Email communication is a critical channel for any business-consumer relationship, but it’s also a prime target for phishing and spoofing attacks. That’s where Common Mark Certificates (CMCs) come in. CMCs allow businesses to display their digitally authenticated brand logo in the sender field of outgoing emails, reassuring their email recipients that the message is legitimate and coming from a trusted source. It’s a simple, effective way to boost both security and brand recognition without the requirement for a registered trade mark.
Combatting email fraud
Phishing and spoofing attacks remain a major threat to Australians, whereby cybercriminals deceive victims into divulging personal information through fraudulent emails or text messages. The National Anti-Scam Centre identified in its April 2024 report that Australians made over 601,000 scam reports compared to the 507,000 in 2022 (an 18.5% increase).¹ Based on data from Scamwatch and the Australian Securities and Investments Commission, the combined losses from online scams reported in 2023 were $2.74 billion.²
To combat such attacks, email service providers (Gmail, Outlook, Apple and Yahoo Mail) support Brand Indicators for Message Identification (BIMI). BIMI is a standard that associates a business’s brand logo with an email authenticated by Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent brand impersonation.
How do common mark certificates work?
CMCs are a newly introduced type of mark certificate that gives businesses access to the benefits of BIMI. A CMC allows your brand logo to be displayed in the sender field of outbound emails, confirming the emails’ DMARC status and your authenticated identity. This not only enhances brand visibility but also helps protect against phishing and spoofing attacks by assuring recipients of the email’s legitimacy.
Common mark certificates vs. Verified mark certificates: The key differences
Both CMCs and VMCs allow your logo to appear in the recipient’s inbox, but there’s one major distinction: VMCs require a registered trade mark. This adds an extra layer of verification, including a blue checkmark in Gmail inboxes. See here for further information on obtaining a VMC.
For businesses that don’t have a trade mark or have an adapted brand logo based on a registered trade mark, CMCs are a more accessible option, offering nearly the same benefits—minus the Gmail checkmark.
Key benefits of CMCs include:
- Increased email trust – Your logo acts as a visual marker of legitimacy, reassuring recipients that the email is from a verified source.
- Enhanced security – By confirming your DMARC status, CMCs help prevent phishing and spoofing attacks.
- Improved brand visibility – Your brand logo becomes more recognisable when it consistently appears alongside your emails, making your communications stand out in crowded inboxes full of generic initials.
What you need to qualify for a common mark certificate
Securing a CMC is straightforward; however, a few conditions must be met:
- DMARC compliance – Your domain must be configured to enforce DMARC. This ensures that emails are properly authenticated, reducing the risk of spoofing and phishing attacks.
- Logo usage – Your brand’s logo is required to have been in public use for at least one year on a domain controlled by your business, or it must be an acceptable modification of an existing registered trade mark.
- SVG-P/S file format – The logo file you use must be in SVG (Scalable Vector Graphics) format and adhere to the SVG-P/S profile. This profile ensures the logo displays correctly in the email recipient inbox.
- Validation process – Your business will have to obtain an Extended Validation certificate. This is a type of TLS/SSL certificate verifying the certificate holder has undergone an extensive vetting and identification background check. These checks may include:
  - providing notarised copies of personal identity documents;
  - providing evidence that the logo has been in use for at least one year on a domain controlled by your business or is similar to your registered trade mark; and
  - completing an in-person or video call interview.
Configure your DNS records
After obtaining the CMC, you’ll receive a Privacy Enhanced Mail (PEM) file corresponding to your SVG logo. Both the SVG and PEM files must be hosted on a publicly accessible server. Then, add a specific DNS record pointing to these files.
When an email is received, supporting email providers will:
- check your DNS records;
- retrieve the SVG logo;
- validate it against the PEM certificate; and
- display the logo alongside your email in the recipient’s inbox.
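The DNS side of these steps can be checked before a mailbox provider ever looks at it. The following is an added example, not code from this article or from DigiCert: it parses a DMARC record and a BIMI record and lists what would stop the logo from being shown. The record names (`_dmarc`, `default._bimi`) and the `l=`/`a=` tags follow the BIMI draft specification; treating `pct` below 100 as non-enforcing is an assumption, and every domain, URL and record shown is a constructed sample.

```python
# Added example: offline check of DMARC and BIMI TXT record strings.
# All domains, URLs and records below are constructed sample values.

def record_names(domain):
    """DNS names a receiver queries for DMARC and for the default BIMI selector."""
    return (f"_dmarc.{domain}", f"default._bimi.{domain}")

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforced(txt):
    """True if policy is quarantine/reject for domain and subdomains at pct=100.
    The pct=100 threshold is an assumption made for this example."""
    t = parse_tags(txt)
    if t.get("v") != "DMARC1":
        return False
    policy = t.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False
    if t.get("sp", policy).lower() == "none":  # sp defaults to p when absent
        return False
    return t.get("pct", "100") == "100"

def bimi_problems(dmarc_txt, bimi_txt):
    """Return a list of reasons the logo would not be displayed (empty if none)."""
    problems = []
    if not dmarc_enforced(dmarc_txt):
        problems.append("DMARC policy is not at enforcement")
    b = parse_tags(bimi_txt)
    if b.get("v") != "BIMI1":
        problems.append("record does not declare v=BIMI1")
    for tag, label in (("l", "SVG logo"), ("a", "PEM certificate")):
        if not b.get(tag, "").lower().startswith("https://"):
            problems.append(f"{label} URL ({tag}=) is missing or not HTTPS")
    return problems

GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/cmc.pem"
BAD_BIMI = "v=BIMI1; l=http://example.com/brand/logo.svg; a="
```

This checks the published records only; it does not fetch the SVG or validate it against the certificate, which the mailbox provider does itself.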
Getting started with common mark certificates
If you’re a DigiCert user, Common Mark Certificates are now available for purchase through your CertCentral account. Simply navigate to the Mark Certificates category and request a certificate. If the option isn’t available, it may be because your account type doesn’t yet support the product, or it needs to be enabled by an account administrator.
Why choose common mark certificates?
Building trust with your customers is more important than ever in an increasingly competitive digital landscape. CMCs not only protect your emails from cybercriminals but also reinforce your brand’s presence in customer inboxes. It’s a cost-effective solution for businesses that want to improve their email security and visibility without needing to go through the trade mark registration process.
How can we help?
HWLE has broad commercial experience assisting brands in obtaining verification certificates for trade marks and domain names. If your business is seeking to obtain a common mark certificate, please contact our Intellectual Property team.
This article was written by Luke Dale, Partner and Christopher Power, Law Graduate.
¹ Targeting scams: report of the ACCC on scams activity 2023 (scamwatch.gov.au)
² Ibid.