Email Security and Authentication

The Alphabet Soup of BIMI Requirements: A Guide to VMC, CMC, and Apple Business Connect

minute read

Post Image

Get your soup bowls out! We’re going to stir up the alphabet and get to the bottom of the latest BIMI requirements.   

Since 2021, BIMI (Brand Indicators for Message Identification) has upped the email marketing game by allowing brands to display their logos in email clients.   

However, there have been some changes to BIMI processes lately. So, let’s take a look at what’s new and what’s next for BIMI.   

How does BIMI work with other email authentication protocols?  

BIMI has several key components that senders must implement for the protocol to work correctly.  

First, and likely most importantly, confirm that your authentication is set up correctly. This means having SPF, DKIM, and DMARC in place with the DMARC policy set to either p=quarantine or p= reject.  This needs to be done at both the top level domain (parent) and for the subdomain to be BIMI compliant. 

Having your DMARC policy set to a stricter policy is key for BIMI to display your logo.   

Why?  

Your DMARC policy essentially tells mailbox providers how to handle your mail if SPF and DKIM fail. Based on this policy, they’ll either put the email in the spam folder (quarantine it) or reject it entirely.   

I’m often asked if having a DMARC policy of either quarantine or reject means the sender’s mail will land in the spam folder or be blocked outright. The short answer is no, not if you have SPF and DKIM set up properly, since DMARC is looking at both to ensure either SPF or DKIM passes. 

If both are not passing, it’s likely that your domain or IP has been spoofed. In that case, we would certainly want the mailbox providers to send that to spam or reject it outright.  

While both Yahoo and Google only currently require the presence of a DMARC record (it can be a policy of “none”), we predict they will soon also require the stricter policy to be in place.   

Still not sure why DMARC is such a big deal?  

Let me give you an example. An insurance company’s email lands in your inbox, offering a free air fryer just for clicking through. The branding looks legit. But something feels off since this message isn’t something the insurance company would typically send.   

This sender was likely spoofed, which no doubt led to some higher complaints and unsubscribes. If they had had a stricter DMARC policy in place, the imposter’s email would never have made it to their subscribers’ inboxes.   

Apart from having your other authentication protocols on lock, implementing BIMI also requires understanding various available certificates and processes.   

Let’s dive into some key components: Self-asserted logos, CMC, VMC, and while not BIMI specific, Apple Business Connect. 

Self-asserted logos  

Self-asserted logos are logos that are published without verification certificates and are supported by Yahoo, Fastmail, and others. BIMI works without VMC or the CMC, meaning that the entry point for BIMI is very attainable. I always recommend starting your BIMI journey with this option! Here’s what you need to know: 

  • Self-asserted logos require the same authentication and DMARC policy of either quarantine or reject.  
  • Also ensure that you have domain alignment in place. Domain alignment is when the domain used for SPF and DKIM is the same as the one used by DMARC.   
  • Your IT team will need to publish the BIMI record once you have your high quality .svg logo saved on a secure web server (HTTPS).  

Lots of moving parts, here, but if you’re an Everest customer, be sure to check out our BIMI wizard which can help you create the BIMI record that you can pass along to your team. It will also give you a preview of how it will look. So easy! 

Common Mark Certificates (CMCs)  

CMCs serve as an alternative to VMCs for BIMI implementation. Allowing CMCs is a new option that Google now accepts. Key points include:  

  • CMCs offer a similar level of verification as VMCs.  
  • They are issued by certification authorities (Entrust or DigiCert) recognized by the BIMI Working Group.  
  • The verification process includes checking your brand’s logo and DMARC policy.  
  • Like VMCs, CMCs involve an annual fee for issuance and maintenance.  
  • This is a good alternative for smaller businesses that may not have trademarked their logo or for businesses making changes to their logos that have not been processed by the trademark authority yet.   
  • At Google, a CMC is required for logo presentation, along with qualifying local reputation and volume.  

Verified Mark Certificates (VMCs)  

For the last two years, VMCs have been the brass ring of BIMI implementation, especially for Google, which initially required this level of certification.   

These certificates verify your brand’s logo and ensure its authenticity. Here’s what you need to know about VMCs:  

  • A VMC validates your legal right to use a specific logo, as obtaining a VMC requires Trademark validation.  
  • You must obtain a VMC from an authorized Certificate Authority (CA). Currently, this is available from either Entrust or DigiCert.  
  • The process involves submitting your logo and proof of trademark ownership along with updates to your DNS record to ensure your DMARC policy is compliant and the addition of a BIMI entry that provides the image and VMC URL.  
  • VMCs come with an annual cost, which varies depending on the CA.  
  • By including a VMC, your emails may receive increased logo placement perks, such as the blue check mark at Google or the purple check mark at Yahoo, which let subscribers know this sending domain has been verified for the logo presented.  

Apple Business Connect  

Apple has introduced its own system for brand verification, known as Apple Business Connect. This platform offers unique features, including:  

  • It allows businesses to manage their information across Apple’s ecosystem. Your logo would be visible for Apple apps like ApplePay, email, and incoming phone calls being received on an Apple device.  
  • You can create and customize your brand’s presence on Apple Maps, Messages, and other Apple services.  
  • Unlike VMCs and CMCs, Apple Business Connect is currently free to use.  
  • It doesn’t directly integrate with BIMI but enhances your brand’s visibility on Apple platforms.  

Keep in mind that once BIMI is functioning and accurate relative to DMARC, BIMI records, SVG files, and any certificates (if chosen), the decision to display the logo is still contingent upon the mailbox provider’s discretion. That decision is based on their specific reputation and volume requirements. To pass this check, keep a close eye on your reputation and ensure that authentication protocols are securely in place.  

By understanding how self-asserted logos, CMCs, VMCs, and Apple Business Connect work, you can make an informed decision about your BIMI implementation strategy.   

Remember, while there are costs associated with the certificates, implementing BIMI offers significant benefits in terms of brand visibility, trust, and email engagement. We recommend that you implement BIMI to maximize your email marketing potential and strengthen your brand’s digital presence.   

For more expert tips for email marketers, download our all-in-one Ultimate Email Marketing Toolkit.