Introduction
A few months ago Google started implementing higher email security standards for Gmail users, including the mandatory implementation of a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy. Now, Google has taken another step to make email safer for users by making BIMI (Brand Indicators for Message Identification) more accessible for all with CMC (Common Mark Certificates).
By supporting CMC, Google is enabling organisations of all sizes with a DAMRC policy to implement BIMI and add their brand logo to their emails without needing to go through the expensive and time-consuming process of registering a trademark. The only requirement to obtain a CMC is that an organisation can prove that a specific logo has been in use by them for at least 12 months (on their website, for example). Previously, to enable BIMI, Google required that you obtained a VMC (Verified Mark Certificate) for your trademarked logo - a process only organisations of a certain size can afford.
The big question for organisations using Google Workspace now is whether to obtain a CMC or a VMC. In this article, we briefly review the pros and cons of each.
CMC vs. VMC: What to choose
Whether to choose a CMC or a VMC is mostly a question of size, resources, and industry. If you’re a smaller organisation with limited budget, a CMC is a wiser first choice that provides nearly all of the same benefits as a VMC except for the blue verified checkmark next to the sender name. This blue checkmark acts as an additional layer of identity verification in Gmail by indicating that a sender has adopted BIMI with VMC - the ultimate combo.
Aside from the blue checkmark, both CMC and VMC allow organisations to use their brand logo as their avatar in email communication, making it easier for recipients to verify that a message is official and actually comes from them.
The blue checkmark is a plus that organisations working within online security, handling private data, or managing key societal processes/infrastructure should still consider as it indicates the more advanced commitment to security that these organisations need.
Overall, the pros and cons of CMC vs. VMC boil down to the following:
For organisations of different sizes, these are our recommended next steps:
For Small Organisations (< 50 employees)
-
Implement DMARC policy if not already in place
-
Document 12+ months of consistent logo usage
-
Apply for a CMC to enable BIMI
-
Consider upgrading to VMC only if operating in security-sensitive sectors
For Medium Organisations (50-250 employees)
-
Assess current trademark status and security requirements
-
If no trademark exists:
-
Begin with CMC implementation
-
Consider trademark registration as a parallel process
-
-
If trademark exists:
-
Evaluate budget for VMC implementation
-
Consider industry-specific security needs
-
For Large Organisations (250+ employees)
-
Proceed directly with VMC implementation if trademark exists
-
If no trademark exists:
-
Implement CMC as an interim solution
-
Initiate trademark registration process
-
Plan for VMC upgrade within 12 months
-
Conclusion
Google's introduction of CMC represents a significant democratisation of email security and brand verification. By making BIMI more accessible to organisations of all sizes, Google has effectively lowered the barrier of entry for enhanced email security while maintaining high standards through DMARC policy requirements.
We are likely to soon see other major email providers follow in Google’s steps, turning CMC into a basic industry standard. For organisations of all sizes, whether they have a trademark or not, obtaining a CMC will be key to stand out in crowded inboxes and enhance brand trust.
Is your organisation ready for BIMI?
Find out with our free BIMI test and discover what you need to do to initiate the process of obtaining a CMC or a VMC:
