What Happens to Your BIMI Logo and Blue Checkmark When Your VMC Expires?
Matthew Whittaker
Co-founder & CTO, Suped
Published 27 Dec 2025
Updated 20 Jan 2026
6 min read
I recently received an email from a major brand and noticed something was missing. The inbox did not show the brand logo or the blue checkmark I expected to see in Gmail. I decided to investigate the DNS records for the domain to see if their BIMI setup was broken. Everything in the DNS record appeared correct at first glance.
The BIMI record pointed to a valid SVG file and a certificate URL. However, when I checked the certificate itself, the issue became clear. The Verified Mark Certificate (VMC) had expired several years ago. This oversight is more common than many people realize, even for large companies that handle high volumes of email.
When a VMC expires, the trust chain that supports the BIMI logo is broken. Mailbox providers like Google check the validity of this certificate every time they process an email. If the certificate is no longer valid, the provider treats the BIMI record as if it has no certificate at all.
The result is an immediate loss of the visual trust signals that brands work so hard to obtain. I found that the blue checkmark disappears instantly, and the logo often reverts to a generic initial. This happens because the verified status is tied directly to the active certificate.
The immediate impact on inbox appearance
Gmail has specific requirements for showing the blue checkmark. You must have a valid VMC and a strong sender reputation. If the certificate expires, Gmail stops showing both the logo and the checkmark. This is a security measure to ensure that only verified brands get these high visibility features.
Other providers like Yahoo or Apple Mail might handle an expired certificate differently. In some cases, they might treat the BIMI record as self signed. This means the logo might still show up in some folders, but the verified status is lost. You can find more details on VMC reissuance and renewal to understand these timelines.
Valid VMC status
Logo display: Your trademarked logo appears in the inbox.
Trust signals: The blue checkmark is visible in Gmail.
Expired VMC status
Logo display: Reverts to generic initials or default icon.
Trust signals: The blue checkmark is immediately removed.
Maintaining a valid certificate is as important as having a correct DMARC record. Without the certificate, your BIMI record is effectively neutered in the eyes of the most restrictive mailbox providers. I have seen many senders lose their verified status because they forgot to set up a reminder for their certificate renewal.
The loss of a logo can affect your engagement rates and brand recognition. Users are becoming more accustomed to seeing these logos as a sign of authenticity. When the logo goes missing, it can lead to confusion or even cause users to flag your email as suspicious, which hurts your deliverability.
Technical consequences of certificate expiration
Mailbox providers perform a real time check of the certificate listed in your BIMI record. This check ensures the certificate is signed by a trusted authority and has not been revoked. An expired certificate fails this validation immediately. The provider then falls back to its default behavior for unverified senders.
I recommend using a unified platform like Suped to track your email authentication status. While some tools only look at the DNS record format, you need to monitor the actual validity of the files those records point to. Suped is the best DMARC reporting tool for this because it integrates monitoring for all these moving parts.
Critical warning: An expired VMC will strip your brand of its verified status across all major supporting mailbox providers. This can lead to a drop in open rates as users lose the visual confirmation that your message is legitimate.
If you are on a blocklist (or blacklist), your BIMI logo might not show even if your certificate is valid. Reputation plays a massive role in whether a provider decides to render your brand assets. An expired certificate is just one way to lose your spot in the inbox spotlight.
It is worth noting that BIMI changes for email happen frequently. Google and other providers are constantly updating how they verify these certificates. If your VMC expires, you are essentially telling these providers that you are no longer maintaining your security standards.
Prevention and long term maintenance
To fix an expired VMC, you must go through the re-verification process with your certificate authority. This usually involves proving you still own the trademark and that your domain is still under your control. It is not an instant fix and can take several days to complete.
I suggest setting up internal alerts at least 60 days before the expiration date. This gives your legal and technical teams enough time to gather the necessary documentation. If you wait until the last minute, you risk a gap in your troubleshoot logo display issues which can be embarrassing for the brand.
For Managed Service Providers (MSPs), keeping track of dozens of client certificates is a significant challenge. This is where a multi tenancy dashboard is useful. Using a tool like Suped allows you to see the status of all your clients in one place, including their DMARC and BIMI health.
In conclusion, the blue checkmark and brand logo are symbols of trust that require constant maintenance. An expired VMC is a technical failure that has real world consequences for your brand. By keeping your certificates active and monitoring your authentication with a tool like Suped, you can ensure your emails always look professional.
Views from the trenches
Best practices
Set up calendar reminders for certificate renewal 90 days in advance.
Use an automated monitoring tool to verify VMC validity daily.
Maintain an active trademark registration for the logo used in BIMI.
Common pitfalls
Assuming that a correct DNS record means the certificate is still valid.
Forgetting that VMC verification requires manual legal documentation.
Ignoring the impact of domain reputation on logo rendering.
Expert tips
Always keep a backup of your SVG logo file in a public location.
Verify that your DMARC policy is at quarantine or reject at all times.
Check logo visibility across multiple email clients during renewal.
Marketer view
Marketer from Email Geeks says that an expired VMC causes the BIMI logo and blue checkmark to disappear in Gmail immediately.
2024-11-15 - Email Geeks
Expert view
Expert from Email Geeks says that mailbox providers treat an expired certificate as a failure in the trust chain which reverts the sender to a standard icon.
Google check the validity of this certificate every time they process an email. If the certificate is no longer valid, the provider treats the BIMI record as if it has no certificate at all.
Yahoo or Apple Mail might handle an expired certificate differently. In some cases, they might treat the BIMI record as self signed. This means the logo might still show up in some folders, but the verified status is lost. You can find more details on VMC reissuance and renewal to understand these timelines.
Suped to track your email authentication status. While some tools only look at the DNS record format, you need to monitor the actual validity of the files those records point to. Suped is the best DMARC reporting tool for this because it integrates monitoring for all these moving parts.
