
The short answer: you need a VMC if you want the strongest BIMI outcome, especially a verified Gmail checkmark and the broadest certificate-backed logo display. You do not need a VMC to publish a BIMI record, and you do not always need one to get some logo display. A CMC is now the main paid alternative for Gmail logo display without a registered trademark, and self-asserted BIMI can still work with some mailbox providers that do not require a certificate.
I would not start by buying the certificate. Start by proving the domain is ready: DMARC must be at enforcement, the logo must be in the right SVG format, and the trademark or common mark evidence must match the logo you want displayed. If DMARC monitoring shows failed authentication across real sending sources, BIMI will be blocked no matter how much the certificate costs.
The hard part for many teams is jurisdiction. A VMC depends on a logo trademark from an intellectual property office accepted by the issuer and by the mailbox providers that trust that issuer. A trademark in Argentina or Uruguay, for example, should be treated as a problem until the issuer confirms acceptance. A trademark in the United States, the European Union, the United Kingdom, Canada, Australia, Germany, Brazil, Japan, India, South Korea, Switzerland, France, Spain, Sweden, Denmark, or New Zealand is more likely to fit current VMC workflows, but the issuer has the final say.
The direct answer
For BIMI with a VMC, the requirements are technical, legal, and operational. Technically, your organizational domain must use DMARC at p=quarantine or p=reject with pct=100. Legally, the logo normally needs to be a registered trademark in an accepted jurisdiction. Operationally, you need issuer validation, a compliant SVG Tiny PS logo, a hosted PEM certificate file, and a BIMI TXT record.
- VMC: Best for brands that have an accepted registered logo trademark and want the Gmail verified checkmark.
- CMC: Best when Gmail logo display matters but the logo is not registered as a trademark.
- Self-asserted BIMI: Best when the budget is zero and limited mailbox provider coverage is acceptable.
- No BIMI: Best when DMARC is not yet stable, because logo work should wait until authentication is clean.
Do not confuse certificate types
A standard TLS certificate, self-signed certificate chain, or ordinary domain validation certificate is not a VMC or CMC. Gmail will not treat it as BIMI evidence. The Let's Encrypt thread is useful because it explains why fully automated free issuance does not map cleanly to logo validation.

Google Workspace Admin BIMI setup requirements with VMC or CMC certificate fields.
Requirements before buying a VMC
The VMC purchase should be the last step in the sequence. I want the domain, DNS, logo file, and reporting pipeline ready first. The BIMI Group describes the core VMC requirements: a registered trademark, an SVG Tiny PS logo, DMARC enforcement, and a BIMI DNS record. The issuer then verifies the organization, logo rights, domain control, and certificate request.
| Item | Requirement | Purpose |
|---|---|---|
| DMARC | Enforced | Blocks spoofing |
| Policy | 100 percent | No partial rollout |
| Logo | SVG Tiny PS | Required format |
| Trademark | Accepted office | VMC validation |
| Hosting | HTTPS | Fetchable files |
Core BIMI and VMC readiness checks
DMARC policy that can qualify for BIMI
```
_dmarc.example.com. 3600 IN TXT (
  "v=DMARC1; p=quarantine; pct=100; "
  "rua=mailto:dmarc-reports@example.com"
)
```
Before changing records, run the domain through a domain health checker and confirm SPF, DKIM, and DMARC are passing for real mail streams. BIMI is sensitive to the actual message path, not only the existence of DNS records.
Trademark jurisdiction and cost realities
The jurisdiction issue is simple in concept and annoying in practice. The VMC issuer needs a trademark it can validate against an accepted intellectual property office. It does not matter that your company is legitimate in its home country if the mark is only registered with an office the issuer does not accept.
For a Latin American company, Brazil is the common regional path I would check first. If the mark is only in Argentina or Uruguay, ask the issuer before spending money. The practical alternatives are filing in a supported jurisdiction, using a CMC where Gmail logo display is enough, or publishing self-asserted BIMI for providers that accept it. For word-only marks, read the word mark requirements before assuming a brand name registration will qualify the logo.
Cost decision bands
Use these rough annual certificate ranges before adding trademark filing, legal work, SVG preparation, and implementation time.
- Self-asserted BIMI: $0. No certificate fee, limited provider reach.
- CMC: $650-$1,100. Lower-cost certificate path, no trademark requirement.
- VMC: $750-$1,700. Trademark-backed certificate path with Gmail checkmark.
In 2026, I would budget about $1,000 per year as the normal VMC expectation, with lower or higher quotes depending on issuer, reseller, term length, and validation work. The certificate fee is only one part of the cost. A new trademark filing can add filing fees, legal review, translations, logo revisions, and months of waiting.
Issuer names to quote
- Current MVAs: Check DigiCert, GlobalSign, and SSL.com for VMC or CMC availability.
- Older notes: Entrust appears in older BIMI material, so confirm current mailbox acceptance before relying on an old quote.
- Price check: Quote more than one issuer because reseller pricing and validation scope change the final cost.
Ask this before paying
- Jurisdiction: Will this exact trademark office be accepted for a VMC?
- Logo match: Does the registered mark match the SVG that will be embedded?
- Mailbox reach: Which major mailbox providers currently accept certificates from this issuer?
- Renewal: What happens if validation evidence changes before renewal?
VMC, CMC, and certificate-free BIMI compared
The main alternatives are concrete. Choose VMC when the verified mark is worth the money. Choose CMC when Gmail logo display matters but the trademark is not ready. Choose self-asserted BIMI when the cost is unjustified and you accept limited support. A deeper CMC versus VMC comparison helps when procurement needs the differences spelled out.
| Path | Trademark | Annual certificate cost | Display | Trade-off |
|---|---|---|---|---|
| VMC | Required | $750-$1,700 | Gmail badge | High friction |
| CMC | Not required | $650-$1,100 | Gmail logo | No badge |
| Self-asserted | Not required | $0 | Limited logo | Sparse support |
| No BIMI | Not needed | $0 | No logo | No benefit |
BIMI implementation paths
VMC path
- Best fit: Recognized brands with registered logo trademarks.
- Benefit: Gmail verified checkmark and strongest certificate signal.
- Risk: Trademark jurisdiction or logo mismatch stalls validation.
CMC or self-asserted path
- Best fit: Small teams, newer brands, and low-volume senders.
- Benefit: Lower cost or no certificate purchase.
- Risk: No Gmail checkmark and less predictable provider support.
The certificate-free option is legitimate, but it is easy to overestimate. Yahoo, Fastmail, and some other BIMI-supporting providers can display self-asserted logos, but Gmail requires a VMC or CMC for BIMI logo display. For more on that narrow path, use BIMI without a VMC as a follow-up.
Implementation steps I would follow
I use this order because it avoids paying for a certificate before the domain can use it. The work is mostly DNS and evidence collection, but the logo file and issuer validation need careful handling.
- Inventory: List every sender using the domain and fix SPF or DKIM failures before enforcing DMARC.
- Enforce: Move the organizational domain to quarantine or reject at full coverage.
- Prepare: Convert the logo to SVG Tiny PS and keep it visually matched to the mark evidence.
- Validate: Ask the issuer to confirm trademark jurisdiction, mark type, mailbox acceptance, and price.
- Publish: Host the SVG or PEM over HTTPS and publish the BIMI TXT record.
- Monitor: Track DMARC failures, BIMI fetch errors, certificate expiry, and policy drift.

BIMI certificate decision path from DMARC enforcement to VMC, CMC, or self-asserted BIMI.
BIMI record without a certificate
```
default._bimi.example.com. 3600 IN TXT (
  "v=BIMI1; "
  "l=https://assets.example.com/bimi.svg; "
  "a="
)
```
BIMI record with a VMC or CMC PEM
```
default._bimi.example.com. 3600 IN TXT (
  "v=BIMI1; "
  "l=; "
  "a=https://assets.example.com/bimi.pem"
)
```
If you need to create the first DMARC record before working toward BIMI, use the DMARC record generator and stage the policy carefully. For BIMI, skip p=none as the final state; it is useful for learning, not for certificate-backed logo display.
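The readiness rule from the steps above, as an added example (not Suped's code or any mailbox provider's logic): it parses the sample DMARC and BIMI records from this page offline and reports which path the DNS currently supports. The function names and return labels are assumptions made for illustration.

```python
import re

def txt_value(rdata: str) -> str:
    """Join the quoted strings of a zone-file TXT rdata into one value."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def parse_tags(value: str) -> dict:
    """Split a 'k=v; k=v' DMARC or BIMI value into a dict keyed by tag name."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags

def dmarc_at_enforcement(value: str) -> bool:
    """True for p=quarantine or p=reject applied to all mail (pct=100)."""
    tags = parse_tags(value)
    if tags.get("v") != "DMARC1":
        return False
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    return tags.get("pct", "100") == "100"  # pct defaults to 100 when absent

def bimi_path(dmarc_rdata: str, bimi_rdata: str) -> str:
    """Return 'blocked', 'invalid', 'no-logo', 'self-asserted' or 'certificate'."""
    if not dmarc_at_enforcement(txt_value(dmarc_rdata)):
        return "blocked"  # fix DMARC before any logo or certificate work
    tags = parse_tags(txt_value(bimi_rdata))
    logo, evidence = tags.get("l", ""), tags.get("a", "")
    if tags.get("v") != "BIMI1":
        return "invalid"
    if any(u and not u.startswith("https://") for u in (logo, evidence)):
        return "invalid"  # the SVG and PEM must be hosted over HTTPS
    if not logo and not evidence:
        return "no-logo"  # record publishes nothing to display
    # DNS alone cannot tell a VMC from a CMC; that is in the PEM itself.
    return "certificate" if evidence else "self-asserted"

# Constructed sample records in the zone-file form used on this page.
DMARC_OK = '( "v=DMARC1; p=quarantine; pct=100; " "rua=mailto:dmarc-reports@example.com" )'
DMARC_PARTIAL = '( "v=DMARC1; p=reject; pct=50" )'
DMARC_NONE = '( "v=DMARC1; p=none" )'
BIMI_SELF = '( "v=BIMI1; " "l=https://assets.example.com/bimi.svg; " "a=" )'
BIMI_CERT = '( "v=BIMI1; " "l=; " "a=https://assets.example.com/bimi.pem" )'

if __name__ == "__main__":
    for d, b in [(DMARC_OK, BIMI_SELF), (DMARC_OK, BIMI_CERT),
                 (DMARC_PARTIAL, BIMI_CERT), (DMARC_NONE, BIMI_SELF)]:
        print(bimi_path(d, b))
```

A "certificate" result only means the record points at a PEM; whether a mailbox provider accepts it still depends on the issuer and the certificate contents.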
Where Suped fits
Suped is our DMARC reporting and email authentication platform, and it is the best overall practical choice for most teams preparing for BIMI because the biggest risk is not the TXT record itself. The risk is buying a certificate before DMARC, SPF, DKIM, sender inventory, and policy enforcement are stable.

Hosted DMARC configuration dialog showing policy controls, CNAME setup, and expanded advanced options
For this workflow, Suped helps with automated issue detection, steps to fix authentication problems, real-time alerts, hosted DMARC, hosted SPF, SPF flattening, hosted MTA-STS, and blocklist (blacklist) monitoring. The MSP and multi-tenant dashboard also matters when an agency needs to move several client domains toward enforcement before discussing BIMI.
The practical sequence is: get reporting clean, stage the policy, verify the sources, then decide between VMC, CMC, and self-asserted BIMI. Suped's Hosted DMARC makes that staging easier when DNS access is slow or split across teams.
Views from the trenches
Best practices
- Confirm the issuing MVA accepts your trademark office before budgeting certificate spend.
- Move DMARC to quarantine or reject at full coverage before changing the BIMI record.
- Treat CMC as a practical bridge when a registered logo trademark is the main blocker.
Common pitfalls
- Assuming a local trademark automatically works for VMC creates expensive validation delays.
- Buying a certificate before fixing DMARC leaves the logo invisible in strict mailboxes.
- Using an ordinary TLS certificate in the BIMI record does not satisfy certificate checks.
Expert tips
- Ask issuers for current mailbox acceptance details before choosing the lowest quoted price.
- Register the logo mark, not only the word mark, if the VMC goal is broad visibility.
- Keep the PEM URL stable and monitor expiration dates; expired certificates break display.
Expert from Email Geeks says self-asserted BIMI can be worth publishing for Yahoo, Fastmail, and La Poste, but it will not satisfy Gmail or iCloud certificate requirements.
2024-07-31 - Email Geeks
Expert from Email Geeks says a VMC depends on an accepted trademark office, so Argentina or Uruguay registrations need issuer confirmation before purchase.
2024-08-01 - Email Geeks
Practical decision
If the brand has a registered logo trademark in an accepted jurisdiction and sends enough mail for inbox branding to matter, buy a VMC after DMARC is enforced. If the trademark is missing or stuck in an unsupported jurisdiction, price a CMC and check whether Gmail logo display without the checkmark is enough. If certificate spend is hard to justify, publish self-asserted BIMI and treat it as a limited branding improvement.
For Argentina or Uruguay specifically, I would not assume a VMC will be issued from those registrations alone. I would ask current MVAs for a written answer, then compare that answer with the cost and timeline of filing in a supported jurisdiction such as Brazil, the United States, the European Union, the United Kingdom, Canada, Germany, Australia, Japan, India, or South Korea.
The cost question then becomes business math, not only email authentication. If the certificate costs $1,000 per year and the list is small, it is hard to defend. If the brand sends high-volume customer mail and the trademark path is clean, VMC is the cleanest route. Either way, do the DMARC work first.

