Technical Reference · 2026 Edition

How to Get a Verified Mark Certificate (VMC): Step-by-Step Guide

A complete step-by-step guide to obtaining a Verified Mark Certificate (VMC) for BIMI email authentication. Covers DMARC enforcement, trademark registration, SVG conversion, CA application, and DNS deployment.

Last updated July 5, 2026 6 min read

The Path to a Verified Mark Certificate

A Verified Mark Certificate (VMC) is a digital certificate issued by an approved Certificate Authority (CA) that cryptographically binds your registered trademark logo to your email-sending domain. When deployed correctly alongside a BIMI DNS record, it instructs participating mailbox providers—including Gmail, Yahoo Mail, Apple Mail, and Fastmail—to display your brand logo in the inbox next to authenticated messages.

This guide covers every prerequisite and action required to obtain and deploy a VMC, in the correct sequence.


Prerequisites at a Glance

Before you begin, confirm you can satisfy all of the following:

  • DMARC policy at p=reject or p=quarantine (enforcement required)
  • A registered trademark for your logo in at least one qualifying jurisdiction
  • An SVG logo file that conforms to the W3C SVG Tiny 1.2 Portable/Secure (P/S) profile
  • Access to your domain's DNS to publish the BIMI record
  • A budget for the VMC — certificates are issued annually and priced per domain

Step 1: Enforce DMARC at Policy Level

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a non-negotiable foundation. A VMC has no effect unless your domain passes DMARC alignment, and mailbox providers will not render BIMI logos for domains operating below enforcement level.

Requirements

  • SPF and DKIM must both be configured and aligned for your sending domain.
  • Your DMARC record must specify p=reject or p=quarantine. A policy of p=none does not qualify.
  • The DMARC record must be published at the organizational domain (e.g., _dmarc.example.com), not a subdomain.
  1. Publish an initial DMARC record at p=none with rua and ruf reporting addresses.
  2. Collect aggregate reports for a minimum of two to four weeks.
  3. Identify all legitimate mail streams and ensure each passes SPF or DKIM alignment.
  4. Advance the policy incrementally: p=nonep=quarantinep=reject.
  5. Confirm the final record reads similarly to:
text
_dmarc.example.com  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"
Important: Do not proceed to subsequent steps until DMARC enforcement is stable. A misconfigured mail stream discovered after VMC issuance can cause legitimate email to be rejected.

Step 2: Register Your Trademark

A VMC can only be issued for a logo that is a registered trademark in a jurisdiction recognised by the issuing CA. This is the step most organisations underestimate in terms of lead time.

Qualifying jurisdictions (as of 2024)

Approved CAs currently accept trademark registrations from the following offices:

| Jurisdiction | Office | |---|---| | United States | USPTO | | European Union | EUIPO | | United Kingdom | UKIPO | | Canada | CIPO | | Australia | IP Australia | | Germany | DPMA | | France | INPI | | Japan | JPO | | Spain | OEPM | | Switzerland | IPI | | India | CGPDTM | | Brazil | INPI-BR | | South Korea | KIPO | | United Kingdom | UKIPO |

This list expands periodically. Verify the current list with your chosen CA before filing.

Key considerations

  1. The trademark must cover the exact logo you intend to use in BIMI. A word mark (text only) does not qualify; the registration must be for a figurative or device mark (a logo).
  2. Registration status must be active at the time of VMC issuance and throughout the certificate's validity period.
  3. Trademark registration timelines vary by jurisdiction. USPTO examination alone typically takes 8–12 months. Plan accordingly.
  4. If your logo is already registered, confirm the registration number and the exact image on file — the SVG you submit must match the registered mark.

Step 3: Convert Your Logo to SVG Tiny 1.2 Portable/Secure

This is the most technically demanding step for most brand and design teams. The VMC specification requires your logo to be encoded as an SVG Tiny 1.2 Portable/Secure (P/S) file. Standard SVG files exported from Adobe Illustrator, Figma, or Inkscape will not pass CA validation without modification.

What is SVG Tiny 1.2 P/S?

SVG Tiny 1.2 is a subset of the SVG specification designed for constrained environments. The Portable/Secure profile adds further restrictions to prevent executable content, external resource loading, and scripting — all of which are security risks in an email rendering context.

Common SVG elements that must be removed or replaced

| Disallowed element or feature | Reason | |---|---| |