Which certification authorities are recommended for BIMI VMC authentication?
Michael Ko
Co-founder & CEO, Suped
Published 1 Aug 2025
Updated 17 Aug 2025
7 min read
When you're looking to implement Brand Indicators for Message Identification (BIMI) to display your brand's logo next to your authenticated emails, Verified Mark Certificates (VMCs) are often a crucial component. While BIMI itself helps enhance brand recognition and trust, the VMC acts as a digital seal, verifying that your logo is authentically associated with your domain and legally trademarked. This verification process is handled by specific certification authorities (CAs) that have been authorized to issue VMCs.
The question of which certification authorities are recommended for BIMI VMC authentication is a common one, especially given the strict requirements for VMCs. It’s important to select a CA that is trusted by mailbox providers and can facilitate a smooth verification process, ensuring your logo appears consistently.
A Verified Mark Certificate (VMC) is a digital certificate that verifies the authenticity of your company's logo and its association with your email sending domain. It works in conjunction with your BIMI record, which is a DNS TXT record that tells mailbox providers where to find your VMC and logo. The primary goal of a VMC is to provide a higher level of assurance to email recipients that the sender's logo is legitimate and not being used for impersonation or phishing attempts.
For your BIMI logo to appear in supporting inboxes, particularly those like Gmail that require a VMC for this feature, you must have strong email authentication protocols in place. This includes a DMARC policy set to enforcement (quarantine or reject). Without a VMC, some providers might still display your logo if you meet other BIMI requirements, but the VMC adds an undeniable layer of trust, often unlocking logo display in more prominent positions or for more stringent providers. You can learn more about the requirements to set up BIMI and VMC certificates.
The validation process for a VMC is rigorous. It requires proof of ownership for the domain and, crucially, proof that your logo is a registered trademark with a recognized intellectual property office. This ensures that only legitimate brands can display their official logos. This stringent requirement is why only a select few certification authorities are authorized to issue VMCs.
Primary certification authorities for VMC
Currently, the landscape of VMC issuers is quite narrow, with only a few trusted certification authorities globally. The two primary and most widely recognized CAs for BIMI VMC authentication are DigiCert and Entrust. It’s worth noting that Entrust’s VMC business has since been acquired by Sectigo, so when you're considering Entrust, you're now likely interacting with Sectigo for this product. These CAs adhere to the stringent requirements set by the BIMI Group for issuing VMCs, ensuring interoperability across supporting email clients.
While there aren't many direct options, some DMARC and email security providers may act as resellers for these VMCs. This can sometimes offer a more streamlined process or bundled services, but ultimately, the certificate will still originate from one of the accredited CAs. Understanding whether DigiCert is the only VMC issuer for Google BIMI is a common query, and it’s important to know the current landscape.
The limited number of VMC providers is due to the high bar set for trust and validation. The CAs must implement strict identity verification and trademark validation processes, which go beyond standard SSL/TLS certificate issuance. This ensures that the logos displayed are indeed legitimate and legally protected, enhancing overall email security and preventing brand impersonation.
DigiCert
Process: Known for a robust, albeit sometimes lengthy, validation process due to their thoroughness in verifying brand ownership and trademark status.
Support: Generally provides comprehensive support, which can be beneficial for navigating the complexities of VMC acquisition. Some users report direct communication being difficult, but resellers may offer better service.
Google Integration: Widely used and explicitly supported by Google Workspace for BIMI, ensuring compatibility for Gmail logo display.
Entrust (now Sectigo)
Process: Similar rigorous validation, but some users have noted variations in the efficiency or communication depending on whether purchased directly or through a reseller. Reviewing recommended VMC providers after the acquisition can be helpful.
Support: As with any CA, direct support experiences can vary, but many resellers offer added value through their dedicated support channels.
Compatibility: Fully compliant with BIMI standards and recognized by major mailbox providers that support VMCs. Both are trusted sources to get a Verified Mark Certificate
The VMC authentication process
Acquiring a VMC involves several key steps that typically apply regardless of the certification authority you choose. The first and most critical step is ensuring your logo is a registered trademark. This is a non-negotiable requirement for VMCs, as it legally validates your ownership of the mark. Different trademark offices globally are recognized, so ensure yours meets the criteria. You'll need to confirm the specific trademark requirements for BIMI VMC authentication.
Next, you’ll need to prepare your logo in a specific format, typically an SVG file. This SVG file needs to be publicly accessible via a URL so that mailbox providers can fetch it. It also must comply with certain technical specifications to be recognized by BIMI. The CA will verify that your trademarked logo matches the SVG image you provide.
Once your VMC is issued, you’ll update your BIMI DNS record to point to its location. This is a crucial final step, as it tells email systems where to find your verified logo. An example of a BIMI record looks like this, where auth and cert point to your logo SVG and VMC respectively:
BIMI DNS TXT Record ExampleDNS
default._bimi.yourdomain.com IN TXT "v=BIMI1;l=https://yourdomain.com/path/to/logo.svg;a=https://yourdomain.com/path/to/vmc.pem;"
Considerations when choosing a CA
When deciding on a certification authority for your VMC, consider several factors beyond just their accreditation. While DigiCert and Entrust (Sectigo) are the only game in town, their service and pricing can vary, especially if you go through a reseller. Some providers may offer more hands-on support, which can be invaluable given the technical nature of BIMI implementation. You should consider the pricing and approach behind VMCs and BIMI before making a decision.
Support quality is a significant consideration. The VMC application process involves detailed documentation and specific technical requirements. A CA or reseller that provides clear guidance and responsive support can prevent delays and frustration. This is particularly true for smaller organizations who may not have dedicated email deliverability or security teams. This is a common pain point reported by users in the email industry, where direct communication with CAs can sometimes be challenging.
Another factor is whether you prefer to purchase directly from the CA or through a DMARC service provider that resells VMCs. Some resellers offer value-added services, such as assisting with the application, ensuring your DNS records are correctly configured, or providing ongoing monitoring. While reselling can sometimes introduce an additional markup, the convenience and expert assistance can be well worth it for many companies looking to streamline their BIMI setup and VMC implementation.
Views from the trenches
Best practices
Ensure your logo is a registered trademark in a recognized jurisdiction before applying for a VMC.
Verify your DMARC policy is at quarantine or reject for the domain before expecting logo display.
Work with a reseller for white-glove service if you lack internal expertise in VMC implementation.
Common pitfalls
Attempting to obtain a VMC without a registered trademark for your logo.
Not having a DMARC policy at an enforcement level, which prevents VMC from working.
Underestimating the time and documentation required for the VMC validation process.
Expert tips
Maintain an updated DMARC record and ensure continuous compliance for optimal BIMI performance.
Regularly check for updates from the BIMI Group regarding new CAs or changing requirements.
Consider a Common Mark Certificate (CMC) if your logo isn't trademarked but is a widely recognized mark.
Marketer view
Marketer from Email Geeks says DigiCert and Entrust are currently the only known VMC providers.
2024-11-28 - Email Geeks
Expert view
Expert from Email Geeks says their company resells DigiCert VMCs as part of their BIMI service, aimed at large enterprises.
2024-11-28 - Email Geeks
Final thoughts on VMC providers
While the choice of certification authorities for BIMI VMC authentication is limited, both DigiCert and Entrust (now Sectigo) are reputable and trusted entities. Your decision will largely depend on factors like your budget, the level of support you require, and whether you prefer purchasing directly or through a reseller. Remember that a successful BIMI implementation with a VMC hinges not just on the certificate itself, but also on robust email authentication practices like DMARC. This is key to displaying your blue check mark on Gmail.
By carefully navigating the VMC acquisition process and maintaining strong email security, you can successfully leverage BIMI to boost your brand's visibility and trustworthiness in the inbox. Paying attention to these details will ensure your efforts result in the desired logo display and enhanced brand presence.
