Why is Apple distrusting Entrust CA and VMCs, and what are the alternatives?

Summary

Apple has distrusted Entrust's CA roots, and, unlike Google, its distrust also covers the Entrust roots that issue Verified Mark Certificates (VMCs), so Entrust VMCs issued after November 15th are not trusted by Apple Mail. The sources here attribute the move to concerns about Entrust's compliance and practices rather than to any one certificate. Certificates issued before that date remain trusted until they expire, so this is a planned migration rather than an emergency, but experts advise switching to another VMC issuer such as DigiCert as soon as convenient, and anyone using Entrust for anything else should already have a migration plan. A BIMI deployment still depends on a correctly published DNS record pointing at the SVG logo and the VMC, and on an enforcing DMARC policy on top of SPF and DKIM; once in place, it lets recipients see an authenticated brand logo, which helps them tell genuine mail from phishing.

Key findings

  • Entrust Distrust: Apple distrusts Entrust CA roots, and Entrust-issued VMCs with them, following concerns about Entrust's compliance with CA requirements and its practices.
  • VMC Inclusion: Apple's policy includes VMCs, unlike Google's.
  • DigiCert as Alternative: DigiCert is the primary recommended alternative due to reliability.
  • BIMI Significance: BIMI with a VMC displays an authenticated brand logo in supporting mailboxes, which aids brand recognition and makes spoofed mail easier to spot.

Key considerations

  • Migration Planning: Develop a plan to migrate away from Entrust, especially if used for more than just BIMI.
  • BIMI Implementation: Publish the BIMI TXT record at default._bimi.<domain> with the SVG logo location (l=) and the VMC location (a=), and make sure SPF, DKIM and an enforcing DMARC policy (p=quarantine or p=reject) are in place first.
  • Alternative Research: Research and select alternative VMC providers like DigiCert or Keyfactor.
  • Certificate Validation: Check the issuer and issuance date of existing VMCs: Entrust certificates issued before November 15th remain trusted until they expire, later ones are not trusted by Apple at all.

What email marketers say
9 Marketer opinions

Marketers describe Apple's distrust of Entrust CAs, and of the VMCs issued from them, as the result of compliance and policy concerns about Entrust; the certificates themselves are not revoked, but Apple's platforms no longer trust the roots, and unlike Google's action, Apple's covers VMCs. Those affected should move to another VMC issuer such as DigiCert or Keyfactor. A working BIMI deployment needs a correctly published DNS record and an enforcing DMARC policy on top of SPF and DKIM; with a VMC, it shows recipients an authenticated brand logo that supports recognition and trust.

Key opinions

  • Cause of Distrust: Apple distrusts Entrust CA and VMCs due to security breaches, non-compliance, or policy changes.
  • VMC Impact: Apple's policy, unlike Google's, includes VMCs in the distrust.
  • BIMI Importance: BIMI with VMC is essential for brand recognition and enhanced email security.
  • Alternatives: DigiCert and Keyfactor are recommended as alternatives to Entrust.

Key considerations

  • Provider Switch: Research and switch to alternative VMC providers, ensuring compatibility with BIMI.
  • BIMI Implementation: Properly configure DNS records and adhere to SPF, DKIM, and DMARC for BIMI.
  • Security Benefits: Leverage VMCs for increased brand trust and reduced phishing risks.
  • Compliance: Ensure new CAs are fully compliant with security standards.
Marketer view

Email marketer from BIMI Group explains that BIMI (Brand Indicators for Message Identification) requires a VMC to display a brand's logo in supporting email clients and enhances email security and trust.

July 2022 - BIMI Group
Marketer view

Email marketer from Comodo explains the importance of BIMI with VMC and how it provides an extra level of security: it allows email recipients to easily identify authenticated messages and helps provide increased brand trust.

January 2023 - Comodo
Marketer view

Email marketer from Word to the Wise recommends DigiCert as an alternative to Entrust for BIMI certificates due to concerns about Entrust's practices.

June 2021 - Word to the Wise
Marketer view

Email marketer from EmailToolTester outlines the steps for implementing BIMI, including obtaining a VMC, publishing a DNS record, and ensuring email authentication protocols (SPF, DKIM, DMARC) are correctly configured.

August 2024 - EmailToolTester
Marketer view

Email marketer from StackExchange explains that certificates can be revoked due to compromise, mis-issuance, or changes in the CA's trust policy, leading to distrust by browsers and operating systems.

November 2024 - StackExchange
Marketer view

Marketer from Email Geeks explains that Apple's policy likely relates to the Entrust "distrust" CA issue, and that it includes VMCs, unlike Google's.

November 2022 - Email Geeks
Marketer view

Email marketer from Reddit explains that CAs can be distrusted due to security breaches, non-compliance with industry standards, or policy changes by operating systems like Apple's iOS.

December 2024 - Reddit
Marketer view

Email marketer from Sectigo highlights that VMCs help increase brand recognition, improve email engagement, and reduce the risk of phishing attacks by visually verifying the sender's identity.

August 2022 - Sectigo
Marketer view

Email marketer from LinkedIn recommends researching alternative VMC providers like DigiCert and Keyfactor and ensuring compatibility with BIMI requirements when switching from Entrust.

March 2023 - LinkedIn

What the experts say
6 Expert opinions

Experts strongly recommend migrating away from Entrust for VMCs and BIMI in light of Apple's distrust, which they attribute to Entrust's reliability and compliance record. Certificates issued before November 15th remain valid until they expire, so there is no emergency, but switching to DigiCert is advised as soon as convenient.

Key opinions

  • Distrust of Entrust: Apple distrusts Entrust CAs and VMCs, prompting the need for migration.
  • Migration Urgency: Certificates issued before November 15th stay trusted until they expire, so migration is not an emergency, but it is strongly recommended.
  • DigiCert Recommendation: DigiCert is a frequently recommended alternative to Entrust for VMCs and BIMI.

Key considerations

  • Migration Plan: Develop and execute a plan to migrate away from Entrust for all services, not just BIMI.
  • DigiCert Implementation: Consider switching to DigiCert as soon as convenient for BIMI and VMC needs.
  • Certificate Validity: Assess the expiration dates of existing Entrust certificates to prioritize migration efforts.
Expert view

Expert from Email Geeks states that if you’re using Entrust for _anything_ it’s long past time to have a migration plan, as they’re a cowboy outfit.

January 2022 - Email Geeks
Expert view

Expert from Word to the Wise explains that Apple distrusting Entrust CAs and VMCs may stem from various issues, and recommends considering alternatives like DigiCert due to their reliability and compliance.

March 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares a link to a relevant article: <https://wordtothewise.com/2024/07/if-youre-using-entrust-for-your-bimi-vmc/>

February 2025 - Email Geeks
Expert view

Expert from Email Geeks shares a link to a blog post about stopping the use of Entrust for BIMI certificates: <https://wordtothewise.com/2024/12/stop-using-entrust-for-your-bimi-certificates/>

January 2025 - Email Geeks
Expert view

Expert from Email Geeks clarifies that if an existing certificate was issued before November 15th it’ll be OK until it expires, so it’s not a crash emergency thing. Suggests switching to DigiCert as soon as is convenient.

April 2023 - Email Geeks
Expert view

Expert from Word to the Wise strongly suggests moving away from Entrust for VMCs and BIMI. He advises those who have already purchased certs from Entrust to get a DigiCert one.

December 2022 - Word to the Wise

What the documentation says
6 Technical articles

Apple devices ship with a preconfigured set of trusted root certificates used to verify server identities, and Apple can also distrust roots. Certification Authorities (CAs) are trusted third parties that issue digital certificates binding identities to keys. Verified Mark Certificates (VMCs) are certificates that authenticate a brand's logo for display in mailboxes that support BIMI. Trust stores are not fixed: Mozilla documents adding and removing trusted roots in its products, and GlobalSign describes the role certificates and trusted CAs play in online security. LearnDMARC explains that BIMI requires a DNS TXT record declaring the location of the SVG logo file.

Key findings

  • Trusted Root Certificates: Apple devices use pre-configured trusted root certificates.
  • CA Role: CAs are trusted entities verifying online identities.
  • VMC Function: VMCs authenticate brand logos in BIMI-enabled email.
  • Certificate Management: Mozilla documents adding and removing trusted root certificates in its products.
  • DNS TXT Record: BIMI setup requires declaring the SVG logo file location in a DNS TXT record.

Key considerations

  • Validate Trust Chains: Understand how your systems validate chains from leaf certificates through intermediate CAs to a root; a VMC whose root has been distrusted by the mailbox provider fails this check even when the chain itself is well formed.
  • Implement BIMI Correctly: Adhere to BIMI requirements and correctly configure the DNS TXT record for your logo.
  • Choose Trusted CAs: Select trusted Certification Authorities to ensure online security and brand authentication.
  • Follow Best Practices: Adhere to the published requirements and use a DNS checker to validate your DMARC and BIMI records after every change.
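A small checker for the DNS and certificate conditions listed above, written for this page as an added example (it is not code from LearnDMARC, Apple or any CA named here). It parses a DMARC and a BIMI TXT record from constructed sample strings rather than live DNS, applies the BIMI eligibility rules (enforcing p=, pct=100, no sp=none; v=BIMI1 first, an https SVG in l=, an https VMC in a=), and triages an existing VMC by issuer and issuance date against Apple's cutoff. The page gives the cutoff as November 15th; the year 2024, the example.com URLs and the substring match on the issuer organisation are assumptions.

```python
"""Check the DNS side of a BIMI deployment and triage existing VMCs.

Added example for this page; not code from LearnDMARC, Apple or any CA.
The records and certificate fields below are constructed sample inputs,
not live DNS lookups or real certificates.
"""
from __future__ import annotations

from datetime import date
from urllib.parse import urlparse

# Apple does not trust Entrust-issued certificates whose notBefore is after
# this date. The page says "November 15th"; the year 2024 is an assumption.
APPLE_ENTRUST_CUTOFF = date(2024, 11, 15)

# Constructed sample records (example.com is an assumption).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=10; sp=none"
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem"
BAD_BIMI = "v=BIMI1; l=http://example.com/brand.png; a="


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' TXT record into a dict; the first occurrence of a tag wins."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        key = key.strip().lower()
        if sep and key and key not in tags:
            tags[key] = value.strip()
    return tags


def dmarc_problems(record: str) -> list[str]:
    """Why a DMARC record does not qualify for BIMI (empty list = OK).

    BIMI needs enforcement: p=quarantine or p=reject, pct=100 (the default),
    and no sp=none weakening the policy on subdomains.
    """
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing or wrong v= tag (expected v=DMARC1)")
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append("p= must be quarantine or reject")
    if tags.get("pct", "100") != "100":
        problems.append("pct= must be 100 or omitted")
    if tags.get("sp") == "none":
        problems.append("sp=none disables enforcement on subdomains")
    return problems


def bimi_problems(record: str) -> list[str]:
    """Why a default._bimi TXT record will not produce a logo (empty list = OK).

    The record must begin with v=BIMI1, point l= at an https SVG, and give
    the VMC location in a= over https; providers that require a VMC show
    nothing when a= is empty.
    """
    tags = parse_tags(record)
    problems = []
    if not record.strip().lower().startswith("v=bimi1"):
        problems.append("record must start with v=BIMI1")
    logo = tags.get("l", "")
    if not logo:
        problems.append("l= is empty, so no logo can be fetched")
    elif urlparse(logo).scheme != "https" or not logo.lower().endswith(".svg"):
        problems.append("l= must be an https URL ending in .svg")
    evidence = tags.get("a", "")
    if not evidence:
        problems.append("a= is empty: no VMC, so VMC-requiring mailboxes show no logo")
    elif urlparse(evidence).scheme != "https":
        problems.append("a= must be an https URL")
    return problems


def vmc_status(issuer_org: str, not_before: date, not_after: date, today: date) -> str:
    """Triage an existing VMC against Apple's Entrust distrust.

    Feed in the issuer O= and validity dates from the certificate. Matching
    the issuer on the substring 'entrust' is an assumption, not a spec rule.
    """
    if today > not_after:
        return "expired: replace"
    if "entrust" not in issuer_org.lower():
        return "not affected by the Entrust distrust"
    if not_before > APPLE_ENTRUST_CUTOFF:
        return "issued after the Apple cutoff: not trusted by Apple, replace now"
    return f"issued before the cutoff: trusted until {not_after.isoformat()}, plan migration"


if __name__ == "__main__":
    for label, rec, check in (("DMARC", GOOD_DMARC, dmarc_problems),
                              ("DMARC", WEAK_DMARC, dmarc_problems),
                              ("BIMI", GOOD_BIMI, bimi_problems),
                              ("BIMI", BAD_BIMI, bimi_problems)):
        print(f"{label}: {rec}\n  -> {check(rec) or ['OK']}")
    today = date(2025, 1, 15)  # constructed reference date
    print(vmc_status("Entrust, Inc.", date(2024, 12, 1), date(2025, 12, 1), today))
    print(vmc_status("Entrust, Inc.", date(2024, 6, 1), date(2025, 6, 1), today))
```

Run it as a script to print a report for the sample records, or import the functions and feed them the strings returned by `dig +short TXT _dmarc.<domain>` and `dig +short TXT default._bimi.<domain>`, and the issuer and dates printed by `openssl x509 -in vmc.pem -noout -issuer -dates`. The DMARC check looks only at the record for the domain in question; if the policy is inherited from an organizational domain, check that record instead.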
Technical article

Documentation from GlobalSign describes the role of digital certificates in establishing trust and security in online communications and transactions, emphasizing the importance of trusted CAs.

December 2023 - GlobalSign
Technical article

Documentation from LearnDMARC explains that for BIMI you have to declare the location of your SVG logo file in a DNS TXT record, and to check this DNS record with an online checker to ensure it is valid.

January 2023 - LearnDMARC
Technical article

Documentation from Mozilla explains the process of adding and removing trusted root certificates in Firefox and other Mozilla products, highlighting the importance of CA trust for secure web browsing.

August 2021 - Mozilla
Technical article

Documentation from Entrust answers the question of what a Certification Authority (CA) is. It also explains that they are trusted third parties that issue digital certificates used to verify the identity of websites and other online entities.

February 2025 - Entrust
Technical article

Documentation from Apple Support explains that Apple devices come preconfigured with trusted root certificates that are used to verify the identities of servers, but that certificates can also be distrusted.

July 2023 - Apple Support
Technical article

Documentation from DigiCert defines Verified Mark Certificates (VMCs) as digital certificates that verify the authenticity of a brand's logo, allowing it to be displayed in email inboxes that support BIMI.

September 2022 - DigiCert