
BIMI with VMC and CMC: How Gmail’s Verified Logos Work in 2026


Email is one of the most exploited attack surfaces for brand impersonation. Brand Indicators for Message Identification (BIMI) is an email specification that displays a verified brand logo next to authenticated messages in supported inboxes, giving recipients a visual trust signal before they open the message.

Implementing BIMI in 2026 means choosing between two certificate types, the Verified Mark Certificate (VMC) and the Common Mark Certificate (CMC). The AuthIndicators Working Group introduced CMC support in late 2024, and Google supports CMC in Gmail, extending BIMI access to organizations without a registered trademark. This blog covers how BIMI works, how VMC and CMC differ, what Gmail specifically requires, and how enterprise teams can build a rollout that holds up operationally.

Why BIMI Matters for Enterprise Security Teams

BIMI interrupts phishing by backing the displayed brand logo with a verified certificate tied to the sending domain. For VMC-authenticated senders, Gmail also displays a blue verified checkmark as an additional visual verification signal. That checkmark is exclusive to VMC; CMC-only implementations display a brand avatar without it.

A second benefit is operational. Implementing BIMI forces teams to resolve Domain-based Message Authentication, Reporting and Conformance (DMARC) alignment gaps across all outbound sending systems, including third-party platforms for marketing, support, and HR. That cleanup improves deliverability, reduces spoofing exposure, and gives security teams a complete picture of the sender inventory.

Note that Microsoft Outlook has not adopted BIMI as of mid-2026. BIMI currently operates across Gmail, Yahoo Mail, Apple Mail, and other major mailbox providers.

How BIMI Works

BIMI is a display layer, not an independent security system. It activates only when the underlying authentication stack passes all required checks. The architecture has three layers. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) must pass; DMARC must be enforced at p=quarantine or p=reject with pct=100; and a BIMI DNS record must point to a hosted SVG logo and a valid certificate file. A policy at p=none or with pct below 100 does not qualify.

Those settings are DMARC record tags written as tag=value. The p tag sets the policy for mail that fails DMARC, where p=none only monitors, p=quarantine diverts failing mail to spam, and p=reject blocks it. The pct tag sets the share of failing mail the policy applies to, so pct=100 means all of it. The term pct is a single tag abbreviated from percent, not three separate letters.

Authentication Flow

  1. The sender’s mail server signs the message with DKIM and passes SPF for the sending IP.
  2. The mailbox provider checks DMARC alignment, which means the domain that passed SPF or DKIM must match the domain shown in the From address. At least one of SPF or DKIM must both pass and match; a message can pass one of them and still fail DMARC if the domains do not match. This binds authentication to the visible From domain.
  3. The provider confirms DMARC is at p=quarantine or p=reject with pct=100.
  4. The provider queries the BIMI DNS TXT record at default._bimi.[domain].
  5. The provider fetches and validates the SVG logo and PEM certificate over HTTPS.
  6. If all checks pass, the brand logo displays. In Gmail, messages authenticated with a VMC are also eligible to display the verified blue checkmark.

Every failure in this chain is silent. No error is sent to the domain owner. A 2025 URIports analysis found that 53.6 percent of published BIMI records contain at least one error that prevents logo display.

VMC vs CMC: Choosing the Right Certificate

Verified Mark Certificate (VMC)

A VMC requires a trademark registered with a recognized IP office. As of 2026, the BIMI Group’s VMC Requirements recognize trademark offices in more than a dozen jurisdictions, including the USPTO, EUIPO, UK IPO, and IP Australia. VMCs are issued by the Mark Verifying Authorities recognized by the BIMI Group. Entrust, an original issuer, exited the BIMI certificate business in 2025 after selling its public certificate operations.

Pricing varies by CA and reseller, running roughly USD 749 to USD 1,750 per year excluding trademark fees, with validation taking two to four weeks. A VMC enables the brand avatar and the Gmail blue checkmark on both web and mobile. Certificate validity is capped at 397 days.

Common Mark Certificate (CMC)

A CMC serves organizations without a registered trademark. To qualify, the logo must have been in continuous public use on the domain for at least 12 months, verified by the CA using evidence of prior use, which may include web archive records. The same authorities issue CMCs at approximately USD 650 to USD 1,100 annually, with issuance in one to three weeks. CMC enables Gmail brand avatar display but does not trigger the blue checkmark and is not supported by Apple Mail. The 397-day validity window and all operational requirements are identical to VMC.

Comparison Table

Area                                   | VMC                                        | CMC
Trademark required                     | Yes, registered with recognized IP office  | No trademark required
Proof of logo use                      | Trademark serves as proof                  | Logo in public use for 12+ months
Gmail blue checkmark                   | Yes                                        | No, brand avatar only
Apple Mail support                     | Yes                                        | No (VMC only as of 2026)
Yahoo Mail                             | Yes                                        | Yes (no cert required by Yahoo)
Annual cost (approx., as of mid-2026)  | USD 749–1,750 + trademark fees             | USD 650–1,100
Issuance time                          | 2–4 weeks                                  | 1–3 weeks

Enterprise Architecture and Team Ownership

BIMI sits at the intersection of email security, Public Key Infrastructure (PKI), DNS, brand management, and cloud infrastructure. Clear ownership across four areas prevents the outages that follow certificate expiry or DNS changes:

  • Email security teams own DMARC policy, DKIM key rotation, and sender alignment monitoring.
  • PKI and certificate teams manage the VMC or CMC certificate, including trademark validation with the CA, HTTPS hosting, and renewal tracking.
  • Brand and marketing teams own the SVG logo asset and format compliance.
  • Cloud and DevSecOps teams own DNS automation, HTTPS infrastructure, and deployment pipelines.

When one team rotates a DKIM key without notifying the email security team, DMARC alignment breaks and the logo disappears. When marketing updates the SVG without resubmitting it to the CA, the certificate mismatch causes logo failure. Both scenarios are common in organizations that treat BIMI as a one-time project.

What Causes Silent BIMI Failures

  • Incomplete DMARC enforcement: Setting p=quarantine without pct=100 means the policy applies to only a subset of outbound mail. Organizations ramping DMARC incrementally must reach pct=100 before BIMI activates in Gmail.
  • Third-party sender misalignment: Marketing tools, support platforms, and HR systems must all be DKIM-signed and DMARC-aligned. A single high-volume misaligned sender disrupts BIMI display for that entire mail stream.
  • Certificate and logo mismatch: The SVG and PEM must match the validated asset on record with the CA. Updating the logo without revalidating the certificate causes providers to reject the BIMI record outright.
  • Subdomain coverage gaps: BIMI records are not inherited by subdomains. Senders using a subdomain in the From header need their own BIMI record or logo display will be absent for that mail stream.
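The record checks behind the authentication flow above and the silent-failure list, as an added example that is not part of the original post: a Python pre-flight check that parses the DMARC and BIMI TXT records for the visible From domain and reports every prerequisite Gmail would silently fail on. DNS is replaced with a constructed in-memory zone; the v=, l= and a= tag names come from the BIMI specification, not from this page.

```python
# Added example (not from the original post): a pre-flight check of the DMARC
# and BIMI TXT records a mailbox provider evaluates before showing a logo.
# DNS lookups are replaced by a constructed dict so the script runs offline.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_bimi_readiness(from_domain, dns):
    """Return a list of findings for the visible From domain; [] means ready for Gmail."""
    findings = []
    d = parse_tags(dns.get(f"_dmarc.{from_domain}", ""))
    if d.get("v") != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    if d.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={d.get('p', 'missing')} is not an enforcing policy")
    try:
        pct = int(d.get("pct", "100"))   # an absent pct tag means 100 percent
    except ValueError:
        pct = -1
    if pct != 100:
        findings.append(f"DMARC: pct={d.get('pct')} applies the policy to a subset of mail")
    bimi_txt = dns.get(f"default._bimi.{from_domain}", "")
    if not bimi_txt:
        findings.append(f"BIMI: no record at default._bimi.{from_domain} "
                        "(records are not inherited by subdomains)")
        return findings
    b = parse_tags(bimi_txt)
    if b.get("v") != "BIMI1":
        findings.append("BIMI: v= must be BIMI1")
    logo = b.get("l", "")
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        findings.append("BIMI: l= must be an HTTPS URL to an SVG logo")
    if not b.get("a", "").startswith("https://"):
        findings.append("BIMI: a= must be an HTTPS URL to the VMC/CMC PEM (Gmail requires it)")
    return findings

# Constructed sample zone: the apex domain is ready; the subdomain inherits nothing.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine; pct=50",
}

if __name__ == "__main__":
    for domain in ("example.com", "news.example.com"):
        print(domain, check_bimi_readiness(domain, SAMPLE_DNS) or "OK")
```

Run against the constructed zone, the apex domain returns no findings while news.example.com reports both the partial pct and the missing subdomain BIMI record.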

Best Practices for a Durable BIMI Program

  • Start with one domain. Confirm DMARC enforcement (p=quarantine or p=reject), ideally stable for around 30 days, before adding BIMI.
  • Build a complete sender inventory first. Every system sending mail under the domain must be DKIM-signed and aligned before enforcement is enabled.
  • Assign named owners for DNS records, certificate files, SVG assets, and DMARC reporting, and document handoff procedures for renewal and logo updates.
  • Review DMARC aggregate reports weekly. They are the most reliable early-warning signal for BIMI disruptions.
  • Set certificate renewal reminders at 90, 60, and 30 days before the 397-day expiry. Expiry causes immediate, graceless logo removal.
  • Validate the full BIMI stack after any DNS change, logo update, or hosting migration using a BIMI validator.


How Encryption Consulting Can Help

Encryption Consulting provides the PKI expertise that a reliable BIMI program depends on. Our PKI Services cover assessment, design, and implementation of the certificate infrastructure behind DKIM signing and VMC or CMC deployment, including Hardware Security Module (HSM) integration for private key protection and certificate authority selection. Our PKI-as-a-Service builds and manages the entire CA environment while ownership of the CA and keys stays with you, running on FIPS 140-3 Level 3 HSMs with crypto-agile, post-quantum-ready certificates.

CertSecure Manager, our certificate lifecycle management platform, gives you a single, automated view of every certificate across your environment, from TLS/SSL and code signing to client and device certificates. It is vendor-neutral, connects public and private certificate authorities in a single view, automates discovery, enrollment, and renewal, and generates audit and high-risk certificate reports that prevent the expiry-driven outages most organizations discover only after the fact.

Conclusion

BIMI rewards correct email authentication with a visible mark of trust in the inbox. VMC is the right choice for trademarked brands that want the Gmail blue checkmark and Apple Mail support. CMC opens the standard to organizations that can demonstrate 12 months of logo use, with identical operational requirements after issuance.

At its core, BIMI is one more place where disciplined authentication and certificate hygiene become something customers can actually see. Done correctly, the result is not just a logo in the inbox. It is a more controlled, visible, and defensible email identity program.