What are the key differences between BIMI certificate vendors Entrust and DigiCert?
Matthew Whittaker
Co-founder & CTO, Suped
Published 16 Jul 2025
Updated 16 Aug 2025
When you're looking to implement Brand Indicators for Message Identification (BIMI), a Verified Mark Certificate (VMC) is crucial for displaying your brand's logo in recipient inboxes. Historically, DigiCert and Entrust have been the two primary certification authorities (CAs) authorized to issue these certificates. While both ultimately provide a VMC that enables your logo to appear in supporting inboxes, there are some noteworthy differences, particularly concerning cost and, more recently, browser trust.
The choice between them often came down to minor procedural variations and, significantly, price. However, recent developments concerning trust in Entrust's certificates by major browser vendors have added a new layer of complexity to this decision. I’ll delve into these differences and explain what factors should guide your choice.
The role of verified mark certificates in BIMI
A Verified Mark Certificate (VMC) is a digital certificate that authenticates your organization's logo, linking it to your DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy. This is a critical component for BIMI, as it ensures that only verified, trademarked logos are displayed next to your sender name in the inbox. For BIMI to function, your domain must also be at an enforced DMARC policy, meaning p=quarantine or p=reject.
The validation process for a VMC is rigorous. It involves verifying both your organization's identity and the ownership of the trademarked logo you wish to display. This thorough validation is what gives VMCs their credibility and helps email recipients trust the sender's identity. To learn more about the complete setup, review our guide on the requirements and implementation steps for BIMI.
While the core function of a VMC is universal, the journey to obtaining one from a certified authority can differ slightly in terms of required documentation, processing times, and cost. For a deeper understanding of BIMI certificates and their types, you can consult the BIMI Group's official resources.
Recent trust considerations: Entrust and major mailbox providers
A significant development impacting the choice between DigiCert and Entrust is the recent decision by major browser vendors, specifically Google Chrome and Apple, to distrust certain certificates issued by Entrust. This distrust stems from compliance incidents and affects the validity of Entrust's root certificates.
The direct consequence of this distrust is that any BIMI VMCs issued by Entrust may not be recognized or trusted by email clients that rely on these browser root stores. This means that your meticulously set up BIMI logo might not appear for users of these clients, undermining the very purpose of implementing BIMI. For more details on this situation, you can read about Google's decision to distrust Entrust.
This situation has led many organizations using Entrust for their VMCs to consider migrating to DigiCert to ensure consistent logo display across all supporting email clients. It’s a clear indication that while price might be a factor, the underlying trust in the CA is paramount for the success of your BIMI implementation. You can find more information on how this affects Apple BIMI and your VMCs.
Important consideration
Due to the recent distrust announcements from major browser vendors like Google and Apple, it is strongly recommended that organizations avoid purchasing new BIMI VMCs from Entrust for the time being. This move by the browsers casts significant doubt on the effectiveness of Entrust VMCs in displaying your logo as intended.
Comparing the VMC offerings: process and pricing
Setting aside the recent trust issues, the fundamental difference between DigiCert and Entrust for BIMI VMCs primarily came down to pricing structures and minor variations in their customer support or API integration experiences. The core process of obtaining a VMC involves rigorous validation steps, which are largely standardized across accredited CAs by the BIMI Group. This means the end result, a valid VMC, should technically function the same way from either provider, provided they are trusted.
Pricing has historically been a notable difference. DigiCert VMCs have typically been priced higher than Entrust's offerings, sometimes by several hundred dollars per year, especially for single-domain certificates. However, pricing can vary based on multi-year commitments, reseller agreements, or specific enterprise needs. It is always wise to get direct quotes from both vendors or their partners to confirm the current pricing for your specific use case. You can explore a broader overview of BIMI implementation costs.
Feature | DigiCert | Entrust
Market presence | Leading global CA, strong in SSL/TLS and enterprise solutions. | Established CA, recognized in digital security products.
Historical pricing | Generally higher initial and renewal costs. | Often more competitive pricing initially.
Browser trust | Maintained strong trust with major browsers. | Experienced recent distrust from Google, Apple, and Mozilla.
Multi-domain VMC | Offers VMCs supporting multiple domains. | Offers multi-domain support, but with additional per-domain fees.
It’s worth noting that while the technical process might be largely similar, the perceived customer service, ease of use of their portals, and API capabilities for automated deployments can vary. Some organizations might prefer one vendor over the other based on their existing infrastructure or prior experience with SSL/TLS certificate management.
Choosing the right BIMI certificate vendor for your needs
When choosing a BIMI certificate vendor, the primary consideration should be the long-term effectiveness of your BIMI implementation. This means prioritizing the consistent display of your logo across all supporting email clients and minimizing any potential deliverability issues, like your emails ending up in the spam folder or on a blacklist (or blocklist).
Given the recent distrust of Entrust certificates by major industry players, DigiCert emerges as the more reliable choice for new BIMI VMC purchases. While it might come at a higher cost, the assurance that your logo will consistently appear as intended is invaluable for brand visibility and trust. DigiCert remains a trusted VMC issuer.
Current market standing
DigiCert: Widely trusted across the industry with no current widespread distrust issues impacting BIMI VMCs.
Entrust: Faces distrust from major browser vendors, potentially limiting BIMI logo display.
Overall considerations
Trust: Prioritize vendors with undisputed trust from all major email clients and browser root programs.
Longevity: Consider the vendor's reputation and long-term stability in the CA ecosystem.
Cost vs. value: A lower price might not be a saving if your logo doesn't display due to trust issues.
Ultimately, while the technical output of a VMC is standardized, the reputation and trust status of the issuing CA are critical. The goal of BIMI is to enhance your brand's visibility and email trust, and this can only be achieved if the VMC is universally accepted. Always consult BIMI accredited certificate providers for the most up-to-date information.
Regularly checking your BIMI implementation is also essential, especially after any changes to certificate validity or if you notice your logo isn't appearing as expected. Using a reliable email deliverability tester can help ensure your BIMI records are correctly configured and recognized by mailbox providers. For ongoing monitoring, consider tools that provide insight into DMARC reports and overall deliverability health.
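As an added example (not Suped's tooling or any vendor's code), the check below covers the two record-level prerequisites discussed above: a DMARC policy of p=quarantine or p=reject, and a BIMI record that publishes both a logo and a VMC over HTTPS. The records are constructed samples on example.com and the function names are hypothetical; it inspects record syntax only and does not validate the certificate or its issuer's trust status.

```python
# Added example: constructed records, checked offline. In DNS the DMARC record
# is the TXT at _dmarc.<domain>; the BIMI record is the TXT at default._bimi.<domain>.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
GOOD_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # skip empty or malformed fragments such as a trailing ';'
            tags[name.strip().lower()] = value.strip()
    return tags


def bimi_readiness(dmarc_txt, bimi_txt):
    """Return a list of problems that would stop the logo from displaying."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing or malformed")
    elif policy not in ("quarantine", "reject"):
        problems.append("DMARC policy p=%s is not at enforcement" % (policy or "<absent>"))

    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing or malformed")
        return problems
    # l= is the SVG logo, a= is the certificate (VMC) in PEM form; both must be HTTPS.
    for tag, what in (("l", "logo"), ("a", "VMC")):
        url = bimi.get(tag, "")
        if not url:
            problems.append("BIMI %s= tag is empty: no %s published" % (tag, what))
        elif not url.lower().startswith("https://"):
            problems.append("BIMI %s= URL must use https://" % tag)
    return problems


if __name__ == "__main__":
    print(bimi_readiness(GOOD_DMARC, GOOD_BIMI))
    print(bimi_readiness("v=DMARC1; p=none", GOOD_BIMI))
```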
Views from the trenches
Best practices
Always verify the latest browser and mailbox provider trust lists for VMC issuers before purchase.
Prioritize the certification authority's long-term reputation and stability over initial cost savings.
Ensure your DMARC policy is set to quarantine or reject before acquiring a VMC for BIMI.
Common pitfalls
Choosing a VMC vendor solely based on lower cost without considering their current trust status.
Failing to update your BIMI records or re-issue certificates when a CA faces distrust.
Expecting your BIMI logo to appear without a DMARC policy at enforcement.
Expert tips
Stay informed about industry news regarding certificate authorities and their trust status.
Consult with an email deliverability expert when navigating complex BIMI implementations.
Consider a multi-year VMC purchase only after confirming the CA's stable trust status.
Marketer view
A marketer from Email Geeks says that the end result of using either Entrust or DigiCert for a VMC should be no different, although the specific processes might vary.
2022-08-11 - Email Geeks
Marketer view
A marketer from Email Geeks shared that their experience with both vendors' processes was largely similar.
2022-08-11 - Email Geeks
Key considerations for your BIMI implementation
While DigiCert and Entrust both provide Verified Mark Certificates essential for BIMI, the recent landscape has shifted significantly. The primary distinctions now lie less in their procedural differences or historical pricing and more in their current standing regarding browser and email client trust.
For organizations looking to implement BIMI effectively and ensure their logo is consistently displayed, it is critical to choose a CA whose certificates are fully trusted across the ecosystem. This will help you maximize your brand's presence and reinforce email authentication efforts.