Why verify a VMC?
The VMC (Verified Mark Certificate) is the key to displaying your brand logo in Gmail, Yahoo and Apple Mail inboxes. Before enabling BIMI, validate that:
- The issuer is a recognized authority (DigiCert, Entrust)
- The certified domains (SAN) include all your sending domains
- The validity period is not expired or close to expiration
- The legal information matches your organization
What is a VMC certificate?
A Verified Mark Certificate is a special X.509 certificate that:
- Attests to your organization's trademark rights
- Links your SVG logo to your email sending domains
- Is issued after verification of your registered trademark with an intellectual property office
VMC contents
| Field | Description |
|---|---|
| Subject | Legal identity of the organization |
| SAN | Authorized domains, URLs and identities |
| Issuer | Certificate Authority (DigiCert, Entrust) |
| Validity | Issuance and expiration dates |
| Trademark | Registration number and jurisdiction |
How does BIMI work with VMC?
- BIMI record: You publish a DNS record at
_bimi.yourdomain.compointing to your SVG logo and VMC - DMARC verification: The email provider verifies DMARC passes with
p=quarantineorp=reject - VMC validation: The certificate is downloaded and validated (issuer, domains, dates)
- Logo display: If everything is valid, the logo appears in the inbox
Use cases
Case 1: Initial BIMI activation
Context: You just received your VMC and want to enable BIMI.
Actions:
- Analyze the VMC to verify your domains are included
- Confirm the validity dates are correct
- Publish the BIMI record with the VMC URL
- Test with our BIMI checker
Case 2: Logo not displaying
Context: BIMI is configured but the logo doesn't appear in Gmail.
Actions:
- Analyze the VMC to verify it's not expired
- Confirm the sending domain is in the SANs
- Verify DMARC is configured with
p=quarantineorp=reject - Wait 24-48h for propagation
Case 3: VMC renewal
Context: Your VMC expires in 30 days.
Actions:
- Order a new VMC from your CA
- Analyze the new certificate to verify the information
- Update the URL in your BIMI record
- Keep the old VMC active until full propagation
Common errors
| Error code | Cause | Solution |
|---|---|---|
| ERR_CERT_INPUT_MISSING | No PEM or URL provided | Paste the certificate or enter HTTPS URL |
| ERR_CERT_URL_INVALID | Non-HTTPS or invalid URL | Verify the URL starts with https:// |
| ERR_CERT_PEM_MISSING | No certificate block in PEM | Include BEGIN/END CERTIFICATE lines |
| ERR_CERT_INVALID | Corrupted certificate or not a VMC | Check the source file |
| ERR_CERT_FETCH_FAILED | Timeout or redirect | Verify URL accessibility |
Best practices
- Renew 30 days before expiration to avoid any interruption
- Include all your sending domains in the SANs when ordering
- Host the VMC on a reliable URL with HTTPS and high availability
- Test after every change with this analyzer and the BIMI checker
- Document expiration dates in your operations calendar
Complementary tools
| Tool | Purpose |
|---|---|
| BIMI Generator | Generate a valid BIMI record with your VMC |
| BIMI Checker | Verify the BIMI record published on your domain |
| BIMI Syntax Validator | Validate syntax BEFORE DNS publication |
| DMARC Inspector | Verify DMARC policy (BIMI prerequisite) |
Privacy
The certificate is sent to the CaptainDNS API only to decode its metadata. Processing is done in memory without storage. Only generic metrics (duration, size, status) are recorded for availability monitoring.