VMC from a recognized CA is a necessary step, but it's not the only factor for successful BIMI logo display. Several other elements must be correctly configured for your logo to show up. The foundational requirement for BIMI is DMARC enforcement at a policy of quarantine (p=quarantine) or reject (p=reject). Without strong DMARC, your BIMI record will be ignored.
Your domain's reputation also plays a crucial role. If your domain is on a blacklist (or blocklist) or has a poor sender reputation with the receiving email provider, your emails might not reach the inbox, let alone display a logo. Email providers prioritize security and user experience, so a questionable sending history can suppress BIMI display.
Finally, the SVG logo file itself must adhere to strict formatting guidelines specified by the BIMI standard. Any deviation can prevent the logo from rendering correctly. Ensuring that your SVG is properly formatted and hosted, and that your BIMI DNS record points to it accurately, is vital for success.

BIMI implementation checklist

  1. DMARC enforcement: Ensure your DMARC policy is set to `p=quarantine` or `p=reject`.
  2. Trademarked logo: Your logo must be registered with a valid trademark office.
  3. SVG formatting: Ensure your SVG file meets all BIMI specifications.
  4. VMC provider: Choose a CA that is accredited and trusted by major mailbox providers.
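The DNS-side items of this checklist can be linted before publishing. The following is an added example, not code from Suped or the BIMI Group: it parses a BIMI record and a DMARC record passed in as strings and lists what would block the logo. The sample records and function names are constructed for illustration, the DNS lookup is left out so it runs offline, and the `pct` check goes beyond the article (it follows the BIMI draft).

```python
from urllib.parse import urlparse

# Constructed sample records; yourdomain.com is the article's placeholder domain.
BIMI_TXT = "v=BIMI1;l=https://yourdomain.com/path/to/logo.svg;a=https://yourdomain.com/path/to/vmc.pem;"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
DMARC_MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"


def parse_tags(record):
    """Split a 'tag=value;tag=value' TXT record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_https_url(value):
    url = urlparse(value)
    return url.scheme == "https" and bool(url.netloc)


def bimi_problems(bimi_txt, dmarc_txt):
    """Return the reasons a logo would be ineligible; an empty list means both records pass."""
    bimi, dmarc = parse_tags(bimi_txt), parse_tags(dmarc_txt)
    problems = []
    if bimi.get("v", "").upper() != "BIMI1":
        problems.append("BIMI record needs v=BIMI1")
    if not is_https_url(bimi.get("l", "")):
        problems.append("l= must be an https URL to the SVG logo")
    # The article notes Gmail requires a VMC, so an empty a= tag is treated as a failure.
    if not is_https_url(bimi.get("a", "")):
        problems.append("a= must be an https URL to the VMC")
    if dmarc.get("v", "").upper() != "DMARC1":
        problems.append("DMARC record needs v=DMARC1")
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append("DMARC policy must be p=quarantine or p=reject")
    # Beyond the article: the BIMI draft also disqualifies p=quarantine with pct below 100.
    pct = dmarc.get("pct", "100")
    if policy == "quarantine" and not (pct.isdigit() and int(pct) >= 100):
        problems.append("p=quarantine must apply to all mail (pct=100)")
    return problems


if __name__ == "__main__":
    print(bimi_problems(BIMI_TXT, DMARC_ENFORCED))
    print(bimi_problems(BIMI_TXT, DMARC_MONITORING))
```

A clean result only covers the DNS records; the VMC's trust chain and the SVG profile still have to be validated separately.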

Views from the trenches

Best practices
Ensure DMARC is set to `p=quarantine` or `p=reject` at the organizational domain level.
Verify your logo's SVG file meets all BIMI profile specifications for proper rendering.
Regularly monitor your domain's reputation to prevent issues that could affect BIMI display.
Common pitfalls
Using a VMC from a CA whose root certificates are not fully trusted by all major mailbox providers.
Failing to update your BIMI record if your VMC or SVG file location changes.
Assuming a VMC alone guarantees logo display without proper DMARC enforcement.
Expert tips
Review the official BIMI Group website for the most current list of accredited VMC issuers.
Consult with an email deliverability specialist if you experience persistent BIMI logo display issues.
Consider a phased rollout of BIMI, starting with a monitoring-only DMARC policy to assess impact.
Expert view
Expert from Email Geeks says that the perceived disparity between VMC issuers is likely a coincidence due to undisclosed factors.
2020-12-11 - Email Geeks
Expert view
Expert from Email Geeks states that observers may not be aware of all current BIMI participants.
2020-12-11 - Email Geeks

Final thoughts on VMC issuers and Google BIMI

In conclusion, DigiCert is not the only VMC issuer that works with Google BIMI. While their strong reputation and early involvement have made them a prominent choice, other accredited CAs, including Entrust, can also issue functional VMCs. The observed discrepancies in logo display are often attributable to factors beyond just the CA, such as certificate trust issues, especially recent changes in root certificate acceptance by major platforms like Apple, or problems with the BIMI record or SVG file itself.
For successful BIMI implementation and consistent logo display, it's crucial to focus on a holistic approach. This includes ensuring your domain has a strong DMARC policy at enforcement, maintaining a good sender reputation, and meticulously configuring your BIMI DNS record and SVG logo. Staying informed about updates from the AuthIndicators Working Group and major mailbox providers is also key to navigating the evolving landscape of email authentication and branding.
