What is a VMC certificate?

A VMC (Verified Mark Certificate) is a digital certificate issued by a BIMI-supported Mark Verifying Authority that links your brand logo to your domain. It requires a registered trademark and is used by providers such as Gmail and Apple Mail to display your logo. Check the BIMI Group's current issuer list before purchasing, because accepted issuers can change.

How much does a VMC cost?

Pricing varies by certificate authority and term length. Check the issuer's current list price before buying.

Do I need a VMC for Gmail?

Gmail requires either a VMC or a CMC certificate to display your brand logo. Without one of these certificates, Gmail will not show your logo even if your BIMI DNS record is correctly configured. A VMC also enables the blue verification checkmark next to your logo, while a CMC displays the logo without the checkmark.

What is the difference between VMC and CMC?

A VMC (Verified Mark Certificate) requires a registered trademark and displays your logo plus a blue verification checkmark in Gmail. A CMC (Common Mark Certificate) does not require a trademark. Instead, it requires proof of 12 or more months of documented logo use in commerce. CMCs display your logo but without the blue checkmark. Gmail supports both, while other providers set their own BIMI evidence-document requirements.

Can I get BIMI without a trademark?

Yes. The CMC (Common Mark Certificate) was introduced in 2024 specifically for organizations without a registered trademark. Instead of trademark registration, you provide evidence of 12 or more months of continuous public logo use, such as dated website screenshots or commercial materials. Yahoo Mail also supports BIMI logo display without any certificate at all, though results are less consistent.

VMC vs CMC certificates for BIMI: requirements, cost, and providers

BIMI lets your brand logo appear next to your emails in Gmail, Yahoo Mail, and Apple Mail. Most of the setup is about DNS records and email authentication. The last piece that unlocks logo display in providers that require an evidence document is a certificate. Two types exist: VMC and CMC. This guide explains what each one is, which providers require which, and how to get one.

What you will learn

The difference between VMC and CMC certificates

Which certificate Gmail, Yahoo, and Apple Mail require

Current pricing and provider support

Step-by-step setup from DMARC enforcement to DNS publication

Why BIMI needs a certificate

BIMI works by having mailbox providers fetch your logo from a URL in your DNS record and display it in the inbox. Without a certificate, any domain owner could claim any logo. A certificate solves this by having a trusted Certificate Authority (CA) verify that your organization controls the domain and owns (or has used) the mark, then embed your logo inside the certificate cryptographically.

When Gmail receives your email, it checks your BIMI DNS record, fetches the certificate from the URL in the a= field, and validates that the logo inside the certificate matches the one in the l= field. If the chain is valid, it displays your logo.

VMC: Verified Mark Certificate

A VMC is the original BIMI certificate type, defined by the BIMI Group's current VMC requirements. It requires a registered trademark in an eligible jurisdiction, such as the USPTO (United States), EUIPO (European Union), UK IPO (United Kingdom), or IP Australia.

What you get: your logo displayed in the inbox, plus the blue verification checkmark in Gmail
Trademark required: yes, registered and active
Issuers: DigiCert, GlobalSign, SSL.com
Typical cost: varies by issuer
Timeline: weeks to months, depending on how quickly the CA can verify your trademark

The blue checkmark explained

The blue verification checkmark in Gmail is only unlocked by a VMC. It signals to recipients that Google has verified your brand identity via a trusted CA. A CMC gives you the logo, but not the checkmark.

CMC: Common Mark Certificate

The CMC was introduced in 2024 by the BIMI Group to open BIMI logo display to organizations without a registered trademark. Instead of a trademark registration number, you provide evidence that your logo has been in continuous public use for at least 12 months.

What you get: your logo displayed in the inbox (no blue checkmark)
Trademark required: no. Requires 12 or more months of documented logo use instead
Issuers: DigiCert, GlobalSign, SSL.com
Typical cost: varies by issuer
Timeline: faster than VMC since there is no trademark verification step

Acceptable evidence for a CMC includes dated website screenshots, Wayback Machine captures, commercial materials (invoices, brochures, ads), or packaging featuring the logo. The CA may also run a trademark clearance search to ensure no third party has a conflicting registered mark.

VMC vs CMC: side-by-side comparison

	VMC	CMC
Trademark required?	Yes, registered	No
Blue checkmark in Gmail?	Yes	No
Logo in Gmail?	Yes	Yes
Logo in Apple Mail?	Yes	Yes
Pricing	Varies by issuer	Varies by issuer
Issuers	DigiCert, Sectigo	Sectigo
Introduced	2021	2023

Which email providers require which certificate

Provider	Certificate needed?	Notes
Gmail	VMC or CMC required	VMC adds the blue checkmark. Without a certificate, your logo will not display.
Yahoo Mail	No certificate required	Yahoo can display logos with a BIMI record alone, but a certificate gives more consistent results.
Apple Mail	VMC or CMC required	Required since iOS 16 and macOS Ventura 13. Also applies to iCloud.com webmail.
Fastmail	No certificate required	BIMI is supported. A valid BIMI DNS record is sufficient for logo display.

Requirements before applying for a certificate

Both VMC and CMC require the same technical prerequisites. The difference is in the identity verification step.

Technical prerequisites (both certificate types)

DMARC policy at p=quarantine or p=reject with pct=100
SPF and DKIM configured and passing for all sending sources
Logo in SVG Tiny P/S format, hosted at a public HTTPS URL
Logo file 32 KB or smaller (it gets embedded inside the certificate)
Square logo (1:1 aspect ratio) with no transparency

For VMC: trademark requirements

Trademark registered with USPTO, EUIPO, IPO (UK), IP Australia, or another eligible registry
The trademark must cover the exact logo you plan to use (wordmarks alone are generally not accepted)
The trademark must be active at the time of certificate issuance and renewal

For CMC: prior-use evidence

12 or more months of continuous public logo use, documented with dated evidence
Acceptable evidence: website screenshots, Wayback Machine captures, invoices, brochures, packaging, advertising
The logo must be associated with a domain you control
No third party may have a conflicting registered trademark for the same mark in your jurisdiction

Check your DMARC policy first

Many organizations apply for a certificate before their DMARC policy is enforced. The certificate will be issued, but Gmail will not display your logo until pct=100 is set and the policy is at quarantine or reject. Use our domain checker to verify your current DMARC status before starting the certificate process.

Certificate providers and pricing

DigiCert

DigiCert offers both VMC and CMC products. See DigiCert's mark certificates page for current pricing and product details.

Sectigo

Sectigo also offers BIMI certificate products. Check its current support and pricing directly, because mailbox-provider acceptance can vary and may depend on the issuer list your target provider honors. DMARCTrust is an authorized Sectigo reseller, which means you can order a Sectigo certificate through us with guided support through the full setup process.

Order your certificate through DMARCTrust

As an authorized Sectigo reseller, we handle the full process: verifying your DMARC enforcement, preparing your logo with our SVG Tiny P/S converter, running compliance checks, and managing certificate issuance. DMARCTrust subscribers can save on Sectigo certificates through the reseller program.

View pricing or visit the BIMI order page from your dashboard.

Step-by-step setup

Get DMARC to enforcement

Set your DMARC policy to p=quarantine or p=reject with pct=100. Use our DMARC generator to build a correct record, and monitor your DMARC reports to confirm all legitimate senders are passing before moving to enforcement.

Prepare your SVG logo

Your logo must be in SVG Tiny P/S format, square, 32 KB or smaller, with no external resources. A solid background is recommended. Use our SVG Tiny P/S converter to convert a standard SVG automatically. Host the file at a stable public HTTPS URL with no query strings.

Apply for your certificate

For a VMC, provide your trademark registration number and jurisdiction. For a CMC, gather your prior-use evidence. Submit your application to DigiCert, Sectigo, or through DMARCTrust. The CA will verify your domain, your mark, and your logo, then issue a PEM file containing your certificate chain with your logo embedded inside it.

Publish your BIMI DNS record

Upload the PEM file to a public HTTPS URL, then publish a TXT record at default._bimi.yourdomain.com pointing to both your logo and your certificate. Use our BIMI generator to build the record correctly.

Example BIMI DNS record with a certificate

default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://brand.example.com/bimi/logo.svg; a=https://brand.example.com/bimi/cert.pem"

The l= field points to your SVG logo. The a= field points to your PEM certificate file. Both must be accessible from a public HTTPS URL without redirects or authentication.

What to expect after publishing

Gmail: can take up to 48 hours to fetch and cache your assets after you publish the record. Logo display is not guaranteed. Gmail may withhold it if your sender reputation is low or spam complaint rates are high.
Apple Mail: propagation times vary. The logo appears on iOS 16+, iPadOS 16+, macOS Ventura 13+, and iCloud.com.
Yahoo Mail: typically faster, and no certificate is needed for initial display.

Frequently asked questions

Do I need a separate certificate for each domain?

Yes. Each domain that sends email needs its own BIMI certificate. A certificate issued for example.com does not cover mail.example.com or subdomain.example.com.

How long does trademark verification take?

The CA checks that your trademark is registered, active, and matches your logo. This typically takes a few days to a few weeks, depending on the CA's queue and whether your logo matches the registered mark exactly.

Can I switch from CMC to VMC later?

Yes. When you register a trademark later, you can apply for a VMC, update the a= field in your BIMI DNS record to point to the new certificate, and the blue checkmark will appear in Gmail without any other changes to your setup.

What happens when my certificate expires?

Certificates are issued for one year. If you do not renew before expiration, mailbox providers will stop displaying your logo. DMARCTrust sends renewal reminders so you have time to act before the certificate lapses.

Learn more

Understand BIMI: the full BIMI setup guide, from DMARC enforcement to DNS publication
BIMI record generator: build and validate your BIMI DNS record
SVG Tiny P/S converter: convert your logo to BIMI-compatible format
DMARC generator: build a correct DMARC record before starting your certificate application
BIMI Group: announcing Common Mark Certificates : the official CMC announcement and eligibility criteria
Google: set up BIMI : Gmail's requirements for logo display, including certificate requirements

BIMI Certificates: VMC vs CMC