Technical Reference · 2026 Edition

VMC vs CMC: Which BIMI Certificate Do You Need in 2026?

Last updated min read

VMC vs CMC: Which BIMI Certificate Do You Need in 2026?

The Brand Indicators for Message Identification (BIMI) protocol requires a cryptographic certificate to display a logo in supported email clients. As of 2026, Gmail and Apple Mail do not render brand logos unless a valid certificate is referenced in the domain's BIMI DNS record [1].

Two certificate types are available: the Verified Mark Certificate (VMC) and the Common Mark Certificate (CMC). This article describes the requirements, output, and use cases for each so you can select the correct certificate for your organization.

2026 Update: CMC Certificates Now Work in Gmail

What changed: Google began accepting Common Mark Certificates (CMC) for Gmail logo display in late 2024. This is a significant expansion from 2023, when CMC support was limited exclusively to Yahoo Mail.

What this means for senders

Starting in late 2024, Gmail renders your brand logo in the inbox when your BIMI DNS record references a valid CMC. Prior to this change, organizations without a registered trademark had no path to logo display in Gmail under the BIMI specification — Yahoo was the only major client that honoured CMC.

The checkmark distinction

CMC does not trigger the Gmail blue verified checkmark badge. The blue checkmark remains exclusively available to senders who hold a Verified Mark Certificate (VMC). The two outcomes are distinct:

| Certificate | Logo Displays in Gmail | Gmail Blue Checkmark | |---|---|---| | VMC | Yes | Yes | | CMC | Yes | No |

If your goal is logo visibility in Gmail without the checkmark indicator, a CMC now satisfies that requirement. If the blue checkmark is a business or brand-trust requirement, you must obtain a VMC.

Why this matters

This change lowers the barrier to entry for BIMI adoption. Organizations that cannot yet meet the trademark requirement for a VMC — including startups, SMBs, and brands with trademark applications in progress — can now achieve Gmail logo display using a CMC while pursuing a VMC in parallel.


The Verified Mark Certificate (VMC)

A VMC provides the highest level of identity assurance available under the BIMI specification. It cryptographically binds a registered trademark to the sending domain.

The trademark requirement

A VMC requires a registered trademark issued by a recognized intellectual property office, including the USPTO, EUIPO, IPO UK, JPO, or a WIPO Madrid Protocol registration [2]. The Certificate Authority (CA) validates the submitted SVG logo against the official trademark registry. The CA rejects the application if the SVG does not match the registered mark exactly, or if the trademark status is pending, opposed, or abandoned.

The blue checkmark indicator

Gmail displays a blue checkmark next to the sender name for messages authenticated with a VMC. The checkmark is not available with any other certificate type. Use a VMC if your organization requires the checkmark indicator for brand trust or deliverability metrics.

Use a VMC if: your organization holds a registered trademark for the logo and requires the Gmail blue checkmark. This typically applies to enterprise senders, regulated industries such as financial services, and high-volume B2C brands.

The Common Mark Certificate (CMC)

A CMC authenticates the sender's logo without requiring a registered trademark. It was added to the BIMI specification to allow organizations without trademark registrations to participate.

proof of use validation

A CMC requires proof that your organization has used the logo continuously in commerce for at least 12 months before the application date. Acceptable evidence includes dated screenshots of your website, archived pages from the Wayback Machine, social media profile history, and marketing collateral with verifiable dates. The CA reviews this documentation in place of a trademark registration.

Display behavior

A CMC displays your logo in Gmail and Apple Mail. A CMC does not enable the Gmail blue checkmark. If the blue checkmark is a requirement, you must obtain a VMC.

Use a CMC if: your organization uses an established logo but does not hold a registered trademark, or the trademark application is still in process. This applies to startups, small and medium-sized businesses, and organizations in trademark-pending status.

Comparison Matrix

| Feature | Verified Mark Certificate (VMC) | Common Mark Certificate (CMC) | |---|---|---| | Legal Requirement | Registered Trademark | 12-Month Proof of Use | | Logo Display in Gmail | Yes | Yes | | Logo Display in Apple Mail| Yes | Yes | | Gmail Blue Checkmark | Yes | No | | DMARC Requirement | p=quarantine or p=reject | p=quarantine or p=reject | | SVG Requirement | W3C SVG Tiny P/S | W3C SVG Tiny P/S |

How to Proceed

The technical prerequisites are identical for both certificate types. You must publish a DMARC record with a policy of p=quarantine or p=reject, and you must produce an SVG file that conforms to the W3C SVG Tiny Portable/Secure (P/S) profile. To generate a compliant SVG and audit your DMARC configuration at no cost, use makeBIMI.

After the technical prerequisites are in place, submit your certificate application to a BIMI-approved CA. The application requires either a trademark registration number (VMC) or a proof-of-use dossier (CMC). To manage the application and compliance documentation, use a certificate brokerage such as veriBIMI.


Ready to get started? Visit makeBIMI.com for a free SVG conversion tool and DMARC audit. For enterprise VMC and CMC certificate brokerage, visit veriBIMI.com.

References

[1] AuthIndicators Working Group. "BIMI Certificates." BIMI Group, https://bimigroup.org/bimi-certificates/ [2] Entrust. "Verified Mark Certificates (VMC)." Entrust, https://www.entrust.com/digital-security/certificate-solutions/products/digital-certificates/verified-mark-certificates