VMC Certificate for BIMI Explained
If you're dealing with DMARC, you've likely heard the buzz around BIMI (Brand Indicators for Message Identification). It's the standard that lets your brand's logo appear next to your emails in supporting inboxes, significantly boosting trust and recognition. But BIMI isn't just about a DNS record and an SVG file. For real-world implementation and widespread adoption, especially with major email providers, you need a VMC – a Verified Mark Certificate. This article cuts through the marketing speak to explain what a VMC is, why it's critical for BIMI, and the technical hurdles you'll face.
What is BIMI, Anyway?
At its core, BIMI is a way for organizations to display their registered brand logo in the inbox alongside authenticated emails. Think of it as a verified avatar for your domain. When an email client supports BIMI, and your domain meets the requirements, your logo shows up where a generic initial or placeholder might otherwise be. This isn't just cosmetic; it's a powerful visual cue that tells recipients, "This email is legitimate and comes from the brand you expect."
The fundamental requirements for BIMI are:
- DMARC Enforcement: Your sending domain must have a DMARC policy of p=quarantine or p=reject. This is non-negotiable. BIMI relies on strong email authentication to prevent impersonation, and DMARC enforcement is the bedrock of that. Without it, your logo could be displayed next to fraudulent emails, undermining the entire purpose.
- SVG Logo: Your logo needs to be in a specific format: SVG Tiny PS 1.2. This isn't just any SVG; it has strict requirements to ensure security and consistent rendering across clients.
- DNS TXT Record: A _bimi DNS TXT record points to your SVG logo file.
While the basic BIMI spec allows for "self-asserted" logos (just the SVG and DNS record), major email clients like Gmail and Apple Mail require an additional layer of verification: the VMC.
The "Why" Behind VMC
Imagine if anyone could put any logo next to their emails just by pointing to an SVG file. The system would be easily abused, leading to a new wave of phishing where bad actors display legitimate brand logos. This is where the VMC steps in.
A Verified Mark Certificate (VMC) is an X.509 digital certificate that cryptographically binds your registered trademark logo to your domain. It's issued by a trusted Certificate Authority (CA), much like an SSL/TLS certificate for your website. The CA performs rigorous validation to ensure that:
- You own the domain.
- Your organization legally owns the trademark for the logo you want to display.
This process provides a high level of assurance that the logo being displayed is genuinely associated with the sending organization, preventing spoofing and enhancing trust. Without a VMC, major email providers will not display your BIMI logo, even if your DMARC and SVG records are perfectly set up. It's the missing link for widespread BIMI adoption.
Technical Requirements for Obtaining a VMC
Before you even think about contacting a CA for a VMC, you need to have several ducks in a row. These are not trivial and often represent the biggest hurdles.
1. Trademark Registration
This is the absolute first step and often the longest lead-time item. The logo you wish to use must be a registered trademark with an intellectual property office in a supported jurisdiction. This means:
- It needs to be a word mark or design mark (or both).
- It must be registered in a country recognized by the CA/BIMI working group (e.g., USPTO, EUIPO, UKIPO, CIPO).
If your logo isn't trademarked, you cannot get a VMC. Full stop. The process of trademarking can take months or even over a year, so plan accordingly.
2. DMARC Enforcement
As mentioned, your DMARC policy for the organizational domain must be set to p=quarantine or p=reject. A p=none policy, while useful for monitoring, is insufficient for BIMI. The VMC CA will verify this during the issuance process. They need to see that your domain is actively protecting against unauthorized use.
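An added example, not from the article: a small Python function that applies the same enforcement test a VMC CA makes, but to the text of a DMARC record (fetch the _dmarc TXT record with dig first). Beyond the p=quarantine/reject rule above, it also rejects a sampled policy (pct below 100) and an sp=none subdomain override, two cases the BIMI specification excludes.

```python
def dmarc_policy_for_bimi(record):
    """Parse a DMARC TXT record string and report whether BIMI would accept it.

    Returns (ok, reason). Constructed for this article; it does not query DNS.
    """
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return False, "not a DMARC record (v=DMARC1 missing)"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, "p=%s is monitoring only; BIMI needs quarantine or reject" % (policy or "<missing>")
    # BIMI expects the policy to apply to all mail, so a sampled policy is not accepted.
    if tags.get("pct", "100") != "100":
        return False, "pct=%s samples the policy; BIMI requires pct=100" % tags["pct"]
    # An sp=none override would let unauthenticated subdomain mail through unenforced.
    sub = tags.get("sp", policy).lower()
    if sub not in ("quarantine", "reject"):
        return False, "sp=%s weakens enforcement for subdomains" % sub
    return True, "p=%s is enforcement" % policy


# Constructed records: the first passes, the others each fail one rule.
SAMPLE_RECORDS = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25",
    "v=DMARC1; p=quarantine; sp=none",
    "v=spf1 -all",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(dmarc_policy_for_bimi(rec), "<-", rec)
```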
3. SVG Tiny PS 1.2 Compliant Logo
This is another common sticking point. Your logo must be in the SVG Tiny PS 1.2 profile. This is a highly restrictive subset of the full SVG specification. Key constraints include:
- No external references (e.g., fonts, images). All elements must be embedded.
- No scripting or animation.
- Specific elements and attributes are allowed/disallowed.
- The baseProfile="tiny-ps" and version="1.2" attributes are mandatory in the SVG root element.
- The width and height attributes must be specified in pixels, and the viewBox attribute must match these dimensions.
Many vector graphics tools (like Adobe Illustrator or Inkscape) can export to SVG, but they rarely export directly to the strict SVG Tiny PS 1.2 profile without manual intervention or specific plugins. You'll often need to clean up the SVG code manually.
Concrete Example: Validating SVG Tiny PS Compliance
You can use command-line tools like xmllint with a schema or a custom script to validate your SVG. While xmllint doesn't natively understand SVG Tiny PS 1.2, you can use it to check for disallowed elements or attributes. More practically, you'll often rely on online BIMI SVG validators (search for "BIMI SVG validator").
For instance, to check for common issues like external references or scripts, you might grep your SVG file:
# Check for script tags
grep -i "<script" your_logo.svg
# Check for external links (hrefs not pointing to local IDs); SVG 2 also allows an unprefixed href
grep -iE "(xlink:)?href=\"http" your_logo.svg
grep -i "url(" your_logo.svg | grep -v "url(#"
A truly compliant SVG Tiny PS file will be quite minimal and self-contained.
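As an added example (not part of the original article), here is a Python checker that applies the Tiny PS constraints listed above to the SVG's parsed XML rather than grepping its text, so it also catches an unprefixed href, an <image> element or an event-handler attribute. The two sample SVGs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements the Tiny PS profile forbids: scripting, animation, raster and foreign content.
FORBIDDEN_TAGS = {"script", "animate", "animateTransform", "animateMotion", "set", "image", "foreignObject"}


def check_bimi_svg(svg_text):
    """Return the list of Tiny PS problems found in an SVG document ([] means it passed)."""
    root = ET.fromstring(svg_text)
    if root.tag != "{%s}svg" % SVG_NS:
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root needs baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('root needs version="1.2"')
    if root.find("{%s}title" % SVG_NS) is None:
        problems.append("missing <title> element")
    try:  # width/height must be plain pixel numbers that agree with the viewBox
        w = float(root.get("width", "").removesuffix("px"))
        h = float(root.get("height", "").removesuffix("px"))
        vb = [float(v) for v in root.get("viewBox", "").split()]
        if len(vb) != 4 or (vb[2], vb[3]) != (w, h):
            problems.append("viewBox does not match width/height")
    except ValueError:
        problems.append("width, height and viewBox must all be present as pixel numbers")
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local in FORBIDDEN_TAGS:
            problems.append("forbidden element <%s>" % local)
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]  # drops the xlink namespace if present
            if name.startswith("on"):
                problems.append("event handler attribute %s" % name)
            if name == "href" and not value.startswith("#"):
                problems.append("external reference: %s" % value)
            if "url(" in value and "url(#" not in value:
                problems.append("external url() in %s" % name)
    return problems


# Constructed samples: a minimal compliant logo and one that breaks several rules.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            'width="64" height="64" viewBox="0 0 64 64"><title>Example Co</title>'
            '<rect width="64" height="64" fill="#0a5"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
           'version="1.1" width="64" height="48" viewBox="0 0 64 64">'
           '<image xlink:href="http://example.com/logo.png" width="64" height="64"/>'
           '<script>/* any script is forbidden */</script></svg>')
```

Run check_bimi_svg(open("your_logo.svg").read()) against your exported file; an empty list means it passed every check here, not that a CA's validator will accept it.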
4. Brand Authority and Legal Entity Verification
The CA will perform thorough checks to confirm that your organization is the legal entity associated with both the domain and the trademark. This often involves providing business registration documents, articles of incorporation, and direct contact