Suped

Will a VMC work on a subdomain if the subdomain isn't explicitly listed in the certificate?

Matthew Whittaker
Co-founder & CTO, Suped
Published 28 Apr 2025
Updated 18 Aug 2025
6 min read
When deploying BIMI, one of the most common questions that comes up revolves around Verified Mark Certificates (VMCs) and how they interact with subdomains. Specifically, many wonder if a VMC will function correctly on a subdomain even if that subdomain isn't explicitly listed within the certificate itself. It's a valid concern, as misconfigurations can prevent your brand logo from appearing in inboxes, impacting your email deliverability and overall brand presence.
The technicalities of certificate validation can be complex, especially when dealing with nested domains and varying certificate types. Understanding the interplay between your organizational domain, subdomains, and how VMCs are issued and validated is crucial for successful BIMI implementation and ensuring your email sending strategy is robust.

Understanding VMCs and domain coverage

A Verified Mark Certificate (VMC) is a digital certificate that authenticates your brand's logo, allowing it to be displayed next to your sender name in supported email clients. Its primary role is to provide a higher level of trust and visual identification for email recipients. For a VMC to be effective with BIMI, it must be issued by a trusted Certificate Authority (CA) and meet specific requirements for both the certificate and the logo it represents.
In the context of domain coverage, a VMC is normally issued for the organizational domain, and BIMI's validation rule lets that coverage extend to its subdomains. If you have a VMC whose SAN lists example.com, it applies to subdomains like mail.example.com or news.example.com without each subdomain needing to be individually listed on the certificate. This is a crucial distinction and is often misunderstood.
The key principle here is that the VMC names the organizational domain, and BIMI accepts a certificate for a record found at a subdomain when the SAN contains either that subdomain or its organizational domain. According to the DigiCert VMC FAQ, every organizational domain you send from needs to be listed on the certificate, but subdomains do not, as they are covered by the base domain.

VMC issued for the organizational domain
  Scope: A single VMC issued for the base domain (example.com) covers all its subdomains (mail.example.com, news.example.com) for BIMI display.
  BIMI record configuration: Each subdomain's BIMI record points to the same VMC location, and the certificate validates because it names the organizational domain.

VMC issued for a specific subdomain
  Scope: A VMC issued specifically for a subdomain (sub.example.com) only covers that exact subdomain. This is less common for BIMI.
  BIMI record configuration: The BIMI record on that subdomain would point to this specific VMC; other subdomains cannot reuse it.

How VMCs work with BIMI and subdomains

For BIMI to display your logo on emails sent from a subdomain, the BIMI record (a DNS TXT record at <selector>._bimi.<subdomain>) on that subdomain needs to reference the VMC. The crucial point is that this VMC should be issued for your organizational domain, not for each individual subdomain.
When an email client receives a message from a subdomain, it looks up the BIMI record for that subdomain (if the subdomain publishes none, the BIMI draft has the receiver fall back to the organizational domain's record). The record's a= tag contains the URL of your VMC. The email client then fetches the VMC, validates its chain, and compares the domain the record was found at with the dNSName entries in the certificate's SAN. As long as the SAN contains the base domain (e.g., example.com), the certificate is accepted for the subdomain as well, allowing your logo to appear. This is why one VMC can be shared across all subdomains.
This mechanism greatly simplifies the management of BIMI for organizations that use multiple subdomains for different sending purposes, such as marketing emails from marketing.example.com and transactional emails from transact.example.com: one certificate, one logo file, and one record format reused across every sending stream.

BIMI DNS record structure

The BIMI record on your subdomain will look similar to the one on your organizational domain, simply placed at the subdomain level. The l= tag points to the SVG logo, and the a= tag points to the VMC (PEM); both must be HTTPS URIs.
Example BIMI record for a subdomain referencing an organizational domain VMC (DNS):
default._bimi.mail.example.com. IN TXT "v=BIMI1;l=https://vmc.example.com/logo.svg;a=https://vmc.example.com/certificate.pem;"

Troubleshooting VMC and subdomain validation

If you're encountering an error like "certificate is valid for example.com, not edu.example.com", the checker producing it is applying ordinary X.509 hostname matching (exact name or wildcard) to the SAN rather than BIMI's rule that the organizational domain also counts. That is what a generic TLS tool or a naive validator reports when the VMC lists example.com and the record sits at edu.example.com; a receiver that implements BIMI accepts that combination. Confirm that the SAN actually contains your organizational domain and that the a= URL on the subdomain record really serves that certificate before concluding the VMC itself is wrong.
Another common pitfall involves the DMARC policy. For BIMI to work, the domain must have a DMARC policy of p=quarantine or p=reject, any pct= tag must be 100, and, for mail from a subdomain that has no DMARC record of its own, the organizational domain's sp= tag (if present) must also be quarantine or reject, because sp= is the policy the receiver applies to subdomains. If the effective policy is none or the percentage is below 100, BIMI fails regardless of the certificate's domain coverage.
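The following is an added example, not Suped's code, covering both the subdomain record format above and the "valid for example.com, not edu.example.com" error. It parses a BIMI assertion record, recovers the selector and domain from the record name, and then evaluates the VMC's SAN two ways: ordinary TLS hostname matching (which rejects the subdomain and produces that kind of error) and the BIMI organizational-domain rule (which accepts it). Assumptions: the SAN dNSName entries are supplied as strings (a real checker extracts them from the certificate's SubjectAltName extension) and the organizational domain is supplied by the caller (a real checker derives it from the Public Suffix List or the DMARC tree walk); all records and names are constructed for illustration.

```python
"""Added example (not Suped's code): parse a BIMI record and check VMC domain
coverage under the BIMI rule versus ordinary TLS hostname matching.

Assumptions: SAN names are passed in as strings; the organizational domain is
supplied by the caller; every record below is constructed for illustration.
"""

BIMI_LABEL = "_bimi"


def parse_bimi_record(txt: str) -> dict:
    """Split 'v=BIMI1; l=...; a=...' into a tag dict and sanity-check it."""
    if not txt.lstrip().lower().startswith("v="):
        raise ValueError("BIMI record must begin with the v= tag")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("record must carry v=BIMI1")
    # l= (logo) and a= (authority evidence, i.e. the VMC) must be https URIs
    for tag in ("l", "a"):
        uri = tags.get(tag, "")
        if uri and not uri.lower().startswith("https://"):
            raise ValueError(f"{tag}= must be an https:// URI, got {uri!r}")
    return tags


def bimi_domain_from_name(qname: str) -> tuple:
    """Recover (selector, domain) from 'default._bimi.mail.example.com.'."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3 or labels[1] != BIMI_LABEL:
        raise ValueError(f"{qname!r} is not a <selector>._bimi.<domain> name")
    return labels[0], ".".join(labels[2:])


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def tls_hostname_match(hostname: str, san_names) -> bool:
    """Ordinary X.509 hostname matching: exact name, or one wildcard label.
    Generic TLS tooling applies this rule; BIMI does not."""
    host = _norm(hostname)
    for name in map(_norm, san_names):
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[2:]
            # a wildcard matches exactly one leading label
            if host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]:
                return True
    return False


def bimi_vmc_covers(bimi_domain: str, organizational_domain: str, san_names) -> bool:
    """BIMI rule: the VMC is acceptable for a record found at bimi_domain when
    its SAN lists that domain itself or the domain's organizational domain."""
    sans = {_norm(n) for n in san_names}
    return _norm(bimi_domain) in sans or _norm(organizational_domain) in sans


def check_subdomain_vmc(qname: str, txt: str, organizational_domain: str, san_names) -> dict:
    """Parse the record and report both verdicts side by side."""
    selector, domain = bimi_domain_from_name(qname)
    tags = parse_bimi_record(txt)
    return {
        "selector": selector,
        "domain": domain,
        "vmc_uri": tags.get("a"),
        "tls_style_match": tls_hostname_match(domain, san_names),
        "bimi_covered": bimi_vmc_covers(domain, organizational_domain, san_names),
    }


# Constructed inputs: the subdomain from the error message, the record format
# used in this article, and a VMC whose SAN lists only the organizational domain.
RECORD_NAME = "default._bimi.edu.example.com."
RECORD_TXT = "v=BIMI1;l=https://vmc.example.com/logo.svg;a=https://vmc.example.com/certificate.pem;"
VMC_SAN = ["example.com"]

if __name__ == "__main__":
    print(check_subdomain_vmc(RECORD_NAME, RECORD_TXT, "example.com", VMC_SAN))
```

For the constructed inputs, tls_style_match is False (the hostname-matching verdict behind the error) while bimi_covered is True. Swap VMC_SAN for ["sub.example.com"] and a record at news.example.com and both verdicts are False, which is the subdomain-specific certificate case from the table above.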
Ensuring proper DMARC record configuration is a prerequisite for BIMI, as it validates sender authenticity and helps prevent phishing and spoofing that can lead to your domain ending up on an email blocklist or blacklist. A robust DMARC setup ensures the integrity needed for your VMC to be trusted.

VMC validation failures

  1. Incorrect VMC issuance: The VMC was issued for a specific subdomain (e.g., sub.example.com) instead of the organizational domain (example.com). While technically possible, it complicates subdomain coverage for BIMI.
  2. BIMI record misconfiguration: The BIMI record on the subdomain points to an incorrect VMC URL or the VMC itself is invalid or expired.
  3. DMARC policy issues: DMARC is not enforced for the sending domain (p=none, an sp=none tag on the organizational domain for subdomain mail, or pct below 100), or SPF/DKIM do not align with the From domain, so the message fails DMARC.
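The DMARC prerequisite is where subdomain setups most often fail quietly: the organizational domain publishes p=reject, but an sp=none tag means every subdomain is effectively unenforced. The following added example (not Suped's code) parses a DMARC record and reports whether BIMI can use it, for the organizational domain itself and for a subdomain that has no _dmarc record of its own. It checks the rules from the BIMI draft: effective policy quarantine or reject, pct (default 100) equal to 100, and sp= used in place of p= for subdomains. The three records are constructed for illustration, and the rua= address is a placeholder; a real checker would fetch _dmarc.<domain> over DNS.

```python
"""Added example (not Suped's code): does a DMARC record satisfy the BIMI
prerequisite for the organizational domain and for its subdomains?

Assumptions: records are constructed inline; a subdomain is modelled as one
without its own _dmarc record, so the organizational domain's sp= applies.
"""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=...; sp=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def effective_policy(tags: dict, is_subdomain: bool) -> str:
    """Policy a receiver applies: p= for the organizational domain itself,
    sp= (falling back to p=) for mail from a subdomain without its own record."""
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags["p"].lower()


def bimi_dmarc_check(txt: str, is_subdomain: bool = False) -> tuple:
    """Return (ok, reason); ok is True only when BIMI can rely on this policy."""
    tags = parse_dmarc(txt)
    policy = effective_policy(tags, is_subdomain)
    if policy not in ENFORCING:
        source = "sp=" if (is_subdomain and "sp" in tags) else "p="
        return False, f"{source}{policy} is not quarantine or reject"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        return False, f"pct={pct} must be 100"
    return True, f"{policy} applies"


# Constructed records for example.com. WEAK enforces the base domain only,
# PARTIAL applies quarantine to half the mail, FIXED enforces everything.
WEAK_DMARC = "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc@example.com"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
FIXED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_DMARC), ("partial", PARTIAL_DMARC), ("fixed", FIXED_DMARC)):
        print(label, "org:", bimi_dmarc_check(record), "subdomain:", bimi_dmarc_check(record, True))
```

WEAK_DMARC passes for example.com and fails for mail.example.com, which is exactly the case where the base domain's logo shows but the subdomain's does not even with a perfectly valid VMC. If a subdomain publishes its own _dmarc record, evaluate that record with is_subdomain=False instead, since it replaces the parent's sp= for that subdomain.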

Implementing VMCs effectively across subdomains

To ensure your VMC works seamlessly across all your subdomains, the best approach is to obtain a VMC for your organizational domain. This single certificate, once properly installed and referenced in your BIMI records, will cover all your legitimate subdomains.
Furthermore, double-check your BIMI records on each subdomain to ensure they correctly point to the VMC for your organizational domain. Remember that BIMI also requires robust email authentication protocols like SPF, DKIM, and DMARC to be in place and properly aligned. If you are configuring BIMI across multiple subdomains, you might want to review how to implement DMARC with BIMI on subdomains to avoid issues.

Best practices for VMC and subdomains

  1. VMC for organizational domain: Always obtain your VMC for your base domain (example.com) to ensure broader coverage.
  2. Consistent BIMI records: Ensure all subdomain BIMI records reference the same VMC URI from your organizational domain.
  3. Strong DMARC enforcement: Implement a DMARC policy of p=quarantine or p=reject on your organizational domain, keep pct at 100, and make sure any sp= tag is also quarantine or reject so subdomain mail is enforced too. This is critical for VMC success and avoiding common blocklist issues.

Views from the trenches

Best practices
Always get your VMC for the organizational domain, not individual subdomains.
Ensure your BIMI records on subdomains correctly point to the parent domain's VMC URL.
Maintain a strict DMARC policy (p=quarantine or p=reject) on your base domain for optimal BIMI performance.
Common pitfalls
Issuing a VMC for a specific subdomain which limits its applicability for other subdomains.
Forgetting to update the BIMI record on subdomains when the VMC or logo URI changes.
Insufficient DMARC policy (p=none) that prevents BIMI logo display, even with a valid VMC.
Expert tips
Use a DMARC reporting service to monitor authentication results for all your subdomains and troubleshoot any VMC validation errors.
Regularly check your BIMI setup using online validation tools to catch any misconfigurations early.
Educate your internal teams on the importance of consistent branding and email authentication across all sending domains.
Marketer view
Marketer from Email Geeks says that they deployed a BIMI record, including the VMC, across their organizational domain and subdomains, but encountered a certificate validation error indicating the VMC was not valid for the subdomain. This suggests that the subdomain might not have been properly covered by the VMC issued for the organizational domain, or the BIMI setup was looking for explicit subdomain coverage.
2024-01-10 - Email Geeks
Expert view
Expert from Email Geeks says that the VMC should still work on a subdomain even if it's not explicitly listed, provided the BIMI record on the subdomain is configured correctly to reference the VMC issued for the parent domain.
2024-01-10 - Email Geeks

Ensuring your brand's presence

In summary, a VMC issued for your organizational domain will generally work on your subdomains for BIMI purposes, even if those subdomains are not explicitly listed in the certificate, because BIMI accepts a certificate whose SAN names the organizational domain of the record's domain. The key is ensuring your BIMI record on the subdomain correctly references the organizational domain's VMC, and that the DMARC policy in effect for the subdomain (sp= if present, otherwise p=) is quarantine or reject.
By following these guidelines, you can ensure your brand logo consistently appears in inboxes, enhancing trust and recognition for all your email communications, regardless of the subdomain they originate from. This ultimately strengthens your email deliverability and helps prevent your messages from being flagged as spam or landing on a blocklist.
