VMC Issuer Information

Some mailbox providers that support BIMI require DNS records asserting a domain’s BIMI information to reference a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) [collectively ‘Certs’], as outlined in the BIMI protocol. These digital credentials not only define the logo to be displayed, but also confirm that the domain’s use of the logo has been independently validated by a third party. These third parties are referred to as Mark Verifying Authorities, or MVAs for short.

While the AuthIndicators Working Group (AWG) has played a role in developing the technical specifications of the BIMI protocol, including those that describe the contents of Certs, the AWG does not certify an MVA to issue certificates for BIMI. The decision to accept the Certs generated by an individual MVA is left to the discretion of each mailbox provider that supports BIMI, and the following statements are true:

  • Each BIMI-supporting mailbox provider can apply different rigorous criteria to the decision to accept an MVA’s Certs.
  • An MVA may be required to go through a separate vetting process with each mailbox provider.
  • Acceptance of an MVA’s Certs by one or more BIMI-supporting mailbox providers does not guarantee that the MVA’s Certs will be accepted everywhere.

Issuance of a Cert by an MVA is done pursuant to published requirements that detail not only the format of the Cert but also the process by which a claim to use a given logo is validated, as well as other artifacts to be produced by the MVA during the process. Among those artifacts are Certificate Transparency (CT) logs, which an MVA maintains to record each Cert it issues, and Certificate Revocation Lists (CRLs), which list Certs that the issuer has revoked. The CRLs are both referenced in each individual Cert and kept as a separate list. The published requirements also describe associated third-party assessments to which an MVA must periodically subject itself in order to prove its compliance with the requirements.

On this page, the AuthIndicators Working Group maintains information about MVAs that issue Certs, including their name, a link to their Certification Practice Statement (CPS), the URL(s) of the CT Log(s) to which each MVA publishes, URL(s) pointing to each MVA’s CRL(s), and the location of each MVA’s most recent audit report as conducted in accordance with the current revision of the VMC Requirements, if available.

| Name of MVA | CPS | CT Log | CRL | Root Cert | Audit Report |
|---|---|---|---|---|---|
| DigiCert | Digicert CPS | https://gorgon.ct.digicert.com/log | DigiCertVerifiedMarkIntermediateCA.crl | Digicert (pem) | Audit Report |
| Entrust | Entrust CPS | https://gorgon.ct.digicert.com/log | vmc1ca.crl, vmc2.crl | Entrust (pem) | Audit Report |
| GlobalSign | GlobalSign CPS | https://gorgon.ct.digicert.com/log | gsgccr42verifiedmarkca2023.crl | GlobalSign (pem) | Audit Report |

Note: Inclusion on this list does not guarantee that a mailbox provider will honor your Cert. The AuthIndicators Working Group has no decision-making power over which MVAs are accepted.

MVAs interested in issuing Certs must provide the details displayed in the chart above to be considered for inclusion in the list of approved providers. Fill out our contact form with the required information; the information provided will be published (typically) within 10 business days.

This list is provided as a courtesy to the MVA community.