Getting your brand's logo to appear in your customers' inboxes is a powerful way to build trust and recognition. That's the promise of BIMI (Brand Indicators for Message Identification). But to unlock the full potential of BIMI, especially with major mailbox providers like Gmail and Apple, you need something called a Verified Mark Certificate, or VMC. This isn't just another acronym to add to the pile; it's a crucial piece of the email authentication puzzle that validates you are who you say you are.
The journey to getting a VMC can seem complicated. It involves trademarking your logo, getting your DMARC policy in order, and then navigating the world of Certificate Authorities (CAs). The final step, choosing a provider, is critical because not just any CA can issue a VMC. Only a select few have been accredited by the BIMI Group to perform the rigorous checks required. In this guide, I'll walk you through what these certificates are, who can issue them, and what you need to consider when choosing a provider for your business.
Think of a VMC as a digital passport for your brand's logo. It's a certificate that proves your organization has the legal right to use the logo you want to display in emails. This verification is what gives mailbox providers the confidence to show your logo next to your messages, assuring recipients that the email is legitimately from you and not a phishing attempt. It’s a key part of how BIMI and VMCs work together to enhance email security and brand presence.
Before you can even apply for a VMC, there are some important prerequisites. First and foremost, you must have DMARC configured for your domain with a policy of enforcement. This means your DMARC record must be set to p=quarantine or p=reject. A policy of p=none won't cut it. Second, your logo must be a registered trademark with a recognized intellectual property office. This is non-negotiable and often the longest part of the process for many brands.
This strict validation process is precisely why a VMC is so valuable. It’s not just a rubber stamp. It's a verifiable link between your authenticated domain and your legally owned brand mark. While some providers might show a BIMI logo without a VMC, the most prominent players like Google require this certificate to ensure the system remains trustworthy. Without it, you’re missing out on the majority of inboxes where you’d want your logo to appear.
You can't just go to any SSL certificate vendor and ask for a VMC. The authority to issue these specialized certificates is limited to a small number of providers who have passed a strict accreditation process. The AuthIndicators Working Group, the body behind BIMI, maintains an official list of Mark Verifying Authorities (MVAs) that are permitted to issue VMCs.
Currently, the two primary CAs that have been accredited to issue VMCs are DigiCert and Entrust. These companies are established players in the digital security space and have the infrastructure and processes required to handle the rigorous verification that a VMC demands. You can purchase a VMC directly from them or through one of their many resellers.
The role of these accredited providers is to be the gatekeepers of the BIMI ecosystem's visual trust layer. Their job involves multiple verification steps, such as confirming your organization's identity, validating your control over the domain, and most importantly, verifying that your logo is a registered trademark and that you are the rightful owner. This meticulous process ensures that only legitimate brands can display their logos, preventing bad actors from impersonating trusted companies in the inbox.
Reputation
Key Features
Reputation
Key Features
When deciding between DigiCert and Entrust, or their resellers, you're generally choosing between two highly reputable CAs. For a long time, the choice came down to pricing, existing relationships, or specific reseller bundles. DigiCert, being the first to market, has extensive experience and is often the default choice for many businesses starting their BIMI journey.
Entrust provides a solid alternative, backed by its long history as a Certificate Authority. For organizations that already use Entrust for other security products, it can be a convenient and logical choice to keep certificate management under one roof. Both providers follow the same core set of validation standards mandated by the BIMI Group, so the end product—a valid VMC—is functionally identical.
Important warning about Entrust
Given these recent events, it is currently advisable to choose DigiCert or a reseller that provides DigiCert VMCs to ensure maximum compatibility across all mailbox providers that support BIMI, especially Apple. This situation is evolving, but for now, DigiCert offers a more reliable path to getting your logo displayed everywhere.
The path to obtaining a VMC is methodical and requires careful preparation. As mentioned earlier, the first step is achieving DMARC enforcement. This signals to mailbox providers that you have control over your email sending domain and are actively preventing fraudulent use. Without a p=quarantine or p=reject policy, your VMC application will not proceed.
Next is the trademark requirement. Your logo must be an active, registered trademark with an intellectual property office recognized by the VMC issuers. This can be a lengthy and expensive process if you haven't done it already. Once trademarked, you need to create an SVG version of your logo that conforms to the specific BIMI profile, which has strict requirements on file structure and content.
With those prerequisites in place, you can finally apply for your VMC through your chosen provider. This involves a verification process where you'll need to prove your identity and your organization's legitimacy. After issuance, you receive the certificate file, which you host on a public server. The final step is to publish a BIMI DNS record pointing to your SVG logo and your new VMC file.
BIMI DNS Record Example
dns
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://media.yourdomain.com/logo.svg; a=https://media.yourdomain.com/vmc.pem;"
This DNS record tells mailbox providers where to find your logo (l=) and the Verified Mark Certificate (a=) that proves you own it.
Implementing BIMI with a VMC is undoubtedly a significant undertaking, but the payoff is substantial. You're not just adding a logo to your emails; you're participating in a new global standard for visual email authentication. Choosing the right accredited provider is a key part of that process. Due to the current landscape, DigiCert stands out as the most reliable choice for ensuring broad compatibility.
By navigating the requirements and carefully selecting a provider, you can enhance your brand's visibility, increase customer trust, and improve engagement with every email you send. It’s a clear signal to your recipients that you take their security seriously, and in today’s digital world, that is more valuable than ever.
How much does a VMC cost?
How long does it take to get a VMC?
Do I absolutely need a VMC for BIMI?
Which mailbox providers support BIMI?
Matthew Whittaker
11 Jul 2025
Learn how to ensure your BIMI implementation is successful by properly validating your SVG logo and VMC certificate. This guide covers the strict technical requirements for SVG files, how to verify them against the official schema, and how to confirm your DNS records are correctly configured for compliance.
Matthew Whittaker
11 Jul 2025
Discover the tangible business value and ROI of implementing BIMI. Learn how this email standard goes beyond just displaying a logo to boost open rates, enhance brand trust, and improve security, delivering a measurable return on your investment.
Matthew Whittaker
11 Jul 2025
Discover the key differences between Apple Business Connect's Branded Email feature and the BIMI standard. This guide compares their requirements, implementation processes, and scope to help you understand that they are not the same, but rather complementary tools for enhancing brand presence in the inbox. Learn why using both is the ideal strategy for maximum email visibility.
Michael Ko
13 Jul 2025
Curious which email clients support BIMI? This post breaks down the current landscape of BIMI adoption, highlighting major providers like Gmail, Apple Mail, and Yahoo. We'll cover the essential prerequisites, such as DMARC enforcement, and provide a clear table showing who supports BIMI and whether a Verified Mark Certificate (VMC) is required. Learn which key player is still holding out and what that means for your email strategy.
Michael Ko
20 Jul 2025
Learn the key differences between a Verified Mark Certificate (VMC) and a Common Mark Certificate (CMC) for BIMI. This guide explains what each certificate is, why the distinction matters, and provides a step-by-step technical process to identify which type a domain is using.