Verified Mark Certificate: Tutorial & Examples

BIMI (Brand Indicators for Message Identification) is an email specification that allows email senders to display branded logos along with emails.

The presence of the logo helps recipients trust that the email really comes from your brand, among other benefits. However, BIMI has a mechanism in place to discourage impersonators from using logos that they don’t legitimately own. Specifically, BIMI relies on the Verified Mark Certificate (VMC) to accomplish this.

The VMC certifies you to use your logo with BIMI. However, to acquire a VMC you must pay a registration authority and undergo a verification process to demonstrate your identity and legitimate ownership of the branded logo.

In this article, we will teach you:

  • Why BIMI is worth setting up
  • How Verified Mark Certificates work in the context of BIMI
  • How to acquire a Verified Mark Certificate
  • How to make sure your BIMI setup is working

Benefits of BIMI

A VMC is only worth acquiring because of the value provided by BIMI. Let’s briefly overview how BIMI benefits brands.

Benefit | Description
Mitigate phishing | Recipients are less likely to trust mail impersonating you that lacks the BIMI logo that usually accompanies your marketing content.
Building brand trust | Recipients feel safer opening your content because it’s less likely to be a phishing attempt.
Increase open rates | By drawing more attention and leveraging increased trust, you can attract more recipients to open your email and outcompete other content in their inbox.
Messages stand out | Displaying a logo next to your message in recipients’ inboxes makes your emails more noticeable.

Understanding VMC

Anyone with DMARC configured can set up BIMI by implementing some simple DNS changes and serving an icon over the web. 

A Verified Mark Certificate (VMC) is what makes BIMI so valuable for anti-phishing. A VMC is issued by an authority that makes sure you are not impersonating someone else’s brand. To issue a VMC, there are strict requirements. For example, the requirements may include the following:

“In order to get a VMC, organizations must go through a series of validation procedures similar to getting an EV SSL certificate. During the process, an individual’s identity validation is required as well as face-to-face confirmation by a notary, lawyer or via a video call directly with a member of DigiCert’s validation team.

DigiCert’s validation team will also have a video call with the applicant where they hold their ID in front of the camera. Finally, DigiCert must also validate that your logo is officially and legally trademarked and formatted correctly.”

Source: How do I get a Verified Mark Certificate (VMC)?

The annual price from DigiCert is $1,499 USD, which discourages low-level bad actors from spamming many different fraudulent applications, hoping to get one through on a fluke.

Some mail providers will not display the logo if you try to set up BIMI without VMC.

Technically, some mail providers don’t require VMC for BIMI. For example, Yahoo:

“We currently do not require VMCs to be set up for BIMI logos to appear in Yahoo applications. However if a BIMI record includes a VMC, we will use it to inform the overall BIMI eligibility.”

Yahoo’s BIMI requirements

Nevertheless, we highly recommend you acquire a VMC if you want to set up BIMI. Most providers require it, and even Yahoo notes it’s a plus.

How to set up a Verified Mark Certificate

Email security is already an acronym soup of different protocols: DMARC, SPF, DKIM, MTA-STS, etc. BIMI builds on top of the rich ecosystem of email security protocols, and you must set up a strong DMARC policy before using BIMI.

Specifically, your DMARC policy must be set to either quarantine or reject. It cannot be none.

For more information on setting up a strong DMARC policy, check out our Email Security Best Practices guide.

Acquiring a VMC

To get a VMC, you must purchase it from an authorized provider. Currently, only two organizations offer VMCs: DigiCert and Entrust. For our example, we’ll use a VMC from DigiCert, but the process is nearly identical either way. First, you’ll have to pay for a VMC. You can do this on GoGetSSL.

DigiCert charges $1,499 for a VMC via their market.

Before you can receive your VMC, you must go through the verification process. According to DigiCert’s VMC FAQ, the verification process includes the following steps:

  1. Face-to-face confirmation by a notary, lawyer, or via a video call directly with a member of the validation team.
  2. The validation team will also have a video call with the applicant where they hold their ID in front of the camera.
  3. Finally, they must also validate that your logo is officially and legally trademarked and formatted correctly. 

After completing the process, you will receive a .pem file containing your VMC. If you read the file, it should look similar to this:

$ cat bimi_vmc.pem

-----BEGIN CERTIFICATE-----
MIILZTCCCU2gAwIBAgIQDZOioApcXGnRJP7rbVT4lTANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNzA1BgNVBAMT
LkRpZ2lDZXJ0IFZlcmlmaWVkIE1hcmsgUlNBNDA5NiBTSEEyNTYgMjAyMSBDQTEw
[...]
-----END CERTIFICATE-----

Congratulations, you have a VMC! Next, you’ll need to deploy it.


How to deploy a VMC

To deploy your VMC, you must do two things:

  1. Host the VMC’s .pem file on the web
  2. Point your BIMI record to the URL containing the .pem file.

You can host the VMC file anywhere on the web. You should use a domain and server you control for security. Finally, note that the file must be accessible via HTTPS (not plaintext HTTP). The given path and subdomain are not important – you will use your BIMI record to point to whatever URL you choose to host the VMC file. 

You can verify that the file is web accessible using a browser or the curl command:

$ curl https://icanhazip.com/.well-known/vmc/bimi_vmc.pem


-----BEGIN CERTIFICATE-----
MIILZTCCCU2gAwIBAgIQDZOioApcXGnRJP7rbVT4lTANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNzA1BgNVBAMT
LkRpZ2lDZXJ0IFZlcmlmaWVkIE1hcmsgUlNBNDA5NiBTSEEyNTYgMjAyMSBDQTEw
[...]
-----END CERTIFICATE-----

Your BIMI record should then use the “a” attribute to point to the URL where you host the VMC file. It should be a TXT record on the default._bimi subdomain and look something like this:

v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;

You can learn more about how to set up a BIMI record by reading the pertinent chapter of this guide: BIMI Record
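The requirements above (a DMARC policy of quarantine or reject, plus a BIMI record whose logo and VMC URLs are served over HTTPS) can be checked before you publish the records. The following Python sketch is an added example, not part of the original guide or any Valimail tool; the function names and the sample records are constructed for illustration, and it takes the TXT record strings as input rather than querying DNS.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'k=v; k=v;' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_https_url(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def check_bimi_setup(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means the records look ready."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing or not v=DMARC1")
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or '(unset)'}; must be quarantine or reject")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing or not v=BIMI1")
    # l= is the logo URL, a= is the VMC (.pem) URL; both must be HTTPS.
    for tag, label in (("l", "logo"), ("a", "VMC")):
        url = bimi.get(tag, "")
        if not url:
            problems.append(f"BIMI {tag}= ({label} URL) is empty")
        elif not is_https_url(url):
            problems.append(f"BIMI {tag}= ({label} URL) is not HTTPS: {url}")
    return problems

# Constructed sample records (example.com is a placeholder domain).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
GOOD_BIMI = ("v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; "
             "a=https://www.example.com/path/to/vmc/VMC.pem;")
WEAK_DMARC = "v=DMARC1; p=none"
BAD_BIMI = "v=BIMI1; l=https://www.example.com/logo.svg; a=http://www.example.com/VMC.pem"

if __name__ == "__main__":
    print(check_bimi_setup(GOOD_DMARC, GOOD_BIMI))
    for problem in check_bimi_setup(WEAK_DMARC, BAD_BIMI):
        print("FAIL:", problem)
```

The DMARC string is the TXT record published at _dmarc.<your domain>, and the BIMI string is the one at default._bimi.<your domain>.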

Verifying BIMI works

Once you have BIMI set up, it’s time to ensure it works as expected. Valimail’s web-based BIMI validation tool is the easiest way to do this.

Valimail’s BIMI checker lets you know if your domain is BIMI ready.

The tool does more than just pass or fail you. It will tell you which specific criteria you passed or failed. Additionally, it will show your BIMI record and logo, so you can easily ensure that everything looks as you expect it to.

Resources for deploying BIMI

In this article, we’ve focused mainly on VMC. However, VMC is only important because it is a necessary part of BIMI. If you need more general guidance on setting up BIMI, consult the other chapters of this guide. Setting up BIMI manually is not trivial, and the process can be tedious and error-prone. That’s doubly true for beginners. Consider a commercial BIMI solution like Valimail Amplify if you want a more seamless process.

Amplify is an automated BIMI solution that enables you to easily drive new brand impressions, increase email open rates, and control brand consistency at scale.

– https://www.valimail.com/products/amplify/

You can also find good BIMI-related information by using the BIMI Group FAQ.


Conclusion

BIMI is an exciting new addition to the world of email marketing and security. Deploying BIMI requires a Verified Mark Certificate, which you can purchase from certain authorized sources. Although this may seem inconvenient, it’s a key feature that allows authorities to ensure that BIMI logos are authentic.

A VMC costs around $1,499 USD (depending on where you buy it). For this price tag, you acquire an essential ingredient for BIMI. Recipient mailboxes use the VMC to infer that you, the sender, are authorized to use the branded logo in emails. This makes it harder for spammers to abuse BIMI to impersonate other companies’ brands.
