Authentication

VMCVerified Mark Certificate

Definition

A VMC (Verified Mark Certificate) is a digital certificate that proves your organisation owns the logo it wants to display beside its email through BIMI. Issued only after a certificate authority verifies a registered trademark, it is what lets supporting clients like Gmail show your logo, often with a blue verified checkmark. A VMC requires an enforced DMARC policy first.

It cryptographically proves you own the logo, preventing logo impersonation
BIMI plus a VMC is what shows your brand logo beside authenticated mail
It requires an enforced DMARC policy: p=quarantine or p=reject
A CMC is a lower-cost alternative that needs prior use rather than a trademark

At a glance

What it is Certificate proving logo ownership

Required for BIMI on Gmail & Apple Mail

Logo format SVG Tiny PS, square, under 32 KB

Proof needed Registered trademark or govt mark

Prerequisite DMARC quarantine or reject

Issued by DigiCert, Sectigo, others

What a VMC is and why it exists

BIMI lets a brand publish its logo in DNS so supporting mailbox providers can show it beside authenticated mail. The obvious risk is that anyone could publish any logo. The VMC closes that hole: it is a certificate, issued by an approved authority only after the authority verifies that your organisation actually holds a registered trademark for the mark, cryptographically binding the logo to your domain.

With a valid VMC, providers like Gmail can show your logo with confidence, and Gmail adds a blue verified checkmark to signal the brand was authenticated. Gmail will not display a self-asserted logo, so for those providers a VMC (or its CMC cousin) is the price of entry. The certificate is delivered as a PEM file referenced from your BIMI record alongside the logo itself.

What you need to get one

A VMC sits at the top of a stack of prerequisites. You cannot get the logo to show without all of them:

Authentication. SPF or DKIM must pass and align, and you must publish DMARC.
Enforced DMARC. The policy has to be p=quarantine or p=reject at pct=100; p=none does not qualify.
A registered trademark. The logo must be a registered trademark (or a government mark) in a recognised jurisdiction.
A compliant logo file. SVG Tiny Portable/Secure (SVG Tiny PS), a square 1:1 aspect ratio, and under 32 KB.
A published BIMI record. A DNS TXT record points to both the logo and the certificate.

A BIMI record referencing the logo (l=) and the VMC (a=)

default._bimi.example.com.  IN  TXT  "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

VMC vs CMC: the cost and trademark trade-off

VMCs are not cheap. List pricing from authorities such as DigiCert runs around 1,499 USD per year, and the hardest part for many brands is the trademark requirement itself, since registering a mark takes time and money.

To widen access, Google began supporting the Common Mark Certificate (CMC) in Gmail in September 2024. A CMC verifies a logo on the basis of prior use (typically a year of demonstrable use, rather than a registered trademark), so brands without a trademark can still get their logo into the inbox. The trade-off: a CMC shows the logo but does not earn the blue verified checkmark that a full VMC does. Both still require the same enforced DMARC foundation.

The path from DMARC to a verified logo

Authenticate mail with SPF and DKIM, aligned

Enforce DMARC at p=quarantine or p=reject

A certificate authority verifies ownership and issues the VMC

Publish a BIMI record pointing to the logo and the VMC

Supporting clients show your logo, with a verified checkmark in Gmail

VMC vs CMC

	VMC	CMC
Proof of ownership	Registered trademark	Prior use (about 1 year)
Verified checkmark	Yes (Gmail)	No
Enforced DMARC needed	Yes	Yes
Relative cost	Higher	Lower
Best for	Trademarked brands	Brands without a trademark

Common mistakes

Buying a VMC before DMARC is enforced

The certificate is useless until your domain is at p=quarantine or p=reject with pct=100. Get authentication and an enforced policy working first, then pursue the VMC.

Submitting a logo that is not a registered trademark

A VMC requires a registered trademark or government mark. If you only have prior use, you need a CMC instead, which shows the logo but without the verified checkmark.

Using the wrong logo format

The file must be SVG Tiny Portable/Secure (SVG Tiny PS), square, and under 32 KB. A normal SVG, a PNG, or a non-square image will be rejected and the logo will not display.

Frequently asked questions

Do I need a VMC for BIMI?

For Gmail and Apple Mail, effectively yes: they will not display a self-asserted logo, so you need a VMC or the lower-cost CMC. Some providers such as Yahoo may show a logo without a certificate, but to reach the major inboxes a certificate is required.

How much does a VMC cost?

List pricing from authorities like DigiCert is around 1,499 USD per year. On top of that you need a registered trademark, which carries its own filing time and cost. A CMC is a cheaper route that relies on prior use instead of a trademark, but it does not earn the verified checkmark.

What is the difference between a VMC and a CMC?

A VMC verifies a registered trademark and earns the blue verified checkmark in Gmail. A CMC (Common Mark Certificate, supported by Gmail since September 2024) verifies a logo by prior use, so brands without a trademark can display a logo, but without the checkmark. Both require enforced DMARC.

Sources & further reading

BIMI Group · Verified Mark Certificates (VMC) and BIMI Google Workspace Help · Set up BIMI: VMC, CMC, and DMARC requirements BIMI Group · Announcing Common Mark Certificates (CMC)

Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary