Mark Verifying Authority FAQs

 

Expanding MVA Participation: AuthIndicators Working Group Vision

The adoption of Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs) has grown steadily, with an initial group of Certification Authorities (CAs) currently serving as Mark Verifying Authorities (MVAs). While these providers have played a crucial role in establishing the foundation for BIMI adoption, broader participation from additional CAs is essential to scaling the ecosystem and increasing BIMI adoption for brands.

The AuthIndicators Working Group aims to facilitate the expansion of MVAs by guiding and encouraging more CAs to participate. Through efforts to streamline requirements, enhance transparency, and provide clear, supportive guidelines, the group seeks to create an environment that fosters greater adoption of VMCs and strengthens the trust and security of email authentication.

Frequently Asked Questions (FAQ) on the AuthIndicators Working Group’s Efforts to Expand MVA Participation

What is the AuthIndicators Working Group?

The AuthIndicators Working Group (“BIMIGroup”) is a voluntary organization dedicated to standardizing Brand Indicators for Message Identification (BIMI). BIMI enables brands to display verified logos next to authenticated emails, improving recognition and trust in email communications.

What are Verified Mark Certificates (VMCs)?

Verified Mark Certificates (VMCs) authenticate brand logo ownership and domain verification. They ensure that only verified logos appear in authenticated emails, preventing misuse and enhancing email integrity.

What are Common Mark Certificates (CMCs)?

Common Mark Certificates (CMCs) are a new type of digital certificate introduced by the BIMI Group to simplify and standardize the process of verifying brand logos for use in email authentication, particularly with BIMI (Brand Indicators for Message Identification). CMCs are designed to provide a more accessible and streamlined alternative to Verified Mark Certificates (VMCs) by reducing complexity and cost for brands. They ensure the authenticity of a brand’s logo in emails, enhancing trust and security while making BIMI adoption easier for organizations of all sizes.

Who issues the various Mark Certificates?

VMCs and CMCs are issued by Mark Verifying Authorities (MVAs), typically Certification Authorities (CAs) that have undergone rigorous validation. The BIMIGroup maintains a list of approved MVAs along with their compliance documentation.

What are the key differences between a VMC and a CMC?

  • VMC (Verified Mark Certificate) is a more rigorous and established digital certificate issued by Certification Authorities (CAs) to verify brand logos for BIMI. It requires detailed validation, including trademark verification, and is typically more complex and costly.
  • CMC (Common Mark Certificate), introduced by the BIMI Group, is a newer, simplified alternative designed to reduce complexity and cost. It streamlines the validation process while still ensuring logo authenticity, making BIMI adoption more accessible for smaller brands or those seeking a less resource-intensive option.

How does the BIMIGroup plan to expand MVA participation?

The BIMIGroup is focused on providing resources and guidance to increase VMC issuance and encourage broader CA participation. By offering clear guidelines, promoting transparency through Certificate Transparency (CT) logs, and advocating for regular audits, the BIMIGroup aims to support the growth of trusted MC providers and help them navigate the process effectively.

How can a Certification Authority become an MVA?

Certification Authorities interested in issuing VMCs/CMCs should:

  1. Review Requirements: Understand the BIMIGroup’s VMC guidelines and technical specifications.
  2. Develop a Certification Practice Statement (CPS): Document policies and procedures for issuing VMCs.
  3. Log to Certificate Transparency (CT): Coordinate with the BIMI Group to publish to an approved CT log (per the VMC Guidelines – Appendix F).
  4. Establish Certificate Revocation Lists (CRLs): Provide mechanisms for revoking VMCs when necessary.
  5. Undergo Regular WebTrust VMC Audits: Ensure compliance through independent third-party assessments.
  6. Register in the Common CA Database (CCADB): Ensure inclusion in the CCADB (https://www.ccadb.org/cas) to promote transparency and interoperability across trust stores. Contact certdb@mozilla.org to begin the process.
  7. Submit Information to the BIMIGroup: Provide the CPS, proof of CT logging, CRL URLs, root certificates, and audit reports for review. Use the form at https://bimigroup.org/contact-us.

Following these steps allows CAs to be considered for inclusion as MVAs, contributing to BIMI adoption and strengthening email security. NOTE: Multiple mailbox providers implementing BIMI can help with testing before a CA becomes an official MVA. Both Apple and Fastmail have helped with this in the past. Contact the BIMIGroup at https://bimigroup.org/contact-us for assistance.

What is the BIMIGroup’s role in certifying MVAs?

The BIMIGroup does not certify MVAs but provides technical specifications and requirements for Mark Certificate issuance. Each mailbox provider determines whether to accept VMCs from a given MVA based on its own criteria and vetting processes.

How does the BIMIGroup support BIMI and VMC adoption?

The BIMIGroup promotes BIMI and VMC adoption by:

  • Providing Resources: Offering implementation guides, tools, and best practices.
  • Maintaining MVA Information: Keeping an updated list of compliant MVAs.
  • Engaging with Stakeholders: Collaborating with brands, CAs, MVAs, and mailbox providers to advance BIMI adoption.

These efforts aim to improve email authentication and promote a more secure and trusted email ecosystem.

Version 1.0 – Last Updated July 2025