Why is Apple distrusting Entrust CA and VMCs, and what are the alternatives?
Michael Ko
Co-founder & CEO, Suped
Published 28 May 2025
Updated 17 Aug 2025
6 min read
The digital landscape of email security and deliverability is constantly evolving, with changes from major players like Apple having significant ripple effects. Recently, a notable development has been Apple's decision to distrust Entrust, a long-standing Certificate Authority (CA), specifically extending this distrust to their Verified Mark Certificates (VMCs) and other certificate types. This move has prompted many organizations to re-evaluate their email authentication strategies.
Understanding why this decision was made and what alternatives are available is crucial for maintaining strong email deliverability and preserving your brand's trust in the inbox. It affects not only secure web connections but also visual brand elements like those displayed through Brand Indicators for Message Identification (BIMI).
Why Apple distrusted Entrust
Apple's decision to distrust Entrust is rooted in compliance concerns within the Certificate Authority ecosystem. CAs are responsible for issuing digital certificates that verify the identity of websites and email senders, ensuring secure communication. When a CA fails to adhere to established industry standards and audit requirements, trust in its issued certificates can erode. In this instance, specific compliance incidents led to Apple's action.
The distrust wasn't a sudden, isolated event, but rather a response to ongoing issues. While the specifics of all incidents are detailed in various industry forums, the core issue revolves around Entrust's adherence to the baseline requirements set by the CA/Browser Forum. These requirements are essential for maintaining the integrity and security of the public key infrastructure. When a CA falls short, browsers and operating systems, like those from Apple, must take action to protect their users from potential security risks.
The scope of Apple's distrust is broad, impacting not only TLS (Transport Layer Security) certificates, which secure websites, but also S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates used for email encryption and digital signatures, and crucially, Verified Mark Certificates (VMCs). This wider scope means that organizations relying on Entrust for these certificate types need to act promptly to avoid disruptions.
Impact on email and VMCs
For email, the distrust of Entrust VMCs is particularly significant for brands leveraging BIMI (Brand Indicators for Message Identification). BIMI allows organizations to display their registered brand logo next to their email sender name in supporting inboxes. For this to work, a VMC is required to prove ownership of the logo and its associated trademark.
When Apple announced that new VMCs issued by Entrust after a certain date would no longer be trusted, it meant that brand logos relying on these certificates would cease to display in Apple Mail. This directly impacts brand visibility and the recipient's trust in the authenticity of the sender, affecting overall email deliverability and engagement.
While Google had previously decided to distrust Entrust public TLS certificates, they initially excluded VMCs from this distrust. Apple's broader stance, as detailed on their support page regarding certification authorities, specifically includes VMCs. This highlights the varying policies among email clients and the importance of checking all relevant platforms.
Key impact points
Brand visibility: Emails sent with Entrust-issued VMCs may lose their logo display in Apple Mail, diminishing brand recognition.
Trust and authentication: The distrust could indirectly affect how recipients perceive the authenticity of your emails, even if other authentication methods like DMARC, SPF, and DKIM are in place.
Security implications: For those using Entrust for S/MIME, there might be warnings or distrust messages for digitally signed or encrypted emails, potentially causing deliverability issues or even leading to emails being placed on a blacklist or blocklist.
Navigating the transition
If your organization currently uses Entrust for VMCs or other affected certificates, the primary course of action is to migrate to an alternative, trusted Certificate Authority. This process involves obtaining a new VMC from a recognized provider and updating your DNS records to reflect the change. It's important to understand that existing certificates issued before the distrust date may continue to function until their expiration, but new issuances or renewals will be impacted.
Transitioning your VMC involves several steps. First, you'll need to identify an accredited CA that issues VMCs. Then, you'll go through their verification process, which typically involves proving ownership of your domain and trademark. Once the new certificate is issued, you will update your BIMI DNS record to point to the new VMC. This ensures that supporting email clients can validate your logo correctly. You can learn more about how to set up BIMI and its requirements.
While this may seem like an urgent task, especially if your current certificate is nearing expiration or you plan to issue new ones, it is not always an immediate emergency if your existing certificate was issued before the distrust date. However, being proactive is critical to avoid any future disruption to your brand's presence in the inbox.
Before the transition
Identify impact: Determine which services are using Entrust certificates.
Review expiration: Check expiration dates of existing Entrust VMCs.
Trademark validation: Ensure your logo trademark is active and valid for VMC issuance.
During and after transition
Select new CA: Choose a trusted VMC provider like DigiCert or Sectigo.
Obtain new VMC: Purchase and validate your new VMC from the chosen CA.
Update DNS records: Modify your BIMI DNS record to reflect the new VMC. Ensure your DMARC policy is at enforcement (p=quarantine or p=reject).
Monitor and test: Verify your logo displays correctly in Apple Mail and other supporting clients.
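As an added example (not code from the original article), the following Python check covers the two DNS records the transition steps above touch: the DMARC record must be at enforcement before a BIMI record pointing at the replacement VMC will be honoured. It works on constructed sample records rather than a live DNS lookup; the pct=100 and sp checks go beyond what the article states and are an assumption based on the BIMI Group's published DMARC requirements.

```python
# Added example: offline sanity check of the DMARC and BIMI TXT records
# involved in moving a brand logo to a VMC issued by a new CA.

# Constructed sample records (example.com is a placeholder domain).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
SAMPLE_BIMI = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
               "a=https://example.com/brand/vmc.pem")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_for_bimi(record: str) -> list:
    """Return the reasons this DMARC record would block BIMI display."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1")
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append("p= must be quarantine or reject")
    # pct defaults to 100 when absent; BIMI needs full enforcement (assumed).
    if tags.get("pct", "100") != "100":
        problems.append("pct= must be 100")
    if tags.get("sp") == "none":
        problems.append("sp=none leaves subdomains unenforced")
    return problems


def check_bimi_record(record: str, require_vmc: bool = True) -> list:
    """Return the reasons this BIMI record is unusable. require_vmc models
    clients such as Apple Mail that only show logos backed by a VMC."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("missing v=BIMI1")
    logo = tags.get("l", "")
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        problems.append("l= must be an https URL to an SVG logo")
    authority = tags.get("a", "")
    if require_vmc and not authority.startswith("https://"):
        problems.append("a= must be an https URL to the new VMC PEM")
    return problems
```

Run the two checks against your own records after updating the a= tag to the new CA's VMC; an empty list from both is the precondition for the logo to display.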
Choosing an alternative CA
With Entrust now on Apple's blocklist (or distrust list), organizations need reliable alternatives for VMCs. The primary accredited Certificate Authorities for BIMI VMCs are DigiCert and Sectigo. Both offer VMCs that comply with BIMI standards and are trusted by major email clients, including Google and Apple.
When choosing a new CA, consider factors beyond just price. Evaluate their customer support, the ease of their validation process, and their reputation for compliance. While the cost of VMCs can vary, prioritizing reliability ensures continuous brand logo display and avoids future issues.
It's also worth noting that some organizations have found DigiCert to be a seamless replacement for Entrust, particularly when dealing with Apple's extended distrust and other related policy changes impacting BIMI. Always verify the latest requirements and recommendations directly from the CAs and email providers.
CA provider | Key advantages | BIMI VMC support
DigiCert | Widely trusted by all major email clients, robust validation process, strong support for enterprise customers. | Yes, fully compliant with BIMI 1.0 specifications.
Sectigo | Another highly respected CA with a strong focus on automation and security solutions. | Yes, also fully compliant with BIMI 1.0 specifications.
Entrust | Previously a prominent CA, now facing distrust from Apple for new certificate issuances across multiple categories. | Not for new VMC issuances for Apple Mail due to distrust.
Views from the trenches
Best practices
Proactively monitor announcements from major email clients and Certificate Authorities.
Regularly check the expiration dates of all your digital certificates, especially VMCs.
Maintain relationships with multiple trusted CAs to diversify your certificate sources.
Perform thorough testing of email authentication and BIMI display after any certificate changes.
Common pitfalls
Delaying migration after a distrust announcement can lead to disruptions and loss of brand visibility.
Failing to understand the full scope of a distrust, including its impact on VMCs and S/MIME.
Assuming that existing certificates are permanently safe despite new distrust policies.
Overlooking the specific requirements for different email clients when implementing BIMI.
Expert tips
Prioritize the reputation and compliance history of a Certificate Authority when making your selection.
Consult with email deliverability and security specialists for complex certificate deployments.
Ensure clear and consistent communication with all relevant internal and external stakeholders.
Use comprehensive email deliverability tools to monitor the impact of certificate changes.
Marketer view
Marketer from Email Geeks says they recently received a notification from Entrust and assumed it was related to Branded Mail, expressing curiosity about the implications.
2024-01-01 - Email Geeks
Marketer view
Marketer from Email Geeks says they believe the issue is tied to the broader Entrust Certificate Authority distrust, noting Apple's unique inclusion of VMCs in their distrust policy, unlike Google's initial exclusion.
2024-01-01 - Email Geeks
Maintaining trust in the inbox
Apple's distrust of Entrust CA and VMCs marks a significant development in the world of email security and brand identity. It underscores the critical importance of staying informed about changes in Certificate Authority policies and their impact on your email program.
For brands utilizing BIMI, proactively migrating from Entrust to a trusted alternative like DigiCert or Sectigo is essential for ensuring continuous brand logo display and maintaining recipient trust. This ensures your emails continue to land in the inbox with their intended visual impact, contributing to overall email deliverability rates.