Summary
Apple's distrust of Entrust CAs and VMCs, potentially stemming from security breaches, non-compliance, or policy changes, necessitates a migration plan. Unlike Google, Apple includes VMCs in its distrust. Experts recommend DigiCert as a reliable alternative and advise immediate action, particularly for those using Entrust for anything. BIMI with VMCs is essential for brand recognition and security, requiring proper DNS configuration and adherence to SPF, DKIM, and DMARC. Implementing BIMI provides extra security, allowing email recipients to easily identify authenticated messages and providing increased brand trust.
Key findings
- Entrust Distrust: Apple distrusts Entrust CAs and VMCs, potentially due to security issues or policy changes.
- VMC Inclusion: Apple's policy includes VMCs, unlike Google's.
- DigiCert as Alternative: DigiCert is the primary recommended alternative due to reliability.
- BIMI Significance: BIMI with VMCs enhances email security, brand recognition, and trust.
Key considerations
- Migration Planning: Develop a plan to migrate away from Entrust, especially if used for more than just BIMI.
- BIMI Implementation: Ensure correct DNS configuration (including SVG logo file location in DNS TXT record) and compliance with SPF, DKIM, and DMARC.
- Alternative Research: Research and select alternative VMC providers like DigiCert or Keyfactor.
- Certificate Validation: Validate trust chains and certificate validity.
What email marketers say
9 marketer opinions
Apple's distrust of Entrust CA and VMCs stems from issues such as security breaches or non-compliance, leading to certificate revocation. Unlike Google, Apple's policy includes VMCs. As a result, those affected should consider alternatives like DigiCert or Keyfactor. Implementing BIMI with a VMC is crucial for brand recognition, email security, and trust, requiring proper DNS record configuration and adherence to email authentication protocols (SPF, DKIM, DMARC).
Key opinions
- Distrustの原因: Apple distrusts Entrust CA and VMCs due to security breaches, non-compliance, or policy changes.
- VMC Impact: Apple's policy, unlike Google's, includes VMCs in the distrust.
- BIMI Importance: BIMI with VMC is essential for brand recognition and enhanced email security.
- Alternatives: DigiCert and Keyfactor are recommended as alternatives to Entrust.
Key considerations
- Provider Switch: Research and switch to alternative VMC providers, ensuring compatibility with BIMI.
- BIMI Implementation: Properly configure DNS records and adhere to SPF, DKIM, and DMARC for BIMI.
- Security Benefits: Leverage VMCs for increased brand trust and reduced phishing risks.
- Compliance: Ensure new CAs are fully compliant with security standards.
Marketer view
Email marketer from BIMI Group explains that BIMI (Brand Indicators for Message Identification) requires a VMC to display a brand's logo in supporting email clients and enhances email security and trust.
25 Jun 2023 - BIMI Group
Marketer view
Email marketer from Comodo explains the importance of BIMI with VMC, and how it provides an extra level of security, it allows email recipients to easily identify authenticated messages and helps provide increased brand trust.
20 May 2022 - Comodo
What the experts say
6 expert opinions
Experts strongly recommend migrating away from Entrust for VMCs and BIMI due to Apple's distrust, potentially stemming from various issues with Entrust's reliability and compliance. While existing certificates issued before November 15th may be valid until expiration, switching to DigiCert is highly advised and should be done as soon as convenient.
Key opinions
- Distrust of Entrust: Apple distrusts Entrust CAs and VMCs, prompting the need for migration.
- Migration Urgency: Immediate migration is not critical for certificates issued before November 15th, but it's strongly recommended.
- DigiCert Recommendation: DigiCert is a frequently recommended alternative to Entrust for VMCs and BIMI.
Key considerations
- Migration Plan: Develop and execute a plan to migrate away from Entrust for all services, not just BIMI.
- DigiCert Implementation: Consider switching to DigiCert as soon as convenient for BIMI and VMC needs.
- Certificate Validity: Assess the expiration dates of existing Entrust certificates to prioritize migration efforts.
Expert view
Expert from Email Geeks states that if you’re using Entrust for _anything_ it’s long past time to have a migration plan, as they’re a cowboy outfit.
31 Dec 2022 - Email Geeks
Expert view
Expert from Word to the Wise explains that Apple distrusting Entrust CAs and VMCs may stem from various issues, and recommends considering alternatives like DigiCert due to their reliability and compliance.
21 Dec 2021 - Word to the Wise
What the documentation says
6 technical articles
Apple devices come with pre-configured trusted root certificates for verifying server identities. Certification Authorities (CAs) are trusted third parties issuing digital certificates for online identity verification. Verified Mark Certificates (VMCs) authenticate brand logos in email inboxes supporting BIMI. Certificates can be added or removed, as demonstrated by Mozilla, emphasizing CA trust for secure browsing. GlobalSign highlights digital certificates' role in online security. LearnDMARC explains that BIMI requires a DNS TXT record to declare the location of an SVG logo file.
Key findings
- Trusted Root Certificates: Apple devices use pre-configured trusted root certificates.
- CA Role: CAs are trusted entities verifying online identities.
- VMC Function: VMCs authenticate brand logos in BIMI-enabled email.
- Certificate Management: Mozilla supports adding and removing trusted root certificates.
- DNS TXT Record: BIMI setup requires declaring the SVG logo file location as a DNS TXT record.
Key considerations
- Validate Trust Chains: Understand how your systems validate the trust chains related to root CAs and intermediary CAs.
- Implement BIMI Correctly: Adhere to BIMI requirements and correctly configure the DNS TXT record for your logo.
- Choose Trusted CAs: Select trusted Certification Authorities to ensure online security and brand authentication.
- Follow Best Practices: Always adhere to best practices, and make sure to use a DNS checker to validate your DMARC/BIMI records.
Technical article
Documentation from GlobalSign describes the role of digital certificates in establishing trust and security in online communications and transactions, emphasizing the importance of trusted CAs.
4 Oct 2022 - GlobalSign
Technical article
Documentation from LearnDMARC, explains that for BIMI you have to declare the location of your SVG logo file as a DNS TXT record, and to check this DNS record with an online checker to ensure it is valid.
21 Jan 2025 - LearnDMARC
Are paid 'top email marketing companies' lists worth it?
Do I need a VMC for BIMI to work with Google and Gmail?
Does a VMC SVG logo need to exactly match a trademarked logo?
How can I check if a domain uses Entrust or Digicert for BIMI, and should I avoid Entrust?
How do I implement a blue check mark on Gmail with BIMI and VMC?
How do I implement BIMI and get my logo to show in Gmail and Yahoo Mail?
