If you're looking to implement BIMI (Brand Indicators for Message Identification) to get your logo showing in your customers' inboxes, you've likely come across the term Verified Mark Certificate, or VMC. It’s a critical piece of the puzzle, and a common question I get is about who exactly issues these special certificates. It’s not something you can get from just any certificate provider.
The short answer is that VMCs are issued by a select group of organizations known as Certificate Authorities (CAs). These aren't just any CAs; they are specific ones that have been authorized to act as Mark Verifying Authorities (MVAs).
A VMC serves as digital proof that your organization has the legal right to use a specific logo because it has been officially trademarked. This verification is what gives email providers like Google and Apple the confidence to display your logo next to your messages.
Authorized certificate authorities for VMCs
The BIMI Group, which develops the BIMI standard, works with these CAs to ensure they follow strict validation procedures. This is to prevent bad actors from impersonating brands. Only a handful of CAs are currently accredited to issue VMCs. The list of providers has grown over time, but the main players include:
- DigiCert: A leading CA and one of the very first to start issuing VMCs. They issued the first VMC to CNN back in 2019 during the early pilots.
- Entrust: Another major global CA that provides VMCs with a strong focus on identity and security.
- Sectigo: A well-known name in the web security space that also offers VMCs to help brands implement BIMI.
- GlobalSign: This CA also provides VMCs and extensive documentation on the application process.
The verification process and requirements
Getting a VMC isn't a simple transaction. It involves a detailed verification process where the Certificate Authority validates your organization and, most importantly, your logo. Before you can even apply, you must have a few things in place.
First, your domain must be authenticated with DMARC at an enforcement policy of p=quarantine or p=reject. Second, and this is the key part, your logo must be a registered trademark. The CA will check this against official records from intellectual property offices. As The SSL Store notes, this certificate verifies your logo so that email providers know anyone else can't just use it.
This rigorous process is why VMCs come with a significant cost, often over a thousand dollars per year. You are paying for the extensive legal and identity verification that the Certificate Authority performs. This ensures the integrity of the BIMI standard and protects brands from impersonation, which is ultimately what makes the system trustworthy for everyone.
What DNS record type is used for BIMI?
What image format is required for BIMI logos?
Is a VMC (Verified Mark Certificate) required for BIMI to display a logo?
What is the BIMI 'v=' tag value?
Does BIMI authenticate the logo itself?
What are the specific requirements for an SVG image to be BIMI compliant?
