Getting your brand's logo to appear in your customers' inboxes is a powerful way to build trust and recognition. That's the promise of BIMI (Brand Indicators for Message Identification). But to unlock the full potential of BIMI, especially with major mailbox providers like Gmail and Apple, you need something called a Verified Mark Certificate, or VMC. This isn't just another acronym to add to the pile; it's a crucial piece of the email authentication puzzle that validates you are who you say you are.
The journey to getting a VMC can seem complicated. It involves trademarking your logo, getting your DMARC policy in order, and then navigating the world of Certificate Authorities (CAs). The final step, choosing a provider, is critical because not just any CA can issue a VMC. Only a select few have been accredited by the BIMI Group to perform the rigorous checks required. In this guide, I'll walk you through what these certificates are, who can issue them, and what you need to consider when choosing a provider for your business.
Think of a VMC as a digital passport for your brand's logo. It's a certificate that proves your organization has the legal right to use the logo you want to display in emails. This verification is what gives mailbox providers the confidence to show your logo next to your messages, assuring recipients that the email is legitimately from you and not a phishing attempt. It’s a key part of how BIMI and VMCs work together to enhance email security and brand presence.
Before you can even apply for a VMC, there are some important prerequisites. First and foremost, you must have DMARC configured for your domain with a policy of enforcement. This means your DMARC record must be set to p=quarantine or p=reject. A policy of p=none won't cut it. Second, your logo must be a registered trademark with a recognized intellectual property office. This is non-negotiable and often the longest part of the process for many brands.
This strict validation process is precisely why a VMC is so valuable. It’s not just a rubber stamp. It's a verifiable link between your authenticated domain and your legally owned brand mark. While some providers might show a BIMI logo without a VMC, the most prominent players like Google require this certificate to ensure the system remains trustworthy. Without it, you’re missing out on the majority of inboxes where you’d want your logo to appear.
You can't just go to any SSL certificate vendor and ask for a VMC. The authority to issue these specialized certificates is limited to a small number of providers who have passed a strict accreditation process. The AuthIndicators Working Group, the body behind BIMI, maintains an official list of Mark Verifying Authorities (MVAs) that are permitted to issue VMCs.
Currently, the two primary CAs that have been accredited to issue VMCs are DigiCert and Entrust. These companies are established players in the digital security space and have the infrastructure and processes required to handle the rigorous verification that a VMC demands. You can purchase a VMC directly from them or through one of their many resellers.
The role of these accredited providers is to be the gatekeepers of the BIMI ecosystem's visual trust layer. Their job involves multiple verification steps, such as confirming your organization's identity, validating your control over the domain, and most importantly, verifying that your logo is a registered trademark and that you are the rightful owner. This meticulous process ensures that only legitimate brands can display their logos, preventing bad actors from impersonating trusted companies in the inbox.
When deciding between DigiCert and Entrust, or their resellers, you're generally choosing between two highly reputable CAs. For a long time, the choice came down to pricing, existing relationships, or specific reseller bundles. DigiCert, being the first to market, has extensive experience and is often the default choice for many businesses starting their BIMI journey.
Entrust provides a solid alternative, backed by its long history as a Certificate Authority. For organizations that already use Entrust for other security products, it can be a convenient and logical choice to keep certificate management under one roof. Both providers follow the same core set of validation standards mandated by the BIMI Group, so the end product—a valid VMC—is functionally identical.
Given these recent events, it is currently advisable to choose DigiCert or a reseller that provides DigiCert VMCs to ensure maximum compatibility across all mailbox providers that support BIMI, especially Apple. This situation is evolving, but for now, DigiCert offers a more reliable path to getting your logo displayed everywhere.
The path to obtaining a VMC is methodical and requires careful preparation. As mentioned earlier, the first step is achieving DMARC enforcement. This signals to mailbox providers that you have control over your email sending domain and are actively preventing fraudulent use. Without a p=quarantine or p=reject policy, your VMC application will not proceed.
Next is the trademark requirement. Your logo must be an active, registered trademark with an intellectual property office recognized by the VMC issuers. This can be a lengthy and expensive process if you haven't done it already. Once trademarked, you need to create an SVG version of your logo that conforms to the specific BIMI profile, which has strict requirements on file structure and content.
With those prerequisites in place, you can finally apply for your VMC through your chosen provider. This involves a verification process where you'll need to prove your identity and your organization's legitimacy. After issuance, you receive the certificate file, which you host on a public server. The final step is to publish a BIMI DNS record pointing to your SVG logo and your new VMC file.
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://media.yourdomain.com/logo.svg; a=https://media.yourdomain.com/vmc.pem;"Implementing BIMI with a VMC is undoubtedly a significant undertaking, but the payoff is substantial. You're not just adding a logo to your emails; you're participating in a new global standard for visual email authentication. Choosing the right accredited provider is a key part of that process. Due to the current landscape, DigiCert stands out as the most reliable choice for ensuring broad compatibility.
By navigating the requirements and carefully selecting a provider, you can enhance your brand's visibility, increase customer trust, and improve engagement with every email you send. It’s a clear signal to your recipients that you take their security seriously, and in today’s digital world, that is more valuable than ever.
