How to Get a Verified Mark Certificate (VMC): Step-by-Step Guide
A complete step-by-step guide to obtaining a Verified Mark Certificate (VMC) for BIMI email authentication. Covers DMARC enforcement, trademark registration, SVG conversion, CA application, and DNS deployment.
The Path to a Verified Mark Certificate
A Verified Mark Certificate (VMC) is a digital certificate issued by an approved Certificate Authority (CA) that cryptographically binds your registered trademark logo to your email-sending domain. When deployed correctly alongside a BIMI DNS record, it instructs participating mailbox providers—including Gmail, Yahoo Mail, Apple Mail, and Fastmail—to display your brand logo in the inbox next to authenticated messages.
This guide covers every prerequisite and action required to obtain and deploy a VMC, in the correct sequence.
Prerequisites at a Glance
Before you begin, confirm you can satisfy all of the following:
- DMARC policy at
p=rejectorp=quarantine(enforcement required) - A registered trademark for your logo in at least one qualifying jurisdiction
- An SVG logo file that conforms to the W3C SVG Tiny 1.2 Portable/Secure (P/S) profile
- Access to your domain's DNS to publish the BIMI record
- A budget for the VMC — certificates are issued annually and priced per domain
Step 1: Enforce DMARC at Policy Level
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a non-negotiable foundation. A VMC has no effect unless your domain passes DMARC alignment, and mailbox providers will not render BIMI logos for domains operating below enforcement level.
Requirements
- SPF and DKIM must both be configured and aligned for your sending domain.
- Your DMARC record must specify
p=rejectorp=quarantine. A policy ofp=nonedoes not qualify. - The DMARC record must be published at the organizational domain (e.g.,
_dmarc.example.com), not a subdomain.
Recommended path to enforcement
- Publish an initial DMARC record at
p=nonewithruaandrufreporting addresses. - Collect aggregate reports for a minimum of two to four weeks.
- Identify all legitimate mail streams and ensure each passes SPF or DKIM alignment.
- Advance the policy incrementally:
p=none→p=quarantine→p=reject. - Confirm the final record reads similarly to:
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
Important: Do not proceed to subsequent steps until DMARC enforcement is stable. A misconfigured mail stream discovered after VMC issuance can cause legitimate email to be rejected.
Step 2: Register Your Trademark
A VMC can only be issued for a logo that is a registered trademark in a jurisdiction recognised by the issuing CA. This is the step most organisations underestimate in terms of lead time.
Qualifying jurisdictions (as of 2024)
Approved CAs currently accept trademark registrations from the following offices:
| Jurisdiction | Office | |---|---| | United States | USPTO | | European Union | EUIPO | | United Kingdom | UKIPO | | Canada | CIPO | | Australia | IP Australia | | Germany | DPMA | | France | INPI | | Japan | JPO | | Spain | OEPM | | Switzerland | IPI | | India | CGPDTM | | Brazil | INPI-BR | | South Korea | KIPO | | United Kingdom | UKIPO |
This list expands periodically. Verify the current list with your chosen CA before filing.
Key considerations
- The trademark must cover the exact logo you intend to use in BIMI. A word mark (text only) does not qualify; the registration must be for a figurative or device mark (a logo).
- Registration status must be active at the time of VMC issuance and throughout the certificate's validity period.
- Trademark registration timelines vary by jurisdiction. USPTO examination alone typically takes 8–12 months. Plan accordingly.
- If your logo is already registered, confirm the registration number and the exact image on file — the SVG you submit must match the registered mark.
Step 3: Convert Your Logo to SVG Tiny 1.2 Portable/Secure
This is the most technically demanding step for most brand and design teams. The VMC specification requires your logo to be encoded as an SVG Tiny 1.2 Portable/Secure (P/S) file. Standard SVG files exported from Adobe Illustrator, Figma, or Inkscape will not pass CA validation without modification.
What is SVG Tiny 1.2 P/S?
SVG Tiny 1.2 is a subset of the SVG specification designed for constrained environments. The Portable/Secure profile adds further restrictions to prevent executable content, external resource loading, and scripting — all of which are security risks in an email rendering context.
Common SVG elements that must be removed or replaced
| Disallowed element or feature | Reason |
|---|---|
| tags | Security: executable code |
| External href references | Security: remote resource loading |
| elements with raster data | Not permitted in Tiny P/S |
| CSS animations (@keyframes) | Not in Tiny 1.2 profile |
| Filters and blend modes | Outside Tiny 1.2 scope |
| Non-SVG namespaces | Profile compliance |
| foreignObject | Not permitted |
Conversion requirements
- The file must declare the correct SVG Tiny 1.2 namespace and profile:
<svg version="1.2" baseProfile="tiny-ps"
xmlns="http:class="hl-cmt">//www.w3.org/2000/svg" ...>
- A
element must be present as the first child of the rootelement. - The file must be self-contained — no external fonts, images, or stylesheets.
- The canvas should be square (equal width and height). Most mailbox providers crop or mask logos to a circular or square format.
- File size should be kept under 32 KB after conversion.
Validation
After conversion, validate the file against the SVG Tiny P/S schema before submitting to a CA. Submitting a non-compliant file will result in rejection and delay issuance.
Free SVG conversion tool: makeBIMI.com converts your logo to a BIMI-compliant SVG Tiny 1.2 P/S file at no cost. Upload your existing logo file and download a CA-ready SVG.
Step 4: Apply to an Approved Certificate Authority
Once your DMARC policy is enforced, your trademark is registered, and your SVG is compliant, you can apply for a VMC from an approved CA.
Approved Certificate Authorities
As of 2024, two CAs are authorised to issue VMCs:
- DigiCert — digicert.com
- Entrust — entrust.com
Additional CAs may be approved over time. Check the BIMI Group's CA list for the current authorised issuers.
What the CA validates
The CA performs the following checks before issuing a VMC:
- Domain control validation (DCV): You must prove ownership of the domain for which the VMC is being issued.
- Trademark verification: The CA verifies the trademark registration against the relevant IP office database. You will need to provide your registration number and jurisdiction.
- Logo-to-trademark match: The SVG you submit is compared against the registered mark. They must be substantively identical.
- DMARC enforcement check: Some CAs verify that a DMARC