Certificate Guide · 2026 Edition

VMC & CMC Certificates

Everything you need to obtain, host, and reference a BIMI certificate — the final step between your compliant SVG and a verified logo in the inbox.

I. Why a Certificate?

A BIMI DNS record with only the l= tag (logo URI) will display your logo in some clients, but the major providers — Gmail in particular — require cryptographic proof that the logo is legitimately associated with your domain. That proof is the certificate referenced in the a= tag.

The certificate is a standard X.509 file, served as a PEM over HTTPS, that binds your SVG logo to your domain identity. Without it, Gmail will not display your logo regardless of how perfect your SVG or DMARC policy is.

II. VMC — Verified Mark Certificate

A Verified Mark Certificate (VMC) is the premium tier. It requires a registered trademark and is issued by one of two currently accredited CAs:

The VMC issuance process requires:

VMCs unlock the official Gmail blue checkmark — the verified sender indicator visible in Gmail's inbox view next to your brand name. They are also honored by Yahoo Mail and Apple Mail at the highest trust tier.

III. CMC — Common Mark Certificate

A Common Mark Certificate (CMC) does not require a registered trademark. It verifies domain ownership and logo association only. CMCs are accepted by Yahoo Mail, Apple Mail, and Fastmail. As of 2026, Gmail does not display the blue checkmark for CMC-backed records.

CMCs are the right path for startups, SMBs, and creators who want verified logo display without the cost and timeline of trademark registration. The issuance process is faster and less expensive than a VMC.

CMC issuers include Entrust and DigiCert (same CAs as VMC), with additional providers entering the market as the standard matures.

IV. Hosting Your Certificate

Once issued, your certificate is a PEM-encoded file (typically named bimi-cert.pem or similar). It must be hosted at a stable, publicly accessible HTTPS URL — the same infrastructure requirements as your SVG file.

Key hosting requirements:

# Example hosting structure
https://yourdomain.com/bimi/logo.svg # l= tag
https://yourdomain.com/bimi/cert.pem # a= tag

V. The Complete BIMI DNS Record

Once your SVG is hosted and your certificate is issued and hosted, your full BIMI DNS record looks like this:

default._bimi.yourdomain.com IN TXT
"v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/cert.pem"

The v=BIMI1 tag declares the version. The l= tag points to your SVG Tiny P/S file. The a= tag points to your PEM certificate. All three are required for full Gmail support.

Use the Domain Audit tool to verify your record is correctly published and your DMARC policy is at enforcement before expecting logo display.

VI. Timeline & Cost

Ready to generate your BIMI-compliant SVG?

Convert Your Logo → Audit Your Domain