VMC and CMC updates: 5 key takeaways

Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs) continue to evolve, and staying up to date is crucial for organizations looking to authenticate their logos and enhance brand trust in email communication, this includes adhering to version 1.7 of the Minimum Security Requirements

In this blog, we break down the 5 key changes and what they mean for your organization’s implementation of a VMC or CMC.

Why VMCs and CMCs matter

VMCs and CMCs play a critical role in email security and brand verification. With increasing adoption of BIMI (Brand Indicators for Message Identification), having a properly validated certificate ensures that your verified logo appears next to emails in supporting email clients, such as Gmail and Yahoo Mail. This not only builds trust but also enhances engagement with recipients.

What are the new requirements?

1. Expanded verification for Common Mark Certificates (CMCs)

Common Mark Certificates (CMCs) were first introduced in version 1.6, with 1.7 adopting a more structured verification process. The document outlines new provisions for proof of prior use, which include:

  • Minimum display period: Applicants must now provide evidence that their mark has been publicly displayed for at least 12 months on a website under a domain they control.
  • Historical verification: This historical presence must be verified via an approved archive source, with archive.org listed as an example.
  • Mark representation format: Mark representations submitted for verification must be in SVG format and adhere to the color restrictions of the jurisdiction where the mark is recognized​.

2. New flexibility in mark modifications for VMCs and CMCs

For both Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs), the latest update introduces expanded rules on mark modifications:

  • Rearrangement of word elements: Applicants can now rearrange text elements within a combined mark (e.g., relocating a word mark from the right side of a logo to below it).
  • Partial design removal: Up to 49% of a design mark may be removed, provided that the core design remains unaltered.
  • Stacking and splitting of word marks: Single-word marks can be split into multiple parts, or multiple-word marks may be combined into a single word.
  • Font and color customization: Registered marks can now appear in any font or color, including colored or patterned backgrounds​.

3. Stronger requirements for VMC trademark verification

For Verified Mark Certificates (VMCs), the updated document reinforces trademark verification protocols:

  • Direct verification with trademark offices: Certification Authorities (CAs) must now verify that a registered trademark is in good standing by consulting the official database of the relevant trademark office.
  • Alternative verification via WIPO: CAs are permitted to check trademarks against the WIPO Global Brand Database as an alternative to national trademark registries​.
  • License verification: If the applicant is not the direct owner of the mark, the CA must obtain an authorization letter from the mark owner before issuing the VMC.

These refinements ensure that VMCs are only issued for valid and legally recognized trademarks, reducing the risk of fraudulent or misleading mark representations.

4. New validation process for Government Marks in VMCs

A crucial addition in this version is the explicit recognition of Government Marks under VMCs. Certification Authorities (CAs) are now required to:

  • Verify the mark’s legitimacy through statute, regulation, treaty, or official government action.
  • Retain official records and references for each validated government mark.
  • Confirm that the applicant has the legal right to use the government mark, either as the original owner or via an official license​.

5. Improved CAA records for VMC issuance

The latest update introduces CAA (Certificate Authority Authorization) restrictions for VMC issuance:

  • A new “issuevmc” Property Tag must be used in CAA records to specify which CAs are permitted to issue Mark Certificates for a given domain.
  • The sub-syntax of “issuevmc” mirrors that of TLS certificates, ensuring consistency with existing web security practices​.

This addition enhances security and control over which entities can issue VMCs for a domain, preventing unauthorized or fraudulent certificates.

How Red Sift can support your business

Red Sift OnDMARC‘s BIMI feature stands out as the only solution on the market that fully integrates BIMI with VMC or CMC, taking the hassle out of understanding the new requirements. This comprehensive offering simplifies the entire process of managing your VMC/CMC application, where Red Sift can handle everything from start to finish without the need to engage directly with a Certificate Authority (CA). 

In addition, Red Sift OnDMARC provides an easy way to validate that your logo meets the required BIMI format before submitting an application. Simply navigate to the BIMI section within the Red Sift OnDMARC dashboard and click on “Start Application.” Upload your logo by either dragging and dropping it or browsing your files. 

OnDMARC will then analyze the logo and display a confirmation if it meets the necessary criteria. If there are any issues with the logo, the platform will clearly highlight the errors to help you make the required adjustments.

Check if your business is BIMI ready, with our free BIMI checker and get started today with a free 14 day OnDMARC trial

PUBLISHED BY

Jack Lilley

3 Feb. 2025

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Cybersecurity

Collaborative cybersecurity: The building blocks to a safer internet

Rahul Powar

Ciaran Martin, former CEO of the UK National Cyber Security Centre, and Rahul Powar, CEO of Red Sift The internet’s foundational promise is one of connection, opportunity, and innovation. But as technological innovation grows, so do the risks. The challenge is clear: how do we create a fundamentally safer internet while empowering organisations of…

Read more
Cybersecurity

Securing crypto with Andrei Terentiev

Sean Costigan

In a new episode of Resilience Rising, host Sean Costigan speaks to Andrei Terentiev, Chief Technology Officer (CTO) of Bitcoin.com. The discussion dives into the relationship between cryptocurrency and cybersecurity, with valuable insights into the challenges and strategies for safeguarding digital assets. Navigating the intersection of cryptocurrency and cybersecurity Andrei shares his journey from…

Read more
DMARC

2.3 million organizations embrace DMARC compliance

Jack Lilley

It has been one year since Google and Yahoo implemented stricter requirements for bulk email senders. Eleven months ago, Red Sift shared an update based on data from BIMI Radar, which revealed a concerning global readiness picture. Now, with a full year behind us, it’s time to evaluate the progress organizations have made in…

Read more
BIMI

VMC and CMC updates: 5 key takeaways

Jack Lilley

Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs) continue to evolve, and staying up to date is crucial for organizations looking to authenticate their logos and enhance brand trust in email communication, this includes adhering to version 1.7 of the Minimum Security Requirements.  In this blog, we break down the 5 key changes…

Read more