BIMI Certificates Explained: VMC, CMC, and the Trademark Verification Chain
A BIMI logo in an inbox is the endpoint of a verification chain that can include a Verified Mark Certificate (a specific X.509 certificate type tied to trademark registration, issued by a small number of specialised Certificate Authorities). Here's what's actually in a VMC, the CMC alternative, BIMI's restricted SVG logo format, and how it all depends on DMARC enforcement underneath.
By sadiqbd · June 12, 2026
A BIMI logo in someone's inbox isn't just a DNS record pointing to an image; it's the visible endpoint of a verification chain involving a specific type of digital certificate that most domain owners have never heard of.
BIMI (Brand Indicators for Message Identification) allows a verified logo to display next to emails from your domain in supporting inboxes. The previous article on this site covered the basic BIMI DNS setup: a TXT record pointing to a logo file and (optionally) a certificate. This article goes deeper into that certificate: what a Verified Mark Certificate (VMC) actually is, why it exists, who issues them, and what the BIMI ecosystem looks like from the certificate authority side.
Why BIMI needs a certificate at all
Without any certificate requirement, BIMI's logo display could be exploited: anyone could set up SPF, DKIM, and DMARC for a domain (the authentication prerequisites for BIMI), point a BIMI record at any logo image, including a well-known brand's logo, and potentially have that logo displayed for emails from a domain that has nothing to do with the actual brand.
The Verified Mark Certificate (VMC) addresses this by requiring proof that the entity setting up BIMI actually has the legal right to use the logo being displayed, typically by verifying that the logo corresponds to a registered trademark, and that the certificate requester is the trademark holder (or authorised to act on their behalf).
What's actually in a VMC
A VMC is built on standard X.509 certificate technology (the same underlying technology as SSL/TLS certificates for websites), but with specific extensions relevant to BIMI:
- It includes the logo image itself (typically as an embedded SVG, in a specific BIMI-compliant format)
- It includes information linking the certificate to a verified trademark registration
- It's issued by a small number of specific Certificate Authorities that have been authorised by major email providers (particularly Google and Yahoo, who have been prominent in driving BIMI's VMC requirement) to issue this specific certificate type
The trademark requirement is the key gatekeeping mechanism: because trademark registration involves its own legal process (with national or regional trademark offices) and ongoing requirements, requiring a VMC tied to a registered trademark significantly raises the barrier compared to simply controlling a domain's DNS records. Someone would need to either own the relevant trademark or have a fraudulent trademark registration (a much higher-effort and higher-risk path) to obtain a VMC for a given logo.
Who issues VMCs
As of the time BIMI's VMC requirement became prominent, a limited number of Certificate Authorities have been authorised to issue VMCs. This is a deliberately small ecosystem compared to the much larger number of CAs that issue standard SSL/TLS certificates, reflecting the more specialised verification process involved (checking trademark status, not just domain control).
The verification process for obtaining a VMC typically involves:
- Providing trademark registration documentation for the logo/mark
- Domain verification (proving control over the domain that will use the VMC, similar in concept to domain validation for SSL certificates, though for a different purpose)
- The CA cross-references the trademark registration against official trademark databases
- Once verified, the CA issues the VMC containing the logo and the verification details
Cost: VMCs are generally a paid service (unlike basic domain-validated SSL certificates, which are available for free from providers like Let's Encrypt), reflecting the more involved verification process and the smaller, specialised ecosystem of issuers.
Common Mark Certificates (CMC): an alternative for unregistered trademarks
Recognising that not every organisation wanting to use BIMI has a formally registered trademark for their logo (registration processes, costs, and timelines vary significantly by country and aren't accessible to every organisation, particularly smaller ones or those in early stages), a related certificate type, the Common Mark Certificate (CMC), has emerged as an alternative path in some implementations, with somewhat different verification requirements than a full VMC tied to registered trademark status.
The specifics of CMC requirements, and which email providers recognise CMCs (as opposed to requiring full VMCs), have been evolving. This is an area where checking current requirements from major email providers (particularly any provider whose BIMI support you're specifically targeting) is more reliable than relying on information that may become outdated as this ecosystem develops.
Which email providers actually check for VMCs
BIMI display behaviour (including whether a VMC is required, optional, or not yet relevant) varies between email providers, and this has been an evolving area:
- Some major providers have made VMC a requirement for logo display in their BIMI implementation
- Other providers' BIMI support (where it exists) may have different requirements, including potentially displaying logos based on DMARC enforcement alone, without a VMC requirement, at least in some configurations or rollout phases
The practical implication: the value of obtaining a VMC depends partly on which email providers your audience predominantly uses, and what those specific providers' current BIMI requirements are. This is genuinely a "check current documentation from the specific providers relevant to your audience" situation, given how this ecosystem has continued to develop.
BIMI logo format requirements
Separate from the certificate question, BIMI has specific requirements for the logo image itself:
SVG format with Tiny PS profile: BIMI requires logos in a specific, restricted subset of SVG (SVG Tiny Portable/Secure, sometimes referred to as SVG-PS). This is a deliberately restricted SVG profile that excludes features like scripts, external references, and certain other SVG capabilities that could otherwise pose security concerns if arbitrary SVG content were displayed in email clients.
Square aspect ratio: BIMI logos are generally expected to be square (or displayed within a square/circular frame by the receiving email client). A typical company logo that's a horizontal wordmark may need a square icon/mark variant created specifically for BIMI purposes, distinct from the horizontal logo used elsewhere.
Why the restricted SVG profile matters: converting an existing logo (which might be in a standard SVG, PNG, or other format, potentially with full SVG features like embedded scripts or external image references if it's a complex SVG) to the BIMI-compliant SVG Tiny PS format often requires using specific conversion tools or services, rather than simply renaming a file. Generic SVG files frequently fail BIMI validation due to features the restricted profile doesn't allow.
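A pre-flight check for the restrictions described above, as an added example that is not part of the original article or any BIMI tool. It covers only scripts, event-handler attributes, non-local references and the square viewBox; the `baseProfile="tiny-ps"` and `version="1.2"` root attributes come from the SVG Tiny PS profile, and the two sample logos are constructed.

```python
import xml.etree.ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"

# Constructed samples: a compliant square logo and a generic SVG export.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            'baseProfile="tiny-ps" viewBox="0 0 100 100">'
            '<title>Example</title><circle cx="50" cy="50" r="40"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 300 100">'
           '<script>1</script><image xlink:href="https://example.com/a.png"/>'
           '<rect onclick="x()" width="1" height="1"/></svg>')

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def check_svg(svg_text):
    """Return a list of findings; an empty list means none of these checks failed."""
    # Refuse DTDs up front so entity tricks never reach the XML parser.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DOCTYPE or entity declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != SVG_ROOT:
        return ["root element is not <svg> in the SVG namespace"]
    findings = []
    if root.get("baseProfile") != "tiny-ps":
        findings.append('baseProfile is not "tiny-ps"')
    if root.get("version") != "1.2":
        findings.append('version is not "1.2"')
    try:
        _, _, w, h = (float(n) for n in root.get("viewBox", "").replace(",", " ").split())
        if w != h:
            findings.append("viewBox is not square")
    except ValueError:
        findings.append("viewBox missing or malformed")
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            findings.append("<script> element present")
        for attr, value in el.attrib.items():
            if local(attr).lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (local(attr), name))
            if local(attr) == "href" and not value.startswith("#"):
                findings.append("non-local reference on <%s>: %s" % (name, value))
    return findings
```

An empty result here does not mean a mailbox provider or CA will accept the file; it only rules out the failure classes named in this section.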
How BIMI fits with the broader authentication setup
To recap the dependency chain (covered in more detail in the previous BIMI setup article and the full email authentication audit article on this site):
- SPF and DKIM must be correctly configured; these are foundational email authentication mechanisms
- DMARC must be configured with sufficient enforcement (typically p=quarantine or p=reject, not p=none); DMARC ties SPF/DKIM results to the visible "From" domain, which is what BIMI logo display relates to
- BIMI DNS record is published, pointing to the logo (and optionally the VMC)
- VMC (where required by the target email provider) provides the trademark verification layer on top of the DNS-level setup
Each layer depends on the ones below it: a VMC doesn't help if DMARC isn't properly enforced, and DMARC enforcement without correct underlying SPF/DKIM will cause legitimate email to be affected, which is why DMARC deployment (covered in a previous article on moving from p=none to p=reject carefully) should be solid before pursuing BIMI specifically.
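The DNS layers of that chain can be checked from the record text alone. The following is an added example, not code from this site or its lookup tool; it assumes you have already fetched the DMARC and BIMI TXT records, and the sample records, example.com and both URLs are constructed placeholders.

```python
# Constructed sample TXT records; example.com and both URLs are placeholders.
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi_chain(dmarc_txt, bimi_txt):
    """Return findings, lowest layer first; an empty list means the layers line up."""
    findings = []
    dmarc = parse_tags(dmarc_txt or "")
    bimi = parse_tags(bimi_txt or "")

    # DMARC must exist and be at enforcement before BIMI is worth pursuing.
    if dmarc.get("v") != "DMARC1":
        findings.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC policy is p=%s, not at enforcement"
                        % dmarc.get("p", "missing"))

    # The BIMI record must point at a logo over HTTPS (l= tag).
    if bimi.get("v") != "BIMI1":
        findings.append("no valid BIMI record")
        return findings
    if not bimi.get("l", "").lower().startswith("https://"):
        findings.append("l= logo URL missing or not HTTPS")

    # The certificate reference (a= tag) is optional in the record itself.
    cert = bimi.get("a", "")
    if not cert:
        findings.append("no a= certificate reference; providers that require "
                        "a VMC will not show the logo")
    elif not cert.lower().startswith("https://"):
        findings.append("a= certificate URL is not HTTPS")
    return findings
```

This only reads the records; whether SPF and DKIM actually pass and align for real mail has to be confirmed from DMARC aggregate reports or message headers.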
How to use the BIMI Lookup tool on sadiqbd.com
- Check your current BIMI record: see whether a BIMI TXT record exists for your domain and what it points to
- Verify the logo URL is accessible: confirm the referenced SVG file loads correctly
- Check for a VMC reference: see whether your BIMI record includes a certificate reference (the a= tag in the BIMI record), and if so, whether it's accessible
- Use as part of pre-launch verification: before relying on BIMI for brand display, verify each component of the record is correctly configured and accessible
Frequently Asked Questions
Do I need a VMC to set up BIMI at all? This depends on which email providers you're targeting and their current requirements: some BIMI configurations may display logos without a VMC for certain providers, while others require it. Given that this has been an evolving area, checking current documentation from the specific major email providers relevant to your audience (rather than relying on potentially outdated general information) is the most reliable approach.
What if my organisation doesn't have a registered trademark for our logo? This is a genuine practical barrier for some organisations: trademark registration has its own costs, timelines, and requirements that vary by jurisdiction and aren't accessible to every organisation. The CMC pathway (described above) and the variation in provider requirements both relate to this, but again, current specifics are worth verifying directly given the evolving nature of this space.
Is the BIMI Lookup tool free? Yes, completely free, no sign-up required.