A Verified Mark Certificate (VMC) is a digital certificate that proves your organization owns a trademarked logo and allows that logo to display in recipients’ email inboxes. The certificate connects your authenticated domain to your brand’s visual identity — so when someone receives your email, they see your logo instead of a generic avatar.
VMCs work within the BIMI (Brand Indicators for Message Identification) standard, but they’re not the same thing. BIMI is the protocol that tells mailbox providers where to find your logo. The VMC is the proof that you own it. Without the certificate, major providers like Gmail won’t display your logo at all — even if your BIMI record is configured correctly.
The requirements are:
- DMARC at the enforcement level
- A legally registered trademark
- A logo converted to SVG Tiny PS format
- Validation by a Certificate Authority like DigiCert or Entrust
Annual costs run $1,000-1,500, and the trademark requirement alone can add 6-12 months if your logo isn’t already registered.
In this guide that we’ve prepped, you’ll learn:
- What a VMC does (and what it doesn’t)
- The step-by-step process to obtain a VMC
- How the certificate fits into BIMI and DMARC
- Requirements for trademark, logo format, and validation
- Whether a VMC is worth the investment for your organization
- Which mailbox providers require certificate-backed verification
- VMC vs CMC vs self-asserted BIMI — which path fits your situation
Quick skim — VMC overview
The table below summarizes what a Verified Mark Certificate does, what it requires, and what it delivers.
| Aspect | Details |
| Full name | Verified Mark Certificate |
| Also known as | VMC, mark certificate, BIMI certificate |
| What it does | Proves logo ownership so mailbox providers display your brand in inboxes |
| Certificate type | X.509 digital certificate |
| Works with | BIMI standard (referenced in the a= evidence attribute) |
| Prerequisite | DMARC at enforcement (p=quarantine or p=reject) |
| Logo requirement | Registered trademark + SVG Tiny PS format |
| Issued by | Certificate Authorities (DigiCert, Entrust, Sectigo, GlobalSign) |
| Annual cost | $1,000-1,500 |
| Gmail indicator | Blue verified checkmark next to sender name |
How does a VMC work
A Verified Mark Certificate cryptographically binds your trademarked logo to your sending domain. The certificate proves three things at once: you own the trademark, you control the domain, and the logo file matches the registered mark.
Authentication function
When your email arrives, the recipient’s mailbox provider checks your BIMI DNS record. That record contains two URLs — one pointing to your logo file (the l= attribute) and one pointing to your VMC (the a= evidence attribute). The provider fetches both, validates that the certificate is legitimate, and confirms the logo matches your domain.
Only after this validation does the logo become eligible to display. Eligibility doesn’t guarantee display (providers apply their own reputation filters), but without the VMC, the logo never enters consideration at all.
Trust signal function
The VMC does more than technical validation.
In Gmail specifically, a valid VMC triggers the blue verified checkmark — a visual indicator that tells recipients the sender’s identity has been rigorously validated. That checkmark can’t be faked or self-asserted. It requires Certificate Authority validation of trademark ownership, domain control, and applicant identity.
For recipients, this matters because email impersonation remains widespread. Phishing emails often use familiar brand names without any verification. The checkmark creates a visible distinction between legitimate senders and everyone else.
What it doesn’t do
A common misconception is that VMCs don’t improve email deliverability directly. Your emails won’t reach more inboxes because you have a certificate.
The DMARC enforcement required to qualify for a VMC improves deliverability — the certificate itself is purely a visual trust layer.
Organizations expecting inbox placement benefits from VMC implementation often discover this distinction the hard way (usually after spending several months and thousands of dollars on the process).
How does a VMC work with BIMI?
BIMI and VMC are related but distinct. BIMI is the standard that defines how logos display in email. VMC is the certificate that proves you’re allowed to display yours.
The relationship
Consider BIMI as the publication layer and VMC as the verification layer:
default._bimi.[domain]
a= certificate URL
trademark ownership
Entrust, Sectigo
Your BIMI DNS record lives at default._bimi.[yourdomain.com] and contains two key parameters. The l= attribute points to your logo file (an SVG hosted over HTTPS). The a= attribute points to your VMC (a PEM file also hosted over HTTPS). When both validate successfully, the mailbox provider has everything needed to display your logo.
Self-asserted alternative
The a= attribute is technically optional. If you leave it blank, you create a “self-asserted” BIMI record — you’re claiming the logo is yours without third-party verification.
Some providers (Yahoo, AOL) may accept self-asserted logos for high-reputation senders. Gmail and Apple Mail won’t. They require certificate-backed proof, which is why VMC matters for most organizations targeting consumer inboxes.
Why does a VMC require DMARC enforcement?
VMC isn’t a standalone system. The certificate only works when your email authentication foundation is already in place. DMARC at enforcement is the gatekeeper.
Authentication dependency
The VMC validation chain looks like this:
- SPF authorizes your sending servers
- DKIM cryptographically signs your messages
- DMARC ties SPF and DKIM together with policy enforcement
- BIMI publishes your logo location and certificate reference
- VMC proves you own the logo
If any layer fails, the logo doesn’t display. Most critically, DMARC must be at enforcement level — either p=quarantine or p=reject. Monitoring mode (p=none) doesn’t qualify, even if your authentication is technically passing.
Enforcement requirements
| Setting | Requirement |
| Policy (p=) | quarantine or reject |
| Percentage (pct=) | 100 |
| Subdomain policy (sp=) | Cannot be set to none |
| Alignment | SPF or DKIM must align with From domain |
Organizations still at p=none face a common dilemma that moving to enforcement risks breaking legitimate email flows from third-party senders.
Analyzing DMARC reports to identify all sending sources — and configuring proper authentication for each — typically takes weeks to months. Rushing this step to qualify for a VMC faster often backfires when legitimate mail starts failing authentication.
What are the requirements for a VMC?
The prerequisites fall into four categories: trademark, logo format, DMARC, and validation. Missing any one blocks the entire process.
Trademark requirements
Your logo must be legally registered with a recognized intellectual property office. Recognized jurisdictions include:
- IP Australia
- Japan Patent Office
- UK Intellectual Property Office
- Korea Intellectual Property Office
- Canadian Intellectual Property Office
- European Union Intellectual Property Office (EUIPO)
- United States Patent and Trademark Office (USPTO)
- National Institute of Industrial Property (INPI) — Brazil
- Controller General of Patents, Designs & Trade Marks — India
The trademark must be active (not expired or pending) and must match the logo you plan to use. Certificate Authorities verify this directly against official registries. If your logo isn’t trademarked yet, expect 6-12 months for the registration process — and that timeline can stretch longer if the application faces objections.
Logo requirements
The technical specifications are strict. Your logo must be converted to SVG Tiny PS (Portable/Secure) format, which is more restrictive than standard SVG.
| Requirement | Specification |
| Format | SVG Tiny 1.2 / SVG Tiny PS |
| Profile | baseProfile=”tiny-ps” version=”1.2″ |
| Shape | Square, 1:1 aspect ratio |
| Centering | Logo must be centered within the canvas |
| Background | Solid color (non-transparent recommended) |
| Size | Under 24KB (some sources say 32KB) |
| Content | No scripts, external links, or embedded fonts |
| Text | Must be converted to outlines |
| Metadata | Must include <title> tag with company name |
Most designers find this format unfamiliar. Standard SVG exports from Adobe Illustrator or Figma don’t meet the requirements without manual modification. The BIMI Group provides conversion guidance, and some Certificate Authorities offer logo preparation services (for additional fees).
DMARC requirements
As covered above, your DMARC policy must be at enforcement with 100% application:
- p=quarantine or p=reject
- pct=100 (not 50 or lower)
- sp cannot be set to none
- Either SPF or DKIM must align with your From domain
Validation requirements
The Certificate Authority performs identity validation similar to Extended Validation (EV) SSL certificates. This is where VMC differs from most digital certificates — the process involves human verification, not just automated checks.
- Domain ownership confirmation
- Face-to-face confirmation in some cases
- Trademark verification against IP office registries
- Business registration verification against legal records
- Applicant identity verification (often requires video call or notarized documents)
The rigor is intentional. VMCs provide high-assurance identity validation precisely because the process is difficult to fake.
How do you obtain a VMC?
The process involves multiple stages, and timeline varies based on your starting point. Organizations with existing DMARC enforcement and registered trademarks can complete the process in 2-4 weeks. Organizations starting from scratch may need 12-18 months.
Step-by-step process
Approved Certificate Authorities
Four CAs currently issue VMCs:
| Certificate Authority | Notes |
| DigiCert | One of the first VMC issuers and is widely recognized |
| Entrust | Co-developer of VMC technology and also BIMI-qualified |
| Sectigo | Offers VMCs with competitive pricing |
| GlobalSign | Full VMC support with enterprise focus |
Pricing clusters around $1,000-1,500 annually across providers. Some resellers (like SSL2BUY) facilitate purchases from these CAs at varying price points.
Validation timeline
Once you submit your application, expect 5-10 business days for validation if the documentation is complete. Delays typically occur when:
- Domain ownership verification fails
- Identity documents require additional confirmation
- The CA requests a video call, and scheduling takes time
- Trademark records don’t match the submitted logo exactly
After validation completes, the CA issues your VMC as a PEM file. You’ll need to host this file (along with your SVG logo) on a publicly accessible HTTPS server, then publish a BIMI DNS record pointing to both files.
What is the difference between VMC and CMC?
Common Mark Certificates (CMC) offer an alternative path for organizations that can’t meet VMC requirements. The key differences involve trademark requirements, visual indicators, and provider support.
Comparison overview
VMC advantages
VMC provides the highest level of verification:
- Blue verified checkmark in Gmail
- Logo display in both Gmail and Apple Mail
- Full validation of trademark ownership
- Strongest brand protection signal
CMC advantages
CMC offers accessibility for organizations without trademarks:
- Lower cost (~$990/year)
- Works for Yahoo and AOL (pilot program)
- Faster issuance timeline (often 5-10 days)
- No trademark registration required (typically requires 12+ months of documented logo usage instead)
Self-asserted path
If you leave the a= attribute blank in your BIMI record, you’re creating a self-asserted configuration — without any certificate or third-party verification.
Yahoo and AOL may accept self-asserted logos for high-reputation bulk senders, but Gmail and Apple Mail won’t display anything without a certificate backing.
For organizations serious about Gmail visibility (which processes roughly half of all consumer email opens), the VMC path is unavoidable despite its cost and complexity.
Which mailbox providers require a VMC?
Provider requirements vary, and support continues evolving. The table below reflects current status.
| Provider | VMC required | CMC accepted | Self-asserted | Notes |
| Gmail | Yes | No | No | Blue checkmark with VMC |
| Apple Mail | Yes | No | No | iOS 16+, macOS Ventura 13+ |
| Yahoo Mail | No | Pilot | Pilot (high-rep) | Reputation-based display |
| AOL Mail | No | Pilot | Pilot (high-rep) | Same infrastructure as Yahoo |
| Fastmail | No | Yes | Varies | Works for sent/received |
| Zoho Mail | Yes | No | No | Requires VMC for display |
| La Poste | Varies | Varies | Varies | European provider |
Gmail specifics
Gmail provides the most visible trust signal: the blue verified checkmark next to the sender name. This checkmark only appears with VMC-backed BIMI — not with CMC or self-asserted configurations. For brands whose email audiences skew heavily toward Gmail users, this visual distinction makes VMC the only practical option.
Provider limitations
Even with a valid VMC, logo display isn’t guaranteed. Providers apply their own reputation heuristics:
- Spam complaint rates
- Bulk sender classification
- Engagement history (opens, clicks)
- Sender reputation and domain reputation scores
A technically perfect VMC setup paired with a poor email reputation may still result in no logo display. The certificate proves you’re eligible — the provider decides whether to actually show it.
Why do businesses invest in VMCs?
The investment is substantial, so understanding the actual value proposition matters.
Brand visibility
VMC puts your logo in front of recipients before they open anything. In crowded inboxes, visual recognition can influence which emails get attention. Some organizations report open rate improvements of 10-30% after implementing BIMI with VMC, though results vary significantly based on audience and existing brand recognition.
Security signaling
For industries where phishing and brand impersonation are major concerns (financial services, e-commerce, healthcare), the blue checkmark provides a visible trust signal that’s difficult to fake. Legitimate emails stand out from spoofing attempts that can’t obtain VMC certification.
Competitive positioning
As more organizations adopt BIMI, those without a logo display may eventually look less professional by comparison. The standard is still relatively new, so early adoption provides temporary differentiation.
What VMC doesn’t provide
Worth repeating: VMC doesn’t improve deliverability, doesn’t prevent all phishing attacks (lookalike domains can still operate), and doesn’t guarantee logo display. Organizations with unrealistic expectations often find the investment disappointing.
Is a VMC worth the investment?
The answer depends on your starting point, your audience, and what you’re hoping to achieve.
When to invest
VMC makes sense when:
- Your logo is already trademarked
- You’ve reached DMARC enforcement
- Your audience primarily uses Gmail and Apple Mail
- Brand recognition in the inbox carries strategic value
- Your brand is frequently targeted by impersonation attempts
When to wait
VMC probably isn’t worth it when:
- You’re still working toward DMARC enforcement
- You’re expecting direct deliverability improvements
- The $1,000-1,500 annual cost doesn’t fit your budget
- Your audience is heavily Outlook-based (Microsoft doesn’t support BIMI)
- Your logo isn’t trademarked (and you don’t want to invest 6-12 months in registration)
Decision framework
Frequently asked questions
Here are some commonly asked questions about VMCs:
VMC doesn’t directly affect inbox placement. Your emails won’t reach more inboxes because you have a certificate. The confusion arises because the DMARC enforcement required to qualify for a VMC genuinely improves deliverability — but that improvement comes from authentication, not the certificate itself. Organizations expecting deliverability gains from VMC specifically should adjust expectations. The certificate provides visible trust signaling, not spam-folder avoidance.
Yes, but with limitations. You can publish a BIMI record with only the l= attribute (logo URL) and leave the a= attribute (certificate URL) blank — this creates a self-asserted configuration. Yahoo and AOL may display self-asserted logos for high-reputation bulk senders. Gmail and Apple Mail won’t display anything without certificate-backed verification. If your audience primarily uses those providers, self-asserted BIMI provides minimal practical value.
Timeline depends on your starting point. If you have DMARC enforcement, a registered trademark, and a compliant SVG logo ready, expect 2-4 weeks for CA validation and issuance. If you need to register a trademark first, add 6-12 months. If you’re still moving DMARC to enforcement, add weeks to months depending on your sending complexity. The validation process itself typically takes 5-10 business days once documentation is complete.
The Certificate Authority validates your logo against official trademark registries. If the submitted logo differs from the registered mark (different colors, modified elements, stylized versions), validation fails. Some variations may be acceptable if they’re covered by the trademark registration, but organizations often discover their working logo has drifted from the official registered version. Resolving this mismatch can add weeks to the process.
You typically need one VMC per organizational domain (the top-level domain used for sending). Subdomains can inherit from the organizational domain’s VMC in most configurations. If you send from multiple unrelated domains, each requires its own certificate. Organizations with complex multi-brand portfolios may need multiple VMCs, which multiplies both cost and administrative overhead.
VMC validation mirrors Extended Validation (EV) SSL certificate processes because the stakes are similar — the certificate provides high-assurance identity verification that recipients rely on to trust the sender. The rigor is intentional. Video calls, notarized documents, and trademark verification all exist to make impersonation difficult. A certificate that was easy to obtain would provide little actual trust value.
When your VMC expires, mailbox providers stop displaying your logo because the certificate chain no longer validates. Gmail will revert to showing generic avatars for your messages. You’ll need to renew with your Certificate Authority before expiration — most CAs send reminders 60-90 days in advance. Plan renewals proactively to avoid display gaps. Letting a VMC lapse means going through validation again, which can take days to weeks.
