Getting your brand's logo to appear in your customers' inboxes is a powerful way to build trust and recognition. That's the promise of BIMI (Brand Indicators for Message Identification). But to unlock the full potential of BIMI, especially with major mailbox providers like Gmail and Apple, you need something called a Verified Mark Certificate, or VMC. This isn't just another acronym to add to the pile; it's a crucial piece of the email authentication puzzle that validates you are who you say you are.
The journey to getting a VMC can seem complicated. It involves trademarking your logo, getting your DMARC policy in order, and then navigating the world of Certificate Authorities (CAs). The final step, choosing a provider, is critical because not just any CA can issue a VMC. Only a select few have been accredited by the BIMI Group to perform the rigorous checks required. You must understand what these certificates are, who can issue them, and what to consider when choosing a provider for your business.
What is a Verified Mark Certificate (VMC)?
Think of a VMC as a digital passport for your brand's logo. It's a certificate that proves your organization has the legal right to use the logo you want to display in emails. This verification is what gives mailbox providers the confidence to show your logo next to your messages, assuring recipients that the email is legitimately from you and not a phishing attempt. It's a key part of how BIMI and VMCs work together to enhance email security and brand presence.
Before you can even apply for a VMC, there are some important prerequisites. First and foremost, you must have DMARC configured for your domain with a policy of enforcement. This means your DMARC record must be set to p=quarantine or p=reject. A policy of p=none won't cut it. Second, your logo must be a registered trademark with a recognized intellectual property office. This is non-negotiable and often the longest part of the process for many brands.
This strict validation process is precisely why a VMC is so valuable. It is a verifiable link between your authenticated domain and your legally owned brand mark. While some providers might show a BIMI logo without a VMC, the most prominent players like Google require this certificate to ensure the system remains trustworthy. Without it, you are missing out on the majority of inboxes where you would want your logo to appear.
Who are the BIMI accredited certificate providers?
You can't just go to any SSL certificate vendor and ask for a VMC. The authority to issue these specialized certificates is limited to a small number of providers who have passed a strict accreditation process. The AuthIndicators Working Group, the body behind BIMI, maintains an official list of Mark Verifying Authorities (MVAs) that are permitted to issue VMCs.
Currently, the two primary CAs that have been accredited to issue VMCs are DigiCert and Entrust. These companies are established players in the digital security space and have the infrastructure and processes required to handle the rigorous verification that a VMC demands. You can purchase a VMC directly from them or through one of their many resellers.
The role of these accredited providers is to be the gatekeepers of the BIMI ecosystem's visual trust layer. Their job involves multiple verification steps, such as confirming your organization's identity, validating your control over the domain, and most importantly, verifying that your logo is a registered trademark and that you are the rightful owner. This meticulous process ensures that only legitimate brands can display their logos, preventing bad actors from impersonating trusted companies in the inbox.
Reputation
As the first CA accredited to issue VMCs, DigiCert has a long-standing reputation in the email security community. They have a well-defined process and extensive documentation.
A major global CA with a broad portfolio of security products. Entrust is the other primary provider of VMCs, offering a competitive alternative for businesses.
When deciding between DigiCert and Entrust, or their resellers, you're generally choosing between two highly reputable CAs. For a long time, the choice came down to pricing, existing relationships, or specific reseller bundles. DigiCert, being the first to market, has extensive experience and is often the default choice for many businesses starting their BIMI journey.
Entrust provides a solid alternative, backed by its long history as a Certificate Authority. For organizations that already use Entrust for other security products, it can be a convenient and logical choice to keep certificate management under one roof. Both providers follow the same core set of validation standards mandated by the BIMI Group, so the end product, a valid VMC, is functionally identical.
Important warning about Entrust
Recent developments have made this choice more critical. Google has announced its intent to distrust public TLS certificates from Entrust, and Apple has already taken similar steps. While this primarily affects website SSL/TLS, it has a direct impact on VMCs. For instance, Apple will not trust VMCs issued by Entrust after a certain date. This means if you want your logo to appear in Apple Mail, an Entrust VMC will not work.
Because of these recent events, it is currently advisable to choose DigiCert or a reseller that provides DigiCert VMCs to ensure maximum compatibility across all mailbox providers that support BIMI, especially Apple. This situation is evolving, but for now, DigiCert is the most reliable choice for getting your logo displayed everywhere.
The process of getting a VMC
The path to obtaining a VMC is methodical and requires careful preparation. As mentioned earlier, the first step is achieving DMARC enforcement. This signals to mailbox providers that you have control over your email sending domain and are actively preventing fraudulent use. Without a p=quarantine or p=reject policy, your VMC application will not proceed.
Next is the trademark requirement. Your logo must be an active, registered trademark with an intellectual property office recognized by the VMC issuers. This can be a lengthy and expensive process if you haven't done it already. Once trademarked, you need to create an SVG version of your logo that conforms to the specific BIMI profile, which has strict requirements on file structure and content.
With those prerequisites in place, you can finally apply for your VMC through your chosen provider. This involves a verification process where you'll need to prove your identity and your organization's legitimacy. After issuance, you receive the certificate file, which you host on a public server. The final step is to publish a BIMI DNS record pointing to your SVG logo and your new VMC file.
BIMI DNS record exampledns
default._bimi.yourdomain.com IN TXT "v=BIMI1; l=https://media.yourdomain.com/logo.svg; a=https://media.yourdomain.com/vmc.pem;"
This DNS record tells mailbox providers where to find your logo (l=) and the Verified Mark Certificate (a=) that proves you own it.
Implementing BIMI with a VMC is undoubtedly a significant undertaking, but the payoff is substantial. You are participating in a new global standard for visual email authentication. Choosing the right accredited provider is a key part of that process. Because of the current situation, DigiCert is the most reliable choice for ensuring broad compatibility.
By navigating the requirements and carefully selecting a provider, you can increase customer trust and improve engagement with every email you send. It is a clear signal to your recipients that you take their security seriously.
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
