Does Gmail Require a VMC for BIMI? (2026 Update)
Does Gmail Require a VMC for BIMI? (2026 Update)
The most common question administrators ask when planning a BIMI deployment is whether a cryptographic certificate is required. Yes. To display your logo in Gmail or Apple Mail, you must obtain a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC).
This article documents the policy differences between mailbox providers and the reasons the largest providers enforce certificate-based verification [1].
The Two Tiers of BIMI
The Brand Indicators for Message Identification (BIMI) protocol defines two implementation tiers:
- Self-asserted BIMI: The domain owner publishes a DNS record that references a logo file. No third party verifies the owner's identity.
- Certified BIMI: The domain owner publishes a DNS record that references both a logo file and a
.pemcertificate issued by a recognized Certificate Authority (CA).
Yahoo standard (self-asserted)
Yahoo Mail and AOL accept the self-asserted tier. Your logo displays in these clients when your domain enforces DMARC with p=quarantine or p=reject and your logo conforms to the W3C SVG Tiny P/S specification. A VMC is not required.
Google and Apple standard (certified)
Gmail, Google Workspace, iOS Mail, macOS Mail, and iCloud Mail require the certified tier. These clients reject self-asserted records. If your BIMI record does not include an a= tag that references a valid certificate, these clients ignore the record and display a generic silhouette placeholder [2].
Why Gmail and Apple require certificates
The certificate requirement addresses a specific gap in DMARC's protections.
DMARC verifies that a message originated from the domain in the From header. DMARC does not verify that the domain owner has the legal right to display a given logo. Without a certificate requirement, an attacker could register secure-bank-alerts.com, enforce DMARC on it, and publish a self-asserted BIMI record that references a legitimate bank's logo.
To prevent this form of visual spoofing, Google and Apple delegate identity verification to WebTrust-audited Certificate Authorities, including Entrust and GlobalSign.
When you apply for a VMC, the CA performs a notarized identity check on your organization and validates your logo against official trademark registries. The CA issues the certificate only after this verification completes.
The blue checkmark
Gmail displays a verified blue checkmark next to the sender name for domains that deploy a VMC. The checkmark signals to the recipient that both the sending infrastructure and the brand identity have been cryptographically verified.
[!NOTE]
A Common Mark Certificate (CMC) displays your logo in Gmail without requiring a registered trademark, but it does not activate the blue checkmark.
Implementation path
To display your logo in Gmail and Apple Mail, complete the following steps:
- Meet the technical prerequisites. Enforce DMARC on your domain and produce a logo file that conforms to the W3C SVG Tiny P/S specification. To automate file preparation, use makeBIMI.
- Obtain a certificate. The CA application process requires trademark documentation and compliance review. Enterprises typically engage a brokerage such as veriBIMI to audit the infrastructure, manage trademark verification, and issue the final certificate.
A self-asserted record is suitable for testing. Production deployments in Gmail and Apple Mail require a certificate.
References
[1] AuthIndicators Working Group. "BIMI Certificates." BIMI Group, https://bimigroup.org/bimi-certificates/ [2] Google Workspace Admin Help. "Set up BIMI." Google Support, https://support.google.com/a/answer/10911320