BIMI + VMC + CMC: Boost Email Trust & Branding

Email remains a cornerstone of digital communication, but its trustworthiness is constantly under siege from phishing attacks and brand impersonation. For organizations, ensuring their emails are recognized as legitimate, and their brand is consistently represented, is a significant challenge. This is where BIMI (Brand Indicators for Message Identification), VMC (Verified Mark Certificates), and CMC (Common Mark Certificates) converge to offer a powerful solution, elevating email security and brand identity.

This in-depth guide will demystify these interconnected technologies. We’ll explore what each component is, how they work together as alternative certificate options, and provide a practical roadmap for implementation. By the end, you’ll understand how to leverage BIMI with either VMC or CMC to enhance your email’s visual trust signals and protect your brand.

The Indispensable Foundation: DMARC and Email Authentication

Before diving into BIMI, it’s crucial to understand its bedrock: DMARC (Domain-based Message Authentication, Reporting, and Conformance). BIMI doesn’t work without a robust email authentication strategy, specifically DMARC enforcement.

DMARC builds upon two older standards:

  • SPF (Sender Policy Framework): Specifies which IP addresses are authorized to send email on behalf of a domain.
  • DKIM (DomainKeys Identified Mail): Digitally signs outgoing emails, allowing recipients to verify that the message hasn’t been tampered with and truly originated from the claimed sender.

DMARC ties SPF and DKIM together, dictating what an email receiver should do if a message fails these authentication checks. For BIMI to function, your DMARC policy must be set to either p=quarantine or p=reject[1]. A p=none policy, while useful for monitoring, does not provide the necessary security assurance for BIMI to display your logo. This enforcement level signals to email clients that your domain is actively protected against impersonation.

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected];"

A DMARC record enforcing a quarantine policy.

Understanding and implementing DMARC is the non-negotiable first step towards a verifiable brand presence in the inbox.

BIMI: Brand Indicators for Message Identification

BIMI is an email standard that enables organizations to display their brand logo next to their authenticated email messages in supporting email clients. Imagine your company’s logo appearing prominently in the inbox, right next to the sender’s name. This immediate visual recognition builds trust and enhances brand recall, making your emails stand out in a crowded inbox.

At its core, BIMI works by allowing you to publish a DNS TXT record that points to an SVG image file of your brand’s logo. When an email client receives an email from your domain and verifies its DMARC authentication, it then checks for a BIMI record. If found, it fetches the logo and displays it.

Key Benefits of BIMI:

  • Enhanced Brand Visibility: Logos immediately catch the eye, improving brand recognition.
  • Increased Trust: Visual verification helps recipients quickly identify legitimate emails.
  • Improved Email Engagement: Higher open rates and interaction due to greater trust.
  • Anti-Phishing Deterrent: Makes it harder for imposters to mimic your brand effectively.

While BIMI can theoretically display a logo without additional verification, major email providers like Gmail and Apple Mail typically require either a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC) to display the logo. This brings us to the next crucial components.

VMC and CMC: Two Certificate Options for BIMI Trust

VMC: Verified Mark Certificates

A Verified Mark Certificate (VMC) is a specific type of digital certificate issued by a trusted Certificate Authority (CA) that cryptographically verifies the authenticity of a brand’s logo. Think of it as a digital passport for your brand’s logo, proving that your organization legitimately owns and has the right to use that logo.

Why are certificates essential for BIMI? Many leading email clients, recognizing the potential for abuse even with DMARC, require an additional layer of verification before displaying a brand logo. Certificates provide this crucial assurance. They ensure that the logo being displayed is indeed associated with the sending domain and that the organization has gone through a rigorous verification process. This prevents unauthorized entities from displaying logos and further combats phishing.

How VMC Works:

  1. Your organization obtains a VMC from a trusted CA like DigiCert or Entrust.
  2. The VMC contains information linking your domain to your registered trademark logo.
  3. You include a URL to your VMC in your BIMI DNS record.
  4. When an email client processes your BIMI record, it validates the VMC to ensure the logo is officially sanctioned.

The VMC links your registered trademark logo to your domain through a trusted third party. VMCs require a registered trademark and involve annual fees.

CMC: Common Mark Certificates – The Accessible Alternative

A Common Mark Certificate (CMC) is an alternative certificate type for BIMI that provides verification without requiring a registered trademark. CMCs were developed to make BIMI more accessible to organizations that may not have trademarked logos but still want to benefit from brand identification in email.

Key Differences of CMC:

  • No Trademark Required: CMCs don’t require a registered trademark, making them more accessible to smaller organizations, non-profits, and startups.
  • Lower Cost: Generally less expensive than VMCs due to the simpler verification process.
  • Different Verification: CMCs verify domain ownership and brand identity through alternative means rather than trademark registration.
  • Growing Support: Email client support for CMCs is evolving, with increasing adoption across major providers.

How CMC Works:

  1. Your organization obtains a CMC from a participating CA that offers this certificate type.
  2. The CA verifies your domain ownership and organizational identity through documentation.
  3. The CMC is linked to your logo and domain without requiring trademark verification.
  4. You include the CMC URL in your BIMI DNS record, similar to VMC implementation.

This adds a layer of security and trust through domain and organizational verification, making BIMI accessible to a broader range of organizations.

Choosing Between VMC and CMC

When implementing BIMI, you’ll need to choose between VMC and CMC based on your organization’s needs:

Choose VMC if:

  • You have a registered trademark for your logo
  • You need the highest level of trust and widest email client support
  • Your budget allows for the higher certificate costs
  • You operate in highly regulated industries requiring maximum verification

Choose CMC if:

  • You don’t have a registered trademark
  • You’re a smaller organization, startup, or non-profit with budget constraints
  • You want to implement BIMI more quickly without trademark registration delays
  • You’re comfortable with evolving email client support

Both certificate types provide cryptographic verification and enhance email trust, but they serve different organizational needs and budgets.

Implementing BIMI with VMC or CMC: A Step-by-Step Guide

Implementing BIMI with either a VMC or CMC is a multi-step process that requires careful attention to detail.

Step 1: Ensure DMARC Enforcement

As discussed, this is non-negotiable. Your domain must have a DMARC policy of p=quarantine or p=reject and be operating successfully for a period, with no legitimate emails failing authentication. This typically takes several months of monitoring and adjustment.

Step 2: Decide on Certificate Type

Evaluate your organization’s needs to choose between VMC and CMC:

  • VMC Path: Requires a registered trademark but offers maximum trust and support
  • CMC Path: More accessible without trademark requirements, with growing support

Step 3a: Obtain a Verified Mark Certificate (VMC) - If Chosen

  1. Trademark Your Logo: Your logo must be a registered trademark with the relevant intellectual property office.
  2. Choose a CA: Select a reputable Certificate Authority that offers VMCs, such as DigiCert or Entrust.
  3. Submit Application: Provide your organization’s details, domain information, and proof of your registered trademark.
  4. Verification Process: The CA will perform a thorough validation of your trademark and organization.
  5. Receive VMC: Once verified, the CA will issue your VMC, typically as a .pem or .der file.

Step 3b: Obtain a Common Mark Certificate (CMC) - If Chosen

  1. Choose a CA: Select a Certificate Authority that offers CMCs (availability may vary by region and provider).
  2. Submit Application: Provide your organization’s details, domain information, and business documentation.
  3. Verification Process: The CA will verify your domain ownership and organizational identity.
  4. Receive CMC: Once verified, the CA will issue your CMC in a similar format to VMCs.
  5. Note: CMC issuance is typically faster and less expensive than VMC as it doesn’t require trademark verification.

Step 4: Prepare Your Logo File

Your logo needs to be in a specific format for BIMI: SVG Tiny Portable/Secure (SVG Tiny P/S). This is a restricted version of SVG designed for security and portability. The logo must be square, optimized for small sizes, and hosted securely via HTTPS on your web server or a CDN.
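A logo file can be linted before it is hosted. The following is an added example, not code from the original article: it checks the square requirement stated above plus a subset of SVG Tiny P/S rules taken from the published profile rather than from this page (baseProfile="tiny-ps", version="1.2", a title element, no script, image, foreignObject or animate elements). The function name and both sample logos are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements this checker rejects (subset of what SVG Tiny P/S leaves out).
FORBIDDEN = {"script", "image", "foreignObject", "animate"}

def lint_bimi_svg(svg_text):
    """Return a list of problems found in a candidate BIMI logo."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile must be "tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('version must be "1.2"')
    if root.find(f"{{{SVG_NS}}}title") is None:
        problems.append("missing <title> element")
    # viewBox is "min-x min-y width height"; the logo must be square.
    box = (root.get("viewBox") or "").replace(",", " ").split()
    try:
        if float(box[2]) != float(box[3]):
            problems.append("viewBox is not square")
    except (IndexError, ValueError):
        problems.append("viewBox missing or malformed")
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]
        if local_name in FORBIDDEN:
            problems.append(f"<{local_name}> is not allowed")
    return problems

# Constructed sample logos.
GOOD_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
    'baseProfile="tiny-ps" viewBox="0 0 64 64"><title>Example Co</title>'
    '<circle cx="32" cy="32" r="30" fill="#036"/></svg>'
)
BAD_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" version="1.1" '
    'viewBox="0 0 120 60"><script>/* placeholder */</script>'
    '<rect width="120" height="60"/></svg>'
)

if __name__ == "__main__":
    print(lint_bimi_svg(GOOD_SVG))
    print(lint_bimi_svg(BAD_SVG))
```

This is meant for linting your own logo; it does not replace validation by the CA or the mailbox provider.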

Step 5: Publish Your BIMI DNS Record

Once you have your DMARC in enforcement, your logo file hosted, and your certificate (VMC or CMC), you can publish your BIMI record. This is a TXT record in your DNS zone.

The record will look something like this:

default._bimi.yourdomain.com. IN TXT "v=BIMI1; l=https://cdn.yourdomain.com/path/to/your/logo.svg; a=https://your-ca.com/path/to/your/certificate.pem;"

Let’s break down the components:

  • default._bimi.yourdomain.com: This is the DNS name where the record is published; default is the standard selector for BIMI records.
  • v=BIMI1: Specifies the BIMI version.
  • l=https://cdn.yourdomain.com/path/to/your/logo.svg: This is the HTTPS URL where your SVG Tiny P/S logo file is hosted.
  • a=https://your-ca.com/path/to/your/certificate.pem: This is the HTTPS URL where your certificate file (VMC or CMC) is hosted by the CA.
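The DMARC enforcement requirement from the first section and the tag breakdown above can be checked together before publishing. The following is an added example, not code from the original article; the function names and the example.com records are constructed for illustration. A missing a= tag is flagged because, as noted earlier, major providers typically require a certificate.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt):
    """Return problems that would stop BIMI: the policy must be enforcing."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return [f"p={policy or '(missing)'} is not an enforcement policy"]
    return []

def check_bimi(txt):
    """Return problems with the BIMI record's version, l= and a= tags."""
    tags = parse_tags(txt)
    if tags.get("v") != "BIMI1":
        return ["not a BIMI1 record"]
    problems = []
    for tag, what in (("l", "logo"), ("a", "certificate")):
        url = urlparse(tags.get(tag, ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{tag}= ({what}) must be an https:// URL")
    return problems

def bimi_readiness(dmarc_txt, bimi_txt):
    """Combine both checks; an empty list means the records look ready."""
    return check_dmarc(dmarc_txt) + check_bimi(bimi_txt)

# Constructed sample records.
DMARC_OK = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com;"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com;"
BIMI_OK = ("v=BIMI1; l=https://cdn.example.com/logo.svg; "
           "a=https://ca.example.net/cert.pem;")
BIMI_WEAK = "v=BIMI1; l=http://cdn.example.com/logo.svg;"

if __name__ == "__main__":
    print(bimi_readiness(DMARC_OK, BIMI_OK))
    print(bimi_readiness(DMARC_MONITOR, BIMI_WEAK))
```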

Step 6: Monitor and Test

After publishing your BIMI record, it can take some time for DNS propagation and for email clients to begin displaying your logo. Send test emails to various accounts, especially those on supporting platforms like Gmail and Apple Mail, to verify successful implementation. Continue monitoring your DMARC reports for any issues.

Benefits and Challenges

Benefits

  • Unparalleled Brand Recognition: Your logo becomes a consistent visual identifier in the inbox.
  • Enhanced Trust & Credibility: Certificates (VMC or CMC) provide assurance that emails truly come from your brand.
  • Reduced Phishing Risk: By making it easier for users to identify legitimate emails, BIMI with certificates significantly complicates phishing attempts.
  • Improved Email Marketing Performance: Higher open rates and conversion due to increased trust and visibility[3].
  • Future-Proofing Email Security: Aligning with evolving email authentication standards.
  • Flexible Implementation: Choice between VMC and CMC allows organizations of different sizes and budgets to participate.

Challenges

  • Cost Considerations: VMCs incur higher annual fees; CMCs are more affordable but still have costs.
  • Trademark Requirement (VMC): The mandatory registered trademark for VMC can be a barrier due to cost and time.
  • Certificate Availability (CMC): Not all CAs offer CMC yet, though availability is growing.
  • DMARC Enforcement Complexity: Achieving and maintaining a p=quarantine or p=reject DMARC policy requires expertise and ongoing management.
  • SVG Tiny P/S Specificity: Creating a compliant SVG logo can require specialized graphic design skills.
  • Email Client Support: While major providers support BIMI, specific support for CMC may vary by client.
  • Ongoing Maintenance: Renewing certificates and ensuring DNS records and logo hosting remain consistent.

Conclusion

BIMI, VMC, and CMC represent a powerful framework for modern email security and brand identity. Organizations can now choose between VMC for maximum trust with trademark verification, or CMC for more accessible implementation without trademark requirements. While the path to full implementation demands investment in DMARC enforcement and certificate acquisition, the dividends in brand trust, recognition, and anti-phishing defense are significant.

For any organization serious about its digital presence and email security, understanding and adopting these technologies is no longer optional but a strategic imperative in the evolving landscape of online communication[4]. By embracing BIMI with either VMC or CMC, you empower your brand to stand out securely in every inbox, with the flexibility to choose the certificate path that best fits your organization’s needs and resources.

References

[1] Meli, A. (2020). BIMI: Adding Brand Logos to Emails. Available at: https://www.valimail.com/bimi/ (Accessed: November 2025)

[2] DigiCert. (2021). Verified Mark Certificates (VMCs) for BIMI. Available at: https://www.digicert.com/blog/verified-mark-certificates-vmcs-bimi (Accessed: November 2025)

[3] Entrust. (2022). The Business Value of BIMI and Brand Certificates. Available at: https://www.entrust.com/blog/2022/02/the-business-value-of-bimi-and-vmc/ (Accessed: November 2025)

[4] Agari. (2023). BIMI Certificates: The Future of Email Brand Identity. Available at: https://www.agari.com/email-security-blog/bimi-vmc/ (Accessed: November 2025)