Every day, millions of phishing emails land in inboxes with only two initials in the sender avatar slot — indistinguishable from legitimate business communications. Recipients have no visual signal to separate an authentic email from your brand from one crafted by a threat actor spoofing your domain. This is the problem Verified Mark Certificates were built to solve.
A Verified Mark Certificate (VMC) is a specialized X.509 digital certificate that cryptographically binds your registered trademark to your sending domain and enables your verified brand logo to appear in the inbox avatar position. Combined with BIMI (Brand Indicators for Message Identification), it transforms your emails from anonymous text into visually verified brand communications that phishing actors structurally cannot replicate.
This guide explains the complete picture: what VMC is, how BIMI works technically, the difference between VMC and the newer Common Mark Certificate (CMC), the exact requirements and steps to implement it, and the security and engagement data that make the case for treating VMC as a business priority rather than a technical nicety.
| WHAT IS A VMC? | A Verified Mark Certificate is a specialized X.509 digital certificate issued by an authorized Certificate Authority (CA) that cryptographically binds your organization’s registered trademark logo to your email sending domain. When email recipients receive your authenticated mail, their inbox provider fetches and validates this certificate, then renders your logo in the sender avatar slot — a trust signal no phishing actor can replicate because they cannot obtain a VMC for a trademark they do not legally own. |
What VMC Actually Does: Before and After in the Inbox
The most effective way to understand VMC’s value is to look at what happens in a recipient’s inbox with and without it. The difference is not subtle — it changes the entire trust signal available to the recipient before they open a single message.

The numbers behind that visual difference are significant. BIMI-enabled organizations see open rates increase by up to 39%, brand recall improve by 44%, and purchase likelihood rise by 32% compared to identical campaigns without logo display. (Source: BIMI Group / Redsift, 2025) These are not marginal gains — they represent the business value of a single trust signal added to the inbox.
| THE BLUE CHECKMARK | Gmail displays a blue verified checkmark only when the sending domain has a VMC — not a CMC (Common Mark Certificate). The checkmark appears next to the sender name and is exclusive to VMC holders. It cannot be self-asserted and is never shown to recipients of unverified senders. This single visual element has trained Gmail users to associate its absence with unverified status. |
How VMC and BIMI Work Together: The Technical Architecture
VMC does not operate in isolation. It is the authentication layer inside the BIMI system, which itself requires a full email authentication stack beneath it. Understanding the complete architecture prevents the misconfiguration errors that affect 53.6% of BIMI deployments. (Source: URIports, 2025)

The Five-Layer Stack (Bottom Up)
Each layer depends on the one below it. Skipping or misconfiguring any layer prevents the logo from displaying in the inbox — and the failures are often silent, with no error message shown to the sender.
- SPF (Sender Policy Framework): A DNS TXT record that lists all servers authorized to send email from your domain. Required for DMARC to function. Must cover all sending sources: your own mail servers, ESP platforms, CRMs, transactional mail services, and any third-party senders using your domain.
- DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to every outgoing email. The public key is published in DNS; receiving servers verify the signature. Both SPF and DKIM are required before DMARC can enforce a policy.
- DMARC at enforcement: The DMARC policy must be p=quarantine or p=reject with pct=100. A p=none monitoring-only policy will not qualify for BIMI. The enforcement policy must be active for at least 30 consecutive days.
- BIMI DNS record: A TXT record published at default._bimi.yourdomain.com specifying the URL of your SVG logo file (l= tag) and the URL of your VMC or CMC certificate PEM file (a= tag).
- VMC or CMC: The certificate hosted as a PEM file at the URL in the BIMI record’s a= tag. When an email arrives, the receiving mail server fetches this URL and validates the certificate chain back to a trusted root, then renders the logo if validation passes.
| ! | The BIMI record is only checked AFTER DMARC passes. If DMARC fails on an email (because SPF and DKIM are not aligned), the inbox provider will not check BIMI for that message even if the BIMI record and VMC are perfectly configured. DMARC enforcement is not just a prerequisite — it is the gate that controls BIMI display for every individual email. |
VMC vs CMC vs No Certificate: Which One Do You Need?
The BIMI ecosystem evolved significantly in 2024 and 2025. Google’s September 2024 announcement of CMC support in Gmail fundamentally changed the certificate decision for many organizations, creating three distinct paths with different requirements, costs, and inbox coverage outcomes.

VMC: Maximum Coverage, Registered Trademark Required
VMC (Verified Mark Certificate) requires a registered trademark from a recognized authority such as the USPTO, EUIPO, UK IPO, or WIPO. The CA validates your trademark ownership during the issuance process, which is why VMC cannot be obtained for a trademark you do not legally own. This structural requirement is what makes VMC a genuine phishing deterrent rather than a cosmetic feature.
VMC provides the broadest inbox coverage: Gmail (with blue checkmark), Yahoo Mail, Apple Mail, and Fastmail. It is the only certificate that works with Apple Mail. Typical cost ranges from $1,000 to $1,500 per year depending on the CA. Certificates have a maximum validity of 397 days.
CMC: No Trademark Required — Gmail and Yahoo Only
Common Mark Certificate (CMC) was introduced by the BIMI Group and Google in September 2024 as an accessible alternative for organizations without registered trademarks. Instead of trademark registration, CMC requires proof that the logo has been continuously and publicly used on the sending domain for at least 12 consecutive months. Web archive verification (typically via the Wayback Machine) is the standard evidence.
CMC displays the logo in Gmail (without the blue checkmark) and Yahoo Mail. Apple Mail does not accept CMC. CMC is less expensive than VMC — typically $500 to $1,100 per year — and is the logical starting point for organizations that are building toward trademark registration or whose trademark applications are pending.
Self-Asserted BIMI: Yahoo Only, No CA Validation
A BIMI DNS record with an empty a= tag (no certificate) is called self-asserted BIMI. Yahoo Mail will display the logo from self-asserted BIMI records. Gmail will not. Apple Mail will not. Because there is no CA validation, a bad actor could theoretically deploy a self-asserted BIMI logo impersonating a brand on Yahoo — which is precisely the vulnerability that VMC and CMC were designed to eliminate in more security-conscious providers.
| Certificate | Trademark Needed | Gmail Logo | Gmail Checkmark | Apple Mail | Cost/Year |
| --- | --- | --- | --- | --- | --- |
| VMC | Yes — registered | Yes | Yes (blue) | Yes | $1,000 – $1,500 |
| CMC | No — 12 mo. use proof | Yes | No | No | $500 – $1,100 |
| Self-asserted | No | No | No | No | None (cert) |
VMC Prerequisites and Step-by-Step Implementation
More than half of all BIMI deployments contain at least one configuration error. The prerequisites are well-defined and the steps are sequential — each one depends on the previous. Working through them systematically prevents the most common failures.

The Trademark Process (VMC Only)
Trademark registration is the step with the longest lead time and the one most organizations underestimate. A trademark application typically takes 3 to 12 months from filing to grant depending on the jurisdiction and whether any opposition is filed. The VMC cannot be issued until the trademark is granted — a pending application status does not qualify.
If your organization does not have a registered trademark and cannot wait for one, CMC is the practical path while the trademark application is in progress. A registered trademark in any of the accepted jurisdictions (USPTO, EUIPO, WIPO, and others) qualifies — it does not need to be registered in every market where you operate.
The SVG Tiny PS Logo Requirement
Both VMC and CMC require a logo in SVG Tiny PS format — a specific subset of the SVG 1.2 Tiny specification. Standard SVG files exported from Adobe Illustrator, Figma, or other design tools generally do not comply out of the box and must be converted and validated. The requirements:
- Format: SVG Tiny PS — standard SVG 1.1 files must be converted
- Maximum file size: 32 KB — complex logos with many paths may need simplification
- Aspect ratio: exactly 1:1 square — horizontal or vertical logos need padding added
- No embedded raster images: pure vector paths only, no PNG or JPEG embedded in the SVG
- No animations, no external references, no scripts
The BIMI Group provides an SVG validator at bimigroup.org that checks compliance before you submit to a CA. Submitting a non-compliant SVG is one of the most common causes of validation delay.
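A local pre-check for the requirements listed above, as an added example rather than the BIMI Group validator's code. It is meant for linting your own logo file; the `baseProfile="tiny-ps"` check comes from the SVG Tiny PS profile rather than this page, the banned-element list is an illustrative subset, and `lint_bimi_svg` is a hypothetical name.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 32 * 1024
SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Illustrative subset: raster, script and animation elements.
BANNED = {"image", "script", "foreignObject", "set", "animate",
          "animateColor", "animateMotion", "animateTransform"}


def lint_bimi_svg(data):
    """Return a list of problems in the SVG bytes; an empty list means none found."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("file is %d bytes, limit is %d" % (len(data), MAX_BYTES))
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + ["not well-formed XML: %s" % exc]
    if root.tag != SVG_NS + "svg":
        return problems + ["root element is not <svg> in the SVG namespace"]

    # Assumption taken from the SVG Tiny PS profile, not from this page.
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')

    # Square check on viewBox="min-x min-y width height".
    box = root.get("viewBox", "").replace(",", " ").split()
    try:
        width, height = float(box[2]), float(box[3])
        if width <= 0 or width != height:
            problems.append("viewBox is %gx%g, not square" % (width, height))
    except (IndexError, ValueError):
        problems.append("viewBox missing or malformed")

    for el in root.iter():
        name = el.tag.replace(SVG_NS, "")
        if name in BANNED:
            problems.append("forbidden element <%s>" % name)
        for href in (el.get("href"), el.get(XLINK_HREF)):
            # Fragment links such as "#grad1" stay inside the file.
            if href and not href.startswith("#"):
                problems.append("href in <%s> is not a local fragment" % name)
    return problems


# Constructed samples, not real brand assets.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            b'baseProfile="tiny-ps" viewBox="0 0 64 64"><title>Example Co</title>'
            b'<circle cx="32" cy="32" r="30" fill="#036"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 80">'
           b'<image xlink:href="logo.png" width="200" height="80"/>'
           b'<script>void 0</script></svg>')

if __name__ == "__main__":
    print(lint_bimi_svg(GOOD_SVG))
    print(lint_bimi_svg(BAD_SVG))
```

A clean result here only means none of these specific findings fired; the CA and the BIMI Group validator remain the authority on compliance.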
The BIMI DNS Record
Once the VMC is issued and the PEM file is hosted, the BIMI TXT record is added to DNS. The record must be published at the subdomain default._bimi.yourdomain.com (not at the root domain). Example format:
BIMI DNS RECORD FORMAT
v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a=https://yourdomain.com/brand/cert.pem
Publish at: default._bimi.yourdomain.com
Record type: TXT
Note: l= is the HTTPS URL of your SVG Tiny PS logo file. a= is the HTTPS URL of your VMC/CMC PEM file. Both must be publicly reachable from any IP address without authentication.
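The DMARC gate from the five-layer stack and the BIMI record format can be checked together before a certificate is purchased. This added example (not from the original article or the BIMI Group) parses constructed TXT record strings; the function names are hypothetical, and it inspects record syntax only, without fetching or validating the logo or certificate.

```python
from urllib.parse import urlparse


def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def is_https_url(value):
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (mode, problems); mode is 'certified', 'self-asserted' or None."""
    problems = []
    dmarc, bimi = parse_tags(dmarc_txt), parse_tags(bimi_txt)

    # Gate 1: DMARC must be at enforcement for all mail.
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing or not v=DMARC1")
    if dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not p=quarantine or p=reject")
    pct = dmarc.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if pct != "100":
        problems.append("DMARC pct=%s, must be 100" % pct)

    # Gate 2: the BIMI record itself.
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing or not v=BIMI1")
    if not is_https_url(bimi.get("l", "")):
        problems.append("l= is not an HTTPS URL to the SVG logo")
    cert_url = bimi.get("a", "")
    if cert_url and not is_https_url(cert_url):
        problems.append("a= is set but is not an HTTPS URL to the PEM file")

    if problems:
        return None, problems
    # 'certified' means a= points at a VMC/CMC; an empty a= is self-asserted.
    return ("certified" if cert_url else "self-asserted"), problems


# Constructed sample records, not taken from any real domain.
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
DMARC_MONITOR = "v=DMARC1; p=none; pct=100"
BIMI_FULL = ("v=BIMI1; l=https://yourdomain.com/brand/logo.svg; "
             "a=https://yourdomain.com/brand/cert.pem")
BIMI_SELF = "v=BIMI1; l=https://yourdomain.com/brand/logo.svg; a="

if __name__ == "__main__":
    for d, b in [(DMARC_OK, BIMI_FULL), (DMARC_OK, BIMI_SELF), (DMARC_MONITOR, BIMI_FULL)]:
        print(bimi_readiness(d, b))
```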
The Security Case for VMC: Why Phishing Actors Cannot Replicate It
The marketing language around VMC often emphasizes open rates and brand recognition. The security argument is actually stronger and more structurally sound — and it is the reason VMC is categorically different from visual branding tricks.

Why a Phishing Actor Cannot Fake a VMC-Backed Logo
The security guarantee of VMC comes from three interlocking properties that work together:
- A VMC can only be issued for a trademark the applicant legally owns and can prove. The CA verification process includes trademark record validation. An attacker registering ‘yourbank-secure.com’ cannot obtain a VMC that displays the real bank’s trademarked logo — they would need to own the trademark.
- DMARC at p=reject prevents exact-domain spoofing entirely. An email that falsely claims to be from yourcompany.com but was not sent from an authorized server will be rejected at the receiving mail server before it reaches the inbox. Without a DMARC-passing email, BIMI is never checked.
- The VMC certificate chain is validated by the receiving mail server in real time against a trusted root CA. Even if an attacker could host a fake PEM file at a lookalike URL, the certificate would not pass CA chain validation because it was not issued by an authorized CA with verified trademark ownership.
The result: once you have VMC active, any email claiming to be from your domain that reaches Gmail or Apple Mail either carries your verified logo (proving it is legitimate) or carries nothing (raising immediate suspicion). The visual absence of the logo becomes a security signal in itself, training recipients over time to be skeptical of logo-less emails from familiar brand names.
DMARC Enforcement Is the Non-Negotiable Foundation
Many organizations deploy DMARC but leave it at p=none for months or years out of fear of breaking legitimate mail flows. p=none provides no protection. It is a monitoring mode that reports unauthorized sending but takes no action on it — phishing emails still reach inboxes.
Moving DMARC to p=quarantine and then p=reject requires a methodical approach: identify all legitimate sending sources, ensure all are SPF-authorized and DKIM-signing, review DMARC aggregate reports for authentication failures, resolve those failures, then raise the policy incrementally. This process typically takes four to eight weeks for organizations with well-managed email infrastructure and longer for complex enterprise setups with many third-party senders.
| ! | Do not set DMARC to p=reject before ensuring all legitimate mail sources pass SPF or DKIM alignment. Emails from marketing platforms, CRMs, transactional services, and helpdesk tools that are not properly configured will be rejected at p=reject, which means your own legitimate emails to customers stop delivering. Test at p=quarantine with pct=10 first, then increase gradually while monitoring reports. |
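Reviewing aggregate reports before raising the policy comes down to finding sources whose mail passes neither aligned DKIM nor aligned SPF, since that is the mail p=quarantine or p=reject will act on. This added example (not part of the original article) does that over a constructed report in the RFC 7489 aggregate layout; it assumes the XML carries no namespace, and `make_record`, `dmarc_summary` and `pass_rate` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def make_record(ip, count, dkim, spf):
    # Builds one constructed <record> element for the sample report below.
    return ("<record><row><source_ip>%s</source_ip><count>%d</count>"
            "<policy_evaluated><disposition>none</disposition>"
            "<dkim>%s</dkim><spf>%s</spf></policy_evaluated></row>"
            "<identifiers><header_from>yourdomain.com</header_from></identifiers>"
            "</record>" % (ip, count, dkim, spf))


# Constructed report; the IPs are from documentation ranges.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>yourdomain.com</domain>"
    "<p>none</p><pct>100</pct></policy_published>"
    + make_record("192.0.2.10", 1200, "pass", "pass")    # own mail server
    + make_record("198.51.100.25", 300, "pass", "fail")  # ESP, DKIM-aligned only
    + make_record("203.0.113.7", 45, "fail", "fail")     # sender with no alignment
    + make_record("203.0.113.7", 5, "fail", "fail")
    + make_record("203.0.113.99", 50, "fail", "fail")
    + "</feedback>")


def dmarc_summary(report_xml):
    """Return (total_messages, {source_ip: failed_count}).

    A row fails DMARC only when neither the aligned DKIM nor the aligned
    SPF result in <policy_evaluated> is "pass".
    """
    total = 0
    failed = defaultdict(int)
    for row in ET.fromstring(report_xml).iter("row"):
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "").strip().lower()
        total += count
        if dkim != "pass" and spf != "pass":
            failed[row.findtext("source_ip", "unknown").strip()] += count
    return total, dict(failed)


def pass_rate(report_xml):
    """Fraction of reported messages that passed DMARC."""
    total, failed = dmarc_summary(report_xml)
    return (total - sum(failed.values())) / total if total else 0.0


if __name__ == "__main__":
    total, failed = dmarc_summary(SAMPLE_REPORT)
    for ip, count in sorted(failed.items(), key=lambda kv: -kv[1]):
        print("%-15s %5d messages would be quarantined or rejected" % (ip, count))
    print("pass rate: %.1f%%" % (100 * pass_rate(SAMPLE_REPORT)))
```

Sources in the failed list are either legitimate senders that still need SPF or DKIM alignment, or unauthorized senders; only the first group needs fixing before the policy is raised.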
Troubleshooting: Why Your Logo Is Not Showing and How to Fix It
Deploying BIMI and VMC is not a one-step process, and the failure modes are often confusing because different providers have different requirements that are not always clearly documented. These are the exact scenarios with their root causes and fixes.

The Most Telling Diagnostic: Yahoo Shows Logo, Gmail Does Not
If your logo appears in Yahoo Mail but not in Gmail, the BIMI DNS record and SVG file are almost certainly correct. The problem is the certificate. Yahoo accepts self-asserted BIMI (no certificate required). Gmail requires a valid VMC or CMC. This specific symptom pattern points directly to one of three certificate issues: the a= tag in your BIMI record is empty or missing, the PEM file URL is unreachable or returns an error, or the certificate chain in the PEM file is incomplete (missing intermediate certificates).
Verifying the PEM File and Certificate Chain
The VMC PEM file must contain the complete certificate chain in the correct order: the VMC leaf certificate first, followed by any intermediate certificates, with the root certificate optionally included. A PEM file containing only the leaf certificate is a common installation error that causes chain validation failure. Test the PEM file by running:
COMMAND LINE TEST
openssl verify -CAfile root.pem -untrusted intermediate.pem vmc-leaf.pem
Or test the full BIMI deployment using the BIMI Inspector at bimigroup.org — it validates the DNS record, fetches the SVG and PEM URLs, and checks certificate chain validity in a single automated test.
The Entrust Exception (Apple Mail)
As of November 15, 2024, Apple stopped accepting VMC certificates issued by Entrust on or after that date. If you are an Entrust VMC customer and renewed after November 15, 2024, your certificate will not display in Apple Mail regardless of configuration. The solution is to obtain a new VMC from DigiCert, GlobalSign, or Sectigo instead. This is a CA trust store decision by Apple and is not expected to change.
Which Organizations Need VMC (And Which Should Start with CMC)
VMC is not a product for every organization. The cost, trademark requirement, and deployment complexity make it most valuable in specific contexts. Here is a practical framework for deciding which path makes sense.
Start with VMC if:
- Your organization already has a registered trademark and the logo is what you want displayed in email
- Apple Mail coverage matters — your customer base uses iOS Mail or macOS Mail at significant volume
- You want Gmail’s blue verified checkmark as a trust signal in customer-facing communications
- You operate in financial services, healthcare, government, or any sector where email phishing is a direct revenue or compliance risk
- Your brand has been impersonated in phishing campaigns or BEC (Business Email Compromise) attacks targeting your customers
Start with CMC if:
- You do not have a registered trademark or one is pending
- You want to capture BIMI engagement benefits now while pursuing trademark registration
- Your recipients are primarily Gmail and Yahoo users and Apple Mail coverage is not a priority
- Budget is a consideration and you want a lower-cost entry point to BIMI
- Google announced in 2025 that CMC logos can now use adapted versions of trademarks (partial elements, rearranged text, different fonts/colors), providing more flexibility than VMC for logo adaptation
Use self-asserted BIMI (no certificate) if:
- You are testing BIMI implementation and want to verify DNS and SVG configuration before purchasing a certificate
- Yahoo Mail is your primary target audience and you do not need Gmail or Apple Mail logo display
- You are preparing a CMC application and want partial display while the application is processed
Frequently Asked Questions
Can phishing actors use BIMI to make their fake emails look legitimate?
Not with a VMC or CMC. Both certificates require CA validation — VMC requires verified trademark ownership, CMC requires verified logo usage history and domain control. A phishing actor spoofing your brand from a fake domain cannot obtain a certificate that displays your trademarked logo. Without a valid certificate, Gmail and Apple Mail will not render any BIMI logo. Self-asserted BIMI (which Yahoo accepts) provides weaker protections, which is why Yahoo Mail carries less security value from BIMI than Gmail or Apple Mail.
How long does the VMC process take from start to finish?
If you already have a registered trademark: 2 to 6 weeks. Most of this time is the CA’s validation and issuance process (5 to 15 business days for the major CAs), plus the time needed to convert your logo to SVG Tiny PS format and configure DMARC enforcement. If you need to register a trademark first, add 3 to 12 months for the trademark process.
Does VMC affect email deliverability?
Indirectly, yes — but through DMARC rather than through the certificate itself. DMARC enforcement at p=reject stops unauthorized emails from being delivered (which is the point), and authenticated emails from your domain benefit from improved reputation signals with receiving mail servers. The VMC and BIMI layers sit above deliverability and affect recipient engagement rather than delivery rates directly.
What happens when my VMC expires?
Your logo stops appearing in BIMI-supporting inboxes when the VMC expires. The maximum validity is 397 days, so annual renewal is required. Most CAs send renewal alerts 30 to 60 days before expiry. Unlike web SSL certificates, an expired VMC does not cause a visible error for recipients — the logo simply disappears from the inbox avatar. Renew 30 days early to avoid any display gap.
Can I use one VMC for multiple sending domains?
No. Each VMC covers exactly one sending domain. If you send from multiple domains (yourcompany.com, yourcompany.co.uk, marketing.yourcompany.com), each sending domain that needs BIMI logo display requires its own VMC. Some CAs offer pricing incentives for multiple-domain VMC purchases. Consider which domains carry the most customer-facing email volume and prioritize those first.
What is the BIMI adoption rate and does it matter for my decision?
BIMI adoption grew 53% between September 2023 and September 2024, reaching 22,631 of the top 10 million domains. The current adoption rate means early movers in most industries still stand out visually in inboxes — competitors are unlikely to have VMC-backed logos yet. As adoption grows, having a verified logo will shift from a differentiator to a baseline expectation.
