What is the purpose of the 'cert=' parameter in a BIMI record?

Before we dive into the specifics of the cert= parameter, it's important to understand what BIMI (Brand Indicators for Message Identification) is. BIMI is an email specification that allows you to display your brand's logo next to your messages in the recipient's inbox. It's a powerful way to increase brand recognition and trust, but it relies on a series of verification steps to work correctly. One of the key components of this verification process is the BIMI record itself, a TXT record that lives in your DNS.

The cert= parameter within a BIMI record is the field that contains the URL of your Verified Mark Certificate (VMC). This certificate is a crucial piece of the puzzle for getting your logo to display in major mailbox providers like Gmail. Essentially, the cert= parameter is the authority claim; it points to a digitally signed certificate that proves you have the legal right to use the logo you're associating with your domain.

Suped DMARC monitor

Free forever, no credit card required

Get started for free

Trusted by teams securing millions of inboxes

A VMC is a digital certificate that verifies the authenticity of a brand's logo. To get one, you must first have a registered trademark for your logo. A Certificate Authority (CA) then validates your trademark and your organization's identity before issuing the VMC. This process ensures that only legitimate brand owners can use the BIMI standard to its full potential.

BIMI Group says:

Visit website

As described by the BIMI Group, certain mailbox providers will require a VMC. These MVAs (Mark Verifying Authorities) will verify the association of logos with domains, and issue Verified Mark Certificates (VMCs) that can be added to your BIMI record.

So, the purpose of the cert= parameter is to provide mailbox providers with a path to this certificate, allowing them to programmatically verify your logo's authenticity. Without a valid VMC referenced in this parameter, providers that require it will simply ignore your BIMI record, and your logo won't be displayed.

It is technically possible to have a BIMI record without a cert= parameter. This is often referred to as a "self-asserted" BIMI record. In this case, you are simply pointing to your logo file without the backing of a VMC.

BIMI Group says:

Visit website

Self-asserted records are BIMI records without a VMC. They can be denoted by omitting the 'a=;' or leaving the URL portion blank within the 'a=' value for your BIMI record.

Here's how the two types of BIMI records differ in structure and support:

• Self-Asserted (No VMC): The record includes the version and the logo URL, but the authority evidence URL (the a= tag, which contains the cert= data) is left empty. Example: v=BIMI1; l=https://example.com/logo.svg; a=;. Support for this type is limited; providers like Yahoo have supported it, but Gmail does not.
• VMC-Backed: The record includes the VMC URL in the a= tag. This is the version required for the widest compatibility, especially with Gmail. The full setup process results in a record like this: v=BIMI1; l=https://example.com/logo.svg; a=https://path.to/vmc.pem;.

In short, the purpose of the cert= parameter in your BIMI record is to provide the required proof of logo ownership through a Verified Mark Certificate. While not strictly mandatory for a BIMI record to exist, it is essential for achieving the primary goal of BIMI: displaying your logo in the inboxes of major email providers like Gmail, which rely on this verification to prevent impersonation and build a more trustworthy email ecosystem.