VMC and CMC: What are the new requirements?

Executive Summary: Staying updated on Verified Mark Certificates (VMCs) and Certified Mark Certificates (CMCs) is crucial for organizations aiming to authenticate their logos and enhance brand trust in email communications. Discover the key changes in the latest security requirements and compare the differences between VMCs and CMCs.​

This article:

• Provides updates on Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs).
• ​Highlights the importance of adhering to version 1.7 of the Minimum Security Requirements.​
• Breaks down five key changes affecting logo authentication and brand trust.

Introduction

Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs) continue to evolve and staying up-to-date is crucial for organizations looking to authenticate their logos and enhance brand trust in email communications. This includes adhering to version 1.7 of the Minimum Security Requirements. 

Why VMCs and CMCs matter

VMCs and CMCs play a critical role in email security and brand verification. With increasing adoption of BIMI (Brand Indicators for Message Identification), having a properly validated certificate ensures that your verified logo appears next to emails in supporting email clients, such as Gmail and Yahoo Mail. This not only builds trust but also enhances engagement with recipients.

What are the new requirements?

1. Expanded verification for Common Mark Certificates (CMCs)

Common Mark Certificates (CMCs) were first introduced in version 1.6, with 1.7 introducing a more structured verification process. The document outlines new provisions for proof of prior use, which include:

• Minimum display period: Applicants must now provide evidence that their mark has been publicly displayed for at least 12 months on a website under a domain they control.
• Historical verification: This historical presence must be verified via an approved archive source, with archive.org listed as an example.
• Mark representation format: Mark representations submitted for verification must be in SVG format and adhere to the color restrictions of the jurisdiction where the mark is recognized​.

2. New flexibility in mark modifications for CMCs

For CMCs, the latest update introduces expanded rules on mark modifications:

• Rearrangement of word elements: Applicants can now rearrange text elements within a combined mark (e.g., relocating a word mark from the right side of a logo to below it).
• Partial design removal: Up to 49% of a design mark may be removed, provided that the core design remains unaltered.
• Stacking and splitting of word marks: Single-word marks can be split into multiple parts, or multiple-word marks may be combined into a single word.
• Font and color customization: Registered marks can now appear in any font or color, including colored or patterned backgrounds​.

3. Stronger requirements for VMC trademark verification

For Verified Mark Certificates (VMCs), the updated document reinforces trademark verification protocols:

• Direct verification with trademark offices: Certification Authorities (CAs) must verify that a registered trademark is in good standing by consulting the official database of the relevant trademark office.
• Alternative verification via WIPO: CAs are permitted to check trademarks against the WIPO Global Brand Database as an alternative to national trademark registries​.
• License verification: If the applicant is not the direct owner of the mark, the CA must obtain an authorization letter from the mark owner before issuing the VMC.

These refinements ensure that VMCs are only issued for valid and legally recognized trademarks, reducing the risk of fraudulent or misleading mark representations.

4. New validation process for Government Marks in VMCs

A crucial addition in this version is the explicit recognition of Government Marks under VMCs. Certification Authorities (CAs) are now required to:

• Verify the mark’s legitimacy through statute, regulation, treaty, or official government action.
• Retain official records and references for each validated government mark.
• Confirm that the applicant has the legal right to use the government mark, either as the original owner or via an official license​.

5. Improved CAA records for VMC issuance

The latest update introduces CAA (Certificate Authority Authorization) restrictions for VMC issuance:

• A new “issuevmc” Property Tag must be used in CAA records to specify which CAs are permitted to issue Mark Certificates for a given domain.
• The sub-syntax of “issuevmc” mirrors that of TLS certificates, ensuring consistency with existing web security practices​.

This addition enhances security and control over which entities can issue VMCs for a domain, preventing unauthorized or fraudulent certificates.

How Red Sift can support your business

Red Sift OnDMARC‘s BIMI feature stands out as the only solution on the market that fully integrates BIMI with VMC or CMC, taking the hassle out of understanding the new requirements. This comprehensive offering simplifies the entire process of managing your VMC/CMC application, where Red Sift can handle everything from start to finish without the need to engage directly with a Certificate Authority (CA). 

In addition, Red Sift OnDMARC provides an easy way to validate that your logo meets the required BIMI format before submitting an application. Simply navigate to the BIMI section within the Red Sift OnDMARC dashboard and click on “Start Application.” Upload your logo by either dragging and dropping it or browsing your files. 

OnDMARC will then analyze the logo and display a confirmation if it meets the necessary criteria. If there are any issues with the logo, the platform will clearly highlight the errors to help you make the required adjustments.

Check if your business is BIMI-ready, with our free BIMI checker and get started today with a free 14 day OnDMARC trial.