Can a trademark owner authorize a third party to use their logo for BIMI?

Key findings

• Authorization possible: Trademark owners can indeed authorize third parties (e.g., marketing agencies or franchisees) to use their registered logo for BIMI display, provided all technical prerequisites are met.
• VMC requirement: For many major mailbox providers (like Gmail), a Verified Mark Certificate (VMC) is necessary to authenticate the logo. This certificate verifies that the logo is a registered trademark and that the domain is authorized to use it.
• DMARC alignment: Successful BIMI implementation critically relies on a strong DMARC policy, specifically p=quarantine or p=reject, ensuring both SPF and DKIM authentication are correctly aligned with the visible From: domain. You can learn more about DMARC alignment in our guide, a simple guide to DMARC, SPF, and DKIM.
• CA discretion: The Certificate Authority (CA) responsible for issuing the VMC has the final say on whether to issue a certificate for specific domain configurations, especially concerning "cousin domains" or domains not directly owned by the trademark holder but used by an authorized sender.
• Mailbox provider discretion: Even with all technical requirements met, the ultimate decision to display the logo rests with individual mailbox providers, who may have additional, often unstated, criteria.

Key considerations

• Domain ownership: If the third party uses a domain that is distinct from the primary brand's domain (a "cousin domain"), the complexity of obtaining a VMC that covers the brand's logo for that specific domain increases. The primary brand might need to add the cousin domain to their existing VMC.
• VMC scope: A single VMC can be issued to cover multiple domains, simplifying management for brands with several sending domains or those authorizing various third parties.
• Understanding requirements: It's crucial for both the trademark owner and the third-party sender to fully understand the intricate technical requirements for BIMI and VMC, including the need for a registered trademark and a published BIMI record.
• Legal and executive alignment: Often, internal legal or executive teams may misunderstand the technical implications of email authentication standards like BIMI, potentially creating roadblocks for authorized third-party usage. This is where the BIMI Group's documentation can be a helpful resource.

Key opinions

• Franchise models work: Marketers in franchise organizations have successfully enabled franchisees to use the brand's logo for BIMI, indicating that authorized third-party use is achievable in real-world scenarios.
• Cousin domain challenges: The use of "cousin domains" (e.g., joinusatfoo.com for foo.com) by third-party marketers for a primary brand's logo introduces significant complications. Marketers often find these situations are not straightforward.
• CA decision point: Many marketers perceive that the ultimate decision regarding VMC issuance for such complex domain structures lies solely with the Certificate Authority, suggesting a degree of uncertainty and a need for direct consultation with CAs.
• Advocate for main domain VMC: A common suggestion from marketers is for the primary brand (foo.com in the example) to obtain and manage the VMC, potentially adding authorized third-party domains to their certificate.
• Non-technical roadblocks: Marketers lament facing internal resistance, particularly from legal or executive departments, who may not grasp the technical nuances of email authentication and BIMI implementation. This leads to a perception that some internal "reasons" block technically feasible solutions.

Key considerations

• Early CA consultation: For complex scenarios like third-party logo usage on cousin domains, it's advisable for marketers to consult with a Certificate Authority early in the process to understand specific requirements and feasibility.
• Internal education: Marketers play a crucial role in educating their internal stakeholders, especially legal and executive teams, on the technical requirements and benefits of BIMI, to overcome unnecessary restrictions. This helps with the implementation steps for BIMI.
• Domain strategy: Consider whether using a subdomain of the main brand (e.g., marketing.foo.com) for third-party sending might simplify BIMI implementation compared to completely separate "cousin domains."
• Focus on DMARC readiness: Ensure the core DMARC policies are robust (p=quarantine or p=reject) on all relevant sending domains before attempting BIMI, as this is a fundamental prerequisite for any BIMI deployment. DMARC monitoring can help track compliance.
• Expect variations: Marketers should be prepared for the fact that even with proper BIMI setup, logo display can vary across different email clients due to their specific rendering rules and policies, as noted by Knak's guide to BIMI.

Key opinions

• Affirmative authorization: According to experts, a trademark owner can authorize third parties to send BIMI-compliant mail on their behalf, provided the mail is DMARC-aligned and meets other technical specifications.
• BIMI is domain-keyed: BIMI functionality is tied directly to the visible From: domain in the email, requiring that domain (and the organizational domain, if different) to have a DMARC policy of p=quarantine or p=reject.
• CA's role in VMC: The Certificate Authority (CA) holds the responsibility for verifying both the entity applying for the VMC and the trademark itself, making their decision pivotal in cases involving third-party domain usage.
• VMC for multiple domains: Experts confirm that a single Verified Mark Certificate can encompass multiple domains, simplifying the process for brands with various sending entities or authorized third parties.
• Logo display is not guaranteed: Even if all BIMI requirements are met, experts caution that mailbox providers retain the final discretion on whether to display the logo, based on their own internal algorithms and reputation checks.

Key considerations

• Cousin domain complexity: Using "cousin domains" that are not directly owned by the primary brand but are intended to display the brand's logo presents a nuanced challenge. The CA's willingness to include such domains on a VMC is not always certain.
• Strategic domain management: Experts often suggest that it might be more straightforward for the primary brand (foo.com) to manage the VMC and include authorized third-party domains (joinusatfoo.com) on it, if the CA permits.
• Internal communication challenges: Many experts have encountered situations where internal legal or executive teams, lacking email technical knowledge, impose restrictions that complicate or prevent optimal BIMI implementation for authorized third-party senders, leading to unnecessary hurdles. This is a common issue that email deliverability experts frequently face.
• Beyond technical compliance: While technical adherence to BIMI standards, including DMARC compliance, is essential, other factors like sender reputation and mailbox provider policies can still influence logo display.
• VMC requirements clarity: It's important to thoroughly review the VMC requirements provided by the BIMI Group and the specific Certificate Authorities to ensure compliance for authorized third-party usage.

Key findings

• BIMI standard requirements: The BIMI standard mandates that the logo displayed must be a registered trademark and that the sending domain must enforce a DMARC policy of p=quarantine or p=reject.
• VMC as proof of ownership: A Verified Mark Certificate (VMC) serves as cryptographic proof that the organization has the right to use the specified logo for the identified sending domain(s).
• Flexibility for authorized senders: While the documentation emphasizes the trademark owner's rights, it generally allows for the owner to authorize use by legitimate third-party senders, aligning with how DMARC permits third-party sending.
• CA's verification process: Certificate Authorities, such as DigiCert and Entrust, are responsible for a stringent validation process to ensure the requesting entity has verified ownership of both the domain and the trademarked logo. This includes checking the trademark's registration with a recognized intellectual property office.
• Logo format: BIMI requires the logo to be in a specific Scalable Vector Graphics (SVG) format, specifically SVG Tiny P/S, which must also be validated. Details on this can be found in information about BIMI requirements for SVG files.

Key considerations

• Trademark registration: Documentation consistently stresses that the logo must be a registered trademark in one of the approved jurisdictions globally to be eligible for a VMC.
• Domain control validation: The organization requesting the VMC (whether the brand owner or an authorized third party) must demonstrate control over the domains listed in the VMC.
• Binding with VMC: The BIMI record published in DNS must correctly reference the VMC, which in turn links the logo to the authorized domain, as explained by the BIMI Group's official guidelines.
• Regular updates: The VMC is a digital certificate with a validity period, requiring periodic renewal and re-validation to ensure continuous logo display. This is part of the costs and steps for implementing BIMI.
• Brand consistency: Documentation implicitly encourages maintaining brand consistency by ensuring that any authorized third-party usage adheres to the brand's guidelines for logo representation.