Verified Mark Certificate (VMC) for BIMI: Tutorial & Examples

A Verified Mark Certificate (VMC) for BIMI is a digital certificate that authenticates your trademarked logo for use in email communications.

Technically, it’s a specialized X.509 certificate issued by authorized Certificate Authorities that cryptographically binds your organization’s legally trademarked logo to your domain. VMCs enable your brand logo to appear in the avatar slot of email clients that support BIMI (Brand Indicators for Message Identification), most notably Gmail and Yahoo Mail.

This boosts brand visibility, trust, and email engagement.

BIMI (Brand Indicators for Message Identification) is an email specification that allows email senders to display branded logos along with emails.

The VMC certifies you to use your logo with BIMI. However, to acquire a VMC you must pay a registration authority and undergo a verification process to demonstrate your identity and legitimate ownership of the branded logo.

Unlike self-asserted BIMI implementations (which work with some providers but not others), VMCs require rigorous validation of both your organization’s identity and trademark ownership. That’s why they’re the gold standard for displaying your brand in recipients’ inboxes while simultaneously protecting against email impersonation attacks.

In this article, we will teach you:

• Why BIMI is worth setting up
• How Verified Mark Certificates work in the context of BIMI
• How to acquire a Verified Mark Certificate
• How to make sure your BIMI setup is working

What is a Verified Mark Certificate (VMC)?

A Verified Mark Certificate (VMC) is a digital certificate that validates your organization’s trademarked logo for display in email inboxes alongside your messages.

A VMC is what makes BIMI so valuable for anti-phishing. A VMC is issued by an authority that makes sure you are not impersonating someone else’s brand. To issue a VMC, there are strict requirements. For example, the requirements may include the following:

“In order to  get a VMC, organizations must go through a series of validation procedures  similar to  getting an EV SSL certificate. During the process, an individual’s identity validation is required as well as face-to-face confirmation by a notary, lawyer or via a video call directly with a member of DigiCert’s validation team. 

For example, DigiCert’s validation team will also have a video call with the applicant where they hold their ID in front of the camera. Finally, DigiCert must also validate   that your logo is  officially and legally  trademarked  and formatted correctly. ”

The annual price from DigiCert is $1,499 USD, which discourages low-level bad actors from spamming many different fraudulent applications, hoping to get one through on a fluke.

Technically, some mail providers don’t require VMC for BIMI. For example, Yahoo:

“We currently do not require VMCs to be set up for BIMI logos to appear in Yahoo applications. However if a BIMI record includes a VMC, we will use it to inform the overall BIMI eligibility.”

– Yahoo’s BIMI requirements

Nevertheless, we highly recommend you acquire a VMC if you want to set up BIMI. Most providers require it, and even Yahoo notes it’s a plus.

How to set up a Verified Mark Certificate

Email security is already an acronym soup of different protocols: DMARC, SPF, DKIM, MTA-STS, etc. BIMI builds on top of the rich ecosystem of email security protocols, and you must set up a strong DMARC policy before using BIMI.

Specifically, your DMARC policy must be set to either quarantine or reject. It cannot be none.

For more information on setting up a strong DMARC policy, check out our Email Security Best Practices guide.

How to get a VMC

To get a VMC, you must purchase it from an authorized provider. Currently, only two organizations offer VMC’s: DigiCert and Entrust. For our example, we’ll use a VMC from DigiCert, but the process is nearly identical either way.

First, you’ll have to pay for a VMC. You can do this on GoGetSSL.

Before you can receive your VMC, you must go through the verification process. According to DigiCert’s VMC FAQ,  the verification process includes the following steps:

1. Face-to-face confirmation by a notary, lawyer, or via a video call directly with a member of the validation team.
2. The validation team will also have a video call with the applicant where they hold their ID in front of the camera.
3. Finally, they must also validate that your logo is officially and legally trademarked and formatted correctly. 

After completing the process, you will receive a .pem file containing your VMC. If you read the file, it should look similar to this:

$ cat bimi_vmc.pem

-----BEGIN CERTIFICATE-----
MIILZTCCCU2gAwIBAgIQDZOioApcXGnRJP7rbVT4lTANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNzA1BgNVBAMT
LkRpZ2lDZXJ0IFZlcmlmaWVkIE1hcmsgUlNBNDA5NiBTSEEyNTYgMjAyMSBDQTEw
[...]
-----END CERTIFICATE-----

Congratulations, you have a VMC! Next, you’ll need to deploy it.

How to deploy a VMC

To deploy your BMC, you must do two things:

1. Host the VMC’s .pem file on the web
2. Point your BIMI record to the URL containing the .pem file.

You can host the VMC file anywhere on the web. You should use a domain and server you control for security. Finally, note that the file must be accessible via HTTPS (not plaintext HTTP). The given path and subdomain are not important – you will use your BIMI record to point to whatever URL you choose to host the VMC file. 

Your BIMI record should then use the “a” attribute to point to the URL where you host the VMC file. It should be a TXT record on the default._bimi subdomain look something like this:

v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;

You can learn more about how to set up a BIMI record by reading the pertinent chapter of this guide: BIMI Record. 

Verifying BIMI works

Once you have BIMI setup, it’s time to ensure it works as expected. Valimai’s web-based BIMI validation tool is the easiest way to do this.

The tool does more than just pass or fail you. It will tell you which specific criteria you passed or failed. Additionally, it will show your BIMI record and logo, so you can easily ensure that everything looks as you expect it to.

Take the first step to better protection

BIMI is an exciting new addition to the world of email marketing and security. Deploying BIMI requires a Verified Mark Certificate, which you can purchase from certain authorized sources. Although this may seem inconvenient, it’s a key feature that allows authorities to ensure that BIMI logos are authentic.

A VMC costs around $1,499 USD (depending on where you buy it). For this price tag, you acquire an essential ingredient for BIMI. Recipient mailboxes use the VMC to infer that you, the sender, are authorized to use the branded logo in emails. This makes it harder for spammers to abuse BIMI to impersonate other companies’ brands.