Will my existing Entrust VMC still work?

Existing Entrust-issued VMCs will continue to function until their expiration date. However, for new VMCs or renewals after the acquisition, you will need to work with Sectigo, as Entrust is no longer directly issuing these certificates.

Is Sectigo an accepted VMC provider for Gmail and other major mailbox providers?

Yes, Sectigo is a recognized Certificate Authority for VMC issuance. While older BIMI Group documentation might not immediately reflect this change, Sectigo VMCs are accepted by major mailbox providers , including Google.

How do the pricing and processes of Sectigo and DigiCert compare?

Pricing for VMCs can vary between providers. DigiCert typically lists its pricing, while Sectigo's pricing information may require direct inquiry. It is advisable to contact both providers for current quotes before making a decision.

Is a VMC still mandatory for BIMI to work?

A VMC is essential for displaying your logo with BIMI for many major mailbox providers, including Google and Gmail . While some providers may support BIMI without a VMC (often for non-trademarked logos), a VMC provides the highest level of assurance and broadest display.

What are the recommended VMC providers for BIMI setup after Entrust's acquisition by Sectigo? - Technical - Email deliverability - Knowledge base

Q: What are the recommended VMC providers for BIMI setup now?

After Entrust's acquisition, the recommended VMC providers are primarily DigiCert and Sectigo . Sectigo has taken over Entrust's VMC business, making them a direct option for those seeking new VMCs or managing existing Entrust certificates.

The world of email authentication, particularly with Brand Indicators for Message Identification (BIMI), is constantly evolving. A significant recent change affecting Verified Mark Certificates (VMCs) for BIMI setup is Entrust's decision to stop issuing VMCs and their subsequent acquisition of this business by Sectigo. This has led to some confusion among those looking to implement BIMI or manage existing VMCs, especially regarding which providers are now recommended.

Before this acquisition, Entrust and DigiCert were the two primary Certificate Authorities (CAs) authorized to issue VMCs. Now, with Entrust stepping back from VMC issuance, the landscape has shifted, prompting questions about the most reliable paths forward. This article explores the current options and provides clarity on navigating the VMC provider space for your BIMI implementation.

Understanding the VMC landscape

Brand Indicators for Message Identification (BIMI) allows organizations to display their trademarked logos next to their authenticated email messages in supporting inboxes. For this to work in many major mailbox providers, a Verified Mark Certificate (VMC) is required. This certificate links your verified, trademarked logo to your domain, providing an additional layer of trust and visual brand recognition.

Historically, the BIMI Group's official list of VMC issuers highlighted Entrust DataCard and DigiCert as the only two accepted Mark Verifying Authorities. However, with Entrust's VMC business being acquired, this information can appear outdated on some resources, leading to confusion. It's important to remember that the BIMI standard relies on a chain of trust, and the Certificate Authority (CA) issuing the VMC must be trusted by the receiving email client.

The core purpose of the VMC is to establish a verifiable link between your brand's logo and your email sending domain, bolstering email security and deliverability. For a detailed understanding of the overall BIMI requirements and supported providers, it's crucial to ensure your domain meets all technical specifications, including a DMARC policy at enforcement (p=quarantine or p=reject).

Sectigo and the Entrust acquisition

Entrust's decision to exit the VMC issuance business, coupled with the acquisition of their existing VMC customer base by Sectigo, marks a significant shift. Sectigo, a prominent Certificate Authority previously known as Comodo CA, has now taken on the responsibility for servicing former Entrust VMC clients. This transition aims to ensure continuity for brands that previously obtained their VMCs from Entrust.

For existing Entrust VMC holders, the certificates issued before the transition date will remain valid until their expiration. However, any new VMCs or renewals after that date will typically be handled by Sectigo. The critical question for many is whether Gmail accepts Sectigo VMCs. While the official BIMI Group site may not always reflect the most current state of affairs immediately, Sectigo is indeed recognized as a valid issuer for BIMI, particularly as they assume the role previously held by Entrust in this specific market segment. This means that if you currently have an Entrust VMC, or are looking to acquire a new one, Sectigo is now a viable and recognized option.

The migration process involves moving customer data, not necessarily the underlying certificates themselves, which will continue to be anchored by their original issuing Certificate Authority until they expire. For new VMCs or renewals, Sectigo is expected to issue certificates that are compatible with BIMI requirements, including those of major mailbox providers like Google and Apple, which are crucial for widespread logo display.

Comparing VMC providers: Sectigo vs. DigiCert

With Entrust's VMC business now under Sectigo, the primary choices for new VMCs are DigiCert and Sectigo. Both are reputable Certificate Authorities that adhere to BIMI standards. When evaluating these providers, consider factors like pricing, customer support, and the ease of the issuance and renewal process.

While DigiCert has been a consistent leader in VMC issuance since the inception of BIMI, Sectigo now offers a direct pathway for those seeking new VMCs or migrating from Entrust. It's worth noting that Sectigo themselves state they offer Verified Mark Certificates that help display official logos. Another provider, GlobalSign, is also listed on the BIMI Group's VMC issuers page, but widespread support from major mailbox providers like Google and Gmail is a crucial factor to consider before committing.

Here's a comparison of key aspects between the two primary VMC providers:

DigiCert

Reputation: One of the original and most trusted VMC providers.
Acceptance: Widely accepted by major BIMI-supporting mailbox providers.
Process: Streamlined application and validation process for VMCs.
Support: Known for robust customer support.

Sectigo

Origin: Acquired Entrust's VMC customer base, known as Comodo CA previously.
Acceptance: Emerging as a strong contender due to the Entrust migration.
Transition: Actively migrating Entrust VMC customers, suggesting broad compatibility.
Pricing: Information can be less transparent online, often requiring direct inquiry.

Choosing between them might come down to your existing relationships, specific pricing offers, and the level of support you anticipate needing. Some reports suggest that Sectigo may be reselling DigiCert VMCs, which could streamline the process in the background, but this does not affect the end-user's experience or the certificate's validity.

Key considerations for BIMI and VMC setup

Regardless of the VMC provider you choose, a few foundational steps and considerations are critical for a successful BIMI implementation. Firstly, ensuring your logo is trademarked correctly is paramount, as VMCs only certify trademarked logos. Your trademark must be registered with an accepted intellectual property office (IPO) or trademark office globally, like the USPTO, EUIPO, or others.

Next, a robust DMARC policy with an enforcement level (p=quarantine or p=reject) is an absolute prerequisite for BIMI to function. Without strong DMARC, even a perfectly configured VMC won't lead to your logo displaying. If you're encountering DMARC verification failures, address those first.

Another consideration is the use of a Common Mark Certificate (CMC). While less common and with different requirements than VMCs, they are an alternative in some cases. However, for the widest adoption, VMCs are generally preferred.

Finally, monitor your BIMI implementation carefully. The BIMI Group's implementation guide provides a good starting point, but always check with your specific email service provider (ESP) and targeted mailbox providers for any unique requirements or updates.

Navigating the new VMC provider landscape

With Entrust's VMC business transitioning to Sectigo, the landscape for acquiring Verified Mark Certificates has certainly seen a shift. For new BIMI implementations, both DigiCert and Sectigo are now the recommended providers. While DigiCert maintains its strong standing, Sectigo is positioned to continue supporting the VMC ecosystem following the Entrust acquisition.

The key is to ensure your chosen provider issues VMCs that are trusted by major mailbox providers. Always prioritize a strong DMARC policy at enforcement and ensure your logo is correctly trademarked. The evolution of BIMI and VMCs underscores the importance of staying informed about changes in the email authentication space to maximize your brand's presence in the inbox.

Views from the trenches

Best practices

Always ensure your DMARC policy is set to quarantine (p=quarantine) or reject (p=reject) before applying for a VMC.

Verify your logo is a registered trademark in a recognized jurisdiction, as this is a strict VMC requirement.

Keep an eye on official BIMI Group updates for the latest list of accredited VMC issuers and mailbox provider support.

Common pitfalls

Attempting to implement BIMI without a DMARC policy at enforcement, which prevents logo display.

Using a logo that is not officially trademarked, leading to VMC application rejection.

Not accounting for the time it takes to obtain a VMC, which can involve validation delays.

Expert tips

Consider engaging with a BIMI expert or consultant if your organization's setup is complex.

Test your BIMI implementation thoroughly after receiving your VMC to ensure your logo displays correctly.

While Sectigo is now handling Entrust's VMC business, confirm that new certificates issued by Sectigo are under a CA root trusted by major mailbox providers.

Marketer view

Marketer from Email Geeks says that DigiCert seems like the most straightforward choice for new VMCs in the current landscape.

2024-05-01 - Email Geeks

Marketer view

Marketer from Email Geeks says that Sectigo was formerly known as Comodo CA, and they are now involved with VMCs.

2024-05-01 - Email Geeks

Conclusion

The acquisition of Entrust's VMC business by Sectigo reshapes the options for brands seeking to implement BIMI. While Entrust is no longer issuing new VMCs, existing ones remain valid until expiration, and Sectigo steps in as a key player for new issuances and renewals. DigiCert continues to be a leading and widely trusted provider.

For organizations looking to set up BIMI, the choice is primarily between DigiCert and Sectigo. It's important to perform due diligence, confirm pricing and process details, and always ensure your DMARC policy is in enforcement. Staying informed about updates from the BIMI Group and Certificate Authorities will help ensure your brand's logo is consistently displayed in supporting inboxes.