Suped

How can I check if a domain uses Entrust or Digicert for BIMI, and should I avoid Entrust?

Matthew Whittaker
Co-founder & CTO, Suped
Published 13 Jul 2025
Updated 17 Aug 2025
Brand Indicators for Message Identification (BIMI) is becoming increasingly important for establishing trust and brand recognition in email. At its core, BIMI allows your brand's logo to appear next to your emails in supporting inboxes, but this relies on a Verified Mark Certificate (VMC). Currently, DigiCert and Entrust are the only two Certificate Authorities (CAs) authorized to issue VMCs. However, recent developments, particularly concerning Entrust, have raised questions about which CA to choose and how to verify a domain's current VMC issuer. Let's delve into how to determine which provider a domain uses and whether Entrust should be avoided.
Understanding the VMC issuer for a domain is crucial for ensuring your BIMI implementation remains effective. If you're encountering issues with your logo not displaying, or you simply want to verify a competitor's setup, knowing how to identify the VMC provider is a valuable skill for email marketers and deliverability professionals.

How to identify your BIMI VMC issuer

There are several methods to check which Certificate Authority (CA) a domain is using for its BIMI Verified Mark Certificate. Each method offers a different level of detail and technical complexity, allowing you to choose the one that best suits your needs.

Inspecting the BIMI DNS record

The BIMI record itself, published in the domain's DNS, contains a pointer to the Verified Mark Certificate. By querying this DNS record, you can extract the URL of the VMC file, usually in a .pem format. This file can then be downloaded and inspected to determine its issuer. For example, a common BIMI selector is default, meaning the record would be default._bimi.yourdomain.com. Once you have the URL, you can use command-line tools like curl and openssl to extract the issuer information.
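Command line check for BIMI VMC issuer

```bash
# Look up the BIMI record for the default selector; its a= tag holds the VMC URL
dig +short default._bimi.paypal.com txt

# Download the certificate from that URL and print its issuer
curl -s https://www.paypalobjects.com/marketing/web/logos/paypal_com.pem | openssl x509 -text -noout | grep Issuer:
```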
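The same check as a reusable script, added here as an example rather than code from the original article: it parses the `a=` tag out of the BIMI record, fetches the certificate over HTTPS only, and flags an Entrust certificate dated after the 15 November 2024 cut-off discussed later on this page. The function names, the verdict strings and the use of `notBefore` as the issue date are assumptions of this example, and the sample issuer line is constructed.

```bash
# Added example: BIMI record -> VMC URL -> issuer and issue-date check.
# Print one tag's value ("a" = VMC URL, "l" = logo URL) from a BIMI TXT record.
# dig quotes TXT data and may split it into several "..." chunks; rejoin first.
bimi_tag() {  # usage: bimi_tag <tag> <record>
    printf '%s\n' "$2" | sed 's/" *"//g; s/"//g' | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Map an openssl issuer line to the CA names the article discusses.
classify_issuer() {
    case "$1" in
        *DigiCert*) echo DigiCert ;;
        *Entrust*)  echo Entrust ;;
        *)          echo other ;;
    esac
}

# "notBefore=Nov  5 00:00:00 2024 GMT" -> 20241105
not_before_ymd() {
    printf '%s\n' "${1#notBefore=}" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        printf "%04d%02d%02d\n", $4, m, $2 }'
}

# Flag Entrust VMCs dated after the Apple cut-off the article cites (15 Nov 2024).
# Assumption: notBefore is treated as the issue date.
vmc_verdict() {  # usage: vmc_verdict <issuer line> <notBefore line>
    ca=$(classify_issuer "$1")
    if [ "$ca" = Entrust ] && [ "$(not_before_ymd "$2")" -gt 20241115 ]; then
        echo "$ca: issued after cut-off, logo at risk"
    else
        echo "$ca: no cut-off flag"
    fi
}

check_domain() {  # live lookup: needs dig, curl, openssl and network access
    url=$(bimi_tag a "$(dig +short "default._bimi.$1" txt)")
    # The URL comes from DNS, so accept HTTPS only and bound the fetch.
    case "$url" in https://*) ;; *) echo "no HTTPS a= URL"; return 1 ;; esac
    pem=$(curl -fsS --proto '=https' --max-time 15 "$url") || return 1
    vmc_verdict "$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)" \
                "$(printf '%s\n' "$pem" | openssl x509 -noout -startdate)"
}

if [ $# -gt 0 ]; then check_domain "$1"; else
    # Constructed sample values, so the script also runs offline.
    vmc_verdict 'issuer=C = US, O = Entrust, Inc., CN = Constructed VMC CA' \
                'notBefore=Nov 20 00:00:00 2024 GMT'
fi
```

Run it with a domain as the only argument for a live lookup; without arguments it evaluates the constructed sample.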

Using online BIMI checkers

For a simpler approach, several online tools can automatically pull the BIMI data, including the certificate issuer. These tools are often more user-friendly and provide quick results without needing command-line expertise. They are also helpful for validating the overall BIMI record configuration. Websites like About My Email are excellent resources for this purpose.
Using an online BIMI checker can often provide a comprehensive report, including the VMC issuer, DMARC policy status, and SVG logo validation, making it an efficient option for quick checks.

| Method | Pros | Cons |
|---|---|---|
| Manual inspection | Provides deep technical insight and direct certificate data. | Requires command-line proficiency (e.g., openssl). Can be time-consuming for multiple checks. |
| Online BIMI checkers | User-friendly, fast, provides a comprehensive overview of BIMI setup. | Relies on third-party tools, some may have limitations or require specific data. |

The current situation with Entrust and BIMI

The question of whether to avoid Entrust stems from recent actions taken by major tech companies like Google and Apple regarding Entrust's certificates. Specifically, Google's Chrome team announced plans to distrust public TLS certificates issued by Entrust and its subsidiary, AffirmTrust, after October 31, 2024, due to a series of compliance failures. Similarly, Apple indicated that VMCs issued from Entrust public roots after November 15, 2024, would no longer be supported on Apple platforms.
While the primary concern for Google and Apple initially focused on general SSL/TLS certificates, the distrust has extended to BIMI VMCs (Verified Mark Certificates) issued by Entrust. This means that email clients from these providers may stop displaying logos for emails authenticated with an Entrust-issued VMC that was issued after the stated cut-off dates. This presents a significant challenge for brands relying on BIMI to enhance their email presence and trust.
The core issue revolves around Entrust's adherence to Certificate Authority/Browser Forum (CA/B Forum) Baseline Requirements and Apple Root Store Policy. Persistent compliance incidents have led to a loss of trust from major browsers and operating systems. While Entrust has stated that VMCs use a different root, the broader distrust in their public roots casts a shadow over all certificate types, including VMCs.

Implications for BIMI

If your VMC is from Entrust and was issued after the mentioned deadlines, there's a high probability your BIMI logo will no longer display in Gmail (Chrome), Apple Mail, and potentially other clients that follow Google and Apple's root store policies. This directly impacts brand visibility and perceived authenticity.
This situation highlights the importance of staying informed about CA trust changes and proactively managing your VMC certificates. For more information on why this is happening, you can read about Apple's distrust of Entrust.

Should you avoid Entrust for BIMI?

Given the ongoing distrust issues, the general consensus among email deliverability experts is to exercise caution when considering Entrust for new BIMI implementations. While Entrust may resolve their compliance issues in the future, the immediate risk of logos not displaying is a significant drawback.

Recommendations for new BIMI implementations

For new BIMI setups, DigiCert remains the safer and more reliable choice as a VMC issuer. They have maintained a strong reputation for compliance and trust with major mailbox providers. Prioritizing a CA with undisputed trust is vital for maximizing the reach and impact of your BIMI logo. You can learn more about DigiCert's role as a VMC issuer.

Recommendations for existing Entrust VMC users

If you already have an Entrust VMC, it's prudent to assess the potential impact. While Google stated they are assessing the situation for VMCs, Apple's stance is clearer. Preparing a contingency plan, including understanding the process, cost, and time required to switch to DigiCert, is a wise step. Proactive planning helps mitigate potential disruption to your brand's email presence.

Entrust

  1. Current status: Facing distrust from major players like Google (Chrome) and Apple due to compliance issues.
  2. Risk to BIMI: High risk of VMC-authenticated logos not displaying in prominent email clients.
  3. Recommendation: Avoid for new BIMI implementations. For existing users, prepare a migration plan.

DigiCert

  1. Current status: Maintains strong trust and compliance with CA/B Forum requirements.
  2. Risk to BIMI: Low risk, VMC-authenticated logos expected to display consistently.
  3. Recommendation: Recommended for all new BIMI implementations and as a migration target.

Final thoughts on BIMI and VMC providers

In conclusion, checking a domain's BIMI VMC issuer can be done through manual certificate inspection or by using readily available online tools. While Entrust has historically been a key player, recent issues with major tech companies like Google and Apple distrusting their certificates for general web traffic (and extending to VMCs for BIMI) mean that using Entrust for new BIMI implementations carries significant risk.
It's always better to prioritize stability and trust when it comes to email authentication. For current Entrust VMC users, understanding your options and preparing for a potential switch to a provider like DigiCert is a prudent step. For those starting with BIMI, opting for a universally trusted CA will help ensure your brand's logo consistently appears in recipients' inboxes, solidifying your email deliverability and brand reputation.

Views from the trenches

Best practices
Actively monitor announcements from major mailbox providers regarding CA trust policies.
For new BIMI setups, opt for a VMC provider with a stable and undisputed reputation for trust.
If currently using Entrust, develop a clear transition plan to an alternative VMC provider.
Common pitfalls
Assuming your Entrust VMC will remain valid indefinitely despite public distrust announcements.
Delaying assessment of alternative VMC providers, leading to rushed migrations or logo display issues.
Not understanding the distinction between general SSL/TLS certificates and VMCs.
Expert tips
Always consult the official documentation from the BIMI Group and major email providers for the latest requirements.
Consider engaging with a deliverability specialist to navigate complex VMC and BIMI issues.
Even if VMCs have different roots, a CA's overall compliance record impacts confidence across all their products.
Expert view
Expert from Email Geeks says manually pulling the certificate and inspecting it using tools like OpenSSL is a reliable way to identify the VMC issuer.
July 2, 2024 - Email Geeks
Expert view
Expert from Email Geeks says online tools like AboutMy.Email can easily pull BIMI data, including the certificate issuer, which is convenient.
July 3, 2024 - Email Geeks
