The world of Verified Mark Certificates (VMCs) can sometimes feel a bit like a tangled web, especially when major Certificate Authorities (CAs) undergo acquisitions and shift their offerings. A common question I've encountered revolves around Sectigo and its relationship with DigiCert when it comes to VMCs. Specifically, many wonder if Sectigo, despite being a prominent CA itself, is simply reselling DigiCert's VMCs, particularly after its acquisition of Entrust's public certificate business.
This isn't just a matter of curiosity, it has significant implications for organizations looking to implement BIMI (Brand Indicators for Message Identification). The validity and acceptance of a VMC by major email providers like Google and Apple depend heavily on its issuer. If a CA is not directly authorized to issue VMCs that these providers recognize, then purchasing one through them might not yield the desired results, like displaying your logo in the inbox.
My understanding, supported by discussions within the industry, is that while Sectigo is a large and respected Certificate Authority for various SSL/TLS certificates, its approach to Verified Mark Certificates is indeed more nuanced. It appears that for new VMC issuances, Sectigo acts as a reseller for DigiCert VMCs, rather than issuing them directly under its own root for general recognition by email clients that support BIMI.
This distinction is critical. Even though Sectigo maintains its own robust certificate infrastructure, the specific requirements for VMCs, especially those enforced by email service providers like Google and Apple, mean that only a limited number of Certificate Authorities are explicitly approved. This article will delve into the details of this arrangement and what it means for your email authentication strategy.
The VMC market and CA accreditation
To fully understand Sectigo's position, we need to consider the evolving landscape of VMCs and the role of Certificate Authorities. VMCs are specialized digital certificates that verify ownership of a trademarked logo, enabling its display in supporting email clients. For these certificates to be effective, they must be issued by a CA recognized by the BIMI Group and, crucially, by email providers like Google and Yahoo.
DigiCert has historically been a leading provider of VMCs, playing a significant role in the initial rollout and standardization of BIMI. Sectigo is also a major CA with extensive experience in issuing various types of digital certificates, including SSL/TLS. However, the specific accreditation process for VMCs is distinct, and not all CAs that issue traditional certificates are approved to issue VMCs that meet the requirements of all participating email providers.
The acquisition of Entrust's public certificate business by Sectigo added another layer of complexity. Entrust was one of the early BIMI accredited certificate providers, and many organizations had obtained their VMCs through them. After the acquisition, Sectigo began to manage these existing Entrust-issued VMCs, ensuring continuity for those customers. However, the question remained whether Sectigo would begin issuing new VMCs directly under its own name for general BIMI adoption, or if it would maintain a different strategy for new issuances.
Sectigo's approach to VMC issuance
Based on my recent observations and information from industry channels, it appears that for new VMC certificates, Sectigo has chosen to resell DigiCert's VMCs. This means that if you purchase a VMC from Sectigo today, the underlying certificate will likely be issued by DigiCert, not directly by Sectigo. This isn't unusual in the certificate market, as CAs often partner or white-label services.
For existing Entrust VMCs that were acquired by Sectigo, the situation is different. Sectigo is managing the wind-down of these older certificates. This strategy suggests that Sectigo isn't actively seeking to become a direct VMC issuer for new purchases that are recognized by major email clients, but rather ensuring a smooth transition and management for its inherited customer base.
Current VMC issuance
New VMCs: Sectigo resells DigiCert VMCs. The certificate will show DigiCert as the issuer.
Existing Entrust VMCs: Sectigo manages the lifecycle of VMCs originally issued by Entrust before its acquisition. This is generally a transitional phase.
What this means for BIMI
Vendor choice: When seeking a VMC, it's crucial to confirm which CA is the ultimate issuer to ensure recognition by email providers. Consider checking what are the recommended VMC providers for BIMI.
Compatibility: A VMC must be issued by a CA that is explicitly accepted by the email clients you are targeting (e.g., Google, Apple). Without this, your logo may not display.
So, while Sectigo's website may list VMCs, it's important to dig a bit deeper into the specifics of who the ultimate issuer is. For now, it seems the general consensus is that DigiCert remains a primary direct issuer of VMCs for BIMI display across major email providers.
Implications for BIMI implementation
For organizations looking to implement BIMI and display their logo, this distinction in VMC issuance is vital. Ensuring your VMC is from an accepted issuer is as important as having a properly configured DMARC policy. A VMC that isn't recognized by a mailbox provider will not enable your logo to appear, effectively negating the investment and effort.
Important considerations for VMCs:
Accreditation: Always verify that the CA issuing your VMC is on the list of approved providers by the BIMI Group and, more importantly, recognized by major email service providers. Some VMCs from CAs listed by the BIMI Group might not be universally accepted, as seen with Apple's distrust of Entrust.
Cost and alternatives: While VMCs offer significant brand benefits, they come with a cost. It's worth exploring the cost of VMC certificates and cheaper alternatives, particularly if your primary goal is simply to adopt BIMI without the certified logo.
Navigating these nuances is part of ensuring successful email deliverability and brand presence. By understanding the underlying issuance process, you can make informed decisions about your VMC provider and avoid potential issues that could prevent your logo from appearing.
For ongoing monitoring of your DMARC, SPF, and DKIM records, which are essential for BIMI to function, I recommend using a robust platform like Suped. Our DMARC monitoring provides AI-powered recommendations to fix issues, real-time alerts, and a unified platform for all your email authentication needs, including blocklist monitoring and deliverability insights. This ensures that the foundational security protocols for your VMC are always in perfect alignment.
Views from the trenches
Best practices
Always verify the ultimate CA issuer for your VMC, especially with partnerships or acquisitions.
Prioritize CAs explicitly recognized by major mailbox providers like Google and Apple for BIMI.
Regularly check your DMARC reports to ensure VMC validation and BIMI display are working correctly.
Common pitfalls
Assuming all CAs can issue universally accepted VMCs, leading to wasted investment.
Overlooking the specific accreditation needed for VMCs by email service providers.
Neglecting to monitor DMARC and BIMI implementation, missing potential display issues.
Expert tips
Consider engaging with a DMARC monitoring service that provides insights into your BIMI status.
Review the BIMI Group's official list of VMC issuers for current approved providers.
If migrating VMCs due to CA changes, plan carefully to avoid service interruptions.
Marketer view
Marketer from Email Geeks says Sectigo definitely acts as a Certificate Authority for other types of certificates, so it's a bit confusing why they might resell for VMCs.
2024-07-10 - Email Geeks
Expert view
Expert from Email Geeks says that for new VMCs, Sectigo sells DigiCert certificates, not their own. They handle existing Entrust VMCs as a wind-down process.
2024-07-12 - Email Geeks
Making informed VMC decisions
In summary, while Sectigo is a formidable Certificate Authority, the evidence indicates that for new VMC issuances for BIMI, they primarily resell DigiCert VMCs. Their involvement with Entrust VMCs appears to be centered on managing existing certificates rather than issuing new ones directly under the Sectigo brand for broad email client recognition. This distinction is paramount for anyone navigating the complexities of BIMI setup and aiming for consistent logo display in inboxes.
The key takeaway is to always verify the ultimate root Certificate Authority of your VMC to ensure it aligns with the strict requirements of email service providers. This due diligence will help guarantee that your investment in a VMC translates into tangible brand visibility and enhanced email trust.
Effective email authentication, including DMARC, SPF, and DKIM, forms the bedrock of BIMI and VMC success. I encourage you to leverage comprehensive tools like Suped for robust DMARC monitoring and reporting. Our platform offers AI-powered recommendations for policy adjustments, real-time alerts, and features like SPF flattening, making it easier to maintain your email security posture and maximize deliverability.
