Technical Reference · 2026 Edition

Which Certificate Authorities Issue VMCs in 2026?

Critical 2026 update: Entrust exited public certificate issuance. Learn which CAs now issue VMCs and CMCs, what happened to Entrust VMCs, and how to renew correctly.

Last updated min read

Which Certificate Authorities Issue VMCs in 2026?

Critical update: The CA landscape for BIMI certificates changed significantly in late 2024. If you purchased a Verified Mark Certificate (VMC) from Entrust, your renewal path has changed. Read this article before your certificate expires.

Overview

Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs) are the cryptographic credentials that enable brand logos to appear in supporting email clients via BIMI. Not every Certificate Authority (CA) is qualified to issue them.

In November 2024, Entrust exited the public certificate business entirely, selling its public CA division to Sectigo. This single event reshaped the VMC issuance landscape and created a direct action requirement for any organisation holding an Entrust-issued VMC.

This article documents:

  • Which CAs are qualified to issue VMCs and CMCs in 2026
  • What happened to Entrust's public CA business
  • What Entrust VMC holders must do at renewal
  • Why Apple Mail imposes stricter CA requirements

What Changed: The Entrust Exit

November 2024: Entrust Stops Issuing Public Certificates

In November 2024, Entrust announced it would cease issuing publicly trusted TLS and mark certificates, including VMCs. This decision followed Google's earlier announcement that Chrome would no longer trust new Entrust TLS certificates — a move that signalled a broader loss of ecosystem confidence in Entrust's public CA operations.

Key facts:

  • Entrust stopped issuing new VMCs as part of its public certificate wind-down.
  • Entrust sold its public CA division — including its certificate issuance infrastructure and customer base — to Sectigo.
  • Existing Entrust-issued VMCs remain cryptographically valid until their stated expiry date. No immediate action is required for in-date certificates.
  • Renewal must be completed through a different qualified CA. Entrust will not renew VMCs.

What Sectigo Acquired

Sectigo did not simply rebrand Entrust certificates. Sectigo acquired the operational infrastructure and customer relationships of Entrust's public CA division, positioning itself as the continuity path for former Entrust customers. Sectigo is now independently qualified as a VMC-issuing CA in its own right.


Qualified CAs for VMC Issuance in 2026

A CA must meet the requirements of the BIMI Working Group's Verified Mark Certificate Guidelines and maintain a root certificate trusted by major email providers. The following CAs are qualified to issue VMCs as of 2026:

| CA | VMC Issuance | Notes | |---|---|---| | DigiCert | ✅ Yes | Longest-standing VMC issuer; widely supported | | Sectigo | ✅ Yes | Acquired Entrust's public CA division; new entrant for VMC | | GlobalSign | ✅ Yes | Qualified for both VMC and CMC |

Entrust: ❌ No longer issuing VMCs. Entrust-issued VMCs already in circulation remain valid until expiry but cannot be renewed through Entrust.

Qualified CAs for CMC Issuance in 2026

Common Mark Certificates (CMCs) are a newer certificate type that enables BIMI logo display without requiring a registered trademark — making them accessible to a broader range of organisations. The qualified CMC issuers as of 2026 are:

| CA | CMC Issuance | Notes | |---|---|---| | GlobalSign | ✅ Yes | Early CMC adopter | | SSL.com | ✅ Yes | Competitive pricing; growing adoption | | DigiCert | ✅ Yes | Consistent with its VMC offering |

Note: CMC support across email clients is still maturing. Verify current client support before choosing CMC over VMC for your deployment.

Apple Mail and CA Requirements

Apple Mail enforces stricter requirements than other BIMI-supporting clients. Specifically:

  • Apple Mail requires that your VMC be issued by a CA it explicitly recognises as qualified.
  • A VMC from an unrecognised or delisted CA will not trigger logo display in Apple Mail, even if the certificate is otherwise technically valid.
  • This makes CA selection a deliverability and brand visibility decision, not just a compliance checkbox.

Practical implication: If your audience uses Apple Mail — which holds a significant share of mobile email opens — you must ensure your VMC is issued by DigiCert, Sectigo, or GlobalSign. An expired or improperly renewed certificate from a non-qualified CA will silently fail.


Action Required: Entrust VMC Holders

If your organisation purchased a VMC from Entrust before November 2024, follow these steps:

  1. Locate your certificate expiry date. Check your certificate management portal or inspect the certificate directly. Entrust VMCs are valid until their stated expiry — there is no forced revocation.
  1. Do not attempt to renew through Entrust. Entrust is no longer issuing public certificates. Any renewal workflow initiated through Entrust will not result in a valid new VMC.
  1. Select a qualified replacement CA. Choose from DigiCert, Sectigo, or GlobalSign based on your requirements, budget, and existing vendor relationships.
  1. Prepare your SVG logo file. VMC issuance requires a BIMI-compliant SVG Tiny 1.2 file. If your existing SVG was prepared for your Entrust VMC, verify it still meets current specification requirements before submitting to a new CA.
  1. Confirm your DMARC policy. A valid VMC requires an enforced DMARC policy (p=quarantine or p=reject). Confirm your DMARC record is correctly configured before initiating the new certificate application.
  1. Submit your VMC application to the chosen CA. Allow for trademark verification processing time, which typically ranges from several days to several weeks depending on the CA and trademark jurisdiction.
  1. Update your BIMI DNS record with the new certificate URL once issued. The bimi TXT record's a= tag must point to the new VMC location.

Choosing Between VMC and CMC in 2026

| Factor | VMC | CMC | |---|---|---| | Trademark required | Yes — registered trademark | No | | Email client support | Broad, including Apple Mail | Growing; verify per client | | Issuing CAs | DigiCert, Sectigo, GlobalSign | GlobalSign, SSL.com, DigiCert | | Cost | Higher | Lower | | Best for | Established brands with registered marks | Brands without registered trademarks |

If your organisation holds a registered trademark and targets Apple Mail users, a VMC remains the recommended choice in 2026.


Summary

  • Entrust exited public certificate issuance in November 2024 and sold its public CA division to Sectigo.
  • Qualified VMC issuers in 2026: DigiCert, Sectigo, GlobalSign.
  • Qualified CMC issuers in 2026: GlobalSign, SSL.com, DigiCert.
  • Entrust VMCs remain valid until expiry but must be renewed through a different qualified CA.
  • Apple Mail requires a VMC from a recognised qualified CA for logo display.
  • Entrust VMC holders must act before their certificate expires to avoid logo display interruption.

Next Steps

Prepare your BIMI assets and verify your configuration: