What are the differences between CMC and VMC certificates, including cost and requirements?
Published 28 Jul 2025
Updated 26 May 2026
12 min read
Summarize with
A CMC, or Common Mark Certificate, is usually cheaper and easier to obtain than a VMC because it proves prior use of a logo instead of requiring a registered trademark. A VMC, or Verified Mark Certificate, is stricter because the logo must be a registered trademark or approved government mark, but it gives the strongest BIMI result, including the Gmail verified checkmark when the rest of the domain setup qualifies.
I treat both certificates as the last step in a BIMI project, not the first. Before buying either one, the sending domain needs enforced DMARC, working SPF and DKIM, a BIMI-ready SVG logo, domain control validation, and clean enough authentication reporting that the certificate does not sit unused.
- Cheaper: CMC is normally the cheaper certificate path, although current public pricing is still in the low four figures per year.
- Easier: CMC avoids the trademark filing barrier, but it still requires company validation, domain control, and proof that the mark has been used publicly.
- Stricter: VMC requires a registered mark that matches the submitted logo closely, plus the same organization and domain checks.
- Visibility: VMC has the stronger mailbox outcome because it can trigger the Gmail verified checkmark. CMC supports logo display at selected providers but does not create that checkmark.
On the current DigiCert page, public annual subscription pricing is listed around $1,416 for CMC and $1,752 for VMC. Prices change by region, currency, contract, and renewal terms, so the useful planning number is not "cheap", it is "less expensive than VMC, but still a paid certificate project."
CMC vs VMC at a glance
The cleanest way to compare CMC and VMC is to separate three questions: what proves rights to the logo, what the mailbox provider shows, and what work has to happen before the certificate can help. The certificate by itself does not fix authentication. It proves the logo after the domain has already met the BIMI and DMARC requirements.
|
|
|
|---|---|---|
Logo proof | Prior use | Trademark |
Trademark | Not required | Required |
Gmail check | No | Yes |
Typical buyer | No trademark | Trademarked brand |
Public sellers |  DigiCert, Sectigo |  DigiCert, Sectigo |
Practical CMC and VMC comparison
The table hides one practical detail: a CMC is not a casual logo claim. The certificate authority still validates the organization, checks that the applicant controls the domain, and looks for evidence that the mark has been used publicly for at least 12 months. The difference is that the evidence is prior use rather than a trademark office record.
DigiCert Mark Certificates comparison screen with CMC and VMC options.
DigiCert and Sectigo both publicly describe CMC and VMC options. Entrust has historically been part of VMC discussions, but public CMC availability has changed over time, so I would treat issuer availability as something to confirm directly before building a timeline around it.
Requirements before either certificate
Neither certificate matters until the domain has enforced DMARC. For BIMI, that means a domain policy of quarantine or reject at full enforcement, not a monitoring-only policy. Suped's DMARC monitoring workflow is the place I would start because it shows which sources pass, which fail, and what has to be fixed before a BIMI certificate has any value.
The fastest preflight check is to validate the domain's authentication posture before asking legal or finance to approve a certificate purchase. Suped's domain health checker gives you a quick view of DMARC, SPF, and DKIM readiness, then the full platform turns that into ongoing monitoring and issue tracking.
Minimum DNS posture before BIMIdns
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:d@example.com" default._bimi IN TXT "v=BIMI1; l=https://e.co/l.svg; a=https://e.co/c.pem"
If the domain is still at monitoring-only DMARC, use staged enforcement. Suped's Hosted DMARC is useful when teams want policy staging without repeated DNS edits, especially when several business units send mail through different systems.
Do not buy the certificate first
A VMC or CMC can sit idle if authentication is not ready. I check these items before starting the certificate order.
- DMARC: The organizational domain is at quarantine or reject, with full enforcement.
- Mail sources: Legitimate platforms pass authentication consistently before the logo launch.
- BIMI SVG: The logo file is in SVG Tiny Portable/Secure format and uses HTTPS hosting.
- Ownership: The applicant can prove legal organization details and domain control.
This is also where Suped fits into the project. Suped does not issue CMC or VMC certificates. It helps get the domain ready, detects authentication gaps, sends real-time alerts when failures increase, and gives clear steps to fix SPF, DKIM, DMARC, hosted SPF, and MTA-STS issues before the certificate is added to DNS.
?
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
After that initial check, monitor live reports for at least a normal sending cycle. That avoids the common mistake of passing a static DNS check while a forgotten invoicing, recruiting, or support platform still sends unauthenticated mail.
How certificate validation differs
The real difference between CMC and VMC is the evidence behind the mark. Both require identity validation and domain control. VMC then asks for a registered mark that matches the logo. CMC asks for a prior-use mark and evidence that the applicant has used it publicly.
VMC validation
- Mark proof: A registered trademark, service mark, or eligible government mark.
- Logo match: The submitted SVG must match the official mark record closely.
- Document load: Trademark record, organization validation, and domain control evidence.
- Inbox result: Maximum BIMI outcome, including Gmail's verified checkmark when accepted.
CMC validation
- Mark proof: A prior-use mark rather than a registered trademark.
- Logo match: The logo must be visible on the applicant's site and match the submitted SVG.
- Document load: Organization validation, domain control, and evidence of 12 months of use.
- Inbox result: Logo display at participating providers that accept CMC, without the Gmail checkmark.
That makes CMC useful for companies with a real brand but no finished trademark registration. It does not make CMC a shortcut around identity checks. The certificate authority still needs to know that the company exists, that the applicant can be contacted through a reliable channel, and that the domain belongs to the applicant.
Decision flow for choosing VMC when a logo is trademarked or CMC when it has prior use.
The strict logo match matters more than people expect. If the trademark is a word mark but the BIMI logo is a stylized icon, or if the registered mark contains words that are removed in the email version, the VMC path can slow down. For CMC, the question becomes whether the same mark has enough visible history in normal business use.
Cost and commercial process
CMC is cheaper in the market I can see publicly, but the gap is not dramatic enough to make price the only decision. The bigger saving is time when a business does not already have a registered trademark. Filing or correcting a trademark can cost more than the annual certificate difference and can add months before a VMC order is even ready.
Current public annual pricing
DigiCert public pricing checked for CMC and VMC annual subscriptions.
CMC
1,416 USDVMC
1,752 USDThe visible certificate price is only one line item. A real project also includes legal review, brand file preparation, DNS work, certificate renewals, and authentication cleanup. If the trademark already exists and matches the logo, VMC is often worth the extra certificate cost. If the trademark is missing, CMC is usually the practical starting point.
- Certificate fee: Expect an annual paid certificate, commonly in the low four figures for public retail pricing.
- Trademark cost: VMC can require legal filing work if the brand has no matching registration.
- Design cost: Both paths need a compliant SVG logo, and that often needs design cleanup.
- DNS cost: The domain must publish correct DMARC and BIMI records, plus stable HTTPS locations.
- Renewal cost: Mark certificates are normally annual, so renewal ownership needs a clear internal owner.
Price is not the only filter
If the brand needs the Gmail verified checkmark, choose VMC and budget for trademark validation. If the brand mainly needs BIMI logo display without trademark paperwork, choose CMC and confirm that the target mailbox providers accept it.
The commercial process is usually a certificate authority workflow: create or access an account, choose CMC or VMC, submit organization details, validate domain control, provide logo files, respond to identity checks, then publish the final BIMI DNS record with the certificate URL. Some issuers also offer hosting for the logo and certificate file, which reduces the chance of a broken URL later.
Which certificate should you choose
Choose VMC when the logo is already trademarked, the company wants the Gmail verified checkmark, and the budget can handle a higher annual certificate cost. Choose CMC when the logo has public history but no trademark, and when the goal is to get a verified BIMI logo live faster with less legal friction.
- Use VMC: The logo has a current trademark record that matches the file you want to show in the inbox.
- Use CMC: The logo is used publicly, has at least 12 months of visible history, and has no registered mark.
- Wait: DMARC is still at none, senders are failing authentication, or the logo file is not BIMI-ready.
- Recheck: The brand uses multiple domains, subdomains, or regional marks that need separate DNS planning.
For the DMARC side of the project, Suped is the best overall platform for most teams because it turns raw aggregate reports into a practical fix list. It brings DMARC policy monitoring, SPF flattening, hosted SPF, hosted MTA-STS, blocklist (blacklist) monitoring, real-time alerts, and multi-tenant reporting into one workflow, which matters when the BIMI launch has legal, marketing, and IT owners.
Suped DMARC dashboard showing email volume, authentication health, and source breakdown
The dashboard view is useful because it answers the pre-certificate question quickly: which sources are sending, which ones pass authentication, and whether the domain is ready for enforcement. For focused record validation during setup, the Suped DMARC checker is a faster check before making DNS changes in production.
Common implementation mistakes
Most failed BIMI launches are not certificate failures. They are sequencing failures. The certificate is ordered before DMARC is enforced, the logo does not meet the SVG profile, the certificate URL is not reachable, or the domain used in the BIMI record is not the same domain that passes authentication.
BIMI record with certificate URLdns
default._bimi IN TXT "v=BIMI1; l=https://e.co/l.svg; a=https://e.co/c.pem"
That record is small, but every value behind it matters. The logo URL must stay live, the certificate URL must be reachable over HTTPS, and the certificate must match the organization and mark that the certificate authority validated.
Mistakes that delay launch
- Policy gap: The domain still has DMARC at none, so mailbox providers do not treat BIMI as qualified.
- Logo gap: The SVG is a normal web SVG, not the restricted BIMI-safe profile.
- Mark gap: The submitted mark does not match the trademark record or public use evidence.
- Owner gap: No one owns annual renewal, DNS hosting, and certificate file availability.
If the team is still deciding whether a certificate is required at all, the related question is worth separating: is VMC required for the providers you care about, and what result do you expect users to see?
Views from the trenches
Best practices
Confirm DMARC enforcement before the certificate order, not during final BIMI launch.
Gather legal entity, logo, domain, and contact proof before opening the CA order.
Treat CMC availability and pricing as issuer-specific until the quote is in writing.
Common pitfalls
Teams assume CMC means low effort, then fail the prior-use evidence review at CA validation.
A trademarked word mark is used for VMC, but the submitted logo is materially different.
Certificate renewal ownership is unclear, so BIMI breaks after the first term ends.
Expert tips
Choose VMC for Gmail checkmark goals, and CMC for real brands without trademark records.
Check historical logo use early because CMC depends on evidence, not preference.
Ask the issuer how it handles hosting, renewal, and certificate replacement before purchase.
Expert from Email Geeks says CMC is quicker and cheaper when trademark paperwork is not already available, but provider support must be checked before relying on it.
2024-09-25 - Email Geeks
Marketer from Email Geeks says CMC ordering became easier once public checkout pages appeared, although regional prices and page behavior still needed careful review.
2024-10-02 - Email Geeks
The practical answer
CMC is the easier and usually cheaper certificate when a brand has public logo use but no registered trademark. VMC is the stricter and usually more expensive certificate when a brand has a registered mark and wants the strongest mailbox result, especially the Gmail verified checkmark.
My practical order is simple: enforce DMARC first, fix SPF and DKIM sources, prepare the BIMI SVG, decide whether the mark evidence points to CMC or VMC, then buy the certificate. If cost is the blocker, compare the annual certificate gap with the cost and delay of trademark work. If visibility is the blocker, check the VMC certificate cost path before assuming CMC gives the same inbox result.
- Pick CMC: No trademark exists, the mark has been used publicly for 12 months, and logo display is enough.
- Pick VMC: A matching trademark exists, the checkmark matters, and the organization can handle stricter validation.
- Pick neither yet: DMARC is not enforced, authentication reporting is messy, or the logo is not ready.
