VMC Issuer Information

Some mailbox providers that support BIMI require that the DNS records asserting a domain’s BIMI information contain reference to a Verified Mark Certificate (VMC), as described in the BIMI protocol. VMCs are digital certificates that describe not only the logo to be displayed, but also serve as proof that the logo’s use by the domain has been vetted by a third party. These third parties are referred to as Mark Verifying Authorities, or MVAs for short.

While the AuthIndicators Working Group (AWG) has played a role in developing the technical specifications of the BIMI protocol, including those that describe the contents of a VMC, the AWG does not certify an MVA to issue VMCs. The decision to accept VMCs generated by an individual MVA is left to the discretion of each mailbox provider that supports BIMI, and the following statements are true:

  • Each BIMI-supporting mailbox provider can have different rigorous criteria to apply to the decision to accept an MVA’s VMCs.
  • An MVA may be required to go through a separate vetting process with each mailbox provider.
  • Acceptance of a MVA’s VMCs by one or more BIMI-supporting mailbox providers does not guarantee that the MVA’s VMCs will be accepted everywhere.

Issuance of a VMC by an MVA is done pursuant to published requirements that detail not only the format of the VMC, but also the process by which a claim to use a given logo is validated, as well as other artifacts to be produced by the MVA during the process. Among those artifacts are Certificate Transparency (CT) logs, which an MVA maintains to record each VMC it issues, and Certificate Revocation Lists (CRLs) which list VMCs that the issuer has revoked. The CRLs are both referenced in each individual VMC and kept as a separate list. The published requirements also describe associated third party assessments to which an MVA must periodically subject itself in order to prove its compliance with the requirements.

On this page, the Authindicators Working Group maintains information about MVAs that issue VMCs, including their name, a link to their Certification Practice Statement (CPS), the URL(s) of the CT Log(s) to which each MVA publishes, URL(s) pointing to each MVA’s CRL(s), and the location of each MVA’s most recent audit report as conducted in accordance with the current revision of the VMC Requirements, if available.

Name of MVA CPS CT Log CRL Root Cert Audit Report Date of Issuance of Audit Report Date of Oldest VMC Subject to Current Audit
DigiCert Digicert CPS https://gorgon.ct.digicert.com/log
DigiCertVerifiedMarkIntermediateCA.crl
Digicert (pem) Audit Report 24 January 2022 12 July 2021
Entrust Datacard
Entrust CPS
https://gorgon.ct.digicert.com/log vmc1ca.crl

vmc2.crl
Entrust Datacard (pem) Will be published when available 31 May 2022 (estimated) 9 July 2021

MVAs interested in issuing VMCs must provide the following details to be considered for inclusion in the list of approved providers. Submit the information displayed in the chart above and the information provided will be published (typically) within 10 business days. Fill out our contact form with the required information for inclusion.

This list is provided as a courtesy to the MVA community.

Note: Inclusion on this list does not guarantee that a provider will honor your VMC. The AuthIndicators working group has no decision making power in which MVAs are accepted or not.