Why is Apple distrusting Entrust CA and VMCs, and what are the alternatives?
Summary
What email marketers say (9 marketer opinions)
Email marketer from BIMI Group explains that BIMI (Brand Indicators for Message Identification) requires a VMC to display a brand's logo in supporting email clients and enhances email security and trust.
Email marketer from Comodo explains the importance of BIMI with a VMC: it provides an extra level of security, allows email recipients to easily identify authenticated messages, and helps increase brand trust.
Email marketer from Word to the Wise recommends DigiCert as an alternative to Entrust for BIMI certificates due to concerns about Entrust's practices.
Email marketer from EmailToolTester outlines the steps for implementing BIMI, including obtaining a VMC, publishing a DNS record, and ensuring email authentication protocols (SPF, DKIM, DMARC) are correctly configured.
Email marketer from StackExchange explains that certificates can be revoked due to compromise, mis-issuance, or changes in the CA's trust policy, leading to distrust by browsers and operating systems.
Marketer from Email Geeks explains that Apple's policy likely relates to the Entrust "distrust" CA issue and, unlike Google's, includes VMCs.
Email marketer from Reddit explains that CAs can be distrusted due to security breaches, non-compliance with industry standards, or policy changes by operating systems like Apple's iOS.
Email marketer from Sectigo highlights that VMCs help increase brand recognition, improve email engagement, and reduce the risk of phishing attacks by visually verifying the sender's identity.
Email marketer from LinkedIn recommends researching alternative VMC providers like DigiCert and Keyfactor and ensuring compatibility with BIMI requirements when switching from Entrust.
What the experts say (6 expert opinions)
Expert from Email Geeks states that if you’re using Entrust for _anything_ it’s long past time to have a migration plan, as they’re a cowboy outfit.
Expert from Word to the Wise explains that Apple distrusting Entrust CAs and VMCs may stem from various issues, and recommends considering alternatives like DigiCert due to their reliability and compliance.
Expert from Email Geeks shares a link to a relevant article: <https://wordtothewise.com/2024/07/if-youre-using-entrust-for-your-bimi-vmc/>
Expert from Email Geeks shares a link to a blog post about stopping the use of Entrust for BIMI certificates: <https://wordtothewise.com/2024/12/stop-using-entrust-for-your-bimi-certificates/>
Expert from Email Geeks clarifies that if an existing certificate was issued before November 15th it’ll be OK until it expires, so it’s not a crash emergency thing. Suggests switching to DigiCert as soon as is convenient.
Expert from Word to the Wise strongly suggests moving away from Entrust for VMCs and BIMI. He advises those who have already purchased certs from Entrust to get a DigiCert one.
What the documentation says (6 technical articles)
Documentation from GlobalSign describes the role of digital certificates in establishing trust and security in online communications and transactions, emphasizing the importance of trusted CAs.
Documentation from LearnDMARC explains that for BIMI you have to declare the location of your SVG logo file as a DNS TXT record, and that you should check this DNS record with an online checker to ensure it is valid.
Documentation from Mozilla explains the process of adding and removing trusted root certificates in Firefox and other Mozilla products, highlighting the importance of CA trust for secure web browsing.
Documentation from Entrust answers the question of what a Certification Authority (CA) is. It also explains that they are trusted third parties that issue digital certificates used to verify the identity of websites and other online entities.
Documentation from Apple Support explains that Apple devices come preconfigured with trusted root certificates that are used to verify the identities of servers, but that certificates can also be distrusted.
Documentation from DigiCert defines Verified Mark Certificates (VMCs) as digital certificates that verify the authenticity of a brand's logo, allowing it to be displayed in email inboxes that support BIMI.