What is the cost of VMC certificates and are there cheaper alternatives?
Published 29 Jul 2025
Updated 21 Jun 2026
10 min read
Summarize with
Updated on 23 Jun 2026: We updated this guide for current VMC and CMC pricing, RFC 9989 DMARC syntax, and clearer CMC decision guidance.
A VMC certificate normally costs about $1,350 to $1,500+ per year per certificate in current direct public pricing. DigiCert lists its Mark Certificate subscription at $1,416 per year, and Sectigo lists VMC pricing from $1,350 per year. The cheaper certificate alternative is a CMC, which Sectigo lists from $990 per year. Some partner and reseller quotes advertise lower annual prices, so compare the certificate term, validation help, logo hosting, and renewal support before treating a quote as cheaper.
The direct answer is that there is no legitimate free VMC. There is also no dependable free CMC path today, because both VMC and CMC issuance require manual identity and logo validation. Cheaper paths exist, but each one changes the outcome: use a CMC, publish BIMI without a certificate for mailbox providers that accept it, delay the certificate until DMARC enforcement is stable, or skip BIMI until the logo benefit has a clear business case.
- Typical VMC price: Budget roughly $1,350 to $1,500+ per year for one logo and one base domain.
- Cheaper certificate: A CMC is the practical lower-cost option when a registered trademark is not ready.
- Lower quotes: Partner and reseller prices can be lower than direct CA pages, but the included setup work varies.
- Cheapest path: BIMI without a certificate costs less, but it will not satisfy every major mailbox provider.
- Biggest hidden cost: Getting to DMARC enforcement without blocking legitimate mail usually costs more than the certificate.
The short answer on VMC cost
Treat VMC pricing as an annual operating cost, not a one-off setup fee. You pay for the certificate, the validation work, and the renewal cycle. You also need the technical setup around it: DMARC at enforcement, working SPF and DKIM, a compliant BIMI SVG, and a BIMI DNS record that points to the logo and certificate.
As of June 2026, current direct pricing puts the certificate itself in a fairly narrow band. DigiCert Mark Certificates show a 12-month subscription price of $1,416. Sectigo lists VMC pricing from $1,350 per year and CMC pricing from $990 per year. For a broader explanation of the difference, Sectigo's CMC and VMC differences page is useful because it separates trademark validation from the rest of the BIMI work. Prices can change, so use them as planning anchors rather than renewal guarantees.
|
|
|
|
|---|---|---|---|
VMC | $1,350+ | Verified logo | Trademark needed |
CMC | $990+ | Logo display | Less assurance |
BIMI only | $0 cert | DNS logo record | Limited display |
No BIMI | $0 cert | No logo work | No BIMI mark |
Public pricing examples in USD, checked in June 2026.
Public annual price examples
Approximate direct public list prices and lower-cost paths in June 2026.
DigiCert Mark Certificate
1,416 USD/yearSectigo VMC
1,350 USD/yearSectigo CMC
990 USD/yearBIMI without certificate
0 USD/yearWhy VMC pricing stays high
The price is high because a VMC is not a normal domain-validated certificate. The certificate authority has to validate the organization, domain control, logo ownership, trademark registration, and the person requesting the certificate. That is closer to extended validation work than to automated web TLS issuance. That manual logo evaluation is also why VMC and CMC issuance has not become a free, fully automated process.
The market is also small. VMC buyers are usually brands that already send enough email for inbox identity to matter. That keeps prices closer to other manual validation products than to low-cost web certificates.
What a VMC validates
- Trademark: The logo must match a registered mark or accepted government mark.
- Organization: The legal entity must pass business identity checks.
- Requester: The person requesting the certificate has to be validated.
- Domain: The domain must pass control and email authentication checks.
What a CMC changes
- Trademark: A registered trademark is not required.
- Logo history: The logo usually needs public use history.
- Cost: The price is lower because trademark validation is removed.
- Signal: The inbox result is not the same as a trademark-backed VMC.
The certificate is rarely the only cost
The certificate line item is visible, but the bigger work is often DMARC enforcement. If a domain has years of marketing, product, support, billing, and sales senders, budget time for sender discovery, SPF cleanup, DKIM fixes, monitoring, and a controlled move to p=reject.
Cheaper alternatives that actually exist
There are four real alternatives to paying full VMC pricing. None of them is a perfect substitute, so the right choice depends on whether you need the Gmail verified checkmark, whether your logo is trademarked, and whether the domain is already at DMARC enforcement.
For free VMC searches, the answer is no. Manual validation is the limiting factor: the issuer still has to validate the organization, requester, domain control, logo evidence, and certificate request. For logo display without a VMC, the answer is sometimes, and the limits are covered in this BIMI without VMC explainer.
DigiCert Mark Certificates pricing screen for VMC and CMC options.
|
|
|
|
|---|---|---|---|
CMC | Yes | No trademark | Lower signal |
BIMI only | Yes | Testing | Patchy support |
Wait | For now | Low volume | No mark |
DMARC first | Yes | Unready domains | Delayed BIMI |
Use this to choose the cheapest path that still meets the inbox outcome you need.
CMC is the best cheaper certificate option
If you do not have a registered trademark, CMC is the clearest lower-cost path. It still requires validation, DMARC enforcement, and a BIMI-ready logo, but it removes the trademark requirement. A Prior Use Mark CMC usually needs at least 12 months of public logo use. For a deeper side-by-side treatment, use this VMC versus CMC guide.
When auditing an existing BIMI setup, use the BIMI TXT record only to find the certificate URL in a=. The reliable VMC vs CMC signal is the certificate's subject:markType field. Registered Mark and Government Mark identify VMC, while Prior Use Mark and Modified Registered Mark identify CMC. If a= is blank or missing, the setup is self-asserted BIMI rather than VMC or CMC.
What to fix before buying
Do not buy a VMC or CMC until the domain can hold a DMARC policy of p=quarantine or p=reject in full enforcement. For new records, do not use the old pct staging tag; RFC 9989 removed it. BIMI eligibility depends on an enforced policy, working SPF or DKIM, and a record that receivers can evaluate consistently. If DMARC is still at p=none, spend the money on authentication cleanup first.
Suped's DMARC monitoring is built for that pre-VMC phase: collect aggregate reports, find every sender, identify SPF and DKIM failures, and move policy in stages. For teams that need CNAME-based policy control, Suped's hosted DMARC workflow helps make policy changes without repeated DNS edits.
Suped DMARC dashboard showing email volume, authentication health, and source breakdown
Example DMARC record ready for BIMIDNS
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s
That record is only an example. The right policy depends on what your reports show. Before you move to enforcement, use a DMARC checker to validate syntax, then send real email and confirm passing authentication at the mailbox level.
DMARC checker
Look up a domain's DMARC record and catch policy issues.
?/7tests passed
Once DMARC is enforced, the BIMI record points to the SVG logo and, for VMC or CMC use, the certificate file. Keep the DNS record short and clear, and host both files on reliable HTTPS endpoints.
Example BIMI record with certificateDNS
v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem
How to choose without wasting money
Do not make this decision by asking whether $1,350 is expensive in isolation. The better question is whether a verified inbox logo is worth the annual certificate cost plus the work needed to keep the domain eligible.
For a brand that sends high-volume customer email, has a registered trademark, and already runs DMARC at enforcement, a VMC is usually a clean purchase. For a smaller sender still discovering mail sources, waiting keeps that budget available for authentication first. You can check the wider domain health before buying the certificate.
When a VMC makes financial sense
Use these practical thresholds before committing to an annual certificate renewal.
Not ready
p=none
DMARC is monitoring only, senders are still unknown, or DKIM gaps remain.
Almost ready
p=quarantine
Most mail passes authentication and policy is moving through quarantine.
Ready
p=reject
Policy is enforced, reports are monitored, and the logo file is BIMI compliant.
VMC buying decision flow for DMARC readiness, trademark status, and CMC alternatives.
The practical order of operations
- Enforce DMARC: Reach quarantine or reject without blocking real mail.
- Fix the logo: Prepare a square SVG Tiny 1.2 profile logo under the size limit.
- Pick certificate: Use VMC for a registered mark, or CMC when the logo lacks registration.
- Monitor renewal: Track expiry, DNS changes, and authentication drift after launch.
Suped supports the part that makes VMC possible: getting to enforcement, spotting authentication issues, monitoring policy, and keeping sending sources clean after launch. Suped's product also brings SPF, DKIM, DMARC, hosted SPF, hosted MTA-STS, blocklist monitoring (blacklist monitoring), alerts, and multi-tenant reporting into one platform, which matters when the certificate is only one part of the workflow.
Views from the trenches
Best practices
Confirm DMARC enforcement before pricing a VMC, because certificates will not fix policy gaps.
Budget for certificate renewal, trademark work, SVG cleanup, and DMARC monitoring.
Test BIMI with real messages after DNS changes, because inbox support varies by provider.
Common pitfalls
Buying a VMC before enforcement creates a certificate that cannot deliver value yet.
Treating CMC as a free path causes surprises because validation and renewals still apply.
Ignoring certificate expiry removes the logo and checkmark even when DNS still looks valid.
Expert tips
Use CMC when the logo has public history but the registered trademark is not ready yet.
Keep the BIMI SVG tiny, square, script-free, and hosted over reliable HTTPS before review.
Review aggregate DMARC reports weekly after enforcement so new senders do not break quietly.
Marketer from Email Geeks says VMC pricing feels high, but the certificate is one line item once DMARC enforcement, legal review, and logo validation are included.
2021-07-13 - Email Geeks
Marketer from Email Geeks says certificate prices tend to stay in a narrow band because validation is manual and the buyer pool is low volume.
2021-07-13 - Email Geeks
The practical buying decision
A VMC costs enough that it should only be bought when the brand has a clear reason to display a verified logo in supported inboxes and the domain is already technically eligible. If DMARC enforcement is not finished, the cheaper and smarter move is to finish DMARC first.
If the logo is not trademarked, choose CMC or wait for the trademark instead of forcing a VMC path. If the brand has a registered mark, sends meaningful email volume, and cares about Gmail's verified mark, the annual VMC fee is easier to justify.
The cheapest useful plan is usually this: monitor DMARC, fix every sender, move to quarantine or reject, prepare the SVG, test BIMI, then buy the certificate that matches the logo's legal status. That sequence avoids paying for a certificate before the domain can use it.
