Trust is the foundation of successful consumer-brand relationships. However, in 2022 alone Australians lost over $24,000,000 to phishing scams, with over 74,000 reports made to the ACCC’s ‘Scamwatch’.1 So, at a time where cybercriminals appear to be more opportunistic and sophisticated than ever before, how can businesses ensure that their consumer base continue to trust and remain engaged with marketing and promotional materials sent via email?
Enter – the Verified Mark Certificate.
Verified Mark Certificates
Verified Mark Certificates provide a mechanism to allow digitally authenticated trade marks to appear alongside email messages.
To understand Verified Mark Certificates, we need to briefly discuss Brand Indicators for Message Identification (BIMI) and domain name servers (DNS).
You may be aware that email applications such as Gmail, Apple and Yahoo Mail enable senders to display BIMI against authenticated email messages. See our example below:
For BIMI to appear in user inboxes, an email provider looks to a sender’s DNS. DNS include information about who is sending the email, where the email is being sent from, and whether a sender is compliant with email security standards (known as Domain-based Message Authentication, Reporting and Conformance or DMARC).
Previously, if a sender wished to utilise BIMI in their email messages, their DNS for that email address would also include a URL to the logo they wished to use and instructions to email applications to include this logo alongside outgoing email messages. Provided the sender was compliant with DMARC, the email application would then display the BIMI on incoming messages.
However, many email applications now also require the presence of a Verified Mark Certificate in DNS to install BIMI.
So, what is a Verified Mark Certificate?
As our title suggests, a Verified Mark Certificate is a digital certificate that provides an email sender with the equivalent of Twitter’s ‘blue tick’ for emails, verifying that the sender is the true owner of the logo that appears alongside their email (ie as the BIMI). This aims to increase consumer confidence in the origin and content of emails, distinguishing reputable traders from scammers or malicious actors engaging in phishing. A Verified Mark Certificate is currently the highest level of email authentication an organisation can implement in its email marketing.
Sounds great. How can I get my hands on a Verified Mark Certificate?
- Own a registered trade mark
Of course, to be able to be verified as the true owner of a logo, you need to be the true owner of that logo. At this stage, Verified Mark Certificates are offered by a limited number of certificate authorities who require a prospective purchaser to hold a registered trade mark (domestic or international) to evidence logo ownership. The trade mark must depict the precise logo that you intend to use as the BIMI. Entities wishing to utilise an unregistered brand as their BIMI will therefore need to take steps to register this with IP Australia/an equivalent international intellectual property office before applying for a Verified Mark Certificate.
- Create a .SVG version of your logo
Certificate authorities require a Scalable Vector Graphic (.SVG) version of a logo to process Verified Mark Certificate requests. As above, this version must reflect the precise logo constituting your registered trade mark (however, trade marks registered in black and white should be accepted in respect of coloured .SVG files).
- Determine the scope of your certificate
A Verified Mark Certificate can be ordered to cover multiple domain names. However, multiple logos cannot be covered by one Verified Mark Certificate. Businesses wishing to utilise different logos as BIMI will therefore need to purchase multiple Verified Mark Certificates.
- Ensure organisation / entity details are up to date
The precise process of verification may differ depending on the certificate authority used. Nonetheless, certificate authorities will not rely on self-reported information to complete the verification of your logo, instead utilising information listed with your local registering authority (for Australian businesses, this will likely be ASIC), and reputable third-party business directories. To this extent, businesses should ensure that their details are up to date on these platforms, and that their precise legal name, physical address and an accessible email is used when processing the certificate order to ensure a smooth authorisation process.
- Configure your website and domain name
Upon grant of a Verified Mark Certificate, the certificate authority will issue a ‘Privacy Enhanced Mail’ (PEM) file which corresponds with the .SVG file supplied. Both the .SVG and PEM files need to then be placed on a publicly accessible server, and a specific record added to the domain name’s DNS settings to point to those files.
Upon receipt of an email, email applications which use the BIMI standard will then check the DNS settings for the domain name of the sender, retrieve the .SVG logo, validate this against the PEM certificate, and display the logo alongside the message (potentially along with a message such as ‘Digitally Certified’).
How can we help?
HWLE has broad experience with trade mark and domain name matters and can assist your business in ordering its Verified Mark Certificate. Interested in taking your email marketing to the next level? Contact our Intellectual Property team today.
This article was written by Annabel Bramley, Solicitor, and reviewed by Luke Dale, Partner, and Daniel Kiley, Partner.