Suped

A guide to BIMI accredited certificate providers

Michael Ko profile picture

Michael Ko

11 Jul 2025

An illustration of a certificate and an email icon, representing a Verified Mark Certificate for BIMI.

Getting your brand's logo to appear in your customers' inboxes is a powerful way to build trust and recognition. That's the promise of BIMI (Brand Indicators for Message Identification). But to unlock the full potential of BIMI, especially with major mailbox providers like Gmail and Apple, you need something called a Verified Mark Certificate, or VMC. This isn't just another acronym to add to the pile; it's a crucial piece of the email authentication puzzle that validates you are who you say you are.

The journey to getting a VMC can seem complicated. It involves trademarking your logo, getting your DMARC policy in order, and then navigating the world of Certificate Authorities (CAs). The final step, choosing a provider, is critical because not just any CA can issue a VMC. Only a select few have been accredited by the BIMI Group to perform the rigorous checks required. In this guide, I'll walk you through what these certificates are, who can issue them, and what you need to consider when choosing a provider for your business.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What is a Verified Mark Certificate (VMC)?

Think of a VMC as a digital passport for your brand's logo. It's a certificate that proves your organization has the legal right to use the logo you want to display in emails. This verification is what gives mailbox providers the confidence to show your logo next to your messages, assuring recipients that the email is legitimately from you and not a phishing attempt. It’s a key part of how BIMI and VMCs work together to enhance email security and brand presence.

Before you can even apply for a VMC, there are some important prerequisites. First and foremost, you must have DMARC configured for your domain with a policy of enforcement. This means your DMARC record must be set to p=quarantine or p=reject. A policy of p=none won't cut it. Second, your logo must be a registered trademark with a recognized intellectual property office. This is non-negotiable and often the longest part of the process for many brands.

This strict validation process is precisely why a VMC is so valuable. It’s not just a rubber stamp. It's a verifiable link between your authenticated domain and your legally owned brand mark. While some providers might show a BIMI logo without a VMC, the most prominent players like Google require this certificate to ensure the system remains trustworthy. Without it, you’re missing out on the majority of inboxes where you’d want your logo to appear.

A minimalist illustration of a shield with a checkmark in the center, symbolizing verification and trust. The style of the images should be A minimalist retro illustration in the style of Malika Favre. Dominant colors are bright poppy red and deep royal blue. Vector art, high contrast. Do not put any words in the image or alphanumeric characters.

Who are the BIMI accredited certificate providers?

You can't just go to any SSL certificate vendor and ask for a VMC. The authority to issue these specialized certificates is limited to a small number of providers who have passed a strict accreditation process. The AuthIndicators Working Group, the body behind BIMI, maintains an official list of Mark Verifying Authorities (MVAs) that are permitted to issue VMCs.

Currently, the two primary CAs that have been accredited to issue VMCs are DigiCert and Entrust. These companies are established players in the digital security space and have the infrastructure and processes required to handle the rigorous verification that a VMC demands. You can purchase a VMC directly from them or through one of their many resellers.

The role of these accredited providers is to be the gatekeepers of the BIMI ecosystem's visual trust layer. Their job involves multiple verification steps, such as confirming your organization's identity, validating your control over the domain, and most importantly, verifying that your logo is a registered trademark and that you are the rightful owner. This meticulous process ensures that only legitimate brands can display their logos, preventing bad actors from impersonating trusted companies in the inbox.

DigiCert

Reputation

As the first CA accredited to issue VMCs, DigiCert has a long-standing reputation in the email security community. They have a well-defined process and extensive documentation.

Key Features

Entrust

Reputation

A major global CA with a broad portfolio of security products. Entrust is the other primary provider of VMCs, offering a competitive alternative for businesses.

Key Features

Choosing the right certificate authority

When deciding between DigiCert and Entrust, or their resellers, you're generally choosing between two highly reputable CAs. For a long time, the choice came down to pricing, existing relationships, or specific reseller bundles. DigiCert, being the first to market, has extensive experience and is often the default choice for many businesses starting their BIMI journey.

Entrust provides a solid alternative, backed by its long history as a Certificate Authority. For organizations that already use Entrust for other security products, it can be a convenient and logical choice to keep certificate management under one roof. Both providers follow the same core set of validation standards mandated by the BIMI Group, so the end product—a valid VMC—is functionally identical.

CA Distrust issues

Important warning about Entrust

Recent developments have made this choice more critical. Google has announced its intent to distrust public TLS certificates from Entrust, and Apple has already taken similar steps. While this primarily affects website SSL/TLS, it has a direct impact on VMCs. For instance, Apple will not trust VMCs issued by Entrust after a certain date. This means if you want your logo to appear in Apple Mail, an Entrust VMC may not work.

Given these recent events, it is currently advisable to choose DigiCert or a reseller that provides DigiCert VMCs to ensure maximum compatibility across all mailbox providers that support BIMI, especially Apple. This situation is evolving, but for now, DigiCert offers a more reliable path to getting your logo displayed everywhere.

A minimalist illustration of a DNS record being configured on a computer screen, with lines and text representing data entry. The style of the images should be A minimalist retro illustration in the style of Malika Favre. Dominant colors are bright poppy red and deep royal blue. Vector art, high contrast. Do not put any words in the image or alphanumeric characters.

The process of getting a VMC

The path to obtaining a VMC is methodical and requires careful preparation. As mentioned earlier, the first step is achieving DMARC enforcement. This signals to mailbox providers that you have control over your email sending domain and are actively preventing fraudulent use. Without a p=quarantine or p=reject policy, your VMC application will not proceed.

Next is the trademark requirement. Your logo must be an active, registered trademark with an intellectual property office recognized by the VMC issuers. This can be a lengthy and expensive process if you haven't done it already. Once trademarked, you need to create an SVG version of your logo that conforms to the specific BIMI profile, which has strict requirements on file structure and content.

With those prerequisites in place, you can finally apply for your VMC through your chosen provider. This involves a verification process where you'll need to prove your identity and your organization's legitimacy. After issuance, you receive the certificate file, which you host on a public server. The final step is to publish a BIMI DNS record pointing to your SVG logo and your new VMC file.

BIMI DNS Record Example

dns

default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://media.yourdomain.com/logo.svg; a=https://media.yourdomain.com/vmc.pem;"

This DNS record tells mailbox providers where to find your logo (l=) and the Verified Mark Certificate (a=) that proves you own it.

Implementing BIMI with a VMC is undoubtedly a significant undertaking, but the payoff is substantial. You're not just adding a logo to your emails; you're participating in a new global standard for visual email authentication. Choosing the right accredited provider is a key part of that process. Due to the current landscape, DigiCert stands out as the most reliable choice for ensuring broad compatibility.

By navigating the requirements and carefully selecting a provider, you can enhance your brand's visibility, increase customer trust, and improve engagement with every email you send. It’s a clear signal to your recipients that you take their security seriously, and in today’s digital world, that is more valuable than ever.

Frequently asked questions

How much does a VMC cost?

The cost of a VMC is not trivial. Prices typically start at over $1,000 per year and can vary based on the provider and reseller. This cost reflects the extensive manual verification process required to vet the trademark and organization. You can explore VMC pricing from different providers to find one that fits your budget.

How long does it take to get a VMC?

The process can take anywhere from a few days to several weeks. The main variable is the verification process. If your organization's details and trademark information are straightforward and easy to verify, it will be quicker. Delays often happen if the CA needs additional documentation to prove your identity or trademark ownership.

Do I absolutely need a VMC for BIMI?

While the BIMI standard technically allows for a record without a VMC, its effectiveness is severely limited. Major mailbox providers, including Gmail and Apple Mail, require a VMC to display the logo. Without one, your logo will not appear in most of the inboxes you are trying to reach, defeating much of the purpose of implementing BIMI.

Which mailbox providers support BIMI?

Support for BIMI is growing steadily. The major providers currently supporting it are Google (Gmail), Apple Mail, Yahoo, and Fastmail. Several other providers like Comcast and La Poste are in pilot phases or actively considering it. You can check an updated list of BIMI mailbox provider support to see where your logo will be visible.
A person inspecting a document with a magnifying glass to validate it for BIMI compliance.

A guide to validating your BIMI SVG and certificate

Matthew Whittaker profile picture

Matthew Whittaker

11 Jul 2025

Learn how to ensure your BIMI implementation is successful by properly validating your SVG logo and VMC certificate. This guide covers the strict technical requirements for SVG files, how to verify them against the official schema, and how to confirm your DNS records are correctly configured for compliance.

A chart showing a line graph trending upwards, with the arrow at the end shaped like a brand logo, symbolizing the ROI of BIMI.

Understanding the business value and ROI of implementing BIMI

Matthew Whittaker profile picture

Matthew Whittaker

11 Jul 2025

Discover the tangible business value and ROI of implementing BIMI. Learn how this email standard goes beyond just displaying a logo to boost open rates, enhance brand trust, and improve security, delivering a measurable return on your investment.

A comparative illustration showing the BIMI standard and Apple Business Connect. Both are depicted as leading to an email with a brand logo, highlighting their shared goal but different paths.

Is Apple Business Connect the same as BIMI? a comparative guide

Matthew Whittaker profile picture

Matthew Whittaker

11 Jul 2025

Discover the key differences between Apple Business Connect's Branded Email feature and the BIMI standard. This guide compares their requirements, implementation processes, and scope to help you understand that they are not the same, but rather complementary tools for enhancing brand presence in the inbox. Learn why using both is the ideal strategy for maximum email visibility.

A minimalist illustration showing brand logos appearing in an email inbox, demonstrating BIMI.

Which email clients actually support BIMI?

Michael Ko profile picture

Michael Ko

13 Jul 2025

Curious which email clients support BIMI? This post breaks down the current landscape of BIMI adoption, highlighting major providers like Gmail, Apple Mail, and Yahoo. We'll cover the essential prerequisites, such as DMARC enforcement, and provide a clear table showing who supports BIMI and whether a Verified Mark Certificate (VMC) is required. Learn which key player is still holding out and what that means for your email strategy.

A stylized illustration of a digital certificate being inspected, symbolizing the difference between VMC and CMC for BIMI.

VMC vs CMC: How to tell which BIMI certificate a domain is using

Michael Ko profile picture

Michael Ko

20 Jul 2025

Learn the key differences between a Verified Mark Certificate (VMC) and a Common Mark Certificate (CMC) for BIMI. This guide explains what each certificate is, why the distinction matters, and provides a step-by-step technical process to identify which type a domain is using.

Start improving your email deliverability today

Get started