Gmail announces Common Mark Certificates (CMCs) support for BIMI adoption

Co-authored in partnership with Entrust.

Gmail has officially announced its support for Common Mark Certificates (CMCs), enabling organizations to utilize BIMI (Brand Indicators for Message Identification) in Gmail without requiring a registered trademark. This means businesses that have established use of a logo but haven’t gone through the registered trademark process can now incorporate their brand seamlessly into their email communications.

What is BIMI?

Brand Indicators for Message Identification (BIMI) is an email standard introduced in 2021 that enables businesses to show their brand logo in the avatar slot of the DMARC-authenticated emails they send. BIMI was created to help accelerate DMARC adoption and incentivize implementation, promoting email security by mandating robust authentication and logo verification before displaying avatars. Strong email authentication aids in delivering legitimate mail and identifying and preventing spoofing, while also ensuring senders can leverage their brand credibility and flexibility.

To use BIMI at the highest level of validation, organizations are required to use a Mark Certificate (MC) from an authorized Certificate Authority (CA), which works alongside an organization’s DMARC policy that is required at enforcement (either quarantine or reject). A Mark Certificate can either be a Verified Mark Certificate (VMC) with a registered trademark, Government Mark Certificate (GMC) for government agencies, or now, the newly introduced Common Mark Certificate (CMC) for established brands.

What makes a Common Mark Certificate different?

The Common Mark Certificate (CMC) opens email identification to a wider audience, particularly smaller or early stage organizations without a registered trademark, or who want to use a different logo in email than their primary choice. 

Since the introduction of the VMC & GMC, organizations and email service providers have traditionally pushed for those companies and associated email domains not officially recognized with a registered trademark to obtain authorization by the BIMI standards governing body. CMC eliminates this requirement for a registered trademark, which is both a time-consuming process and expensive to acquire. Organizations can now qualify for the CMC by demonstrating historical use of their logo for at least one year, as verified by the Certificate Authority (CA).

Why the Google announcement is a game changer

Enabling thousands of organizations to protect their customer base and enhance brand awareness is a true game changer. With the introduction of CMCs, the adoption of DMARC for improved email security is expected to accelerate significantly. By ensuring that brands achieve proper email authentication, CMCs help businesses establish credibility, build trust, and increase engagement.

From a marketing perspective, CMCs empower brands to strengthen their identity across email campaigns, building a foundation of trust with customers that directly influences buyer behavior. As more inbox providers adopt BIMI, now is the perfect time for organizations to implement the correct email authentication measures with CMCs, unlocking greater visibility and engagement with their audiences. From a security perspective, implementing BIMI through a CMC and achieving a DMARC policy of ‘p=reject’ helps reduce phishing attacks and email spoofing, ensuring better protection for both brands and customers while mitigating the risk of costly cyber incidents. 

If you’re looking to get started with CMCs, you can now order directly through Red Sift—get in touch today.

PUBLISHED BY

Jack Lilley

16 Oct. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Product Release

Stream Red Sift telemetry to Sentinel, Splunk, and more with Event Hub

Francesca Rünger-Field

Event Hub is a new capability that streams real-time, structured security events from Red Sift products into the platforms security teams already use: SIEMs, SOARs, XDRs, ticketing tools, messaging platforms, and cloud storage. It enables faster, more consistent response by pushing telemetry directly into the workflows where detection, triage, and remediation already happen. Whether…

Read more
Thought Leadership

How the EU can mandate stronger email security

Antony Seedhouse

Executive summary: The article examines how the EU can proactively close email security gaps by leveraging the NIS2 Directive to mandate robust, harmonized standards like DMARC, DKIM, and SPF across all member states. By acting now, the EU not only protects its digital ecosystem but also sets a global benchmark for cybersecurity best practices.…

Read more
News

Europe’s #1 for DMARC: Red Sift OnDMARC does it again

Francesca Rünger-Field

G2’s Summer 2025 Report has landed, and we’re proud to share that Red Sift OnDMARC remains the #1-rated DMARC solution in Europe. This marks another strong season for OnDMARC, with continued recognition across G2’s category reports. We were featured in 18 reports this quarter, taking top spots in the Mid-Market Results Index and Mid-Market…

Read more
Cybersecurity

Healthcare and cybersecurity: 73% of breaches lack DMARC enforcement

Faisal Misle

The healthcare sector has become a target for both low-level and occasionally spectacularly successful cyberattacks. Hospitals, insurers, medical supply chains, service providers and medical organizations are prime targets for threat actors, with email phishing attacks, ransomware, and data breaches on the rise. In 2024, 94% of U.S. healthcare organizations experienced a cyberattack, with the average cost…

Read more