Back to blog
Threat Intel
Phishing Forensics

The VMC Waiting Game: Deploy BIMI Before Your Certificate Arrives

A phased BIMI deployment is not just possible—it's the smart operational play. Here's how to publish your record while waiting for the VMC.

MailSleuth Research
Email Security Team
July 15, 20267 min read
An illustration of a nearly complete blueprint for a bridge, with a crane lowering the final, glowing piece shaped like

Your marketing team just sent you the final, pixel-perfect SVG of your company logo. Excitement is high. The goal: get that logo appearing in customer inboxes using BIMI. But then reality hits. The Verified Mark Certificate (VMC) process, with its trademark validations and Certificate Authority (CA) back-and-forth, is a marathon, not a sprint. It can take weeks, sometimes months.

This creates a classic operational dilemma. Do you hold off on touching DNS until the VMC is finally in your hands? Or is there a way to get ahead, to stage the technical components so you're ready to launch the moment the certificate is issued?

The answer is yes. You can, and should, publish a partial BIMI record while you wait. It's a safe, effective strategy that front-loads the technical work. But doing it correctly requires understanding how mailbox providers interpret an incomplete record.

The VMC Timeline Isn't Your Timeline

Before you can even apply for a VMC, you have to get your house in order. This isn't just a technical checklist; it's a bureaucratic one. First, your logo must be a registered trademark with a recognized intellectual property office. If it's not, you're stopped before you even start. This step alone can take over a year if the trademark isn't already secured.

Once the trademark is confirmed, you need to create a specific version of your logo in the SVG Tiny Portable/Secure (P/S) format. This isn't your standard web SVG; it has strict limitations. Then comes the VMC application itself, where a CA like DigiCert or Entrust verifies your trademark rights and organizational identity. This validation process is thorough and deliberate. It's designed to prevent impersonation, which means it isn't fast.

The operational stake here is significant. You cannot rush the CA. You cannot rush the trademark office. While these external dependencies churn, your engineering and security teams can either sit idle or prepare the groundwork. Staging your BIMI record is choosing the latter.

Playbook: Publishing a Phased BIMI Record

The core of the BIMI standard, as defined by the IETF's working group, is a simple TXT record in DNS. A complete record has three tags: `v` for version, `l` for the logo URL, and `a` for the authority (the VMC). The key to a phased deployment is publishing the record *without* the `a` tag.

The Initial DNS Record

While the CA validation process is underway, you can publish a TXT record at the `default._bimi` selector for your domain. This record will contain only the version and logo location tags. You'll host your compliant SVG file at a publicly accessible HTTPS endpoint, but you won't yet have the VMC to link.

default._bimi.example.com. IN TXT "v=BIMI1; l=https://media.example.com/logo.svg;"

This is a syntactically valid record. A mailbox provider parsing this will see that you've declared your intent to use BIMI and have specified a logo. It's just missing the certificate that proves you have the right to use that logo for that domain. It's an incomplete instruction, not a failed one.

Prerequisites Still Apply

Remember, publishing this record doesn't bypass any of BIMI's other requirements. Your domain must still have a DMARC (RFC 7489) policy of `p=quarantine` or `p=reject` with a `pct=100` tag. SPF (RFC 7208) and DKIM (RFC 6376) must be aligned and passing. Putting a partial BIMI record in place is useless if your underlying DMARC posture is non-compliant. This is your chance to double-check that your authentication is solid, especially for messages that might be forwarded or modified by mailing lists, which can break SPF and require ARC (RFC 8617) to repair the chain of trust.

How Receivers Read a Record Without the VMC

What happens when Google, Yahoo, or Apple's mail servers fetch your partial BIMI record? The fear is that it might cause delivery problems or generate some kind of failure. This fear is unfounded.

Mailbox providers will perform a DNS lookup for `default._bimi.yourdomain.com`. They'll parse the record and see `v=BIMI1` and a valid `l` tag pointing to your SVG. They will likely fetch the SVG to validate its format. Then, they will look for the `a` tag. When they don't find it, the process simply stops there. No logo is displayed. The email is delivered as it normally would be, and the `Authentication-Results` header will likely show a neutral result for BIMI, like `bimi=temperror (no certificate found)` or simply omit a BIMI result altogether.

This is not a hard failure. It's not a `softfail` or a `permerror` that could negatively impact reputation. It's a graceful fallback. The system is designed to be resilient. An absent `a` tag is interpreted as 'the sender has not provided a VMC,' not 'the sender has provided an invalid one.' This distinction is critical. You are signaling intent without making a verifiable claim, which is perfectly safe.

The Update: Adding the 'a' Tag After Issuance

The day has come. The CA has completed its validation, and you've received your VMC. It will typically be delivered as a PEM file, which is a Base64 encoded certificate. Now it's time to complete your BIMI deployment.

Hosting the Certificate

Just like your SVG logo, the VMC file must be hosted at a public HTTPS URL. Place the PEM file on your web server or CDN. There's no special server configuration required, but you must ensure the URL is stable and publicly accessible. Check your TLS settings and make sure there are no redirects.

Updating the DNS Record

With the VMC hosted, you can now update your BIMI TXT record. You'll add the `a` tag pointing to the URL of your PEM file. The final record will look like this:

default._bimi.example.com. IN TXT "v=BIMI1; l=https://media.example.com/logo.svg; a=https://media.example.com/vmc.pem;"

Pay attention to your DNS record's Time To Live (TTL). If you set a high TTL on the initial partial record, you'll have to wait longer for the update to propagate across the internet's recursive DNS resolvers. A lower TTL (like 300-600 seconds) is advisable when you know a change is imminent.

Verifying Each Stage of the Deployment

Don't just publish and pray. Verification is a non-negotiable step, both for the initial phased record and the final complete one. Use a public BIMI checker tool to validate your work from an external perspective.

Stage 1: Validating the Partial Record

Before the VMC arrives, you can still verify several key components. Confirm your DMARC policy is at enforcement. Check that the BIMI record itself is syntactically correct. Most importantly, validate your SVG file. Tools can confirm it adheres to the SVG P/S profile, doesn't contain scripts or external references, and meets the specific file structure requirements. A malformed SVG is a common point of failure.

Stage 2: Validating the Full Record

Once you've added the `a` tag, run the validation again. This time, the tool will perform the full check. It will fetch the DNS record, the SVG logo, and the VMC. It will then check that the VMC is valid, not expired, and correctly corresponds to the domain and the logo. If all checks pass, you're ready. The next time a supporting mailbox provider processes an email from your domain, it should successfully fetch all the components and display your logo.

It's a Process, Not an Event

Thinking of BIMI deployment as a single event—a switch you flip—is a recipe for frustration. The dependencies on legal (trademarks) and third-party CAs make it inherently a multi-stage process. Embracing a phased deployment acknowledges this reality.

By publishing a partial record early, you get ahead of the technical work. You can verify your DMARC posture, SVG format, and DNS syntax in parallel with the VMC procurement. This separates the tasks you control from the tasks you don't. When the certificate finally lands in your inbox, you aren't starting from scratch. You're executing the final, simple step of a well-planned deployment.

The takeaway

Stop waiting. The chicken-and-egg problem of the VMC is solved by realizing you can, and should, ship the chicken first. Publishing a BIMI record with just the `v` and `l` tags is a safe, forward-thinking move that transforms a long waiting period into a productive preparation phase. It allows you to confirm that your foundational email authentication, governed by DMARC, is absolutely locked in before you even attempt the final step.

This phased approach separates concerns, reduces pressure on deployment day, and ultimately gets your logo in front of customers faster. Once deployed, consistent monitoring of DMARC and BIMI results in your `Authentication-Results` headers, which platforms like MailSleuth.AI can help parse and alert on, ensures the value you worked for is actually being delivered.

#bimi#vmc#dmarc#email-authentication#dns
MailSleuth Research
Email Security Team

We dissect phishing campaigns and email infrastructure so you don't have to.