The question of whether a Verified Mark Certificate (VMC) works on a subdomain not explicitly listed in the certificate is crucial for email marketers and technical teams implementing Brand Indicators for Message Identification (BIMI). While DMARC policies can often apply to subdomains from an organizational domain, VMC validation for BIMI is typically more stringent and tied to the specific domain (or subdomain) for which the certificate was issued. This distinction often leads to confusion, as senders might expect the VMC to automatically cover all subdomains under a parent domain's certificate, similar to how some DMARC policies function.
Key findings
Explicit listing: VMCs generally require the specific subdomain to be explicitly listed or covered by a wildcard in the certificate for successful validation.
BIMI validation: If a BIMI record is published for a subdomain, the VMC associated with that record must validate for that exact subdomain, not just the organizational domain.
Certificate mismatch errors: Common errors like 'certificate is valid for example.tech, not edu.example.tech' indicate that the VMC does not cover the subdomain in question.
Subdomain independence: BIMI records, including their VMCs, can be unique for subdomains, independent of the organizational domain's records. For more on this, read about applying BIMI to a specific subdomain.
Key considerations
VMC scope: Understand that VMCs are generally tied to specific domain names or wildcards, unlike how some DMARC policies inherit.
Certificate types: Some certificates, like the Extended Validation (EV) certificates often used for VMCs, may require each subdomain to be listed explicitly and may not be issued as wildcard certificates at all. This is mentioned in a discussion about SSL certificates.
Dedicated VMCs: If you are using multiple subdomains for email streams, you may need a separate VMC for each, or a wildcard VMC that covers all subdomains, if available from your provider.
Email marketers often encounter issues with VMCs on subdomains when they assume a single certificate for the organizational domain will suffice for all subdomains. The general consensus among marketers is that explicit configuration is usually required, deviating from the 'trickle down' expectation that might be seen with other email authentication protocols like DMARC. This can lead to unexpected failures in BIMI logo display if not properly addressed.
Key opinions
Common assumption: Many marketers initially believe that a VMC on the organizational domain automatically applies to its subdomains.
Subdomain specific issue: A common problem is a certificate validation failure when the subdomain is not explicitly listed in the VMC, even if the main domain is.
BIMI record placement: Some suggest only placing the BIMI entry (and implicitly, the VMC reference) on the organizational domain if it's the only certificate covering the subdomains, but this depends on the certificate type.
Testing is key: Marketers emphasize using BIMI testing tools to verify VMC validity for each subdomain precisely. Reviewing BIMI SVG and certificate validation guidance can be helpful.
Key considerations
BIMI and DMARC alignment: For BIMI to work, the sender's domain must pass DMARC authentication, which can be influenced by how DMARC policy applies to subdomains.
Certificate costs: Obtaining separate VMCs or a wildcard VMC for numerous subdomains can increase costs and management complexity.
Provider support: Ensure your VMC provider offers options for wildcard certificates or certificates covering multiple specific subdomains if needed.
Strategic deployment: Marketers should strategize whether they need BIMI on all subdomains or only on the primary sending domain to simplify VMC management. This relates to BIMI record flexibility for subdomains.
Marketer view
Email marketer from Email Geeks indicates they deployed a BIMI record, including the VMC, across their organizational domain and subdomains. However, they received a certificate validation error stating the certificate was valid for the main domain, not the specific subdomain, raising questions about VMC trickle-down behavior.
08 Jan 2025 - Email Geeks
Marketer view
Email marketer from Email Geeks mentioned they were under the impression that a VMC would still function on a subdomain even if the subdomain wasn't explicitly listed in the certificate. This highlights a common misunderstanding of VMC scope.
08 Jan 2025 - Email Geeks
What the experts say
Experts emphasize that while BIMI records can be configured at the subdomain level, the underlying VMC must technically validate for that specific subdomain. This often means the certificate needs to explicitly include the subdomain's name or be a properly issued wildcard certificate. The validation algorithm is complex, requiring precise alignment between the VMC's subject alternative names (SANs) and the domain from which the BIMI record is published.
Key opinions
VMC validation algorithm: Experts describe the process of checking VMC validity for subdomains as 'detailed' and requiring careful manual inspection to troubleshoot errors.
Direct subdomain support: Even if a VMC is on the main domain, a BIMI record found at a subdomain can be used by the mailbox provider. However, the VMC itself must validate for the specific subdomain. This is highlighted by BIMI Group's FAQ.
Certificate chain: The VMC must be correctly linked in the BIMI record's 'l=' tag, and the full certificate chain must be valid and trusted for the specific subdomain.
Role of DMARC: Experts reinforce that BIMI, including VMC usage, is contingent on the domain passing DMARC authentication, whether for the parent domain or specific subdomains. Learn about DMARC policy covering subdomains for BIMI.
Key considerations
Wildcard VMCs: While technically possible, obtaining a VMC with a wildcard (e.g., *.example.com) that covers all subdomains can be more complex or costly due to the stricter validation requirements for VMCs.
Mailbox provider interpretation: Different mailbox providers might have slight variations in how they interpret and validate VMCs for subdomains, though the core requirement for certificate validity remains.
SAN and common name: Ensure the VMC's Subject Alternative Name (SAN) or Common Name (CN) field includes the exact subdomain being used for the BIMI record.
Impact on logo display: An incorrectly configured VMC for a subdomain will prevent the brand logo from displaying, impacting brand visibility. Consider if a VMC is mandatory for BIMI in your specific setup.
Expert view
Expert from Email Geeks requested to see the specific results page from the testing tool, indicating that the problem might lie in how the validation tool interprets the VMC or how the setup is described, rather than a fundamental issue.
08 Jan 2025 - Email Geeks
Expert view
Expert from wordtothewise.com states that a VMC (and underlying SSL/TLS certificate) must have the exact hostname or a wildcard that explicitly covers the subdomain for the certificate validation to succeed. Any mismatch will lead to failure.
10 Aug 2024 - wordtothewise.com
What the documentation says
Official documentation and technical specifications for BIMI and VMCs consistently state that the VMC must be valid for the specific domain (or subdomain) from which the email is sent and where the BIMI record is published. Unlike DMARC's organizational policy inheritance, VMC validation requires a direct match or explicit wildcard coverage. This ensures the authenticity and verifiable ownership of the logo displayed. BIMI Group's FAQs provide clarity on this specific aspect.
Key findings
BIMI Group's stance: The BIMI Group FAQ clarifies that if a BIMI record is found at a subdomain, the mailbox provider can use it, even if it differs from the organizational domain's record, implying the VMC must validate for that specific subdomain.
X.509 certificate standards: Standard X.509 certificate validation requires the hostname (or subdomain) to match the Common Name or Subject Alternative Name (SAN) fields in the certificate.
Wildcard certificate limitations: For some types of certificates, especially Extended Validation (EV) certificates, wildcard certificates may not be issued, or each subdomain must be explicitly listed. This is echoed in discussions about SSL certificates for subdomains.
Separate records: It is possible and often necessary to define specific BIMI records for subdomains, which would then require a VMC that validates for that specific subdomain. Learn more about setting up BIMI records for multiple subdomains.
Key considerations
BIMI record location: The BIMI record is a DNS TXT record published at the sending domain or subdomain, pointing to the SVG logo and the VMC. Its presence at the subdomain signals the need for subdomain-specific VMC validation.
Certificate authority requirements: VMC issuance follows strict guidelines from Certificate Authorities (CAs). These guidelines dictate how subdomains are covered and whether wildcards are permitted. For more info, check BIMI accredited certificate providers.
DNS configuration: Proper DNS configuration is critical, ensuring the VMC URL is accessible and the certificate chain is correctly published and verifiable.
Technical expertise: Implementing VMCs for subdomains often requires a deeper technical understanding of SSL/TLS certificates and DNS than general marketing tasks.
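A worked version of the SAN alignment check described under "What the experts say" and of the BIMI record placement note above, added here as an example and not taken from this page, a BIMI tool or any CA. It assumes the certificate's dNSName list has already been extracted (the sample is a constructed list), and reads the VMC location from the record's a= (evidence) tag, with l= carrying the logo, which is how the BIMI assertion record lays those tags out.

```python
"""Constructed example: does a VMC's SAN list cover the domain that publishes
the BIMI record? Uses X.509 / RFC 6125 hostname rules (exact dNSName match, or
a leftmost-label wildcard standing for exactly one label)."""

def parse_bimi_record(txt: str) -> dict:
    """Split 'v=BIMI1; l=<logo url>; a=<evidence url>' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v", "").upper() != "BIMI1":
        raise ValueError("not a BIMI1 record")
    return tags

def hostname_matches(hostname: str, san_name: str) -> bool:
    """True if san_name (exact, or '*.parent' wildcard) covers hostname."""
    host, name = hostname.lower().rstrip("."), san_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name
    # '*.example.tech' covers edu.example.tech, but neither example.tech
    # itself nor a.edu.example.tech: the wildcard spans exactly one label.
    labels = host.split(".")
    return (labels[0] != "" and len(labels) == name.count(".") + 1
            and host.endswith(name[1:]))

def vmc_covers(bimi_domain: str, san_names: list) -> tuple:
    """Return (covered, matching SAN or None) for the BIMI record's domain."""
    for name in san_names:
        if hostname_matches(bimi_domain, name):
            return True, name
    return False, None

def check(bimi_domain: str, txt: str, san_names: list) -> str:
    """Verdict in the style of the 'valid for X, not Y' tool error."""
    tags = parse_bimi_record(txt)
    if not tags.get("a"):
        return f"{bimi_domain}: no a= (evidence) tag, nothing to validate"
    covered, name = vmc_covers(bimi_domain, san_names)
    if covered:
        return f"{bimi_domain}: covered by SAN {name} (VMC at {tags['a']})"
    return (f"{bimi_domain}: certificate is valid for "
            f"{', '.join(san_names)}, not {bimi_domain}")

# Constructed sample: record at default._bimi.edu.example.tech, VMC whose
# only SAN is the organizational domain (the mismatch this page describes).
RECORD = "v=BIMI1; l=https://example.tech/logo.svg; a=https://example.tech/vmc.pem"
ORG_ONLY_SANS = ["example.tech"]
print(check("edu.example.tech", RECORD, ORG_ONLY_SANS))
```

Swapping the SAN list for one that names the subdomain, or for a wildcard entry where the provider issues one, turns the same call into a "covered" verdict.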
Technical article
Documentation from BIMI Group FAQs clarifies that if a BIMI record is present at a subdomain, mailbox providers can indeed use it, even if it differs from the organizational domain's BIMI record. This implies that the VMC associated with the subdomain's BIMI record must be valid for that specific subdomain.
20 May 2024 - BIMI Group
Technical article
Documentation from Let's Encrypt Community Support forums indicates that for HTTPS/TLS/SSL certificates, if subdomains are missing from a certificate created by tools like Certbot, it typically means they were not explicitly included or covered by a wildcard during the issuance process. This applies directly to VMC validation.