Do I need a separate VMC for each subdomain?

Generally, no. A single Verified Mark Certificate (VMC) issued for your organizational domain (e.g., yourcompany.com ) should cover all its subdomains (e.g., marketing.yourcompany.com ). The BIMI record is typically published at the root domain, and its verification extends to subdomains, provided they meet DMARC alignment requirements. Learn more about how BIMI trickles down to subdomains .

Is a VMC always required for BIMI logo display?

While BIMI can be implemented without a VMC for some email clients, major providers like Google and Apple Mail require a VMC to display your logo. The VMC acts as a verifiable proof of trademark ownership, which is crucial for these providers to trust and display your brand's image. This is also how you can implement a blue check mark on Gmail .

My BIMI logo isn't displaying, even with a VMC. What should I check?

If your BIMI logo is not showing up, first verify your DMARC policy is enforced (p=quarantine or p=reject). Then, ensure your BIMI DNS record is correctly published and points to your VMC and SVG logo. Check that your logo meets all SVG format requirements and is hosted securely. Finally, confirm that your VMC is active and correctly linked. You can also review our guide on why your BIMI logo might not be showing .

Can I display a different logo for a specific subdomain?

Yes, if you wish to display a different logo for a specific subdomain, you can publish a separate BIMI record directly on that subdomain. This record will override the organizational domain's BIMI record for that particular subdomain, allowing you to control which logo is displayed. This can be useful for marketing or transactional subdomains with unique branding requirements. Learn how to apply BIMI to a specific subdomain .

How do BIMI VMC certificates work with sub-domains and why are they important for email logo display? - Technical - Email deliverability - Knowledge base

Brand Indicators for Message Identification, or BIMI, has transformed how brand logos appear in email inboxes. It gives senders greater control over their brand's visual identity, fostering trust and recognition among recipients. A critical component for full BIMI adoption, especially with major mailbox providers like Google and Apple, is the Verified Mark Certificate (VMC).

A common question that arises is how VMC certificates interact with subdomains. Do you need a separate VMC for each subdomain, or does a single certificate cover your entire domain structure? Understanding this nuance is key to efficient and cost-effective BIMI implementation and ensuring your brand logo displays consistently across all your email sending identities.

Understanding BIMI and VMC

BIMI functions by allowing an organization to publish a DNS record that points to a brand's logo. This logo is then displayed by supporting email clients next to authenticated email messages. The primary goal of BIMI is to provide visual assurance to recipients that an email truly originates from the claimed brand, thereby reducing phishing and spoofing attempts. However, BIMI alone isn't always enough to guarantee logo display.

This is where Verified Mark Certificates (VMCs) come into play. A VMC is a digital certificate that validates the ownership of a legally registered, trademarked logo. Issued by a Certificate Authority (CA), a VMC serves as undeniable proof that your organization has the right to use the specific logo you're attempting to display via BIMI. Think of it as a digital deed for your brand's visual identity.

For BIMI to work, robust email authentication protocols are essential. You must have a DMARC policy enforced, meaning your DMARC record must be set to 'quarantine' or 'reject'. This ensures that your email sending domain is properly authenticated, which is a prerequisite for BIMI to even be considered by mailbox providers. You can learn more about DMARC, SPF, and DKIM to ensure your foundation is solid.

The importance of VMCs for major mailbox providers

Many leading mailbox providers, including

Gmail and

Apple Mail, require a VMC to display your BIMI logo. This is a critical point: without a VMC, your logo simply won't appear in these inboxes, regardless of your BIMI DNS record. A VMC provides the necessary verification that these providers need to trust and display your logo.

How VMCs work with subdomains

One of the most common misconceptions about VMCs, particularly when dealing with large organizations or those with complex email infrastructures, is the belief that each subdomain requires its own VMC. This is generally not the case. In most scenarios, a single VMC obtained for your organizational domain (also known as your root domain or top-level domain, TLD) can extend its verification to all legitimate subdomains.

The BIMI record is typically published on the organizational domain, and if configured correctly, its verification should trickle down to the subdomains. This means that if you have a VMC for yourcompany.com, it can also authenticate the logo for emails sent from marketing.yourcompany.com or transactional.yourcompany.com, as long as they are properly authenticated with DMARC.

This unified approach significantly streamlines the BIMI implementation process and reduces costs, as you avoid the expense and complexity of managing multiple VMCs. The key is to ensure your BIMI DNS record points to the VMC associated with the root domain. For a deeper dive into how BIMI behaves with subdomains, explore our guide on how BIMI trickles down to subdomains.

Example BIMI DNS record for organizational domainDNS

default._bimi.yourcompany.com. IN TXT "v=BIMI1; l=https://yourcompany.com/bimi/logo.svg; a=https://yourcompany.com/bimi/vmc.pem"

While a VMC at the organizational level typically covers subdomains, there might be specific cases where you want to display a different logo for a particular subdomain, or perhaps not display a logo at all. In such situations, you can publish a specific BIMI record directly on that subdomain, which will override the organizational domain's record. This gives you granular control over your brand's appearance across different sending identities.

Why VMCs are crucial for logo display

The importance of VMCs for email logo display, especially in the context of subdomains, cannot be overstated. Beyond the technical requirements, there are significant brand and security benefits. A verified logo adds a layer of professionalism and authenticity to your emails, making them stand out in crowded inboxes.

Recipients are more likely to open and engage with emails that feature a recognizable and verified brand logo. This visual cue builds immediate trust, reducing the likelihood of your emails being marked as spam or ignored. It's a powerful tool for brand recognition and customer confidence, as detailed in this step-by-step guide.

From a security perspective, a VMC-backed BIMI implementation reinforces your commitment to email security. By displaying a verified logo, you're signaling to both recipients and mailbox providers that your emails are legitimate and that you've taken steps to prevent unauthorized use of your brand. This can indirectly contribute to better email deliverability by improving your domain's reputation with various mailbox providers. For more insights into the broader benefits, explore the benefits and requirements of BIMI.

Furthermore, a VMC is increasingly becoming a standard for displaying logos in major email clients. Without it, you're missing out on the most impactful visual branding opportunity in the inbox. This means your emails might look less trustworthy or professional compared to competitors who have implemented BIMI with VMC.

Implementation considerations and best practices

Implementing BIMI with a VMC requires careful attention to detail to ensure your logo displays correctly across all your sending domains and subdomains. Here are some key considerations:

Trademark your logo: Your logo must be a legally registered trademark in a recognized intellectual property office for you to obtain a VMC. This is a non-negotiable prerequisite. You can consult our guide on VMC certificate requirements.
DMARC enforcement: Ensure your organizational domain has a DMARC policy set to p=quarantine or p=reject. This is a fundamental requirement for BIMI.
Proper DNS record configuration: Your BIMI TXT record needs to be correctly published in your DNS, pointing to both your SVG logo file and your VMC. Double-check your record for any syntax errors or misconfigurations. Use our guide to validate your BIMI SVG and certificate.
VMC procurement: Obtain your VMC from an accredited Certificate Authority. These CAs are responsible for verifying your trademark ownership and issuing the certificate. You can find more information on BIMI accredited certificate providers.

While a single VMC generally suffices for subdomains, always confirm with your Certificate Authority about specific subdomain coverage, especially if you have highly distinct subdomains or complex organizational structures. This ensures that your brand logo is consistently displayed, enhancing trust and engagement across all your email communications.

Views from the trenches

Best practices

Ensure your DMARC policy is set to 'quarantine' or 'reject' for the organizational domain before VMC implementation, as this is a core requirement.

Always publish your BIMI record at the organizational domain level to ensure all subdomains can inherit the VMC verification.

Regularly monitor your BIMI implementation and DMARC reports to catch any issues early that might prevent logo display.

Common pitfalls

Thinking you need a separate VMC for each subdomain, which leads to unnecessary costs and complexity.

Not having a strong DMARC enforcement policy, preventing BIMI from working effectively.

Using a logo that isn't trademarked or not having the trademark registered in a jurisdiction recognized by the VMC provider.

Expert tips

Use a BIMI checker tool after publishing your records to ensure they are valid and correctly configured.

Consider a phased rollout for BIMI implementation, starting with a small sending volume or a less critical subdomain.

Engage with your email service provider (ESP) to confirm their support for BIMI and VMC, as some providers offer assistance or specific configurations.

Marketer view

A marketer from Email Geeks says they found that a VMC certificate at the organizational domain level is sufficient, meaning separate certificates for subdomains are typically not needed.

2025-01-09 - Email Geeks

Expert view

An expert from Email Geeks says that a VMC issued for the main domain will indeed cascade down, allowing the logo to display for subdomains as well.

2025-01-10 - Email Geeks

Reinforcing your brand presence

BIMI and VMC certificates are powerful tools for enhancing your email deliverability, branding, and overall email security. While the landscape of email authentication is constantly evolving, understanding how VMCs work with subdomains is crucial for a scalable and effective strategy. By securing a single VMC for your organizational domain, you can effectively ensure your brand logo is consistently displayed across all your sending subdomains, reinforcing trust and recognition with every email.