Creating and managing Verified Mark Certificates (VMC) for BIMI
The combination of BIMI and VMC strengthens the email security structure by making it harder for threat actors to spoof your brand’s logo for sending potentially fraudulent emails. Not only this, but it’s also easier for recipients to trust emails with a logo, encouraging them to open and reply to them.
Upon reception, supporting email clients check the BIMI record and the linked VMC to verify the logo. If the logo and the VMC are valid, the email client displays the brand logo in the user’s inbox, providing visual assurance of the email’s authenticity.
Before learning how to configure BIMI settings and how to get a VMC, let’s quickly recap what BIMI and VMC are by definition.
What are BIMI and VMC?
The BIMI standard enables the official brand logo to appear next to an email’s ‘sender’ field. VMC, which stands for Verified Mark Certificates, complements BIMI by verifying that the logo legitimately belongs to the specific sender. Both BIMI and VMC work together to improve brand recognition and increase a domain’s email engagement rate.
In addition to this, they also act as security protocols, as they prevent phishing, spoofing, and ransomware attempts by disallowing threat actors to misuse logos they don’t own to dupe recipients.
Steps to get a VMC for your domain
Getting a VMC certificate has some prerequisites that you can’t skip. Here’s how you can go about it-
Step 1: Deploy DMARC for your domain
BIMI requires DMARC, which is an email authentication protocol that instructs recipients’ servers on how to deal with fraudulent emails sent by unauthorized people using your domain. You have to create a DMARC record and choose the policy you want to subject the illegitimate emails to.
Here’s an example of a valid DMARC record–
v=DMARC;p=reject;rua=mailto:dmarcreports@you_domain.com
Please note that you should have at least SPF or DKIM in place to deploy DMARC. Implementing both is encouraged for the best protection against email-based menaces attempted in your brand’s name.
Step 2: Use a trademarked logo
Ensure your logo is trademarked, as it’s harder to spoof. If it’s not trademarked, get started on the process as soon as possible, as it’s a time-consuming task. We suggest involving your legal team in this and ensuring your logo is in the correct format to be registrable.
After filing, a trademark office examiner will review your application and contact you. Respond promptly to their requests to avoid cancellation. At the end of the process, you’ll receive either approval or denial.
The following trademark offices are approved for VMCs-
- United States Patent and Trademark Office (USPTO),
- Canadian Intellectual Property Office,
- European Union Intellectual Property Office,
- UK Intellectual Property Office,
- Deutsches Patent- und Markenamt,
- Japan Trademark Office,
- Spanish Patent and Trademark Office O.A.,
- IP Australia.
- Korean Intellectual Property Office
- Instituto Nacional da Propriedade Industrial (Brazil)
- Intellectual Property India
- French Institut National de la Propriete Industrielle
- Benelux Office for Intellectual Property
- Denmark Ministry of Culture
- Swedish Intellectual Property Office
- Swiss Federal Institute of Intellectual Property
- Intellectual Property Office of New Zealand
Step 3: Format your logo
The logo you will use for BIMI must be in the .SVG format and in accordance with the SVG Portable/Secure (SVG-P/S) profile.
Please note that currently, there is no export template for this format in Adobe Illustrator. Nonetheless, it can be done in a few simple steps-
- Save your logo as a vector file type such as .ai, .eps, .pdf, or .svg. If your logo has complex art, some tweaking may be needed to ensure proper display.
- Open your file in Adobe Illustrator.
- Select “Save As” and choose SVG from the “Format” dropdown menu.
- Click “Save.”
- In the dialog box that appears, choose “Tiny 1.2” from the “SVG Profiles” dropdown menu and click “OK.”
- Open your SVG file using a text editor like Notepad or a code editor.
- Ensure the header includes: xmlns=http://www.w3.org/2000/svg, version=”1.2″, baseProfile=”tiny-ps”.
- If exported from Illustrator, change the baseProfile to “tiny-ps” and delete the x=, y=, and overflow items.
- Add the title element with your company name after xml:space=”preserve”, but outside the graphic code.
- Ensure you save it in SVG format.
There is an alternate method as well-
- The BIMI working group offers an Adobe Illustrator Export Script that converts an SVG Tiny 1.2 file into SVG P/S format automatically.
- Use a 1:1 aspect ratio.
- Center your image.
- Use a non-transparent background.
Step 4: Purchase your VMC
Buy a verified mark certificate from trusted sources. Most organizations need just one certificate for their domain. If you use multiple logos, you must buy VMCs for all of them.
Once done, there will be a few more steps-
- Verify your logo is a registered trademark.
- Submit notarized copies of ID documents for the individual from your organization who is applying for the VMC.
- Participate in an in-person or video call with a member of the certificate authority’s validation team to verify that your identity matches the submitted ID documents.
- After completing these steps, your VMC will be issued.
Step 5: Upload the purchased VMC to your web server
Once the certificate is issued to you, you are going to get an email with your entity certificate Privacy Enhanced Mail or the PEM file. Upload this file to your public web server. Please save the file’s URL somewhere; you will need it for the upcoming step.
Step 6: Add a BIMI TXT record to your domain
Use an online BIMI record-generating tool and add the produced BIMI TXT record to your domain’s DNS.
Add the following values to your BIMI record–
- Type: TXT
- Host: default._bimi.yourdomain.com
- Value: v=BIMI1;l=https://images.yourdomain.com/brand/ bimilogo.svg;a=https://images.yourdomain.com/ brand/certificate.pem
- TTL: 3600 seconds
Wait for 24 to 48 hours for the information to propagate across the internet.
It can be confusing to begin with the process. So, don’t refrain from connecting to an expert on this.