
VMC Assistance for BIMI: How to Get a Verified Mark Certificate

A step-by-step guide to obtaining a Verified Mark Certificate (VMC) for BIMI — prerequisites, trademark requirements, certificate authorities, cost, and timeline.

5 min read · Revised · By the DDMARC editors

What is a VMC?

A Verified Mark Certificate (VMC) is a digital certificate that attests your organization is authorized to use a specific logo. It is the cryptographic proof that mailbox providers require before they will display your brand logo next to your messages through BIMI (Brand Indicators for Message Identification).

Without a VMC (or its non-trademark sibling, a CMC; see below), you can publish a BIMI record, but most major mailbox providers will not render your logo. The certificate is what turns "BIMI configured" into "logo actually shown."

Why BIMI Needs a VMC

BIMI lets you publish a logo via DNS, but on its own it provides no guarantee that the logo belongs to you. To prevent impersonation, mailbox providers such as Gmail, Apple Mail, and Yahoo require evidence of authorization. A VMC supplies that evidence by binding your logo to a registered trademark, validated by an authorized Certificate Authority.

Prerequisites — Check These Before You Apply

VMC issuance is gated on getting your email-authentication house in order first. You will need:

  • DMARC at enforcement. Your domain's DMARC policy must be set to p=quarantine or p=reject — not p=none. See none vs reject.
  • A registered trademark for your logo. The logo you want displayed must be a trademark registered with a recognized intellectual-property office (e.g. USPTO, EUIPO, UKIPO, IP Australia). This is the single most common blocker.
  • An SVG Tiny Portable/Secure (SVG P/S) logo. The logo must be a square, profile-style image in the restricted SVG Tiny P/S format — not a standard SVG, PNG, or JPG.
  • A published, valid BIMI record at default._bimi.yourdomain.com referencing both the logo and the certificate.

VMC vs CMC

If your logo is not a registered trademark, you may still qualify for a Common Mark Certificate (CMC). CMCs cover logos that have been in consistent prior use but are not trademarked. Support varies by mailbox provider, and the displayed treatment can differ from a full VMC. If you hold a trademark, a VMC is the stronger choice.

How to Get a VMC — Step by Step

Step 1 — Confirm DMARC enforcement. Move your domain to p=quarantine or p=reject and confirm legitimate mail still passes. Rushing to enforcement without monitoring first risks blocking real email.

Step 2 — Register (or confirm) your trademark. If the logo is not yet trademarked, begin registration early — this is typically the longest lead-time item.

Step 3 — Prepare the SVG P/S logo. Convert your logo to the SVG Tiny P/S profile: square aspect ratio, no scripting, no external references, solid background.

Step 4 — Choose a Certificate Authority. VMCs are issued by a small number of authorized CAs — currently DigiCert and Entrust. Apply through your chosen CA's VMC process.

Step 5 — Complete validation. The CA verifies your organization's identity and your right to the trademarked logo. Be ready to provide trademark registration details and respond to organizational verification.

Step 6 — Install and publish. Host the issued certificate (PEM) alongside your SVG logo and reference both in your BIMI DNS record.

Cost and Timeline

A VMC is an annual certificate; pricing is set by the issuing CA and typically runs roughly $1,000–$1,500 per year. Issuance commonly takes anywhere from a few days to several weeks, driven mostly by trademark and organizational validation. If your trademark is not yet registered, plan for considerably longer, since trademark registration itself can take months.

Readiness Checklist

  • DMARC policy at p=quarantine or p=reject
  • SPF and DKIM aligned and passing for your sending sources
  • Registered trademark for the logo (or CMC-eligible prior use)
  • Square logo converted to SVG Tiny P/S
  • Chosen CA (DigiCert or Entrust)
  • Hosting in place for the SVG logo and certificate over HTTPS
  • Valid default._bimi DNS record
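
The DNS items on this checklist can be pre-checked from the raw TXT records before you apply. The sketch below is an added example, not DDMARC's code: it takes the TXT strings you would read from _dmarc.yourdomain.com and default._bimi.yourdomain.com and reports which prerequisites are unmet. The BIMI tag names (v, l for the logo, a for the certificate) come from the BIMI record format; example.com and the file paths are constructed sample values.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def is_https_url(value):
    """True only for an absolute https:// URL that names a host."""
    url = urlparse(value)
    return url.scheme == "https" and bool(url.netloc)

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return the list of unmet DNS prerequisites; an empty list means ready."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy is not at enforcement")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record")
        return problems
    if not is_https_url(bimi.get("l", "")):
        problems.append("l= must be an HTTPS URL to the SVG logo")
    if not is_https_url(bimi.get("a", "")):
        problems.append("a= must be an HTTPS URL to the certificate (PEM)")
    return problems

# Constructed sample records for the placeholder domain example.com
READY_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
READY_BIMI = ("v=BIMI1; l=https://example.com/bimi/logo.svg; "
              "a=https://example.com/bimi/vmc.pem")
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
LOGO_ONLY_BIMI = "v=BIMI1; l=https://example.com/bimi/logo.svg; a="

if __name__ == "__main__":
    for dmarc, bimi in [(READY_DMARC, READY_BIMI), (MONITOR_DMARC, LOGO_ONLY_BIMI)]:
        print(bimi_readiness(dmarc, bimi) or "ready")
```

This covers only the record syntax; it does not validate the trademark, the SVG Tiny P/S profile, SPF/DKIM alignment, or the certificate itself.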

How DDMARC Helps

DDMARC checks your BIMI readiness as part of domain monitoring: it validates your DMARC enforcement status, flags whether SPF and DKIM are aligned, and inspects your BIMI record so you know exactly which prerequisites are met before you spend on a certificate. Get your authentication to enforcement with confidence using our policy guidance, then pursue your VMC knowing the foundations are solid.
