Technical Reference · 2026 Edition

What Is a Mark Verifying Authority (MVA)? How VMCs Are Issued

Learn how the MVA ecosystem works, which Certificate Authorities are approved to issue Verified Mark Certificates, and why buying from an unapproved CA can break your BIMI deployment.

Last updated min read

The Certificate Chain: What Is a Mark Verifying Authority (MVA)?

A Verified Mark Certificate (VMC) is not issued by just any Certificate Authority. To issue VMCs, a CA must first earn the designation of Mark Verifying Authority (MVA) — a status granted only after meeting a rigorous set of technical, operational, and audit requirements defined by the AuthIndicators Working Group (commonly known as the BIMI Group).

Understanding the MVA ecosystem is essential before purchasing a VMC. Buying from an unapproved source means your certificate will not be recognised by Gmail, Apple Mail, or any other BIMI-capable mail client — and your brand logo will not appear in the inbox.


What Is a Mark Verifying Authority?

A Mark Verifying Authority (MVA) is a Certificate Authority that has been formally approved by the AuthIndicators Working Group to issue VMCs. The MVA performs two critical functions:

  1. Trademark verification — Confirms that the organisation requesting the VMC is the legitimate owner of the trademark associated with the logo.
  2. Certificate issuance — Issues a cryptographically signed VMC that binds the verified trademark to an SVG logo file and a domain.

Mail receivers such as Google and Apple trust only VMCs issued by approved MVAs. If a certificate is issued by a CA outside this approved list, the entire BIMI assertion fails silently — no logo is displayed, and no error is surfaced to the sender.


Approved MVAs as of 2025

The AuthIndicators Working Group maintains the authoritative list of approved MVAs. As of 2025, three Certificate Authorities hold MVA status:

| MVA | Notes | |---|---| | DigiCert | First approved MVA; issues VMCs under the DigiCert brand | | Sectigo | Issues VMCs; historically strong in S/MIME and code signing | | GlobalSign | Issues VMCs; strong presence in enterprise PKI |

Important: This list changes as new CAs complete the approval process. Always verify current MVA status at the AuthIndicators Working Group before purchasing.

How a CA Becomes an MVA

The approval process is deliberately demanding. A CA must satisfy every requirement below before the BIMI Group grants MVA status.

1. Publish a Certification Practice Statement (CPS)

The CA must publish a Certification Practice Statement — a detailed public document describing exactly how it issues, manages, revokes, and renews VMCs. The CPS must specifically address VMC issuance procedures and trademark verification workflows.

2. Log to Certificate Transparency (CT) Logs

Every VMC issued must be submitted to Certificate Transparency logs — publicly auditable, append-only records of all certificates issued. This allows mail receivers, researchers, and domain owners to detect misissued or fraudulent certificates.

3. Establish Certificate Revocation Infrastructure

The CA must operate and maintain Certificate Revocation Lists (CRLs) — or equivalent OCSP responders — so that compromised or incorrectly issued VMCs can be revoked promptly. Mail receivers check revocation status before displaying a logo.

4. Undergo WebTrust VMC Audits

The CA must commission and pass a WebTrust for VMC audit conducted by an accredited third-party auditor. WebTrust audits assess whether the CA's actual practices match its published CPS. These audits are repeated annually, creating an ongoing compliance burden.

5. Register in the CCADB

The CA must be registered in the Common CA Database (CCADB) — the shared repository used by Mozilla, Microsoft, Apple, and Google to track trusted Certificate Authorities. CCADB registration is a prerequisite for any CA seeking trust from major platform vendors.


Why VMCs Cost $1,000 or More

The compliance infrastructure described above is expensive to build and maintain. Each approved MVA must:

  • Fund annual WebTrust audits (typically tens of thousands of dollars per audit cycle)
  • Operate high-availability CT log submission pipelines
  • Maintain 24/7 CRL and OCSP infrastructure
  • Staff trademark verification teams capable of validating IP ownership across global trademark registries
  • Sustain CCADB registration and respond to policy changes from browser and mail platform vendors

These costs are passed on to buyers. A VMC priced below the market rate of $1,000–$1,500 per year should be treated as a red flag — it may indicate the issuing CA has not completed the full MVA approval process.


Why This Matters When You Buy a VMC

Only approved MVAs produce accepted certificates

Gmail and Apple Mail validate the entire certificate chain before displaying a BIMI logo. If the issuing CA is not on the approved MVA list, the chain validation fails and no logo is shown. There is no fallback, no warning, and no partial display.

MVAs are required to confirm trademark ownership through official trademark registries (USPTO, EUIPO, WIPO, and others). This step protects both the mail ecosystem and your brand. A VMC issued without proper trademark verification is non-compliant and revocable.

Revocation can happen at any time

If an MVA discovers a certificate was issued incorrectly — or if your trademark registration lapses — the VMC can be revoked. Because mail receivers check revocation status in near-real-time, a revoked VMC causes immediate logo disappearance across all inboxes.


Key Takeaways

  • MVA status is granted by the AuthIndicators Working Group, not self-declared by a CA.
  • Three MVAs are currently approved: DigiCert, Sectigo, and GlobalSign.
  • The approval process requires a published CPS, CT logging, CRL infrastructure, WebTrust audits, and CCADB registration.
  • High VMC pricing reflects genuine compliance costs — not arbitrary margin.
  • Always verify MVA status before purchasing. A certificate from an unapproved CA will not work with Gmail or Apple Mail.

Next Steps

Before purchasing a VMC, ensure your BIMI foundation is in place:

  1. DMARC enforcement — Your domain must have a DMARC policy of p=quarantine or p=reject.
  2. SVG logo compliance — Your logo must conform to the BIMI SVG Tiny P/S profile.
  3. Trademark registration — Your logo must be registered as a trademark in a jurisdiction recognised by your chosen MVA.

Get Started with makeBIMI.com and veriBIMI.com

  • makeBIMI.com — Convert your logo to a BIMI-compliant SVG Tiny PS file for free, and run a full DMARC audit on your domain before you apply for a VMC.
  • veriBIMI.com — CA-agnostic VMC brokerage for enterprise teams. Compare pricing and issuance timelines across all approved MVAs — DigiCert, Sectigo, and GlobalSign — from a single platform, without vendor lock-in.