Key Takeaways
- A Verified Mark Certificate (VMC) authenticates a trademarked logo for display in email inboxes under the BIMI standard.
- VMC enhances brand trust, visibility, and engagement, and works in concert with DMARC, SPF, DKIM, and the mailbox provider’s logic.
- BIMI is expanding across major email providers, making VMCs a requirement for logo display.
- The best VMC providers have trusted root certificates, rigorous validation processes, and secure issuance infrastructure.
- Organizations must achieve DMARC enforcement (p=quarantine or p=reject) before VMC approval.
- PowerDMARC streamlines DMARC compliance, BIMI configuration, and VMC issuance for organizations via GlobalSign.
Demonstrating brand identity directly in the inbox strengthens email trust, engagement, and recognition. Brand Indicators for Message Identification (BIMI) and Verified Mark Certificates (VMCs) help organizations authenticate their trademarked logos and display them in supported inboxes such as Gmail.
A VMC is a high-assurance digital certificate that validates brand ownership over its logo. With BIMI adoption accelerating, securing a VMC is essential in some cases, as many providers like Google (Gmail), and Apple Mail now require it for BIMI logo display. However, not all providers use VMC as mandatory; some may accept self-asserted logos or other mechanisms depending on their policies.
What Makes a Good VMC Provider?
The credibility of a VMC provider is a critical factor for a successful implementation. Key technical and operational markers distinguish a superior provider.
- Authorization and Trust Store Presence: The Certificate Authority (CA) must be an authorized VMC issuer with its root certificate present in all major trust stores.
- Rigorous Validation Engine: The provider must operate a strict validation process. This process must cross-reference both organizational identity data and official trademark databases. The validation must follow the “Minimum Security Requirements for Issuance of Mark Certificates” as maintained by the AuthIndicators Working Group (the AWG).
- Expert Technical Support: The support team must have the expertise to troubleshoot the entire BIMI framework. This includes DMARC policy prerequisites, SVG tiny-ps file specifications, and the correct syntax for the final BIMI DNS record.
- Secure Issuance Infrastructure: The CA’s own Public Key Infrastructure must be secure.
- DMARC Compliance Pathway: The provider may offer a clear path for DMARC compliance as an added benefit. This can be through in-house diagnostic tools or partnerships with specialized DMARC management platforms.
Before getting started, you can review the latest requirements for VMC issuance as listed by the BIMI group.
List of VMC Certificate Providers
Here’s a breakdown of CAs currently issuing Verified Mark Certificates that you may consider. The BIMI group lists the first 3 Mark Verifying Authorities (MVAs) in their VMC Issuer Information documentation.
Disclaimer: The AuthIndicators Working Group (AWG) develops the technical specifications for the BIMI protocol but does not authorize or certify any Mark Verifying Authority (MVA) to issue BIMI certificates. Each mailbox provider supporting BIMI independently determines whether to accept an MVA’s certificates. Acceptance criteria may vary across providers, and approval by one provider does not guarantee acceptance by others.
1. GlobalSign
Overview: GlobalSign positions its VMC offering as an extension of its core business: high-scale Public Key Infrastructure (PKI) and identity management.
Key Features:
- The company’s foundation in high-scale PKI provides a robust and reliable infrastructure for certificate lifecycle management.
- The validation process requires the applicant to possess a logo registered with a recognized trademark office for their specific geographic region.
- Final deployment involves hosting the issued Privacy Enhanced Mail (PEM) file on a public web server and configuring the corresponding BIMI TXT record in the domain’s DNS. PowerDMARC simplifies this process through Hosted BIMI – a one-stop BIMI deployment and management solution that helps domain owners get their GlobalSign VMC directly through PowerDMARC, convert their BIMI logo into BIMI-compliant SVG, host their BIMI logo and certificate, and appear in inboxes faster!
Why Choose Them: GlobalSign comes off as a fit for enterprises and technically-minded organizations that prioritize a clear, step-by-step implementation process. They position themselves as particularly well-suited for companies that have not yet reached DMARC enforcement and require a streamlined, vendor-assisted path to meet all BIMI prerequisites.
2. SSL.com
Overview: SSL.com issues a broad range of digital certificates (SSL/TLS, code signing, document signing) under its published Certificate Policy / Certification Practice Statement (CP/CPS). They also support the issuance of “Mark Certificates” (which include Verified Mark Certificates) as defined per the AuthIndicators (BIMI) requirements.
Key Features:
- SSL.com issues Mark Certificates (MC) in accordance with the “Minimum Security Requirements for Issuance of Mark Certificates” (MC Requirements) maintained by the AuthIndicators Working Group (AWG).
- Mark Certificates (including VMCs) from SSL.com must meet the requirements specified for “Mark Certificates” in their CP/CPS.
- SSL.com maintains a Mark Certificate Subscriber Agreement in its public repository.
- SSL.com publishes its root and intermediate certificates (including those for VMC) in its repository. For example, SSL.com includes VMC root CAs in its certificate repository.
Why Choose Them: If you are already using SSL.com for other certificates (TLS, code signing, etc.), using SSL.com’s Mark Certificate offering could allow you to consolidate certificate relationships under one vendor. Their operations are subject to their published CP/CPS, which includes Mark Certificate rules and publicly available legal / policy documents. Their certificate repository includes VMC / Mark Certificate roots and intermediates, showing they have invested in supporting VMC trust infrastructure.
3. DigiCert
Overview: DigiCert is a dominant force in the high-assurance digital certificate market, and its approach to mark certificates reflects this enterprise focus. They manage VMCs through their established CertCentral platform, a familiar interface for many IT departments already handling TLS/SSL lifecycles. A key market differentiator is the Common Mark Certificate (CMC), an alternative for organizations to validate logos that are established through common law use but are not yet formally registered trademarks.
Key Features:
- The platform supports both VMCs for registered trademarks and Common Mark Certificates (CMCs) for unregistered, in-use logos.
- Issuance of a VMC from DigiCert is one of the validated paths to enable the blue authenticated checkmark in Gmail’s inbox.
- Certificate and logo SVG files can be hosted directly by DigiCert or self-hosted on the organization’s own infrastructure.
- The system allows for configurations that use multiple logos, useful for managing different sub-brands or seasonal campaigns under a single domain.
- All mark certificates are managed within the DigiCert CertCentral portal, integrating them into the same workflow as other enterprise PKI assets.
Why Choose Them: DigiCert may be considered a practical choice for large organizations already utilizing the CertCentral platform for managing other digital certificates. The unified management environment simplifies procurement and oversight. Furthermore, their CMC offering provides a unique and viable path for businesses with strong, established brands that are still navigating the formal trademark registration process.
4. Sectigo
Overview: Sectigo’s market strategy is to broaden access to the BIMI standard beyond large enterprises with registered trademarks. Their core differentiator is providing two distinct certificate paths. Alongside the standard VMC, they offer a Common Mark Certificate (CMC) designed specifically for organizations that have an established logo through public use but have not completed the formal trademark registration process.
Key Features:
- The company issues both VMCs for government-registered trademarks and CMCs for logos validated through 12+ months of continuous public use.
- Their validation process mandates that a domain’s DMARC policy must be set to p=quarantine or p=reject for at least 30 days before an application can be approved.
- The required logo asset must be a square SVG file format, accessible via a public HTTPS URL.
Why Choose Them: Sectigo may be considered a practical option for small to medium-sized businesses (SMBs), startups, and organizations with established but unregistered brand logos. Their CMC product provides a functional pathway to implementing BIMI without the immediate legal overhead of trademark registration, making them a good fit for businesses that need to deploy brand indicators quickly.
VMC Provider Comparison
| Provider | Key Features | Maybe Suited For |
|---|---|---|
| GlobalSign | Structured implementation path; automated certificate management to reduce IT workload, and centralized management for multiple entities and users. | Enterprises that need a guided, end-to-end solution for both BIMI configuration and VMC issuance. |
| SSL.com | Offers a broad range of certificates, including SSL/TLS, code signing, document signing, and Verified Mark Certificates (VMCs) under a publicly documented Certificate Policy / Certification Practice Statement (CP/CPS). | Organizations of all sizes that want to manage multiple certificate types under a single trusted CA, with SSL.com’s PKI as the trust anchor. |
| DigiCert | Unified management via CertCentral; offers CMC for unregistered logos; as well as blue checkmark enablement in Gmail. | Large organizations already invested in the DigiCert ecosystem; companies with established but unregistered brands. |
| Sectigo | Cost-effective options; offers lower-priced CMC for unregistered logos; straightforward process. | Small to medium-sized businesses (SMBs), startups, and brands needing a quick, budget-friendly path to BIMI |
PowerDMARC and GlobalSign: Get Your VMC within Days!
The main obstacle for VMC adoption is not the certificate purchase but the prerequisite of achieving a DMARC enforcement policy. PowerDMARC, in collaboration with GlobalSign, bridges this gap by integrating the two distinct phases of BIMI readiness: DMARC compliance and certificate issuance.
- The process begins by using the PowerDMARC platform to address the main technical barrier: safely escalating a domain’s DMARC policy to p=quarantine or p=reject without impacting the delivery of legitimate email.
- The platform provides the necessary aggregate report analysis, email source identification, and tools to correctly configure SPF and DKIM for all sending services, ensuring the domain is technically compliant for the VMC application.
- Once the DMARC enforcement prerequisite is met and verified within the PowerDMARC system, PowerDMARC helps you procure your VMC via GlobalSign.
- This unified approach removes the operational complexity and potential for error that arises when an organization must coordinate separately with a DMARC vendor and a CA. It streamlines the process from initial domain analysis to a fully configured BIMI deployment.
Final Thoughts
This article is provided for informational purposes only, and it’s important to note that while obtaining a VMC is an important step toward displaying your brand logo in supported inboxes for some mailbox providers, it does not guarantee automatic approval or display by them. Final acceptance is subject to each provider’s implementation policies and technical requirements.
The first step is to determine your domain’s current status. Verify your DMARC configuration to see if you are ready for a VMC. Check if your domain is protected and VMC-ready with our free Domain Analyzer tool.
Frequently Asked Questions
1. What is a VMC?
A VMC is a digital certificate. It proves to mail clients that you own the rights to the trademarked logo displayed next to your emails.
2. Is a VMC required for BIMI?
Many providers, like Gmail and Apple Mail, will not display your logo without a valid VMC; however, it is not mandatory for all.
4. What is the difference between a VMC and a CMC?
A VMC requires a registered trademark. A Common Mark Certificate is an alternative for established logos that are not formally trademarked.
5. Can I have just one VMC for all my different subdomains?
You need a new VMC for each unique logo you use. A single VMC can cover the same logo across multiple domains and subdomains.
6. What happens if a VMC expires?
Your logo will stop appearing in inboxes, so you’ll need to renew the certificate to maintain the logo display for providers who require it.
- PowerDMARC Recognized as Leader in DMARC Software for Winter 2025 - December 4, 2025
- LaunDroMARC: How a Microsoft SRS Loophole Is Laundering Spoofed Emails - December 4, 2025
- Top 7 Best Email Verification Tools for Secure Delivery - November 28, 2025