How to Upgrade from CMC to VMC Without Breaking Your BIMI Setup
- Benjamin Tack
- Nov 17, 2025
A practical guide for brands ready to scale their verified identity in inboxes

As more brands adopt BIMI (Brand Indicators for Message Identification), many start with a CMC (Common Mark Certificate) — a lightweight option that doesn’t require a registered trademark.
But as BIMI matures, inbox ecosystems expand, and customer expectations change, brands often choose to upgrade to a VMC (Verified Mark Certificate) to unlock the highest level of verification, including Gmail’s blue checkmark.
The challenge?
Migrating from CMC to VMC must be done carefully — a misstep in DNS, certificate hosting, or DMARC alignment can cause your logo to disappear overnight from Gmail, Yahoo or Apple Mail.
This guide walks you through exactly how to perform a smooth, zero-downtime migration.
1️⃣ Why brands upgrade from CMC to VMC
A CMC is the perfect entry point into BIMI — accessible, fast to issue, and ideal for companies without a registered trademark.
But a VMC offers clear advantages once your brand matures:
What a VMC unlocks:
- The Gmail “verified blue checkmark” (not available with CMCs)
- Highest level of brand identity assurance
- Stronger trust signals for corporate and enterprise recipients
- Compliance with trademark-based BIMI requirements
- Better long-term interoperability across global mailbox providers
If your brand invests heavily in communication, PR, or email marketing — the VMC is the premium trust asset you eventually want.
2️⃣ The #1 rule of BIMI migrations: never break the chain
Your BIMI setup relies on three pillars:
- Authentication: SPF, DKIM, DMARC (policy must remain at “quarantine” or “reject”)
- Logo asset: SVG Tiny P/S, valid and hosted on HTTPS
- DNS record: the BIMI TXT record that points to your certificate
When migrating from CMC to VMC, the golden rule is:
Change the certificate — not the structure.
Keep your domain authentication, logo file, and DNS placement consistent.
Only the certificate reference should change.
3️⃣ The step-by-step migration process (with zero downtime)
Here is the recommended sequence used by providers like Bimimi.io to ensure smooth transitions:
Step 1: Prepare your VMC certificate “in parallel”
Do not remove or alter your CMC record yet.
A VMC requires:
- A registered trademark (EUIPO, USPTO, UKIPO…)
- A matching SVG Tiny logo file (identical to the trademark)
- Organisation identity validation (OV/EV-like checks)
- A trusted CA issuer (DigiCert, Entrust, Sectigo)
Have the VMC validated and issued before modifying your DNS.
Step 2: Host your VMC certificate on HTTPS
The certificate file (PEM) must be publicly accessible via HTTPS, exactly like your CMC.
Recommended structure:
Place the file first — this ensures mailbox providers can retrieve it immediately after the DNS update.
Step 3: Keep the same SVG logo (unless trademarked version differs)
If your CMC and VMC use the same logo, keep the identical SVG to avoid unnecessary propagation delays.
If your trademarked version differs slightly, upload the trademarked version before switching the certificate.
Step 4: Update only the “a=” parameter in your BIMI DNS record
Your existing CMC BIMI record looks like:
default._bimi.yourdomain.com TXT
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/your-cmc.pem;
To upgrade:
- Keep v= as is.
- Keep l= unchanged (logo URL).
- Replace only the a= link with your VMC PEM file.
Your new VMC BIMI record should become:
v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/your-vmc.pem;
Why this works:
It preserves BIMI continuity — mail providers will simply fetch the new certificate.
Step 5: Monitor propagation and logo rendering
Propagation usually takes a few hours, sometimes up to 48 hours depending on TTL settings.
During this window:
- Gmail will fetch the new certificate
- Yahoo and Apple Mail will validate the chain
- Your logo should continue to display without interruptions
Use BIMI testing tools to confirm:
- DNS resolves correctly
- DMARC alignment remains compliant
- The VMC file is accessible and properly formatted
If configured correctly, there will be no gap or blackout in your BIMI visibility.
4️⃣ Common migration pitfalls (avoid these at all costs)
❌ Removing the CMC record too early
This is the most common mistake. Never delete the BIMI TXT record during migration — overwrite it only once the VMC is ready.
❌ Changing the logo at the same time
Two simultaneous changes can cause mailbox providers to temporarily reject your BIMI deployment.
❌ Hosting the certificate on a new domain
Always use your primary, authenticated domain. Certificate mismatch = BIMI failure.
❌ Updating DMARC or DKIM during migration
Keep your authentication stable.
Any unrelated changes increase the risk of BIMI breakage.
❌ Incorrect MIME or SVG format
If the SVG fails validation, the certificate is ignored — even if the certificate itself is perfectly valid.
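The Step 4 rule (change only a=) and the pitfalls listed above can be checked mechanically before the DNS update is published. The Python sketch below is an added example, not Bimimi.io's tooling: the function names, the DMARC record and the failing record are constructed for illustration, and the same-domain check encodes this article's hosting advice.

```python
from urllib.parse import urlparse

# OLD and NEW are the records from Step 4; DMARC and BAD_NEW are constructed samples.
OLD = "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/your-cmc.pem;"
NEW = "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/your-vmc.pem;"
DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
BAD_NEW = "v=BIMI1; l=https://yourdomain.com/logo-v2.svg; a=https://cdn.example.net/your-vmc.pem;"


def parse_tags(txt):
    """Split a 'tag=value; tag=value;' TXT record (BIMI or DMARC) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def preflight(domain, old_bimi, new_bimi, dmarc):
    """Return a list of problems; an empty list means only a= changes."""
    old, new, policy = parse_tags(old_bimi), parse_tags(new_bimi), parse_tags(dmarc)
    problems = []
    if new.get("v") != "BIMI1":
        problems.append("v= must be BIMI1")
    if old.get("l") != new.get("l"):
        problems.append("l= (logo URL) changed together with the certificate")
    if old.get("a") == new.get("a"):
        problems.append("a= still points at the old certificate")
    for tag in ("l", "a"):
        url = urlparse(new.get(tag, ""))
        if url.scheme != "https":
            problems.append(f"{tag}= is not an HTTPS URL")
        host = url.hostname or ""
        # Article's advice: keep assets on the primary, authenticated domain.
        if host != domain and not host.endswith("." + domain):
            problems.append(f"{tag}= is hosted outside {domain}")
    if policy.get("p") not in ("quarantine", "reject"):
        problems.append("DMARC policy is not quarantine or reject")
    return problems


if __name__ == "__main__":
    for label, record in (("planned", NEW), ("risky", BAD_NEW)):
        print(label, preflight("yourdomain.com", OLD, record, DMARC) or "OK: only a= changes")
```

Feed it the TXT values you actually publish (for example, copied from your DNS console) in place of the constants before making the change.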
5️⃣ When to upgrade: strategic timing for brands
A CMC → VMC upgrade makes sense when:
- Your trademark is finally registered
- You want Gmail’s blue checkmark for corporate trust
- Your marketing team pushes for stronger brand credibility
- You expand internationally or into regulated sectors
- You’ve observed BIMI performing well and want the “premium tier”
Most brands start with a CMC and upgrade within 6–18 months once they formalise their IP strategy.
6️⃣ How Bimimi.io ensures a flawless migration
At Bimimi.io, we handle both sides of the BIMI lifecycle:
For CMC → VMC migration, we take care of:
- Trademark verification
- VMC request and CA coordination (DigiCert)
- Certificate hosting
- DNS update with zero downtime
- Post-migration rendering checks across Gmail, Yahoo, Apple Mail
- Automatic fallback options in case of provider caching issues
Our method ensures that your verified logo never disappears — even for a minute.
Because in email marketing, continuity = credibility.
Conclusion: Upgrading is simple — when done correctly
A CMC is a great first step.
A VMC is the future-proof version of your brand identity in inboxes.
Migrating from one to the other doesn’t need to be risky — as long as you respect the authentication chain, update the right field, and maintain continuity.
If BIMI is your trust signal, then upgrading your certificate is how you elevate that trust.
🔗 Upgrade your brand’s BIMI experience today at bimimi.io


