Will a VMC work on a subdomain if the subdomain isn't explicitly listed in the certificate?

Summary

The responses indicate a strong consensus that a VMC will not function correctly on a subdomain *unless* the certificate explicitly covers that subdomain. This coverage can be achieved in two main ways: through a wildcard certificate that inherently covers all subdomains, or by including the specific subdomain in the Subject Alternative Name (SAN) list of the certificate. Crucially, the VMC needs to align with the 'd=' domain used in your DKIM signature. It is also important that the BIMI record is placed on the organizational domain, even when sending from a subdomain. Regular verification of BIMI/VMC configuration and ensuring that the sending domain matches what's in the BIMI record is also essential.

Key findings

  • Explicit Subdomain Coverage: The VMC requires the subdomain to be explicitly covered by the SSL certificate, either through a wildcard or SAN entry.
  • VMC and DKIM Alignment: The VMC must align with the domain specified in the DKIM signature (d=).
  • BIMI Placement: BIMI records need to be published on the root organizational domain.
  • SAN and Wildcard are Alternatives: SAN certificates and Wildcard certificates are both valid solutions.

Key considerations

  • SAN vs. Wildcard Selection: Carefully choose between wildcard certificates (covering all subdomains) and SAN certificates (covering only specified subdomains) based on your specific subdomain strategy.
  • BIMI/VMC Validation: Routinely check the accuracy of your BIMI record and VMC configurations, especially after any domain or certificate changes.
  • DKIM Verification: Confirm that the DKIM signature is accurately configured, aligning with the domain validated by the VMC.
  • Sending Domain Consistency: Make sure that the domain used for sending emails matches the domain specified in the BIMI record and VMC.
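
An added example, not part of the original page or any vendor's tooling: a Python check of whether the DKIM 'd=' domain is covered by a certificate's SAN list, either explicitly or by wildcard. The DKIM header and SAN lists are constructed samples, the function names are hypothetical, and the wildcard rule (one left-most label, as in RFC 6125 hostname matching) is an assumption about how the certificate is evaluated.

```python
import re

def dkim_d_domain(header_value):
    """Return the d= tag of a DKIM-Signature header value, lowercased, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    for tag in unfolded.split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "d":
            return value.strip().rstrip(".").lower()
    return None

def san_covers(san, domain):
    """True if one SAN dNSName entry covers domain.

    Assumption: RFC 6125 style matching, where '*' stands for exactly one
    left-most label, so *.example.com covers neither example.com nor
    a.b.example.com.
    """
    san = san.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    if san.startswith("*."):
        head, _, parent = domain.partition(".")
        return bool(head) and parent == san[2:]
    return san == domain

def check_alignment(dkim_header, san_list):
    """Report whether the DKIM d= domain is covered and by which SAN entries."""
    domain = dkim_d_domain(dkim_header)
    if domain is None:
        return {"domain": None, "covered": False, "matched_by": []}
    matched = [s for s in san_list if san_covers(s, domain)]
    return {"domain": domain, "covered": bool(matched), "matched_by": matched}

# Constructed sample data (not from a real certificate or message).
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
               "\td=mail.example.com; s=sel1; h=from:to:subject;\r\n"
               "\tbh=AAAA; b=BBBB")
SAN_EXPLICIT = ["example.com", "mail.example.com"]
SAN_WILDCARD = ["*.example.com"]
SAN_ROOT_ONLY = ["example.com"]

if __name__ == "__main__":
    for label, sans in [("explicit", SAN_EXPLICIT), ("wildcard", SAN_WILDCARD),
                        ("root only", SAN_ROOT_ONLY)]:
        print(label, check_alignment(SAMPLE_DKIM, sans))
```

Running the same check after any certificate reissue or DKIM selector change catches the case where the signing domain has drifted away from what the certificate lists.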

What email marketers say
8 Marketer opinions

The consensus is that for a VMC to work on a subdomain, the certificate must cover that subdomain. This can be achieved either by using a wildcard certificate that covers all subdomains of a domain or by explicitly listing the subdomain in the Subject Alternative Name (SAN) field of the certificate. The BIMI record should be correctly set up on the main domain, and the domain used for sending emails must match the domain specified in the BIMI record and VMC. Regular checks of BIMI/VMC configurations and correct BIMI record publication on the root domain are also recommended.

Key opinions

  • Certificate Coverage: The SSL certificate needs to cover the subdomain, either through a wildcard certificate or explicit SAN entry.
  • BIMI Record Setup: BIMI record should be correctly configured on the main domain.
  • Domain Matching: The sending domain must match the domain specified in the BIMI record and VMC.

Key considerations

  • Wildcard vs. SAN: Decide whether a wildcard certificate or a certificate with specific SAN entries is more suitable for your subdomain structure.
  • Regular Checks: Routinely verify the BIMI record and VMC configuration for any discrepancies.
  • Root Domain Publication: Ensure the BIMI record is published on the root domain, even when sending from a subdomain.
Marketer view

Email marketer from Mailjet recommends making sure that your BIMI record is published on your root domain, even if you're sending email from a subdomain. Your VMC needs to be valid for either your root domain or the specific sending subdomain.

December 2023 - Mailjet
Marketer view

Email marketer from StackOverflow shares that the SSL certificate must cover the specific subdomain being used. You can achieve this with either a wildcard certificate (*.sub.example.com) or a certificate that includes the subdomain as a SAN entry.

November 2021 - StackOverflow
Marketer view

Email marketer from Quora notes that if you are using subdomains, ensure your BIMI record is correctly set up on the main domain and that your VMC covers the subdomains either through a wildcard certificate or SAN entries.

May 2021 - Quora
Marketer view

Email marketer from Reddit suggests ensuring the certificate covers all subdomains used for sending. If not, consider a wildcard certificate or adding each subdomain as a Subject Alternative Name (SAN) to the certificate.

April 2022 - Reddit
Marketer view

Marketer from Email Geeks states that even if the subdomain is not listed, the VMC would still work on a subdomain if added.

January 2022 - Email Geeks
Marketer view

Email marketer from Litmus recommends double-checking your BIMI record and VMC configuration for any discrepancies, especially if you've recently made changes to your domain or subdomain setup.

January 2023 - Litmus
Marketer view

Email marketer from EmailVendorSelection explains that to use a VMC on subdomains it is important that the domain you use for sending email matches the domain specified in the BIMI record and VMC. You need a valid SSL certificate for your sending domain or subdomain.

February 2025 - EmailVendorSelection
Marketer view

Email marketer from EmailGeeks Forum shares that in their experience, the VMC should be associated with the main domain. The BIMI record on the main domain should cover subdomains.

August 2022 - EmailGeeks Forum

What the experts say
1 Expert opinion

The expert from Word to the Wise emphasizes that the VMC must align with the DKIM signature's 'd=' domain. When sending emails from a subdomain, the SSL certificate needs to be valid for that specific subdomain, whether through an explicit listing or a wildcard certificate.

Key opinions

  • VMC-DKIM Alignment: VMC must match the 'd=' domain in the DKIM signature.
  • Subdomain Validation: If sending from a subdomain, the certificate needs explicit or wildcard validation for that subdomain.

Key considerations

  • DKIM Configuration: Verify that your DKIM signature is correctly configured with the appropriate 'd=' domain.
  • Certificate Type: Choose between an explicit subdomain certificate or a wildcard certificate based on your subdomain setup.
Expert view

Expert from Word to the Wise explains that your VMC needs to match the 'd=' domain used in your DKIM signature. If sending from a subdomain, you need a certificate valid for that subdomain, either specifically or via a wildcard certificate.

October 2022 - Word to the Wise

What the documentation says
7 Technical articles

The documentation consistently highlights two primary methods for ensuring a VMC works with subdomains: using wildcard certificates that cover all subdomains or employing Subject Alternative Name (SAN) certificates to explicitly list the subdomains. The VMC certificate needs to be valid for the 'd=' domain in the DKIM signature, and the BIMI record should reside on the organizational domain. Utilizing SAN certificates provides a focused approach when dealing with specific subdomain sets, offering an alternative to the broader coverage of wildcard certificates.

Key findings

  • Wildcard Certificates: Wildcard SSL certificates secure all subdomains of a domain.
  • SAN Certificates: SAN certificates allow securing multiple specific domains and subdomains with a single certificate.
  • BIMI on Organizational Domain: BIMI record should be placed on the organizational domain, even if sending from a subdomain.
  • VMC-DKIM Alignment: The VMC needs to be valid for the 'd=' domain used in your DKIM signature.

Key considerations

  • Choose Certificate Type: Select between wildcard or SAN certificates based on your subdomain requirements and structure.
  • DKIM Alignment: Ensure the DKIM 'd=' tag matches the domain covered by the VMC.
  • BIMI Placement: Confirm the BIMI record is properly configured on the organizational domain.
Technical article

Documentation from SSL.com explains that multi-domain (SAN) certificates are a good option to secure multiple sites and subdomains with one certificate. If the subdomain is not covered by a wildcard, then it should be listed within the SAN.

August 2023 - SSL.com
Technical article

Documentation from GlobalSign shares that a wildcard SSL certificate will cover all subdomains of a domain name. For example, a certificate for *.example.com will cover mail.example.com, blog.example.com, and shop.example.com.

December 2021 - GlobalSign
Technical article

Documentation from Entrust Blog explains that Subject Alternative Name (SAN) certificates can list multiple domains and subdomains. For VMCs, it's crucial to include all relevant subdomains in the SAN field of the certificate.

May 2023 - Entrust Blog
Technical article

Documentation from Comodo (Sectigo) explains that SAN certificates allow you to secure multiple domain names and subdomains with a single certificate. This is a viable alternative to wildcard certificates when you need to secure a specific list of subdomains.

July 2023 - Comodo (Sectigo) Knowledge Base
Technical article

Documentation from DigiCert Knowledge Base explains that Wildcard certificates (*.example.com) can be used to secure multiple subdomains. For VMCs, the certificate must be issued to the organizational domain, and the BIMI record must be placed on the organizational domain, even if the sending domain is a subdomain.

May 2024 - DigiCert Knowledge Base
Technical article

Documentation from Sectigo Knowledge Base details that BIMI relies on a valid VMC. The VMC's certificate must be valid for the domain used in the 'd=' tag of the DKIM signature. If you're sending from a subdomain, the certificate must either explicitly include the subdomain or be a wildcard certificate covering it.

January 2023 - Sectigo Knowledge Base
Technical article

Documentation from Namecheap details that there are two ways to cover subdomains with SSL certificates. One way is via a Wildcard SSL and the other via a Multi-Domain (SAN) SSL Certificate.

April 2024 - Namecheap