VMC and CMC certificates for BIMI

The certificates that let inbox providers trust your logo — who issues them, what they cost, and which one you need.

BIMI's promise is that a logo in the inbox is genuinely the sender's. A DNS record and an SVG file alone cannot prove that — anyone can point a record at any image. So the major mailbox providers ask for something stronger: a certificate that independently attests the logo belongs to the organisation and that the organisation controls the domain. There are two kinds, the Verified Mark Certificate (VMC) and the newer Common Mark Certificate (CMC), and this guide explains what each is, who issues them, what they cost, and how to choose.

The certificate URL goes in the a= parameter of your BIMI record. It must be a real certificate from an authorised certificate authority — a self-signed file is never accepted.

Verified Mark Certificate (VMC)

A VMC is the original and most widely supported BIMI certificate. It binds your logo to your domain and, crucially, attests that the logo is a registered trademark owned by your organisation. That trademark requirement is what gives a VMC its weight — and what makes it the more demanding option to obtain.

What it requires:

Who issues them: only a small number of certificate authorities are authorised to issue VMCs. In practice that has meant DigiCert and Entrust. Because the list of authorised issuers is short and can change, it is worth confirming current providers before you buy.

What it costs: a VMC is typically in the region of US$1,000–1,500 per year, though pricing varies by CA and reseller and can be higher. On top of that, if you do not already hold a suitable registered trademark, you need to budget for the cost and — more significantly — the time of obtaining one, which can run to many months or longer depending on the jurisdiction.

Validity: VMCs are issued for a limited term (on the order of a year) and are renewed periodically. The underlying trademark must remain valid for the certificate to stay trustworthy, so renewal is an ongoing commitment rather than a one-off.

Common Mark Certificate (CMC)

A CMC was introduced to widen BIMI beyond organisations that hold a registered trademark. It still requires organisation validation and still must come from an authorised CA, but it does not require the logo to be a registered trademark. That opens BIMI to logos that are, for example, in prior use without registration, in the public domain, or belong to government and public-sector bodies whose marks are not trademarked in the usual way.

The trade-off is support. Because a CMC makes a weaker claim — it does not assert trademark ownership — it is not treated identically to a VMC everywhere. Some inboxes accept a CMC and display the logo; others, at least historically, have shown logos only when backed by a VMC, and reserve any "verified" tick for VMC-backed logos. Support has been expanding as the standard matures, but it is more variable than for a VMC, so check the requirements of the specific mailboxes that matter to your audience.

Allow time for issuance

A BIMI certificate is not an instant purchase like a domain-validated TLS certificate. Because the CA has to verify both your organisation and — for a VMC — your trademark, issuance can take anywhere from a few days to several weeks, depending on how quickly you can supply documentation and how cleanly the checks go. If you do not yet hold a registered trademark and intend to pursue a VMC, the trademark itself is the long pole: registration commonly takes many months. Plan the certificate as the last step of a project with a lead time, not a same-day task, and start the organisation validation early so it is not what holds up your launch.

VMC or CMC — which do you need?

The decision usually comes down to two questions:

A reasonable rule of thumb: if your logo is already a registered trademark, get a VMC; if it is not and you need a logo in supporting inboxes sooner rather than later, a CMC is the pragmatic route while you decide whether a trademark is worth pursuing.

Before you buy a certificate

A certificate is the last piece, not the first. It is only worth purchasing once the groundwork is done, because without it the certificate buys you nothing:

  1. Your domain has DMARC at enforcement on aligned SPF and DKIM.
  2. You have a compliant SVG Tiny PS logo that matches the mark the certificate will cover.
  3. For a VMC, the logo is a registered trademark you own.

With those in place, obtain the certificate from an authorised CA, publish it over HTTPS, and add its URL to the a= parameter of your BIMI record. Then run the BIMI checker to confirm the record, DMARC policy, logo and certificate all validate together.

Related guides