Creating and managing Verified Mark Certificates (VMC) for BIMI
Quick Answer
BIMI (Brand Indicators for Message Identification) displays a brand's verified logo next to authenticated emails in supporting clients. BIMI requires a DMARC policy of `quarantine` or `reject` - `p=none` is not sufficient. DMARC Report Creating and managing Verified Mark Certificates (VMC) for BIMI
Related: Free DMARC Checker ·How to Create an SPF Record ·SPF Record Format
Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.
BIMI (Brand Indicators for Message Identification) displays a brand’s verified logo next to authenticated emails in supporting clients. BIMI requires a DMARC policy of quarantine or reject - p=none is not sufficient.
DMARC Report
Creating and managing Verified Mark Certificates (VMC) for BIMI
<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
Play Episode
</button>
<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
Pause Episode
</button>
<audio preload="none" class="clip clip-14763">
<source src="https://media.mailhop.org/dmarcreport/images/2024/08/Creating-and-managing-Verified-Mark-Certificates-VMC-for-BIMI.mp3">
</audio>
<button class="player-btn player-btn__volume" title="Mute/Unmute">
Mute/Unmute Episode
</button>
<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
Rewind 10 Seconds
</button>
<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
Fast Forward 30 seconds
</button>
<time class="ssp-timer">00:00</time>
/
<!-- We need actual duration here from the server -->
<time class="ssp-duration" datetime="PT0H2M25S">2:25</time>
<nav class="player-panels-nav">
<button class="subscribe-btn" id="subscribe-btn-14763" title="Subscribe">Subscribe</button>
<button class="share-btn" id="share-btn-14763" title="Share">Share</button>
</nav>
RSS Feed
<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-14763" title="RSS Feed URL" readonly />
<button class="copy-rss copy-rss-14763" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
Share
<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/creating-and-managing-verified-mark-certificates-vmc-for-bimi/&t=Creating and managing Verified Mark Certificates (VMC) for BIMI" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
</a>
<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/creating-and-managing-verified-mark-certificates-vmc-for-bimi/&url=Creating and managing Verified Mark Certificates (VMC) for BIMI" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
</a>
<a href="https://media.mailhop.org/dmarcreport/images/2024/08/Creating-and-managing-Verified-Mark-Certificates-VMC-for-BIMI.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
</a>
Link
<input value="https://dmarcreport.com/blog/podcast/creating-and-managing-verified-mark-certificates-vmc-for-bimi/" class="input-link input-link-14763" title="Episode URL" readonly />
<button class="copy-link copy-link-14763" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
Embed
<input type="text" value='<blockquote class="wp-embedded-content" data-secret="jIXGtn73ym"><a href="https://dmarcreport.com/blog/podcast/creating-and-managing-verified-mark-certificates-vmc-for-bimi/">Creating and managing Verified Mark Certificates (VMC) for BIMI</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/creating-and-managing-verified-mark-certificates-vmc-for-bimi/embed/#?secret=jIXGtn73ym" width="500" height="350" title=""Creating and managing Verified Mark Certificates (VMC) for BIMI" - DMARC Report" data-secret="jIXGtn73ym" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-14763” readonly/>
<button class="copy-embed copy-embed-14763" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
The combination of BIMI and VMC strengthens the email security structure by making it harder for threat actors to spoof your brand’s logo for sending potentially fraudulent emails. Not only this, but it’s also easier for recipients to **trust emails with a logo, encouraging them to open and reply to them.
Upon reception, supporting email clients check the BIMI record and the linked VMC to verify the logo. If the logo and the VMC are valid, the email client displays the brand logo in the user’s inbox, **providing visual assurance of the email’s authenticity.
Before learning how to configure BIMI settings and how to get a VMC, let’s quickly recap what BIMI and VMC are by definition.
What are BIMI and VMC?
The BIMI standard enables the official brand logo to appear next to an email’s ‘sender’ field. VMC, which stands for Verified Mark Certificates, complements BIMI by verifying that the logo legitimately belongs to the specific sender. Both BIMI and VMC work together to **improve brand recognition and increase a domain’s email engagement rate.
In addition to this, they also act as security protocols, as they prevent phishing, spoofing, and ransomware attempts by disallowing threat actors to misuse logos they don’t own to dupe recipients.
Steps to get a VMC for your domain
Getting a VMC certificate has some prerequisites that you can’t skip. Here’s how you can go about it-
Step 1: Deploy DMARC for your domain
BIMI requires DMARC, which is an email authentication protocol that instructs recipients’ servers on how to deal with fraudulent emails sent by unauthorized people using your domain. You have to create a DMARC record and choose the policy you want to subject the **illegitimate emails to.
Here’s an example of a valid DMARC record–
v=DMARC;p=reject;rua=mailto:dmarcreports@youdomain.com
Please note that you should have at least SPF or DKIM in place to deploy DMARC. Implementing both is **encouraged for the best protection against email-based menaces attempted in your brand’s name.
Step 2: Use a trademarked logo
Ensure your logo is trademarked, as it’s harder to spoof. If it’s not trademarked, get started on the process as soon as possible, as it’s a time-consuming task. We suggest involving your legal team in this and ensuring your logo is in the correct format to be registrable.
After filing, a **trademark office examiner will review your application and contact you. Respond promptly to their requests to avoid cancellation. At the end of the process, you’ll receive either approval or denial.
The following trademark offices are approved for VMCs-
Step 3: Format your logo
The logo you will use for BIMI must be in the .**SVG format and in accordance with the SVG Portable/Secure (SVG-P/S) profile.
Please note that currently, there is no export template for this format in Adobe Illustrator. Nonetheless, it can be done in a few simple steps-
-
Save your logo as a vector file type such as .ai, .eps, .pdf, or .svg. If your logo has complex art, some tweaking may be needed to ensure proper display.
-
Open your file in Adobe Illustrator.
-
Select “Save As” and choose SVG from the “Format” dropdown menu.
-
Click “Save.”
-
In the dialog box that appears, choose “Tiny 1.2” from the “SVG Profiles” dropdown menu and click “OK.”
-
Open your SVG file using a text editor like Notepad or a code editor .
-
Ensure the header includes: xmlns=http://www.w3.org/2000/svg, version=“1.2”, baseProfile=“tiny-ps”.
-
If exported from Illustrator, change the baseProfile to “tiny-ps” and delete the x=, y=, and overflow items.
-
Add the title element with your company name after xml:space=“preserve”, but outside the graphic code.
-
Ensure you save it in SVG format.
There is an alternate method as well-
-
The BIMI working group offers an Adobe Illustrator Export Script that converts an SVG Tiny 1.2 file into SVG P/S format automatically.
-
Use a 1:1 aspect ratio.
-
Center your image.
-
Use a non-transparent background.
Step 4: Purchase your VMC
Buy a verified mark certificate from trusted sources. Most organizations need just one certificate for their domain. If you use multiple logos, you must buy VMCs for all of them.
Once done, there will be a few more steps-
-
Verify your logo is a registered trademark.
-
Submit notarized copies of ID documents for the individual from your organization who is applying for the VMC.
-
Participate in an in-person or video call with a member of the certificate authority’s validation team to verify that your identity matches the submitted ID documents.
-
After completing these steps, your VMC will be issued.
Step 5: Upload the purchased VMC to your web server
Once the certificate is issued to you, you are going to get an email with your entity certificate Privacy Enhanced Mail or the PEM file. Upload this file to your public web server. Please save the file’s URL somewhere; you will need it for the upcoming step.
Step 6: Add a BIMI TXT record to your domain
Use an online BIMI record-generating tool and add the produced BIMI TXT record to your domain’s DNS.
Add the following values to your BIMI record–
-
Type: TXT
-
Host: default.bimi.yourdomain.com
-
Value: v=BIMI1;l=https://images.yourdomain.com/brand/ bimilogo.svg;a=https://images.yourdomain.com/ brand/certificate.pem
-
TTL: 3600 seconds
Wait for **24 to 48 hours for the information to propagate across the internet.
It can be confusing to begin with the process. So, don’t refrain from **connecting to an expert on this.
Topics
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
LinkedIn Profile →Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.