What is the Difference Between BIMI and a VMC Certificate?
BIMI is a DNS-based email standard. A VMC (Verified Mark Certificate) is a cryptographic credential issued by an audited Certificate Authority. They operate at different technical layers: BIMI defines where mailbox providers look for your logo; the VMC validates your right to display it. DMARC enforcement at p=quarantine or p=reject is a prerequisite for both.
“BIMI VMC certificate” is a phrase the industry treats as one product. It describes two. One is a DNS record your domain publishes. The other is a credential a Certificate Authority issues after verifying your identity and logo rights. That confusion leads to misconfigured deployments — teams who publish a BIMI record and wait for logos to appear, or acquire a certificate with no DNS record pointing to it.
Two Layers, Not One
- Published as a DNS TXT record at
default._bimi.<yourdomain> l=tag points to the URL of your hosted SVG Tiny PS logo filea=tag points to the URL of your VMC certificate file- Requires DMARC enforcement:
p=quarantineorp=reject - Spec is openly published; no licensing fee to configure DNS
- Cryptographic file issued by an audited CA (DigiCert, Sectigo, GlobalSign)
- Validates the organizational relationship between domain, logo, and rights holder
- Requires a trademark registered with recognized trademark offices or CA-accepted trademark records
- Referenced in the BIMI record via the
a=tag — not a logo delivery file - Issued with a defined validity period; must be renewed before expiry
Feature Comparison
| Feature | BIMI Protocol | VMC Certificate |
|---|---|---|
| Technical form | DNS TXT record | Cryptographic PEM file |
| What it does | Points mailbox providers to the SVG logo (l=) and the VMC file (a=) | Validates organizational authority over the specific logo displayed in the inbox |
| Cost to configure | No licensing fee for DNS configuration | Purchased annually from an audited CA; cost varies by provider and validation model |
| Core prerequisite | DMARC enforcement: p=quarantine or p=reject | Active BIMI DNS record; logo in SVG Tiny PS format |
| Trademark required | No | Yes — registered with recognized trademark offices or CA-accepted trademark records |
| Validity | Remains active as long as the DNS record is published | Expires on a fixed date; logo display may stop for providers that require certificate validation if the VMC is not renewed |
See also:
How to Avoid Common VMC Application Failures
Which Trademark Registrations Qualify for a VMC?
What Happens When a VMC Certificate Expires?
Frequently Asked Questions
Can I publish a BIMI record without a VMC?
l= tag and no a= tag pointing to a VMC. Some mailbox providers will display your logo based on the BIMI record alone. However, major mailbox providers that require certificate validation, including providers such as Gmail and Apple Mail, will not render the logo without a valid VMC referenced in the a= tag. A missing or invalid a= value prevents logo display in those environments regardless of how the rest of the BIMI record is configured.Is BIMI free to set up?
l= and a= tags. DMARC enforcement, if not already in place, is a prerequisite that may involve its own implementation effort.Does an expired VMC certificate work with BIMI?
a= tag in your BIMI record points to an invalid credential, and providers that require a current certificate — including providers such as Gmail and Apple Mail — stop rendering your logo. The BIMI DNS record itself remains published and active; it is the VMC that must be renewed to restore display.