Technical Reference · 2026 Edition

Why Let's Encrypt Doesn't Issue BIMI Certificates (VMC/CMC)

Let's Encrypt cannot issue Verified Mark Certificates (VMC) or Common Mark Certificates (CMC) because BIMI certificate issuance requires manual trademark verification that the ACME protocol cannot automate. Learn why VMCs cost $1,000+ and how the process works.

Last updated min read

The automation gap.

Let's Encrypt is one of the most successful certificate authorities in internet history. It has issued billions of TLS certificates, driven HTTPS adoption across the web, and done so entirely for free. So when organisations begin implementing BIMI and discover that Mark Certificates cost upward of $1,000 per year, the natural question appears in forums and support threads almost immediately:

"Why can't Let's Encrypt just issue VMCs?"

The short answer: the ACME protocol automates domain control validation. BIMI certificates require something fundamentally different — human judgment about trademark ownership and brand identity. Those two things are not reconcilable with the same toolchain.

This article explains the structural reasons why, what the verification process for VMCs and CMCs actually involves, and why the cost gap between a free TLS certificate and a $1,000+ Mark Certificate is not arbitrary pricing — it reflects genuine manual labour performed by accredited examiners.


Background: What Let's Encrypt actually does

Let's Encrypt operates on the ACME protocol (Automated Certificate Management Environment, RFC 8555). The entire model is built around one question:

Does the entity requesting this certificate control the domain name in question?

To answer that question automatically, Let's Encrypt uses one of three challenge types:

  1. HTTP-01 — Place a specific token at a known URL on the domain.
  2. DNS-01 — Publish a specific TXT record in the domain's DNS zone.
  3. TLS-ALPN-01 — Respond to a TLS handshake on port 443 with a specific certificate.

If the challenge succeeds, domain control is proven. The certificate is issued in seconds. No human reviews the request. No human could review the request — Let's Encrypt issues millions of certificates per day.

This model works precisely because domain control is a binary, machine-verifiable fact. Either the token is present or it is not.


What a BIMI Mark Certificate actually certifies

A Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) does not certify domain control. It certifies something categorically different:

That a specific SVG logo is legitimately associated with a specific organisation, and that the organisation has the right to display that logo in email clients.

To make that assertion, a certificate authority must answer questions that have no machine-verifiable answer:

  1. Does this organisation own or license the trademark depicted in the logo?
  2. Is the SVG file a faithful representation of that registered trademark?
  3. Has the logo been in continuous, public use long enough to qualify under CMC historical-use rules?
  4. Is the organisation the same legal entity named on the trademark registration?

None of these questions can be resolved by placing a file on a web server.


The VMC verification process: what examiners actually do

Accredited Mark Verifiers (AMVs) — the small number of CAs authorised to issue VMCs, currently including DigiCert and Entrust — follow a defined examination workflow for each application. The steps below reflect the published requirements from the BIMI Working Group and CA/Browser Forum Mark Certificate guidelines.

1. Trademark registration verification

The examiner retrieves the trademark registration record from the relevant national or international registry (USPTO, EUIPO, WIPO, IPO, etc.) and confirms:

  • The mark is registered (not merely applied for).
  • The registration is active and not expired, cancelled, or abandoned.
  • The goods and services classes are consistent with the applicant's business.
  • The owner of record matches the legal entity submitting the certificate request.

This step requires access to multiple trademark databases, knowledge of international IP law, and judgment about edge cases — for example, whether a pending renewal constitutes a lapsed registration.

2. Logo-to-trademark correspondence review

The examiner compares the submitted SVG file against the trademark specimen on record and determines whether they are substantially the same mark. This is not a pixel-diff operation. It requires human assessment of:

  • Stylistic equivalence across different file formats.
  • Whether colour variations are within acceptable tolerance.
  • Whether simplified or adapted versions still represent the registered mark.

3. SVG technical compliance check

The SVG must conform to the BIMI SVG Tiny P/S profile — a restricted subset of SVG 1.2 Tiny. Examiners verify that the file:

  • Contains no raster image embeds.
  • Uses no JavaScript or external references.
  • Includes the correct </code> element.</li> <li class="md-li">Renders correctly within a square viewport.</li> </ul> <p class="md-p"> This is the one step that is partially automatable, and several CAs do run automated pre-checks. However, automated checks do not replace examiner sign-off. </p> <h3 id="4-organisational-identity-verification" class="md-h3">4. Organisational identity verification</h3> <p class="md-p"> The examiner confirms that the certificate applicant is the same legal entity named on the trademark registration. This typically involves: </p> <ul class="md-ul"> <li class="md-li">Reviewing incorporation documents or equivalent business registration records.</li> <li class="md-li">Confirming the applicant's authorised representative has signing authority.</li> <li class="md-li">Cross-referencing against existing identity records if the organisation has prior certificates.</li> </ul> <h3 id="5-cmc-historical-use-verification-where-applicable" class="md-h3">5. CMC historical-use verification (where applicable)</h3> <p class="md-p"> Common Mark Certificates — introduced to support logos that are widely recognised but not formally registered as trademarks — require a different evidentiary standard. Instead of a registration number, the applicant must demonstrate <strong>continuous, public use</strong> of the logo over a qualifying period. </p> <p class="md-p"> This is where the <strong>Wayback Machine</strong> (Internet Archive) and similar historical web records become relevant. Examiners: </p> <ol class="md-ol"> <li class="md-li">Search the Internet Archive for dated captures of the organisation's web presence showing the logo.</li> <li class="md-li">Verify that the logo visible in historical captures is <strong>substantially the same</strong> as the submitted SVG.</li> <li class="md-li">Confirm the captures span the required duration without significant gaps.</li> <li class="md-li">Assess whether the historical use was genuinely public-facing, not internal or incidental.</li> </ol> <p class="md-p"> This process is inherently manual. The Wayback Machine does not expose an API that returns a structured "logo continuity score." An examiner must retrieve captures, visually inspect them, and make a judgment call. Edge cases — a site redesign mid-period, a logo refresh, a domain change — require correspondence with the applicant and additional documentation. </p> <hr class="md-hr" /> <h2 id="why-the-acme-protocol-cannot-bridge-this-gap" class="md-h2">Why the ACME protocol cannot bridge this gap</h2> <p class="md-p"> The ACME protocol is designed to automate <strong>cryptographic proof of control</strong>. The challenges it defines produce outputs that are either valid or invalid with no ambiguity. </p> <p class="md-p"> Mark Certificate verification produces outputs that are <strong>judgments, not proofs</strong>. Consider: </p> <p class="md-p"> | Verification step | Machine-verifiable? | Reason | |---|---|---| | Domain control (TLS cert) | <strong>Yes</strong> | Token presence is binary | | Trademark registration status | Partially | Registry APIs exist, but interpretation requires legal context | | Logo-to-trademark correspondence | <strong>No</strong> | Requires visual and legal judgment | | SVG technical compliance | Partially | Automated pre-checks possible, not sufficient alone | | Organisational identity | <strong>No</strong> | Requires document review | | CMC historical logo use | <strong>No</strong> | Requires archival research and visual comparison | </p> <p class="md-p"> Even if a future version of ACME were extended with new challenge types, there is no challenge response that can prove "this SVG is a faithful representation of trademark registration number 5,678,901." That determination requires a qualified human examiner. </p> <hr class="md-hr" /> <h2 id="why-vmcs-cost-1-000-or-more" class="md-h2">Why VMCs cost $1,000 or more</h2> <p class="md-p"> The price of a VMC reflects the cost of the examination process described above, not the cost of the cryptographic operations involved in issuing a certificate. Those operations are trivially cheap. </p> <p class="md-p"> The cost components are: </p> <ol class="md-ol"> <li class="md-li"><strong>Examiner time</strong> — A qualified trademark examiner reviewing documentation, corresponding with applicants, and making determination decisions. Depending on complexity, a single application may require several hours of examiner time.</li> <li class="md-li"><strong>Access to trademark databases</strong> — Commercial access to USPTO, EUIPO, WIPO, and other registries is not free for high-volume users.</li> <li class="md-li"><strong>Liability and insurance</strong> — AMVs carry professional liability for their determinations. If a VMC is issued incorrectly and enables brand impersonation, the CA faces legal exposure.</li> <li class="md-li"><strong>Audit and compliance overhead</strong> — AMVs are</li> </ol> </div> <div class="doc-footer"> <a href="/" class="btn btn-primary">Convert Your Logo →</a> <a href="/check" class="btn btn-secondary">Audit Your Domain</a> </div> </main> </div> <footer> <div class="container footer-inner"> <div class="footer-left"> <span class="footer-copyright">© 2026 makeBIMI™</span> </div> <div class="footer-links"> <a href="/global" class="footer-link">Global</a> <a href="/knowledge">Learn</a> <a href="/certificates">VMC</a> <a href="https://veribimi.com" class="seo-link" rel="noopener">veriBIMI<sup style="font-size:0.45em; font-weight:400; color:rgba(247,248,248,0.28); position:relative; top:-0.5em; margin-left:1px; vertical-align:baseline;">℠</sup></a> <a href="https://veribimi.com/founder" rel="noopener">Founder</a> <a href="https://veribimi.com/privacy" rel="noopener">Privacy</a> </div> </div> </footer> <div class="cmd-overlay" id="cmd-overlay" role="dialog" aria-modal="true" aria-label="Command palette"> <div class="cmd-modal"> <div class="cmd-search-row"> <svg class="cmd-search-icon" width="15" height="15" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="11" cy="11" r="8"/><path d="m21 21-4.35-4.35"/></svg> <input type="text" class="cmd-input" id="cmd-input" placeholder="Search documentation, navigate pages…" autocomplete="off" /> <span class="cmd-esc">ESC</span> </div> <div class="cmd-results" id="cmd-results"></div> <div class="cmd-footer"> <span><kbd>↑↓</kbd> Navigate</span> <span><kbd>↵</kbd> Select</span> <span><kbd>ESC</kbd> Close</span> </div> </div> </div> <div class="toast-container" id="toast-container"></div> <!-- Inject sections data for Cmd+K --> <script> window.DOC_SECTIONS = ; </script> <script src="/public/js/app.js?v4"></script> <script src="/public/js/toc.js?v4"></script> <script src="/public/js/interactions.js?v4"></script> <!-- ── COOKIE CONSENT BANNER (EU/EEA only, based on CF-IPCountry) ── --> <div id="cookie-consent-banner" style="display:none;" role="dialog" aria-label="Cookie consent"> <div class="cookie-consent-inner"> <p class="cookie-consent-text"> We use Google Analytics to understand how visitors use this tool. No advertising cookies are set. <a href="https://veribimi.com/privacy" rel="noopener" class="cookie-consent-link">Privacy Policy</a> </p> <div class="cookie-consent-actions"> <button class="cookie-consent-btn cookie-consent-accept" onclick="acceptCookies()">Accept</button> <button class="cookie-consent-btn cookie-consent-decline" onclick="declineCookies()">Decline</button> </div> </div> </div> <script> (function() { // Only show for EU/EEA countries (Cloudflare sets CF-IPCountry via meta tag injected server-side) var country = document.documentElement.getAttribute('data-country') || ''; var EU_COUNTRIES = ['AT','BE','BG','CY','CZ','DE','DK','EE','ES','FI','FR','GR','HR', 'HU','IE','IT','LT','LU','LV','MT','NL','PL','PT','RO','SE','SI','SK', 'IS','LI','NO','GB','CH']; // EEA + UK + Switzerland (nFADP) var consent = localStorage.getItem('makebimi_cookie_consent'); if (!consent && EU_COUNTRIES.indexOf(country) !== -1) { document.getElementById('cookie-consent-banner').style.display = 'block'; } if (consent === 'declined') { // Remove GA4 script if previously declined var scripts = document.querySelectorAll('script[src*="googletagmanager"]'); scripts.forEach(function(s) { s.parentNode && s.parentNode.removeChild(s); }); } })(); function acceptCookies() { localStorage.setItem('makebimi_cookie_consent', 'accepted'); document.getElementById('cookie-consent-banner').style.display = 'none'; } function declineCookies() { localStorage.setItem('makebimi_cookie_consent', 'declined'); document.getElementById('cookie-consent-banner').style.display = 'none'; // Disable GA4 for this session window['ga-disable-G-S1HG2ZB83B'] = true; } </script> </body> </html>