BIMI's promise is that a logo in the inbox is genuinely the sender's. A DNS record and an SVG file alone cannot prove that — anyone can point a record at any image. So the major mailbox providers ask for something stronger: a certificate that independently attests the logo belongs to the organisation and that the organisation controls the domain. There are two kinds, the Verified Mark Certificate (VMC) and the newer Common Mark Certificate (CMC), and this guide explains what each is, who issues them, what they cost, and how to choose.
The certificate URL goes in the a= parameter of your BIMI record. It must be a real
certificate from an authorised certificate authority — a self-signed file is never accepted.
Verified Mark Certificate (VMC)
A VMC is the original and most widely supported BIMI certificate. It binds your logo to your domain and, crucially, attests that the logo is a registered trademark owned by your organisation. That trademark requirement is what gives a VMC its weight — and what makes it the more demanding option to obtain.
What it requires:
- A registered trademark of the logo. The mark must be registered with an accepted trademark office — for example the UK IPO, the EUIPO, the USPTO, IP Australia, the Japan Patent Office or the Canadian Intellectual Property Office, among others. The SVG logo you publish has to match the registered mark.
- Organisation validation. Like a business-validated TLS certificate, the CA verifies your organisation's legal existence and its control of the domain before issuing.
Who issues them: only a small number of certificate authorities are authorised to issue VMCs. In practice that has meant DigiCert and Entrust. Because the list of authorised issuers is short and can change, it is worth confirming current providers before you buy.
What it costs: a VMC is typically in the region of US$1,000–1,500 per year, though pricing varies by CA and reseller and can be higher. On top of that, if you do not already hold a suitable registered trademark, you need to budget for the cost and — more significantly — the time of obtaining one, which can run to many months or longer depending on the jurisdiction.
Validity: VMCs are issued for a limited term (on the order of a year) and are renewed periodically. The underlying trademark must remain valid for the certificate to stay trustworthy, so renewal is an ongoing commitment rather than a one-off.
Common Mark Certificate (CMC)
A CMC was introduced to widen BIMI beyond organisations that hold a registered trademark. It still requires organisation validation and still must come from an authorised CA, but it does not require the logo to be a registered trademark. That opens BIMI to logos that are, for example, in prior use without registration, in the public domain, or belong to government and public-sector bodies whose marks are not trademarked in the usual way.
The trade-off is support. Because a CMC makes a weaker claim — it does not assert trademark ownership — it is not treated identically to a VMC everywhere. Some inboxes accept a CMC and display the logo; others, at least historically, have shown logos only when backed by a VMC, and reserve any "verified" tick for VMC-backed logos. Support has been expanding as the standard matures, but it is more variable than for a VMC, so check the requirements of the specific mailboxes that matter to your audience.
Allow time for issuance
A BIMI certificate is not an instant purchase like a domain-validated TLS certificate. Because the CA has to verify both your organisation and — for a VMC — your trademark, issuance can take anywhere from a few days to several weeks, depending on how quickly you can supply documentation and how cleanly the checks go. If you do not yet hold a registered trademark and intend to pursue a VMC, the trademark itself is the long pole: registration commonly takes many months. Plan the certificate as the last step of a project with a lead time, not a same-day task, and start the organisation validation early so it is not what holds up your launch.
VMC or CMC — which do you need?
The decision usually comes down to two questions:
- Do you already hold a registered trademark of your logo? If yes, a VMC is the natural choice: it has the widest support and, with the largest providers, unlocks the verification tick as well as the logo.
- No trademark, or an unregistrable/public mark? A CMC lets you adopt BIMI without one, accepting that display support may be narrower for now. The alternative is to register a trademark and pursue a VMC — worthwhile if broad, ticked display matters to you, but slower and more expensive.
A reasonable rule of thumb: if your logo is already a registered trademark, get a VMC; if it is not and you need a logo in supporting inboxes sooner rather than later, a CMC is the pragmatic route while you decide whether a trademark is worth pursuing.
Before you buy a certificate
A certificate is the last piece, not the first. It is only worth purchasing once the groundwork is done, because without it the certificate buys you nothing:
- Your domain has DMARC at enforcement on aligned SPF and DKIM.
- You have a compliant SVG Tiny PS logo that matches the mark the certificate will cover.
- For a VMC, the logo is a registered trademark you own.
With those in place, obtain the certificate from an authorised CA, publish it over HTTPS, and add
its URL to the a= parameter of your BIMI record. Then run the
BIMI checker to confirm the record, DMARC policy, logo and certificate all
validate together.
Related guides
- What is BIMI? — how the pieces fit together.
- BIMI and DMARC — the prerequisite to sort out first.
- BIMI SVG logo requirements — the logo the certificate covers.
- SSL Studio — check certificate validity, expiry and chains.