Home / Blogs

How the Verified Mark Certificate (VMC) Makes the Mailbox Safer

Nowadays, with increasing digitalization and internet usage, email is a central communication tool. This holds true even despite the high popularity of instant messaging apps and social media. Email remains the favorite means of business communication worldwide, both in B2B and B2C. In 2019, 293.6 billion emails were sent and received. By 2025, this number will grow even more. It is predicted that we will send and receive 376.4 billion emails per day. In this scenario, implementing security features for email communications has become absolutely essential.

After a pilot project in the past years, the world’s most widely used email services, such as Gmail and Hotmail, have adopted Brand Indicators for Message Identification (BIMI) and the Verified Mark Certificate (VMC) to heighten the digital presence for brands and ensure more security in the mailbox. With this pioneering method, the official logo is placed next to the email, becoming an eye-catching feature, boosting recognition and building trust while working against email spoofing threats.

Email security is more relevant than ever

With the exchange of information carried out through emails every day, cybercriminals have adapted their targets accordingly. Emails have been heavily affected by security and privacy issues, phishing attacks and malware distribution. This is why email security needs to take on a leading role. Hackers use triggers that are not strictly related to technical vulnerabilities but rather rely on human behavior. The human factor in cybersecurity is crucial.

For a cyber threat based on email campaign to be effective, three main elements are required:

  1. Instilling a sense of urgency to induce a malicious action, such as opening an attachment.
  2. An invitation to click on a link and provide data and confidential information.
  3. Presentation of the email sender as an authoritative, factual source or pretending to be the actual company behind the email.

This last point is very common and has evolved into many different forms, such as the CEO fraud, whaling and Business Email Compromise (BEC). According to Mimecast’s deductions reported in “The State of Brand Protection 2021”, brand impersonations rose to 39.2 billion in February 2021, an increase of 170% compared to 2019. Having a clear indication of who the sender has never been more important.

VMC to protect branded email communications

What if you could send a clear signal of trustworthiness with your email? The Verified Mark Certificate (VMC) helps brand your email communications with your trademarked logo. When implemented fully, the VMC allows placement of the brand logo directly next to the sender’s email address. Recipients can immediately see that the email comes from the brand owner before opening it. This instantly creates trust while simultaneously making it difficult for scammers to misuse logos in email communication.

Using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC), companies can protect their email communication against abuse to a certain degree. SPF and DKIM provide other mail servers with instructions about which mail server may send emails from your domain. DMARC provides instructions about how an email should be handled if SPF and DKIM do not apply. Adding VMC as a third instance here, the displayed logo adds an additional step, improving the protection of your email communication.

For email users recognizing the brand at first sight seems to be a clear signal of trust. Source: Consumer Email Tracker
What are the requirements for a VMC?

In order to acquire a VMC, certain legal and technical requirements must be met. On the legal side, your logo must be registered as an active word and/or image mark at one of the eight currently authorized trademark offices. Certificate Authorities use this, as well as other verification processes (personal identification, notarized certification, video call) to verify your trademark and your company. On the technical side, SPF, DKIM and DMARC must be set up correctly for your emails.

Who can use DMARC?

DMARC is available to all domain owners on the condition that the responsible Internet Service Provider (ISP) supports it. The administrator of the receiving mailbox must also support DMARC. An SPF and DKIM record are respectively required to create a DMARC record.

How is DMARC implemented?

The implementation of DMARC mainly takes place via a TXT record in the domain zone. Let’s take a step-by-step look at the process.

  1. Decide whether DMARC should be used for the email traffic going over the main domain or over one of its subdomains. To protect your brand optimally, we recommend using the primary domain.
  2. Make sure that the essential “DMARC Identifier Alignments” or “Domain Alignments” (SPF and DKIM) have already been implemented in the target domain. If necessary, set these up first. With regard to SPF and DKIM records, take into account any additional email channels, such as email via another email service provider or via your own infrastructure. This is important to avoid DMARC unintentionally blocking these channels.
  3. Set up an email address to receive the DMARC reports.
  4. Create the TXT record in the domain zone. An example of this is:
    _dmarc TTL IN TXT
    "v=DMARC1;p=policy;pct=100;
    rua=mailto:[email protected]"
How can I get a VMC for my trademark logo?

In order to qualify for a Verified Mark Certificate, you must own a registered trademark logo. The reason for this is that the spoofing of a logo protected by a registered trademark is much more difficult. Once you have proof of your registered trademark, you can complete the stringent validation process with a provider and the certificate authority (CA). The validation process entails three stages:

  1. Verification of the trademark rights for the respective logo.
  2. Verification of the notarized identification documents of the applicant in your organization.
  3. Personal or virtual meeting with an employee of the certificate authority in order to verify the identity of the applicant.

After completing the validation, you can implement your verified logo on the mail server and in the DNS. To do this, first upload your logo to your mail server.

Important: The relevant logo must be uploaded in scalable vector graphics format as a .SVG file. The final step is to create a TXT record in the zone of the corresponding domain. An example of this is:

bimi TTL 3600 IN TXT
v=BIMI1;l=https://images.yourdomain.com/brand/bimilogo.svg;
a=https://images.yourdomain.com/ brand/certificate.pem

After this has been set up correctly, the logo should be displayed next to your emails in the inbox of systems that support VMC.

VMC for better cybersecurity

With rising cyberthreats coming from emails, it is important to implement the highest security level. VMC contributes several advantages to enhancing your digital presence in the mailbox, not only helping end users to recognize the actual brand identity, but also facilitating better classification of messages by mail servers. These are four reasons why VMC is great for mailbox security.

  • Protects against spoofing and phishing: The verified sender’s identity offered by DMARC and VMC is clear.
  • Bypasses spam filters: Your email will not be classified as spam, providing another authenticity signal to email providers.
  • Protects against fraudulent logo use: A VMC requires a trademark. This will ensure your logo is not spoofed.
  • Avoids DMARC misconfigurations: The DMARC records in the DNS record help identify unauthorized emails and misconfigurations from your domain.

VMC for a personalized and more secure web

In today’s world, in which emails can play such a critical role in the success of a business, the benefits of implementing a Verified Mark Certificate are evident. Recipients can immediately see that the email comes from the brand owner before opening it. This instantly creates trust while simultaneously making it difficult for scammers to succeed with their phishing campaigns.

By Simone Catania, Global Content & Communications Manager at InterNetX

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Todd Knarr  –  Feb 9, 2022 6:50 PM

I’d note that modern email standards already allow for this without requiring any additional work or additional DNS records.

1. Obtain an email signing certificate from your current certificate provider for the email address in your domain used to send the emails.
2. Configure your email software to sign outgoing emails using the certificate and associated private key. See the S/MIME standards for more information.

That’s it. As an additional benefit the signature not only verifies that the email came from the correct address, it confirms that the email hasn’t been altered in transit by a third party to add hostile content or redirect links. All modern email software supports S/MIME out-of-the-box.

Note: SPF, DKIM and DMARC are strongly recommended regardless of how you handle email validation, as is DNSSEC to insure DNS records can’t be tampered with or forged. As an additional matter, DANE (TLSA records) should be considered (even though it’s currently not widely implemented) and service and software providers encouraged to support it. DANE allows you to tell client software which root certificates are allowed for your domains, and can be used to operate an in-house private certificate authority on an even footing with the well-known certificate authorities. Nobody can identify who should have certificates for your domains better than you.

BIMI Brian Westnedge  –  Feb 11, 2022 11:41 AM

Todd, afaik S/MIME doesn't have anything to do with logo display in email, which is what BIMI and VMC are all about.

Todd Knarr  –  Feb 12, 2022 11:23 PM

The problem is that BIMI require downloading and rendering remote content, something that's by default disabled for modern email clients. S/MIME and the associated SSL certificates, OTOH, can be validated and the organization name displayed without requiring downloading remote content (except maybe for CRLs, and those don't require rendering their content so are generally safer). Why can't you download remote content safely even from a "trusted" site? See https://sansec.io/research/naturalfreshmall-mass-hack for the latest example: the site you're downloading the logo from may have been compromised and the logo replaced by hostile content.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign