What Happens When a VMC Certificate Expires?

Published On: June 23, 2026Read Time: 3 minutes
Direct Answer

When a VMC expires, logo display typically stops when mailbox providers detect the expired certificate. Email delivery is not affected — messages continue to send and receive normally. The impact is limited to brand logo visibility in supported inboxes. The BIMI DNS record and all other email authentication infrastructure remain in place; only the certificate validity is the issue.

What Stops and What Continues

Stops at Expiry
  • Logo display in Gmail and other providers that validate the certificate at display time
  • Blue verified checkmark in Gmail (VMC-specific)
  • Display in any provider that checks certificate validity before rendering the logo
Continues After Expiry
  • Email delivery — sending and receiving are unaffected
  • DMARC enforcement and email authentication
  • BIMI DNS record — remains published and queryable
  • SPF and DKIM alignment

The certificate expiry is a display event, not a delivery event. Recipients do not see an error or warning message. From their perspective, the logo simply stops appearing — or the verified badge disappears — without any indication of why.

Why Certificate Validity Is Checked at Display Time

Mailbox providers that support BIMI with certificate verification check the validity of the certificate referenced in the a= tag when evaluating a message. An expired certificate typically fails this check and the provider does not display the logo, even if the DNS record is otherwise correctly formed and the SVG is accessible. Most providers treat an expired certificate the same as an absent one — there is generally no grace period, though specific provider behavior may vary.

The Gap Risk

The critical risk is a gap between expiry and renewal completion. If a replacement certificate is not issued before the current one expires, logo display stops for the duration of that gap. The VMC renewal process — which involves revalidation by the CA — typically takes days. Starting renewal at least 30–45 days before expiry ensures the new certificate is available before the old one lapses.

For full renewal scope details, see What Is Included in a BIMI Certificate Renewal Service. For the revalidation process specifically, see Do I Need Revalidation During VMC Renewal?

A new certificate is not active the moment it is issued. The updated a= URL must be live and the DNS record (if changed) must propagate. Allow 24–48 hours after certificate deployment before logo display resumes in all environments.

Frequently Asked Questions

Does an expired VMC affect email deliverability?

No. VMC expiry has no effect on email delivery. Messages continue to arrive in recipients' inboxes. The VMC is a display credential, not an authentication mechanism. DMARC, SPF, and DKIM operate independently of VMC validity.

Can I keep the same BIMI DNS record after renewal?

If the certificate URL in the a= tag remains the same — i.e., the renewed certificate is served at the same HTTPS address — the DNS record does not need to change. If the URL changes, the BIMI record must be updated and the change must propagate before display resumes.

How long does it take for logo display to resume after renewal?

Once the renewed certificate is deployed and accessible at the URL in the a= tag, providers that read it at display time will pick it up. DNS propagation (if the record changed) takes 24–48 hours. Some providers may have their own cache or recognition delay. Expect full resumption within 1–3 days of correct deployment.