Verified Mark Certificates 11-09-2023

Choosing the right number of VMCs for your business needs

Dean Coclin
VMC Hero

A lot has changed in the world of email security since 2019, when CNN became the first large-scale emailer to receive a Verified Mark Certificate (VMC) from DigiCert. Most major mailbox providers now support BIMI and VMCs, displaying a sender’s verified logo in the recipient’s inbox. And many companies have invested in VMCs and the related domain authentication steps to show customers that the sender is someone the user can trust.

Qualifying for a VMC requires a trademarked logo and a domain with a DMARC policy configured to reject or quarantine non-compliant mail. That means organizations have some hoops to jump through to get one, but early VMC adopters saw a 10% increase in engagement once their emails started going out with a logo attached.  

It's easy enough to see why you need a VMC—displaying your logo greatly increases brand impressions and helps protect your audience from phishing and spoofing scams. But how many VMCs do you need, and how can having more than one further elevate your brand?

How many VMCs do you need?

Every organization is unique in its email and domain structure. If your company has a single email domain and logo, one VMC may be all you need. If you have multiple email domains and a single logo, one VMC may still do the trick.

But if you have multiple logos, you’ll need a VMC for each no matter how many email domains you’re using.

Here’s a chart to illustrate several possible organizational structures and their VMC requirements:

Verified Mark Certificates Graph 1

Let’s break it down even further with some example scenarios and the number of VMCs each would require:

  • Multiple email domains (e.g., @digicert.com and @rapidSSL.com) with a single logo: One VMC
  • Multiple email subdomains with unique email addresses (e.g., @security.digicert.com; @shop.digicert.com; @dev.digicert.com) and a single logo: One VMC
  • A single domain with multiple local subdomains (e.g., @company1.digicert.com and @company2.digicert.com), each with its own logo: One VMC per local subdomain
  • Multiple emails sharing the same second-level domain, but each email domain has a unique suffix (e.g., @digicert.com; @digicert.org; @digicert.ca): One VMC if all domains share the same logo; separate VMCs for each domain if the logos differ
  • One primary email with a logo design that changes for seasonal holidays: Different VMCs for each unique logo, each of which must be a registered trademark

Achieving brand versatility with BIMI selectors

VMCs are part of the Brand Indicators for Message Identification (BIMI) standard, an email specification that enables mailbox providers like Gmail to authenticate messages and display the sender’s brand logo in users’ inboxes.

If you have a single email domain with multiple verified logos, you can use BIMI selectors to display different logos based on use cases—one logo for marketing emails, for instance, and another for technical support. The seasonal logo example in our last scenario above would use a BIMI selector to switch out the logo for each new holiday.

Many organizations stick to one BIMI selector. But there’s no limit to the number of selectors you can use. For companies with complex branding needs, the ability to control which image recipients see in their inboxes adds an extra layer of polish to the logo game.

To show you what we mean, we’ve invented a retailer called DigiCert Sports. This fictional sports company has seven different logos that are all associated with the same email-sending domain. DigiCert Sports uses BIMI selectors to display the appropriate logo based on the customer’s region.

In the table below, you’ll see seven different BIMI selectors with seven different VMCs and logos. The email header tells the recipient which BIMI record they should be looking for.

Verified Mark Certificates Graph 2

If the sender doesn’t specify a BIMI selector in the email header, the default selector will determine what the recipient sees. But if the sender enters ”BIMI-Selector: v=BIMI1; s=Europe” in the email header, the Europe logo (VMC2.pem) will appear beside the message in the user’s inbox.

The components of a BIMI-selector header

In the DigiCert Sports example, you’ll notice the following required components in each row of the BIMI-Selector Header column:

1. Header name: BIMI-Selector

2. Version: v=BIMI1

3. Selector name:s=north_america;

Having trouble defining your own BIMI selectors and records? Our BIMI Records Creation Template can help.

The latest developments in digital trust

Want to learn more about topics like VMCs, S/MIME and cybersecurity? Subscribe to the DigiCert blog to ensure you never miss a story.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

02-20-2024

Survey says: 1/3 of leaders are more vulnerable than they think

Making smart homes smarter: How TUO adds security to every device

A Q&A with TUO Accessories Co-Founder and CEO Sam Gabbay

Lessons from the Equifax data breach

How poor certificate visibility led to a
76-day-long leak of sensitive information