Verified Mark Certificates 05-11-2021

How Many Verified Mark Certificates (VMCs) Will I Need? 

DigiCert
DigiCert Blog

As part of our discussion on how to get a Verified Mark Certificate (VMC), which enables companies to present their logo in the “sender” field in email clients, today we’re diving into how many VMCs your organization will need. Generally, organizations will be fine with one VMC for their domain, but if they have multiple logos, they will need a VMC for each one. 

Each organization is unique in their email and domain structure. You may have a single email domain or many, sell one product or hundreds. Perhaps you have a single domain or a complex infrastructure with a variety of email services, domains and logos.

Regardless of how you are organized, VMCs offer flexibility for a variety of situations. Below we have outlined common ways your domains may be structured to help you understand how VMCs will work for your business.

VMC versatility

In general, most organizations will need a single VMC for their domain. A good rule of thumb to follow is a single VMC is associated with one logo. If you require multiple logos, you will need to get a VMC for each one. Multi-SAN VMCs will be available to secure multiple domains.

Associating an email with a VMC: The BIMI-selector header

One versatile aspect of VMC via BIMI is the use of a “selector,” which allows you to choose which logo you will use for that email address. You can decide how many selectors you need for each domain. One selector is usually sufficient for most organizations; however, those with more complex branding needs can choose to have many selectors. There is no limit on number of selectors.

A perfect scenario where BIMI-selectors might be useful is when domain owners have multiple brands / logos that are all associated with the same email sending domain. To be displayed, every logo must have their own VMC and BIMI record. However, given that all VMCs are going to be issued for the same domain, which logo will recipients see in their inboxes?

This is where BIMI-Selectors come into play to support domain owners to display different logos for the same domain, assigning those logos to emails based on business needs like type of recipient, message source, geo x, IP addresses, or other considerations like seasonal branding.

The hypothetical example below considers a sports company named DigiCert Sports, that has seven different logos which are all associated with the same email sending domain, and is using BIMI-Selectors to display all their logos to customers based on regions:

The table above indicates that there are seven different BIMI-Selectors associated with seven different VMCs / logos and the same email sending domain. So, which logo will a recipient see in their inbox among the seven available? The answer is straightforward: the email header lets the email recipient know which BIMI-record from the sender they should be looking for.

Considering the above example, if the sender puts in the email header the BIMI-Selector “BIMI-Selector: v=BIMI1; s=Europe;”, the email recipient will get the Europe logo displayed (VMC2.pem). However, if the sender does not specify a BIMI-Selector in the email header, the default selector will be used by the recipient. The default BIMI-Selector always points to the default BIMI record, and in our example that is “default._bimi.digicertsports.com”, which displays the North America logo.

In summary, the scenarios where BIMI-Selectors might be very useful are listed below:

  1. Multiple brands / logos associated with one single sending domain.
  2. Unique brand associated with multiple logos and one or several domains.

As defining your own BIMI-Selector and BIMI records might get tricky, we prepared a template to help you on that.

Components of a BIMI-Selector header

  1. Header name (required): BIMI-Selector
  2. v = Version (required): BIMI1
  3. s = Selector name: the value is what you have chosen to be your selector name (required)

example: BIMI-Selector: v=BIMI1; s=example;

VMC rule chart

Based on how many domains and logos you have, you may need one or more VMCs. Below is a chart that summarizes a variety of organizational structures and requirements for VMC.

Examples: How many VMCs do I need?

Below are use cases that explain how you would structure your VMCs depending on your situation.

Scenario 1: Multiple domains

I have multiple email domains, but a single logo is used across all emails. Do I need a VMC for each email domain?

Example: @digicert.com; @rapidSSL.com

Answer: No. If a single logo is shared across all domains, a single VMC is sufficient. But you will need SANs option to cover other domains. In the above example, the base VMC comes with 1 domain of @digicert.com, you will only add @rapidSSL.com with 1 SANs option. If you have a unique logo per domain, you will need to purchase a VMC for each logo. Here the BIMI record for the domain will reference the same VMC record.

Scenario 2: Multiple subdomains, shared logo

I have multiple email subdomains each with a unique email address. They all share the same logo. How many VMCs are required for this scenario?

Example: @security.digicert.com; @shop.digicert.com; @dev.digicert.com

Answer: One VMC can be shared across all subdomains since all subdomains can share the same logo. Additionally, no additional SANs are required: a single SAN for "digicert.com" is all that's needed to cover all subdomains. Here the BIMI-selector header for each subdomain will reference a single VMC record.

Scenario 3: Multiple subdomains, unique logos

I have a main domain, but my company organizes local companies by sub-domains. I need one logo for each company sub-domain email.

Example: @company1.digicert.com

Answer: In this case, you will need one VMC per local company subdomain because each VMC is associated with one logo. Here the BIMI-selector header for each subdomain will reference a single VMC record.

Scenario 4: Different domain suffixes

I have multiple emails that share the same second-level domain, but each domain has a unique suffix, how many VMCs will I need?

Example: @digicert.com; @digicert.org, @digicert.ca

Answer: If they share the same logo, you can use one VMC across all emails. However, you will need to add each domain as a SAN to the VMC. If there are unique logos per domain, you will need a VMC per domain. This situation might apply to a global company that offers various website translations per country.

Scenario 5: Changing logos, single domain

I have a primary email that is used for my business but want to change my logo design throughout the year depending on the holiday season.

Example: You want to decorate your core logo with a tree for Christmas, or a pumpkin for Halloween.

Answer: You can have different logos for a single domain. Each logo needs a unique VMC and must be a registered trademark, and the VMC display will then be triggered by the BIMI-selector email header.

Scenario 6: A single domain with multiple brands and logos

I have a single domain, single email sending domain and multiple products with unique logos. How should I set up my emails so each product line has a unique logo?

Example: email@digicert.com, email@digicert.com

Answer: BIMI-selector headers can be used to select the right logo per sent email. You will need one VMC per logo.

DigiCert VMC certificates

VMC offers flexibility for all organizations regardless of your email complexity. DigiCert is one of a select few Certificate Authorities that will be offering VMCs. Currently, we are still in the initial stages with VMCs and so they are not widely available; however, soon any company will be able to request a DigiCert VMC. If you would like more information on VMC selectors, you can read the full specification here.

Purchase VMC certificates

If you’re interested in being one of the first to purchase a VMC when they are widely available, sign up here. If you have not done so already, read our other blogs on how to get a VMC covering everything from DMARC compliance to registering your trademark and preparing your logo for the inbox.

 

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

05-25-2023

The Importance of Digital Trust in The Era of
Web 3 

The Future
Role of AI in Cybersecurity

How companies can stay ahead of adversaries by applying AI solutions
09-27-2023

DigiCert Trust Summit Preview with Stacey Higginbotham: Navigating IoT's Future with Matter Protocol