VMC & CMC Certificates
Everything you need to obtain, host, and reference a BIMI certificate — the final step between your compliant SVG and a verified logo in the inbox.
I. Why a Certificate?
A BIMI DNS record with only the l= tag (logo URI) will display your logo in some clients, but the major providers — Gmail in particular — require cryptographic proof that the logo is legitimately associated with your domain. That proof is the certificate referenced in the a= tag.
The certificate is a standard X.509 file, served as a PEM over HTTPS, that binds your SVG logo to your domain identity. Without it, Gmail will not display your logo regardless of how perfect your SVG or DMARC policy is.
II. VMC — Verified Mark Certificate
A Verified Mark Certificate (VMC) is the premium tier. It requires a registered trademark and is issued by one of two currently accredited CAs:
- Entrust — entrust.com
- DigiCert — digicert.com
The VMC issuance process requires:
- A registered trademark in a recognized jurisdiction (USPTO, EUIPO, UKIPO, CIPO, IP Australia, and others)
- The trademark must cover the exact logo being submitted
- Domain ownership verification
- The SVG Tiny P/S file to be embedded in the certificate
VMCs unlock the official Gmail blue checkmark — the verified sender indicator visible in Gmail's inbox view next to your brand name. They are also honored by Yahoo Mail and Apple Mail at the highest trust tier.
III. CMC — Common Mark Certificate
A Common Mark Certificate (CMC) does not require a registered trademark. It verifies domain ownership and logo association only. CMCs are accepted by Yahoo Mail, Apple Mail, and Fastmail. As of 2026, Gmail does not display the blue checkmark for CMC-backed records.
CMCs are the right path for startups, SMBs, and creators who want verified logo display without the cost and timeline of trademark registration. The issuance process is faster and less expensive than a VMC.
CMC issuers include Entrust and DigiCert (same CAs as VMC), with additional providers entering the market as the standard matures.
IV. Hosting Your Certificate
Once issued, your certificate is a PEM-encoded file (typically named bimi-cert.pem or similar). It must be hosted at a stable, publicly accessible HTTPS URL — the same infrastructure requirements as your SVG file.
Key hosting requirements:
- Served over HTTPS with a valid TLS certificate
- HTTP
200 OKresponse — no redirects - Content-Type:
application/x-pem-fileortext/plain - No authentication or access control
- High availability — CDN hosting recommended
https://yourdomain.com/bimi/logo.svg # l= tag
https://yourdomain.com/bimi/cert.pem # a= tag
V. The Complete BIMI DNS Record
Once your SVG is hosted and your certificate is issued and hosted, your full BIMI DNS record looks like this:
"v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/cert.pem"
The v=BIMI1 tag declares the version. The l= tag points to your SVG Tiny P/S file. The a= tag points to your PEM certificate. All three are required for full Gmail support.
Use the Domain Audit tool to verify your record is correctly published and your DMARC policy is at enforcement before expecting logo display.
VI. Timeline & Cost
- VMC (with existing trademark): 1–4 weeks for issuance. Cost: approximately $1,200–$1,500/year depending on CA and jurisdiction.
- VMC (trademark registration required): 6–18 months for trademark registration, then 1–4 weeks for VMC issuance. Trademark costs vary by jurisdiction ($250–$400 per class at USPTO).
- CMC: 1–5 business days for issuance. Cost: approximately $100–$300/year depending on CA.
Ready to generate your BIMI-compliant SVG?