Verified Mark Certificates

Is there any plan to provide VMC (Verified Mark Certificates) for the BIMI protocol?

The two sites that currently provide this charge a whopping $1000 to $1500 annually.

--RayJ

Probably not. It can't really be automated, and TBH it seems like a money-grabbing scheme anyway.

3 Likes

I'm not sure what that is. It's the first time I hear about it.

2 Likes

The what for what now?

Edit:
Relevant drafts are probably:

Edit:

From the VMC draft:

4.5 Validity
(…) It MUST also define a location to check for certificate revocation using a Certificate Revocation List (CRL) Distribution Point (…)

Let's Encrypt only uses OCSP for their end-entity certificates. So using a Let's Encrypt certificate as VMC would not be possible if you'd want to adhere to the draft. Or the draft needs to change their "Validity" paragraph to include OCSP.

All in all I don't really understand the benefits of this "BIMI" protocol. Is it really just so email clients can show a "validated" company logo?

3 Likes
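As an added illustration of the draft requirement quoted in the post above (not code from the thread, the draft, or Let's Encrypt): a Go check that reads a certificate's CRL Distribution Points and OCSP responder URLs and tests for the CRL pointer the "Validity" text calls for. The certificates and `example.test` URLs are constructed samples, and the names `RevocationInfo`, `Inspect` and `sampleCert` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationInfo lists where a certificate says its revocation status is published.
type RevocationInfo struct {
	CRL  []string // CRL Distribution Points extension
	OCSP []string // OCSP responders from Authority Information Access
}

// MeetsDraftValidity applies the quoted "4.5 Validity" text: a CRL Distribution Point is required.
func (r RevocationInfo) MeetsDraftValidity() bool { return len(r.CRL) > 0 }

// Inspect parses a DER certificate and extracts both revocation pointers.
func Inspect(der []byte) (RevocationInfo, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return RevocationInfo{}, err
	}
	return RevocationInfo{CRL: cert.CRLDistributionPoints, OCSP: cert.OCSPServer}, nil
}

// sampleCert builds a constructed, self-signed test certificate (hypothetical helper).
func sampleCert(crl, ocsp []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		CRLDistributionPoints: crl, OCSPServer: ocsp,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := sampleCert(nil, []string{"http://ocsp.example.test"}) // OCSP only
	info, err := Inspect(der)
	fmt.Println(info.OCSP, info.MeetsDraftValidity(), err)
}
```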

People interested in learning about BIMI should probably just look at their web site:

But agreed with those above, it seems analogous to OV/EV-type non-automatable certificates, and I don't see how Let's Encrypt could provide such a service, or why it would want to.

3 Likes

Thanks everyone for your input.

Here is what Google says: Add a brand logo to outgoing email with BIMI - Google Workspace Admin Help

If I understand it correctly, it is a way to show a DMARC validated and verified logo on email sent from your domain.

To help the recipient of your emails know the email is from your domain and not some spoof.

A good concept, but currently just a huge money grab.

I understand why they are so expensive. The verification steps are arduous and labor intensive. Here is just one element in a much longer chapter. I can't help chuckling while reading it. Enjoy.

3.2.5.2 (items 1-3 omitted):

(4) Principal Individual: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Requirements for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency’s face-to-face validation procedure does not satisfy the requirements of the Requirements, the CA SHALL perform face-to-face validation.
(A) Face-To-Face Validation: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant’s jurisdiction), a Lawyer, or Accountant (Third-Party Validator). In all cases, the Third-Party Validator must be working on behalf of the CA. The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator:

(i) A Personal Statement that includes the following information:

  1. Full name or names by which a person is, or has been, known (including all other names used);
  2. Residential Address at which he/she can be located;
  3. Date of birth; and
  4. An affirmation that all of the information contained in the Certificate Request is true and correct.

(ii) A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as:

  1. A passport;
  2. A driver’s license;
    ...

This section 4 for just Principal Individual goes on for another half page.
Source (page 26-27):

3 Likes

That explains it.

Thanks for digging into this.

1 Like

That's just DMARC, and DMARC is free.

BIMI looks like it wants to certify the email is from your company, not your domain.

1 Like