Do I need a VMC for BIMI to work with Google and Gmail?
Michael Ko
Co-founder & CEO, Suped
Published 10 Jun 2025
Updated 19 Aug 2025
10 min read
Brand Indicators for Message Identification (BIMI) is an email standard that allows brands to display their official, verified logos next to their authenticated email messages in recipient inboxes. It is designed to enhance brand recognition, build trust with recipients, and combat phishing by visually confirming the sender's identity. Implementing BIMI involves several steps, including robust email authentication like DMARC enforcement.
A crucial component of BIMI, particularly for certain mailbox providers, is the Verified Mark Certificate (VMC). A VMC is a digital certificate that verifies the authenticity of your brand's logo. It links your registered trademark logo to your sending domain, ensuring that only legitimate senders can display that specific logo.
The question of whether a VMC is strictly necessary for BIMI to work with major providers like Google and Gmail has been a point of confusion for many. Historically, Gmail was among the providers that required a VMC for BIMI logo display. This requirement ensured an extra layer of verification, tying the visual brand element directly to a legally registered trademark. However, recent developments have introduced new options.
I will clarify the current landscape for BIMI and VMCs, especially in the context of Google and Gmail, helping you understand the requirements and how to best implement this standard for your brand's email presence.
The traditional VMC requirement for Gmail
When BIMI first gained traction, Google made it clear that for a brand logo to appear in Gmail inboxes, a Verified Mark Certificate (VMC) was a mandatory requirement. This decision was rooted in a strong emphasis on security and trust. A VMC serves as a robust validation mechanism, ensuring that the logo displayed is indeed owned by the sending organization and is a registered trademark. This added layer of verification helps prevent impersonation and improves the recipient's confidence in the email's legitimacy.
The rationale behind Gmail's strict VMC requirement was to provide a visual cue that was difficult for malicious actors to replicate. Unlike simpler methods of displaying logos, a VMC-backed BIMI record signifies that the brand has undergone a rigorous validation process with a recognized Certificate Authority (CA). This process includes verifying the company's legal existence and the ownership of the trademarked logo.
For many, obtaining a VMC was a significant hurdle due to the costs and the prerequisite of having a registered trademark. Despite these challenges, the benefit of having a verified logo and, often, a blue checkmark next to your email in Gmail inboxes made it a worthwhile investment for brands focused on building strong trust signals. This enhanced visual authentication helped distinguish legitimate emails from phishing attempts.
It is important to understand that while Gmail historically mandated VMCs, other major mailbox providers like Yahoo Mail and Fastmail supported BIMI without a VMC. For these providers, simply having a properly configured BIMI DNS record and an enforced DMARC policy was sufficient to display a logo. However, the VMC added an extra layer of trust that was especially valued by Google.
The evolution of Google's BIMI requirements
In a significant development, Google announced a change to its BIMI requirements, now also accepting Common Mark Certificates (CMCs). This update was a game-changer for many organizations that previously found VMCs cost-prohibitive or couldn't meet the trademark registration requirement. CMCs allow brands to display their logo in supporting inboxes without needing a registered trademark.
The introduction of CMCs aims to democratize BIMI, making it accessible to a wider range of businesses and organizations. While a VMC still offers the highest level of logo verification, including the coveted Gmail blue checkmark for senders with a registered trademark, CMCs provide a viable alternative for displaying a verified logo without that specific prerequisite. This means you can now get BIMI to work with Google and Gmail using either a VMC or a CMC, depending on your brand's specific needs and trademark status. You can read more about CMCs on the BIMI Group's official announcement.
Verified Mark Certificate (VMC)
Trademark required: Requires your logo to be a registered trademark.
Validation: High-level validation by a Certificate Authority (CA) that verifies both domain and logo ownership.
Gmail display: Displays your logo and the Google blue verified checkmark.
Cost: Generally more expensive due to the rigorous validation process and trademark requirement.
Security Signal: Strongest signal of authenticity and trust for recipients.
Common Mark Certificate (CMC)
Trademark required: Does not require a registered trademark for your logo.
Validation: Validates domain ownership and verifies the logo, but without the trademark legal backing.
Gmail display: Displays your logo, but currently without the Google blue checkmark.
Cost: Generally less expensive and more accessible.
Security Signal: Still enhances trust by displaying a verified logo, but without the trademark backing.
While CMCs offer greater flexibility, a VMC remains the gold standard for brands aiming for the highest level of visual authentication in the inbox, particularly with Gmail's blue checkmark. Both certificates require a properly configured BIMI record, which means your domain must have an enforced DMARC policy (p=quarantine or p=reject) and correctly published SPF and DKIM records. This is a foundational step regardless of whether you choose a VMC or CMC. For detailed information on implementing BIMI, you can refer to our guide on the requirements for BIMI and provider support.
Why BIMI is preferred over workarounds
Before BIMI became widely supported, some brands adopted workarounds to display their logo in Gmail. One common method involved setting a profile picture for the sender's Google account that would then appear alongside emails sent from that address. While this offered a visual branding element, it was never an official standard like BIMI and lacked any underlying security verification. You can learn more about how to set up BIMI for Gmail and Yahoo Mail in our related article.
These workarounds, although functional for a time, present several issues. Primarily, they do not offer the security assurances that BIMI, especially with a VMC (or even a CMC), provides. Anyone could theoretically set up a Google profile with a stolen logo, potentially misleading recipients. This creates a loophole that genuine BIMI aims to close by requiring strong email authentication and verified logo ownership. The goal of BIMI is to give consumers visual confidence that the email they received is from the legitimate brand.
Understanding BIMI vs. Google Profile Images
The Google profile image approach is simply a display feature tied to an account, not a robust security standard. It doesn't verify the email sender's domain or the authenticity of the logo in the same way BIMI does. BIMI, on the other hand, is built upon established email authentication protocols like DMARC, ensuring that the logo is only displayed if the email genuinely originates from the claimed brand.
While workarounds might offer a temporary visual presence, they are not future-proof and do not contribute to the broader ecosystem of email security and trust. Mailbox providers are increasingly prioritizing authenticated experiences, making standards like BIMI essential for long-term deliverability and brand integrity.
Therefore, if your goal is to reliably display your brand's logo in Gmail and benefit from the associated trust signals, investing in a proper BIMI implementation with either a VMC or a CMC is the recommended path. This ensures compliance with evolving industry standards and provides a verified visual identity that stands the test of time. For troubleshooting issues with your BIMI logo not showing, check out our guide on why your BIMI logo might not be appearing.
Implementation considerations
To enable BIMI for your domain, regardless of whether you choose a VMC or CMC, you need to ensure your email authentication is rock solid. This primarily means having SPF, DKIM, and DMARC properly configured and enforced. Your DMARC policy must be set to 'quarantine' or 'reject' for BIMI to function. This is the bedrock of the BIMI standard, proving that your domain is protected against unauthorized use.
Next, you will need to prepare your logo in a specific SVG Tiny PS format. This SVG file needs to be hosted on a secure (HTTPS) server. The BIMI record itself is a DNS TXT record that points to the location of your SVG logo file and, if applicable, your VMC or CMC. For detailed steps on BIMI implementation, including how to format your logo and publish your DNS record, please refer to our comprehensive guide.
Here's an example of what a BIMI record might look like in your DNS settings:
In this example, 'l=' points to your SVG logo, and 'a=' points to your VMC or CMC. If you're implementing BIMI without a certificate (for providers that don't require one, or using a CMC where the blue checkmark isn't needed), the 'a=' tag would be omitted. Keep in mind that BIMI is still evolving, and staying updated with provider-specific requirements is key to maintaining consistent logo display.
Views from the trenches
Best practices
Ensure your DMARC policy is at enforcement (p=quarantine or p=reject) before deploying BIMI, as it is a strict prerequisite.
Always use a publicly accessible, HTTPS-secured URL for your SVG logo and certificate files.
Validate your BIMI DNS record using online tools after publication to catch any syntax errors or misconfigurations.
Monitor your DMARC reports closely after BIMI implementation to ensure alignment and authentication are working as expected.
Consider obtaining a VMC if the blue verified checkmark in Gmail is a key branding goal for your organization.
Common pitfalls
Neglecting DMARC enforcement, which will prevent BIMI from working, especially with Google and Gmail.
Using an SVG logo that is not properly formatted to SVG Tiny PS, leading to display issues.
Hosting your BIMI assets (logo, certificate) on an insecure server (HTTP instead of HTTPS).
Failing to update your BIMI record if your logo or certificate URL changes, causing the logo to disappear.
Expecting immediate logo display across all mailboxes, as propagation and caching can cause delays.
Expert tips
For brands testing BIMI or those without a registered trademark, a Common Mark Certificate (CMC) is now a viable option for Gmail logo display.
Even with a VMC-backed BIMI, some minor UI elements in Gmail might still rely on Google profile images, so a hybrid approach can be beneficial.
The BIMI working group is actively exploring ways to simplify the VMC certification process to increase adoption.
While workarounds for logo display existed, they lack the security backing of BIMI and are likely to be phased out by major providers.
Remember that BIMI's primary value is in enhancing brand trust and combating phishing through visual authentication, not direct email deliverability improvements.
Marketer view
A marketer from Email Geeks says that you absolutely need a VMC for Google, but other mailbox providers may not require one, such as Fastmail and Yahoo, as of now.
2022-03-14 - Email Geeks
Marketer view
A marketer from Email Geeks says that if you have a Google Workspace account, you can add an image to your profile, which will display next to your messages, though it's not the same as BIMI.
2022-03-14 - Email Geeks
Final thoughts on BIMI and VMCs for Gmail
The landscape of BIMI and Verified Mark Certificates has evolved, particularly with Google's and Gmail's support for Common Mark Certificates (CMCs). While a VMC was previously a hard requirement for Gmail logo display, you now have more flexibility. The critical takeaway is that while BIMI can function without a VMC for some providers, Google and Gmail still require a verified certificate, whether a VMC (for trademarked logos and the blue checkmark) or a CMC (for non-trademarked logos).
The primary benefit of BIMI, regardless of the certificate type, is the enhanced trust and brand recognition it provides. By visually verifying your brand in the inbox, you help recipients quickly identify legitimate emails and differentiate them from phishing attempts. This visual authentication, combined with a robust DMARC enforcement policy, significantly strengthens your email security posture.
For brands committed to maximizing their email deliverability and reputation, a comprehensive BIMI implementation is no longer optional but a strategic imperative. It's about building a recognizable and trustworthy presence in the inbox, which translates into better engagement and protection against brand impersonation.
To ensure your logo consistently appears as intended across all major mailbox providers, including Google and Gmail, prioritize strong email authentication and consider which type of verified mark certificate best suits your brand's trademark status and objectives. This will set you up for long-term success in the evolving email landscape.
Google and Gmail has been a point of confusion for many. Historically, Gmail was among the providers that required a VMC for BIMI logo display. This requirement ensured an extra layer of verification, tying the visual brand element directly to a legally registered trademark. However, recent developments have introduced new options.
Yahoo Mail and 
Fastmail supported BIMI without a VMC. For these providers, simply having a properly configured BIMI DNS record and an enforced DMARC policy was sufficient to display a logo. However, the VMC added an extra layer of trust that was especially valued by Google.
