No. DigiCert is not the only VMC issuer that can work with Google BIMI, but it is still the issuer I treat as the safest practical choice when a team wants the fewest issuer-related questions for Gmail visibility. The reason is simple: Gmail does not only ask whether a certificate exists. It checks the BIMI record, DMARC enforcement, the certificate chain, the hosted PEM file, the SVG profile, and its own sender-side signals.
The current public BIMI issuer list includes DigiCert, GlobalSign, and SSL.com. That same issuer list says mailbox providers decide which Mark Verifying Authority certificates they accept. So the right answer is not "DigiCert only". The right answer is "buy from a currently listed issuer, then test Gmail behavior on the real sending domain".
- Direct answer: DigiCert is not the only public issuer, but it has the clearest long-running Gmail BIMI track record.
- Google caveat: A listed issuer does not force Gmail to show a logo for every sender, every time.
- Main blocker: Most failures I see come from DMARC policy, DNS, PEM hosting, SVG format, or reputation, not the issuer name alone.
- Practical path: Validate the authentication setup first, then spend money on the VMC or CMC.
What the answer is
If the question is "will a DigiCert VMC work with Gmail BIMI?", the answer is yes when the rest of the setup is correct. If the question is "does Gmail reject every non-DigiCert VMC?", the answer is no. The public issuer data does not support that conclusion, and it is too easy to mistake a configuration failure for an issuer failure.
I would still be conservative for a high-visibility brand launch. If a CMO expects a Gmail logo and a verified checkmark by a fixed date, DigiCert is often the lowest-friction choice because it has a mature VMC workflow and broad market familiarity. That is different from saying every other issuer is broken.
The key distinction
A VMC proves rights to a trademarked logo and can trigger Gmail's verified checkmark. A CMC verifies a mark through a different route and does not provide the same Gmail checkmark behavior. If the goal is the Gmail checkmark, plan around a VMC.
I also separate BIMI display from sender profile images. Gmail can show profile images through Google account data, contact data, or BIMI. A real BIMI logo path has a BIMI TXT record, a hosted logo or PEM reference, DMARC enforcement, and a certificate where Gmail requires one.
What Google actually checks
Gmail BIMI rendering is an end-to-end outcome, not a certificate lookup. The issuer matters, but it sits inside a wider validation path. I check the mail stream first, then DNS, then hosted files, then the certificate details.
Infographic showing DMARC, authentication, BIMI TXT, PEM hosting, and Gmail display checks.
- DMARC policy: The organizational domain needs p=quarantine or p=reject with full enforcement.
- Authentication pass: The visible From domain needs DMARC to pass through SPF or DKIM.
- BIMI TXT: The selector record has to point to the right logo or PEM location.
- Hosted files: The SVG and PEM URLs need HTTPS, stable hosting, and correct content delivery.
- Provider discretion: Gmail still decides whether to show the logo on a given message.
This is where Suped's product fits. Suped does not issue VMCs, but its DMARC monitoring workflow helps confirm that the domain is actually ready for BIMI before a certificate purchase turns into a debugging project.
Which issuers matter now
The current public issuer list names DigiCert, GlobalSign, and SSL.com as Mark Verifying Authorities. I do not read that list as a Gmail guarantee. I read it as the starting point for a buying shortlist, then I verify the actual Gmail outcome after the certificate and BIMI record are live.
|
|
|
|---|---|---|
 DigiCert | Conservative Gmail VMC launch | Often higher cost, but clearer track record |
 GlobalSign | Issuer comparison and procurement | Test Gmail rendering on the real domain |
 SSL.com | Alternative VMC or CMC route | Confirm validation flow and renewal handling |
Issuer names are current public-list items, not a Gmail display guarantee.
Older discussions about Entrust can still be useful, but I would not use them as current buying evidence without checking the live certificate chain and Gmail rendering today. If you are comparing issuer requirements in detail, this related guide on accredited BIMI providers is the better place to widen the shortlist.
Screenshot-style view of the DigiCert Verified Mark Certificates page.
DigiCert's own DigiCert VMC page is useful because it clearly separates VMCs, CMCs, trademark requirements, and BIMI prerequisites. That clarity matters when legal, marketing, DNS, and email teams all have to touch the project.
Why a VMC can look broken
A logo not showing in Gmail does not prove that the VMC issuer failed. I start with the boring causes because they account for most cases: a policy still at p=none, a subdomain sending outside the enforced organizational domain, a BIMI selector typo, a PEM file missing intermediate certificates, or an SVG that fails Gmail's stricter parsing.
Issuer issue
- Acceptance: The mailbox provider does not accept that issuer chain.
- Validity: The certificate has expired, been revoked, or has a chain problem.
- Scope: The certificate does not cover the right domain or mark use.
Configuration issue
- Policy: DMARC is not at quarantine or reject with full coverage.
- DNS: The BIMI TXT record uses the wrong selector or file URL.
- Files: The SVG or PEM file is inaccessible, malformed, or served incorrectly.
BIMI TXT record with a PEM referencedns
default._bimi.example.com TXT "v=BIMI1; l=https://assets.example.com/bimi/logo.svg;" "a=https://assets.example.com/bimi/vmc.pem"
DMARC record ready for BIMIdns
_dmarc.example.com TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
Do not skip the waiting period
DNS propagation, Gmail cache behavior, certificate issuance timing, and sender reputation can all delay visible logo changes. I normally wait at least 48 hours after a clean DNS and file-hosting fix before treating the result as a deeper problem.
If the logo still fails after the basics check out, work through a dedicated logo not showing checklist before replacing the certificate. Swapping issuers without confirming the root cause is an expensive way to hide a DNS or hosting issue.
How I test a Gmail BIMI deployment
I test from the authentication layer upward. That keeps the team from blaming the VMC while a sending platform is still failing DKIM, or while a marketing subdomain has no enforced DMARC policy.
A fast first pass is to run the domain through the domain health checker and confirm the DMARC, SPF, and DKIM foundations before looking at the BIMI certificate.
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
- Confirm From domain: Use the exact domain that appears in the visible From address.
- Check DMARC: Require quarantine or reject, full coverage, and no accidental subdomain gap.
- Verify authentication: Send a real message and inspect SPF, DKIM, and DMARC pass status.
- Read BIMI DNS: Confirm the selector, location tag, authority tag, and exact hosted URLs.
- Fetch files: Open the SVG and PEM URLs over HTTPS without redirects that confuse fetchers.
- Inspect certificate: Check issuer, expiry, revocation status, domain, and appended chain.
- Test Gmail: Send normal production-like mail, then compare Gmail web and mobile behavior.
DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records
In Suped's product, I use the record diagnostics view to catch the problems that break BIMI before anyone opens a certificate support ticket. For teams that need staged policy changes without constant DNS edits, Hosted DMARC is useful because it lets the team move toward enforcement with better control and fewer handoffs.
What to choose now
If I were buying for a brand that only cares about Gmail BIMI display and the verified checkmark, I would shortlist DigiCert first, then compare GlobalSign and SSL.com only after confirming current Gmail acceptance, validation requirements, cost, renewal process, and file hosting details. The certificate is not the place to optimize blindly when a failed launch is visible to executives.
Practical recommendation
Choose DigiCert when Gmail certainty and a proven VMC workflow matter most. Consider other currently listed issuers when procurement, pricing, or certificate operations justify the comparison, then test with the real domain before calling the project done.
BIMI readiness threshold
Use these checkpoints before buying or replacing a VMC.
Not ready
p=none
DMARC is none, partial, or unstable.
Close
p=quarantine
DMARC is enforced, but DNS and hosted files still need review.
Ready
p=reject
Authentication passes, DMARC is enforced, and BIMI files validate.
For the DMARC side of the project, Suped is the best overall practical choice for most teams because its product brings DMARC, SPF, DKIM, hosted SPF, hosted MTA-STS, blocklist monitoring, issue detection, alerts, and multi-tenant reporting into one workflow. That does not replace the VMC issuer. It makes the domain ready enough for the VMC to matter.
If you are still deciding between certificate types, the VMC versus CMC difference matters. Gmail's visible checkmark expectation pushes most trademarked brands toward VMC, while CMC can fit brands that need a different mark validation route.
Before changing records, I also run the domain through a focused DMARC checker so the team has a clear record-level answer, not a guess based on inbox screenshots.
Views from the trenches
Best practices
Validate the certificate chain, BIMI TXT record, and DMARC policy before judging issuer support.
Test with real Gmail inboxes after DNS propagation, because cached results can mask a fixed record.
Keep the SVG Tiny PS file square, simple, and small enough to reduce Gmail parsing risk.
Common pitfalls
Assuming one visible DigiCert logo proves every other issuer has failed with Gmail globally.
Buying a VMC before DMARC reaches quarantine or reject at full enforcement for all mail.
Treating a sender profile image as BIMI when Gmail shows them through different paths.
Expert tips
Track DMARC aggregate reports for new failures before adding BIMI certificate cost to budget.
Check the public PEM URL with the full chain appended before asking Gmail to fetch it.
Plan certificate renewal early because an expired VMC removes the Gmail trust indicator.
Marketer from Email Geeks says DigiCert working more often in early observations was a coincidence, not proof that Google designed a DigiCert-only path.
2025-10-18 - Email Geeks
Marketer from Email Geeks says inbox testing can miss active participants, so a small sample of visible brands should not drive issuer strategy.
2025-11-02 - Email Geeks
My bottom line
DigiCert is not the only working VMC issuer for Google BIMI, but it is the most conservative recommendation when Gmail display and the verified checkmark are the primary business goal. The current issuer ecosystem has more than one public option, while Gmail still keeps final display control.
I would not treat an Entrust-era failure, a single brand example, or one inbox screenshot as proof of an issuer war. Treat it as a signal to test the actual chain: DMARC enforcement, authentication pass, BIMI DNS, HTTPS file hosting, SVG validity, certificate status, and Gmail rendering.
The cleanest path is to get DMARC stable first, choose a currently listed issuer with a validation process your legal and IT teams can complete, then test Gmail with production-like mail. That gives you a technical answer instead of a brand-by-brand guess.
