- Introduction to Common Mark Certificates (CMCs)
- What Is a Common Mark Certificate and How Does It Work?
- Who Can Apply for a Common Mark Certificate?
- Key Benefits of Obtaining a CMC
- The Registration Process for Common Mark Certificates
- Common Mark Certificates vs. Verified Mark Certificates
- Why Common Mark Certificates Are Important for Brand Protection
- How Encryption Consulting Can Help
- Conclusion
Introduction to Common Mark Certificates (CMCs)
Email is still one of the easiest channels for attackers to abuse through phishing, spoofing, and brand impersonation. Companies spend a lot on security and staff training, yet they often overlook one of the clearest trust signals they have, which is the sender logo shown right next to a message in the recipient’s inbox.
Common Mark Certificates (CMCs) are what make that logo appear. They are part of the Brand Indicators for Message Identification (BIMI) standard, and they let organisations that rely on common law trademark rights, rather than registered trademarks, verify and show their brand logo in supporting email clients. Knowing what CMCs are, how they work, and why they matter is important for any organisation that cares about email trust, inbox branding, and brand protection.
What Is a Common Mark Certificate and How Does It Work?
A Common Mark Certificate is a kind of Verified Mark Certificate (VMC) that verifies a brand logo for display in email inboxes without needing a registered trademark. A standard VMC asks for proof of trademark registration. A CMC instead accepts that many genuine organisations have built a strong brand simply through long-term use, not formal registration.
CMCs work inside the BIMI ecosystem. BIMI links a verified logo to an email domain so that inbox providers such as Gmail and Apple Mail can show the sender’s logo beside each message. To start, the sending domain needs a valid DMARC policy set to quarantine or reject. DMARC (Domain-based Message Authentication, Reporting and Conformance) is the base of the whole trust chain. It makes sure only approved senders can use the domain and shuts down the most common spoofing routes. Without DMARC switched on, neither a VMC nor a CMC will work.
The certificate is issued by a Certificate Authority approved under the BIMI standard. Before issuing it, the Certificate Authority checks the organisation’s rights to the logo, including evidence of common-law use. This independent check is what sets a BIMI-verified sender apart from any domain that simply claims to show a logo.
Who Can Apply for a Common Mark Certificate?
The CMC route opens up verified inbox branding to far more organisations. In the past, BIMI logo display was limited to those holding a registered trademark. That left out a large part of the business world, especially smaller companies and organisations in fields where trademark registration is rare.
CMCs are meant for organisations that can show steady, exclusive use of a logo as a brand identifier through common law rights. Applicants usually need to provide evidence such as samples of how the logo is used commercially, statements about first and continuous use, and documents showing the logo is distinctive. The exact requirements differ by Certificate Authority, but the core rule is the same: the applicant must hold enforceable rights in the logo under common law principles. A CMC does not grant trademark rights; it recognises rights that already exist.
Key Benefits of Obtaining a CMC
The value of a CMC goes well beyond a logo showing up in the inbox. It covers email security, brand trust, and deliverability. On the security side, pairing DMARC enforcement with BIMI verification builds a strong barrier against domain spoofing and phishing. An attacker pretending to be a CMC-verified sender cannot copy the verified logo, and when the logo is missing, recipients get an instant warning that something is wrong.
On the branding side, a verified logo sets your authenticated messages apart from unverified ones and helps people remember your brand. There is also an email reputation benefit: the setup a CMC requires, including correctly configured SPF, DKIM, and DMARC records, leads to real gains in deliverability and inbox placement.
The Registration Process for Common Mark Certificates
Getting a CMC is a step-by-step process that needs both technical and legal preparation. The basic requirement is a fully enforced DMARC policy set to quarantine or reject; a p=none monitoring policy is not enough. Organisations should make DMARC enforcement their first priority, since it is the gateway to everything that follows.
Once DMARC is in place, the logo must match BIMI’s SVG Tiny Portable/Secure profile and be hosted at a public HTTPS URL. The organisation then works with an approved Certificate Authority, such as DigiCert or Entrust, and submits documents proving its common law rights. After the check, the Certificate Authority issues the certificate, which is added to a BIMI DNS record along with the logo URL. Gmail and Apple Mail are among the main providers that support BIMI with VMC/CMC verification.
Common Mark Certificates vs. Verified Mark Certificates
People often mix up CMCs and standard VMCs. A VMC needs a logo that is registered as a trademark with a qualifying office, such as the USPTO or the EUIPO, and the registration must be active when the certificate is issued. A CMC instead accepts evidence of common law rights in place of formal registration. Both do the same technical job and are treated the same by BIMI-compliant inbox providers; the verified logo looks identical to recipients either way. A Collective Mark is a different idea altogether: it is a trademark used by members of a group to show membership or origin, and it should not be confused with a CMC.
Why Common Mark Certificates Are Important for Brand Protection
Brand impersonation in email is one of the most harmful and stubborn threats organisations deal with. Criminals build convincing copies of real domains and send fake messages at scale to steal credentials, plant malware, or commit fraud. The damage falls on the impersonated organisation even though it is the victim.
CMCs fight this on several fronts. They require strong domain authentication that makes spoofing much harder, they let you display a verified logo no unauthorised sender can copy, and they help build a wider habit of authenticated email. As email security standards grow more common, a missing verified logo may start to look suspicious on its own, so adopting CMCs early puts organisations ahead of that shift.
How Encryption Consulting Can Help
A Common Mark Certificate is not a one-time setup; it is a live digital certificate that sits in your DNS, carries an expiry date, and must be renewed and re-validated to keep your verified logo showing in the inbox. If it lapses unnoticed, your sender logo quietly disappears, and the trust signal you worked to earn goes with it. As certificate volumes grow and lifespans shorten across TLS, code signing, and now email authentication, tracking every certificate by hand becomes a real risk rather than a minor chore. Encryption Consulting helps organizations bring that entire estate, including BIMI-related certificates like your CMC, under proper control.
CertSecure Manager, Encryption Consulting’s certificate lifecycle management platform, keeps your CMC and every other certificate under one roof:
- Single pane of glass: Track every certificate, including your CMC, in one unified dashboard so nothing sits unmonitored.
- Prevent outages: Continuous expiration monitoring with zero-touch renewals keeps your verified logo live and avoids lapses.
- Automated alerts: Configurable advance alerts (30 days or longer) warn you well before a certificate expires.
- Works across all CAs: Discover and manage certificates across Microsoft, public, and private CAs from a single interface.
- Audit-ready reporting: On-demand audit trails and high-risk certificate reports keep your certificate estate compliant and accountable.
To see how it fits your environment, request a demo or explore CertSecure Manager.
Conclusion
Common Mark Certificates are a real, practical step forward in email security and brand authentication. By extending the BIMI verified logo standard to organisations with common law rather than registered trademark rights, CMCs make one of the strongest trust tools in modern email available to far more brands. For years, the benefits of inbox branding were effectively reserved for organisations large enough to hold registered trademarks. CMCs remove that barrier and put verified logo display within reach of smaller businesses, non-profits, and any organisation that has built genuine brand recognition through consistent use.
The wider value is just as important as the logo itself. Pursuing a CMC pushes an organisation to put proper email authentication in place, since enforced DMARC, along with correctly configured SPF and DKIM, is a prerequisite rather than an optional extra. The result is a stronger overall security posture, less exposure to spoofing and phishing, better deliverability, and a clearer, more trustworthy presence in every recipient’s inbox. In other words, the work required to earn a CMC delivers benefits well beyond the certificate itself.
As verified sender indicators become more familiar to everyday email users, the organisations that adopt them early will enjoy a meaningful trust advantage, while those that wait may increasingly be viewed with suspicion. Treating CMCs as part of a long-term email security and brand protection strategy, rather than a one-time task, is the most effective way to stay ahead of that shift.
