BIMI in 2026: What the Certificate Authority Does, and What Your DMARC Tool Does

Brad Slavin, General Manager

Quick Answer

BIMI requires two separate vendors because the workflow has two distinct jobs. A Certificate Authority (DigiCert or Entrust, the only two approved CAs) issues the Verified Mark Certificate, which legally binds your registered trademark to your organization. That part costs roughly $1,000 to $1,500 per year per VMC, takes one to four weeks of trademark and identity verification, and ends with a PEM file delivered to you. Everything else lives in the DMARC tooling layer: getting your DMARC policy to p=quarantine or p=reject (BIMI will not render at p=none), hosting the SVG Tiny PS logo file and the VMC PEM on HTTPS, publishing the BIMI DNS record at default._bimi.yourdomain.com with the right v=BIMI1, l=, and a= values, validating the SVG conforms to the spec, and monitoring for alignment drops that would knock the logo offline. Run the DMARC work first, since enforcement is the gate, then engage the CA once you can hold p=quarantine or p=reject cleanly.

Two Vendors, Two Bills, One Logo

A common email comes in to support: someone has been quoted around $1,500 a year by a Certificate Authority for BIMI, and their DMARC reporting tool has told them BIMI is included in their plan. The question is reasonable: which one am I actually paying for, and why are there two of them?

The short answer is that BIMI is not a single product. It is a workflow that crosses two distinct vendor categories, and the email industry has done a poor job of explaining the split. This post fixes that. By the end you will know exactly what a Certificate Authority sells, what a DMARC reporting tool delivers, and which line items belong in which budget.

What BIMI Actually Does for You

Brand Indicators for Message Identification is the standard that puts your verified company logo next to your sender name in supported inboxes. When a recipient opens Gmail on the web, the iOS Mail app on a recent iPhone, Yahoo Mail, Fastmail, or any of the growing list of supporting clients, your authenticated mail shows up with your logo where the generic gray avatar would normally sit.

That visual confirmation does two things. First, it tells the recipient at a glance that the message really came from you, not from a spoofer. Second, it gives your brand a daily presence inside the inbox, which is one of the highest-trust environments on the internet. The combined effect is measurable. Internal data from large senders consistently shows higher open rates and lower spam complaint rates after BIMI rolls out.

But mailbox providers will not display anybody’s logo for free. You have to earn the slot by passing strict authentication, by proving you own the trademark on the logo, and by publishing the right DNS records. That is where the two-vendor structure starts.

The Five Prerequisites Before BIMI Will Render

Before you spend a dollar, walk through this checklist. Each item is independent of the others, and skipping any one of them means BIMI will not display.

  1. DMARC at p=quarantine or p=reject. Mailbox providers require that your DMARC policy is at quarantine or reject, with a percentage of 100, before BIMI will render. A monitoring policy of p=none is not enough. This is the single most common reason BIMI fails to show up after a customer thinks they have finished setup.
  2. Clean SPF and DKIM authentication on every legitimate sending stream. DMARC alignment depends on at least one of SPF or DKIM passing and aligning with the From domain. If your transactional email service, your marketing platform, or your sales tool authenticates poorly, you cannot move to enforcement, and BIMI will never render for those streams.
  3. A registered trademark for the logo. The Certificate Authority will check trademark registries directly. The logo on your VMC must match a live registered trademark in one of the supported jurisdictions, including the USPTO in the United States, the EUIPO, the UK IPO, the Japan Patent Office, the Canadian Intellectual Property Office, and several others. Trademark applications that are still pending do not qualify. The CA also checks that the trademark holder matches the legal entity on the certificate.
  4. A Verified Mark Certificate from a CA. Today there are two approved CAs: DigiCert and Entrust. They are the only entities authorized by the BIMI ecosystem to issue VMCs. Pricing as of this writing tends to land around $1,000 to $1,500 per year per VMC, with multi-year discounts available.
  5. BIMI infrastructure: the DNS record, the SVG file hosting, and the certificate served alongside it. The mailbox provider does not pull anything from the CA at message receipt time. It pulls the SVG and the VMC from URLs that you publish in your BIMI DNS record. Those URLs need to be HTTPS, fast, and available continuously. This is the piece that customers most often assume the CA provides. It does not.

What the CA Does, in Plain Language

DigiCert and Entrust do exactly one thing in the BIMI workflow, and they do it well. They verify that the company applying for the certificate is the legal owner of a registered trademark that matches the supplied logo, and they issue a cryptographically signed Verified Mark Certificate that binds the logo to the organization.

The verification process is rigorous. The CA checks corporate identity against business registries, validates the trademark certificate directly with the patent office that issued it, and runs a logo similarity check to confirm the SVG matches the registered mark. The process typically takes one to four weeks for a clean application. Edge cases, such as recent corporate name changes, parent and subsidiary structures, or trademarks held in a different legal entity than the one operating the email program, can extend that timeline considerably.

Once the CA issues the VMC, its job is essentially done. You receive a PEM file. That PEM file is the legal proof a mailbox provider trusts. The CA does not touch your DNS, does not host your logo, does not look at your DMARC reports, and does not tell you whether your mail is actually authenticating. Those concerns fall outside the CA’s scope.

What Your DMARC Reporting Tool Does

This is where DMARC Report, DuoCircle’s multi-region G2 Category Leader for DMARC software, comes into the picture. Once you have a VMC in hand, every other piece of the BIMI workflow lives in the DMARC and authentication tooling layer:

  • Getting your DMARC policy to quarantine or reject. Most domains arrive at BIMI with a long monitoring policy still in place. The reporting tool ingests aggregate reports, identifies which sending services are authenticating cleanly and which need work, and gives you a clear path to enforcement. Without that visibility, the move from p=none to p=quarantine is risky guesswork.
  • Hosting and serving the BIMI assets. The BIMI DNS record points at two URLs. One is the SVG Tiny Portable Secure file containing the logo. The other is the VMC PEM file. Both need to live somewhere reliable, on HTTPS, with appropriate cache headers. DMARC Report hosts both for you when you upload your VMC and your SVG. Mailbox providers fetch these URLs directly, so uptime and performance matter.
  • Publishing the BIMI DNS record. The TXT record at default._bimi.yourdomain.com tells receivers where to find your logo and your certificate. The reporting tool generates the exact record string for you to publish, including the v=BIMI1, l= (logo URL), and a= (authority evidence URL) fields. Get a single character wrong and BIMI silently fails.
  • Validating the SVG conforms to SVG Tiny PS. BIMI requires a very specific subset of SVG, with no scripts, no external references, no animation, and a fixed viewBox. The DMARC reporting tool validates the file before you publish it and flags any rejections.
  • Monitoring the rendered result. After publication, the tool watches for delivery anomalies, alignment drops, and BIMI selector mismatches that would knock your logo offline. This is ongoing work, not a one-time setup.
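A pre-upload check for the SVG constraints listed above (no scripts, no external references, no animation, a viewBox), as an added example that is not DMARC Report's validator or any vendor's code. It also checks the `baseProfile="tiny-ps"` attribute that the SVG Tiny PS profile requires, treats any `href` other than a same-document `#fragment` as external, and is not a full conformance test; the function names and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ANIMATION = {"animate", "animateColor", "animateMotion", "animateTransform", "set"}

def local_name(name):
    """Drop the '{namespace}' prefix ElementTree adds to names."""
    return name.rsplit("}", 1)[-1]

def check_bimi_svg(svg_text):
    """Return a list of problems; an empty list means these checks passed."""
    # Hardening choice for this sketch: never hand DTDs or entities to the parser.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root is not <svg> in the SVG namespace")
    if root.get("baseProfile") != "tiny-ps":
        problems.append('baseProfile is not "tiny-ps"')
    # Shape check only: four whitespace- or comma-separated values.
    if len((root.get("viewBox") or "").replace(",", " ").split()) != 4:
        problems.append("viewBox is missing or not four values")
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            problems.append("<script> element")
        elif name in ANIMATION:
            problems.append(f"animation element <{name}>")
        for attr, value in el.attrib.items():
            if local_name(attr).lower().startswith("on"):
                problems.append(f"event handler attribute {local_name(attr)}")
            elif attr in ("href", XLINK_HREF) and not value.startswith("#"):
                problems.append(f"external reference in <{name}>")
    return problems

# Constructed sample inputs.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" '
            'viewBox="0 0 64 64"><title>Example</title><circle cx="32" cy="32" r="30"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
           'onload="x()"><script>x()</script>'
           '<use xlink:href="https://cdn.example.com/logo.svg#mark"/></svg>')
```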

This is the practical division of labor. DigiCert or Entrust sells you the legal credential. DMARC Report does everything operational that turns the credential into a working brand display in the inbox.

Why the Two-Vendor Model Exists

The model is not a quirk. It is by design. The BIMI working group, which includes Google, Yahoo, Fastmail, Apple, Verizon, and the major DMARC tooling vendors, deliberately separated trademark verification from email operations. Trademark verification is a legal function, regulated, audited, and slow by nature. Email authentication operations are fast-moving, technical, and ongoing. Asking a CA to also run a DMARC platform would be like asking a notary to also run your accounting department. Different disciplines, different audit standards, different update cadences.

That separation is also why your CA invoice and your DMARC tool subscription are line items with very different shapes. The VMC is an annual fixed cost tied to a credential. The DMARC tool is an operational subscription tied to your domain count, sending volume, or reporting needs.

A Sanity-Check Workflow for the BIMI Buyer

If you are evaluating BIMI today, the cleanest mental model is this. Pick your DMARC reporting tool first, because the path to enforcement is the gating step and the harder of the two. Once you are confident you can reach p=quarantine or p=reject within a defined window, then engage a CA for the VMC. Submitting a VMC application before your DMARC posture is in order is an expensive way to wait.

The sequence that works in practice is: deploy DMARC at p=none with reporting, get visibility into your sending streams, fix authentication on the streams that matter, move to p=quarantine, confirm clean delivery, move to p=reject, then apply for the VMC. By the time DigiCert or Entrust issues the certificate, your authentication is already passing, and BIMI lights up the moment you publish the DNS record.
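A pre-publication check for the two DNS records this sequence ends with, as an added example (not DMARC Report's or any vendor's code). It applies prerequisite 1 (p=quarantine or p=reject at a percentage of 100) and the v=BIMI1, l= and a= requirements of the BIMI record. The function names and the example.com records are constructed for illustration, and the TXT strings are passed in rather than looked up so the check runs offline.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def bimi_readiness(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means both records pass these checks."""
    problems = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record missing v=DMARC1")
    if dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        problems.append("DMARC policy must be quarantine or reject")
    if dmarc.get("pct", "100") != "100":  # pct defaults to 100 when the tag is absent
        problems.append("DMARC pct must be 100")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    # The page requires both the logo (l=) and the VMC (a=) to be served over HTTPS.
    for tag, label in (("l", "logo"), ("a", "authority evidence")):
        if not is_https(bimi.get(tag, "")):
            problems.append(f"BIMI {tag}= ({label} URL) must be an HTTPS URL")
    return problems

# Constructed sample records for a placeholder domain.
DMARC_OK = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI_OK = "v=BIMI1; l=https://assets.example.com/logo.svg; a=https://assets.example.com/vmc.pem"
BIMI_BAD = "v=BIMI1; l=http://assets.example.com/logo.svg; a="
```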

Two vendors. Two bills. One logo in the inbox. Now you know which one to call when something goes wrong.

Topics

BIMI, DMARC, VMC, email authentication, brand

Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
