VMC vs CMC: How to tell which BIMI certificate a domain is using
Michael Ko
Co-founder & CEO, Suped
Published 20 Jul 2025
Updated 20 Jul 2025
6 min read
In the world of email marketing and deliverability, visual trust indicators are becoming increasingly important. One of the most significant advancements in this area is Brand Indicators for Message Identification, or BIMI. BIMI allows brands to display their official logo next to their messages in the recipient's inbox, providing immediate brand recognition and a layer of trust. It is a powerful tool that leverages the DMARC email authentication standard to prevent spoofing and build confidence.
To implement BIMI, you need a special digital certificate to verify your logo. There are two types of certificates you can use: a Verified Mark Certificate (VMC) and a Common Mark Certificate (CMC). While both help get your logo into the inbox, they indicate different levels of verification and accessibility. A common question is how to tell which one a company is using. Let us examine the process.
Understanding VMC and CMC
A Verified Mark Certificate (VMC) is the original, high-assurance certificate for BIMI. The key requirement for obtaining a VMC is that your logo must be a registered trademark with a recognized intellectual property office. This process involves a rigorous verification check by a Certificate Authority (CA) to confirm that you are the legitimate owner of the trademark. Because of this strict validation, a VMC is considered the highest level of validation and enables the blue checkmark next to your logo in providers like Gmail.
A Common Mark Certificate (CMC) is a newer, more accessible alternative. Recognizing that the trademark requirement was a significant barrier for many businesses, the industry introduced the CMC. This certificate does not require a registered trademark. Instead, the validation process is simpler, often verifying your organization's identity and control over the domain. While a CMC allows you to display your logo via BIMI, it typically does not grant you the blue verified checkmark. It increased BIMI accessibility for more brands.
Trademark Required: Yes, the logo must be a registered trademark.
Validation
Rigorous verification of trademark ownership and organization identity.
Visual trust signal
Displays logo and often a blue verified checkmark in supported clients like Gmail.
Cost
Generally higher, often starting around $1,500 per year plus trademark registration costs.
Requirement
Trademark Not Required: No trademark is needed for the logo.
Validation
Simpler validation of organization identity and domain control.
Visual trust signal
Displays the logo but typically without any additional verified mark.
Cost
Generally lower, making BIMI more accessible to smaller businesses.
Why the distinction matters
The primary difference lies in the level of trust conveyed. A VMC provides a much stronger signal to mailbox providers and users because the logo has been legally trademarked and verified. This is why Google rewards it with a visible checkmark, similar to verified accounts on social media. It tells the world that not only is the email authenticated via DMARC, but the brand identity itself has been validated to a high standard.
The introduction of the CMC increased accessibility. The process of registering a trademark can be long, expensive, and is not always feasible for every business. CMCs allow a much wider range of organizations to enhance their email presence with a logo. It prioritizes brand recognition for all, even if it comes with a slightly lower tier of identity verification.
For a sender, the choice between them depends on your goals and budget. If you have a trademarked logo and want the highest level of trust and the visual benefits that come with it, a VMC is the way to go. If you do not have a trademark or are looking for a more straightforward path to displaying your logo, a CMC is an excellent and effective option.
How to technically identify the certificate type
So, how can you check what a specific company is using? You cannot just tell by looking at the logo in your inbox (unless you see the blue checkmark in Gmail, which is a strong hint for a VMC). You need to dig into their DNS records and inspect the certificate itself. It is a two-step process.
First, you need to find the domain's BIMI record. This is a TXT record located at default._bimi.yourdomain.com. You can use a command line tool like dig to look it up.
Check BIMI Recordbash
dig default._bimi.google.com TXT
This command queries the DNS for the BIMI TXT record for google.com.
The result will contain a URL in the a= tag, which points to the certificate file (usually ending in .pem). This is the certificate you need to inspect. Once you have this URL, you can download the certificate and use a tool like OpenSSL to read its contents and find the distinguishing field.
Finding the OID
The key is to look for a specific Object Identifier (OID) within the certificate's extensions. VMCs are required to include a trademark extension. While CMCs follow the same base BIMI structure, they will lack this specific trademark OID. One of the fields in the cert identifies it as such.
The command
You can inspect the certificate using the following OpenSSL command:
This command prints the contents of the certificate file in human-readable text.
In the output, you are looking for an X.509v3 extension related to BIMI. If it is a VMC, you will find an entry that explicitly references a trademark. If that specific identifier is missing, but the certificate is otherwise valid for BIMI, you can conclude it is a CMC. It is a technical distinction, but it is the definitive way to tell the two apart.
Ultimately, the distinction between a VMC and a CMC reflects the evolving nature of email identity. What started as a high-bar, trademark-only system has adapted to become more inclusive. Both certificate types contribute to a safer email ecosystem. The VMC offers unparalleled trust, while the CMC provides broad accessibility.
Knowing how to check the certificate type is a useful skill in the email deliverability space. It allows you to understand the level of investment and verification a brand has put into its BIMI implementation. Whether it is the premium trust of a VMC or the accessible branding of a CMC, seeing a logo in your inbox is a clear sign that the sender takes authentication seriously.
Frequently asked questions
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
Gmail.
Spamhaus
0Spam
Cisco
NoSolicitado
URIBL
abuse.ro
ALPHANET
Anonmails
Ascams
BLOCKEDSERVERS
Calivent Networks
EFnet
JustSpam
Kempt.net
NordSpam
RV-SOFT Technology
Scientific Spam
Spamikaze
SpamRATS
SPFBL
Suomispam
System 5 Hosting
Team Cymru
Validity
www.blocklist.de Fail2Ban-Reporting Service
ZapBL
2stepback.dk
Fayntic Services
ORB UK
technoirc.org
TechTheft
