Summary
Apple has announced its intent to distrust Certificate Authorities (CAs) and certificates issued by Entrust, including those for S/MIME and Verified Mark Certificates (VMCs). This move is a significant development for email senders and marketers who rely on VMCs for Brand Indicators for Message Identification (BIMI) implementation. Unlike Google's prior distrust, which notably excluded VMCs, Apple's decision broadens the impact, necessitating a review of current certificate providers to maintain brand visibility and email trust signals. The transition requires prompt action to migrate to a trusted alternative CA, such as DigiCert, to ensure continued deliverability and brand integrity across Apple's ecosystem.
Key findings
- Expanded distrust: Apple's distrust extends to both S/MIME and VMCs from Entrust, a broader scope than Google's previous actions.
- Impact on BIMI: Organizations using Entrust VMCs for BIMI will see their brand logos no longer display in Apple Mail clients once the distrust takes effect.
- Migration required: A swift migration to an alternative VMC issuer, such as DigiCert, is necessary to maintain email authentication and brand trust.
- Existing certificates: Certificates issued before the effective distrust date (e.g., November 15th) may still be valid until expiry, but proactive replacement is advised.
Key considerations
- Proactive planning: Start planning your migration strategy immediately if you're an Entrust VMC user to avoid disruptions to your email programs.
- Alternative providers: Investigate alternative BIMI certificate vendors that are fully trusted by major email clients, including Apple.
- Apple's stance: Refer to the official Apple Support documentation on certificate changes for precise details and timelines.
- BIMI compliance: Ensure your new VMC complies with all BIMI requirements to maintain its effectiveness.
What email marketers say
Email marketers have expressed concern and a need for quick action following Apple's announcement. Many were aware of Google's previous distrust, but Apple's inclusion of VMCs for BIMI adds a new layer of urgency, as it directly impacts brand visibility and recipient trust in Apple Mail environments. The general sentiment is one of needing to move away from Entrust and swiftly transition to alternative, trusted Certificate Authorities to avoid potential disruption to email deliverability and brand presentation.
Key opinions
- Initial surprise: Some marketers were surprised by Apple's broad distrust encompassing VMCs, as Google had previously excluded them.
- Actionable steps: Many immediately recognized the need to switch VMC providers, with DigiCert often cited as the primary alternative.
- Brand impact: There's a clear understanding that failure to migrate will result in the loss of brand logo display for BIMI-enabled emails in Apple clients.
- Urgency: While existing certificates might have a grace period, the consensus leans towards replacing them as soon as conveniently possible.
Key considerations
- Verify VMC status: Marketers should check their current VMC provider to confirm if they are impacted by Apple's decision.
- Migration readiness: Be prepared to switch your VMC provider quickly to avoid any loss of brand trust signals. Sectigo provides further details on the implications.
- Budget for new VMCs: Consider the costs associated with new VMC certificates and integrate them into your deliverability budget.
- Monitor BIMI display: Continuously monitor how your BIMI logo displays across different email clients, especially Apple Mail, after any changes.
Marketer view
Email marketer from Email Geeks indicates they received a notification from Entrust regarding changes, which they initially attributed to Branded Mail but then realized was related to a broader distrust issue.
Marketer view
Email marketer from Email Geeks expressed surprise, stating they had not yet received the Entrust notification regarding the changes in certification.
What the experts say
Email deliverability experts have quickly analyzed Apple's announcement, noting its broader scope compared to Google's previous stance on Entrust certificates. They emphasize that Apple's distrust of VMCs has direct consequences for BIMI adoption and display. Experts advise a pragmatic and proactive approach, recommending that organizations using Entrust for any certificate service, especially VMCs, should already have a migration plan in place or develop one immediately. The consensus is a strong recommendation to switch to trusted alternative Certificate Authorities like DigiCert to ensure compliance and maintain sender reputation.
Key opinions
- Broader impact: Experts highlight that Apple's distrust specifically includes VMCs, which distinguishes it from Google's earlier, more limited action.
- Migration imperative: It's considered long overdue for organizations using Entrust to have a migration plan, irrespective of specific distrust announcements.
- DigiCert preference: DigiCert is consistently recommended as the go-to alternative for VMCs.
- Grace period awareness: While existing certificates might have a temporary grace period, the advice is to transition to a new provider as soon as is practical.
Key considerations
- Strategic shift: View this as an opportunity to review and strengthen your overall email authentication strategy, not just a reactive change.
- Beyond VMCs: If using Entrust for anything, prepare a migration plan, as their overall reputation as a CA is under scrutiny.
- Long-term planning: This event underscores the dynamic nature of email deliverability. Word to the Wise advises stopping Entrust use for BIMI certificates.
- Authentication basics: Ensure your core email authentication (DMARC, SPF, DKIM) is robust alongside your VMC.
Expert view
Expert from Email Geeks suggests that Apple's distrust specifically targets the Entrust Certificate Authority (CA) issue, rather than a broad move related to Branded Mail.
Expert view
An expert on SpamResource.com notes that the broader distrust of Entrust by browser vendors and email clients is a developing story, with Apple's inclusion of VMCs marking a significant escalation in implications for email marketers.
What the documentation says
Official documentation from Apple and other security entities confirms the planned distrust of Entrust certificates. This decision stems from a re-evaluation of Entrust's compliance with baseline requirements for Certificate Authorities, indicating a commitment to maintaining a robust and secure digital certificate ecosystem. The documentation specifies that new certificates issued by Entrust after a certain date will no longer be trusted, impacting S/MIME and VMC functionality across Apple's platforms. This move aligns with broader industry efforts to enhance security and prevent potential misuse of digital certificates, emphasizing the importance of adhering to stringent CA operational standards.
Key findings
- Distrust scope: Apple's official communication confirms the distrust applies to both Entrust's S/MIME and VMC certificates.
- Effective dates: Specific dates are provided after which new Entrust-issued certificates will not be trusted by Apple operating systems and applications.
- Industry alignment: The distrust reflects broader industry concerns and actions regarding Entrust's compliance with established CA guidelines.
- Security enhancement: This action is part of Apple's ongoing commitment to strengthening the security and trustworthiness of its platforms.
Key considerations
- Stay informed: Regularly consult Apple's official support channels for updates on trusted CAs and certificates.
- Certificate lifecycle management: Implement robust processes for managing certificate lifecycles to ensure timely renewals and migrations.
- Compliance with standards: Ensure your chosen CA adheres to the latest industry standards and trust policies of major platforms.
- BIMI provider selection: Choose a BIMI accredited certificate provider that is widely recognized and trusted.
Technical article
Official Apple Support documentation highlights that Apple devices will no longer trust TLS certificates, S/MIME certificates, or VMCs issued by Entrust after specific dates, advising users to obtain new certificates from trusted Certificate Authorities.
Technical article
A blog post by Sectigo, another CA, clarifies that Apple's distrust extends to Entrust's legacy root certificates, impacting a wide range of digital security elements beyond just web traffic, including email signing.
Related resources
5 resources
Related pages
What are the key differences between BIMI certificate vendors Entrust and DigiCert?
How can I check if a domain uses Entrust or Digicert for BIMI, and should I avoid Entrust?
What are the requirements and alternatives for implementing BIMI with VMC certificates, especially regarding trademark jurisdiction and costs?
Is DigiCert the only working VMC issuer for Google BIMI?
What is the cost of VMC certificates and are there cheaper alternatives?
A guide to BIMI accredited certificate providers
A guide to validating your BIMI SVG and certificate
Which email clients actually support BIMI?
A simple guide to DMARC, SPF, and DKIM
Email deliverability issues: getting your messages to the inbox in 2025
