Suped

Will a VMC work on a subdomain if the subdomain isn't explicitly listed in the certificate?

Summary

The responses indicate a strong consensus that a VMC will not function correctly on a subdomain *unless* the certificate explicitly covers that subdomain. This coverage can be achieved in two main ways: through a wildcard certificate that inherently covers all subdomains, or by including the specific subdomain in the Subject Alternative Name (SAN) list of the certificate. Crucially, the VMC needs to align with the 'd=' domain used in your DKIM signature. It is also important that the BIMI record is placed on the organizational domain, even when sending from a subdomain. Regular verification of BIMI/VMC configuration and ensuring that the sending domain matches what's in the BIMI record is also essential.

Key findings

  • Explicit Subdomain Coverage: The VMC requires the subdomain to be explicitly covered by the SSL certificate, either through a wildcard or SAN entry.
  • VMC and DKIM Alignment: The VMC must align with the domain specified in the DKIM signature (d=).
  • BIMI Placement: BIMI records need to be published on the root organizational domain.
  • SAN and Wildcard are Alternatives: SAN certificates and wildcard certificates are both valid solutions.

Key considerations

  • SAN vs. Wildcard Selection: Carefully choose between wildcard certificates (covering all subdomains) and SAN certificates (covering only specified subdomains) based on your specific subdomain strategy.
  • BIMI/VMC Validation: Routinely check the accuracy of your BIMI record and VMC configurations, especially after any domain or certificate changes.
  • DKIM Verification: Confirm that the DKIM signature is accurately configured, aligning with the domain validated by the VMC.
  • Sending Domain Consistency: Make sure that the domain used for sending emails matches the domain specified in the BIMI record and VMC.
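
The coverage and alignment checks summarized above can be scripted as a pre-flight test before publishing a BIMI record. This is an added example, not code from the page or its cited sources. The SAN lists and domain names are constructed, the function names are hypothetical, and wildcard matching is assumed to follow the usual TLS hostname convention, where `*` stands for exactly one left-most label.

```python
"""Pre-flight check: does a VMC's SAN list cover the DKIM d= domain?"""


def san_covers(san_entry: str, domain: str) -> bool:
    """True if one SAN dNSName entry covers `domain`.

    Assumption: wildcard matching follows the TLS hostname convention,
    so '*' replaces exactly one left-most label.
    """
    san = san_entry.lower().rstrip(".")
    name = domain.lower().rstrip(".")
    if not san.startswith("*."):
        return san == name
    head, _, parent = name.partition(".")
    return bool(head) and parent == san[2:]


def check_vmc(san_list, dkim_d, org_domain, selector="default"):
    """Return the coverage result plus the BIMI record name to verify."""
    matched = [s for s in san_list if san_covers(s, dkim_d)]
    d = dkim_d.lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    return {
        "dkim_d": d,
        "covered": bool(matched),
        "matched_by": matched,
        # d= must be the organizational domain or a subdomain of it
        "under_org_domain": d == org or d.endswith("." + org),
        # BIMI record location on the organizational domain
        "bimi_record": f"{selector}._bimi.{org}",
    }


# Constructed sample data (not taken from any real certificate)
ROOT_ONLY = ["example.com"]
WITH_SAN = ["example.com", "news.example.com"]
WILDCARD = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for label, sans in [("root only", ROOT_ONLY), ("explicit SAN", WITH_SAN),
                        ("wildcard", WILDCARD)]:
        r = check_vmc(sans, "news.example.com", "example.com")
        print(f"{label:13} covered={r['covered']} via={r['matched_by']} "
              f"bimi={r['bimi_record']}")
```

Under the single-label assumption, a `*.example.com` entry covers neither the bare `example.com` nor a deeper name such as `a.b.example.com`, so those need their own SAN entries.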

What email marketers say

8 marketer opinions

The consensus is that for a VMC to work on a subdomain, the certificate must cover that subdomain. This can be achieved either by using a wildcard certificate that covers all subdomains of a domain or by explicitly listing the subdomain in the Subject Alternative Name (SAN) field of the certificate. The BIMI record should be correctly set up on the main domain, and the domain used for sending emails must match the domain specified in the BIMI record and VMC. Regular checks of BIMI/VMC configurations and correct BIMI record publication on the root domain are also recommended.

Key opinions

  • Certificate Coverage: The SSL certificate needs to cover the subdomain, either through a wildcard certificate or explicit SAN entry.
  • BIMI Record Setup: BIMI record should be correctly configured on the main domain.
  • Domain Matching: The sending domain must match the domain specified in the BIMI record and VMC.

Key considerations

  • Wildcard vs. SAN: Decide whether a wildcard certificate or a certificate with specific SAN entries is more suitable for your subdomain structure.
  • Regular Checks: Routinely verify the BIMI record and VMC configuration for any discrepancies.
  • Root Domain Publication: Ensure the BIMI record is published on the root domain, even when sending from a subdomain.

Marketer view

Email marketer from Mailjet recommends making sure that your BIMI record is published on your root domain, even if you're sending email from a subdomain. Your VMC needs to be valid for either your root domain or the specific sending subdomain.

28 Oct 2024 - Mailjet

Marketer view

Email marketer from StackOverflow shares that the SSL certificate must cover the specific subdomain being used. You can achieve this with either a wildcard certificate (*.sub.example.com) or a certificate that includes the subdomain as a SAN entry.

18 Mar 2023 - StackOverflow

What the experts say

1 expert opinion

The expert from Word to the Wise emphasizes that the VMC must align with the DKIM signature's 'd=' domain. When sending emails from a subdomain, the SSL certificate needs to be valid for that specific subdomain, whether through an explicit listing or a wildcard certificate.

Key opinions

  • VMC-DKIM Alignment: VMC must match the 'd=' domain in the DKIM signature.
  • Subdomain Validation: If sending from a subdomain, the certificate needs explicit or wildcard validation for that subdomain.

Key considerations

  • DKIM Configuration: Verify that your DKIM signature is correctly configured with the appropriate 'd=' domain.
  • Certificate Type: Choose between an explicit subdomain certificate or a wildcard certificate based on your subdomain setup.

Expert view

Expert from Word to the Wise explains that your VMC needs to match the 'd=' domain used in your DKIM signature. If sending from a subdomain, you need a certificate valid for that subdomain, either specifically or via a wildcard certificate.

21 Aug 2021 - Word to the Wise

What the documentation says

7 technical articles

The documentation consistently highlights two primary methods for ensuring a VMC works with subdomains: using wildcard certificates that cover all subdomains or employing Subject Alternative Name (SAN) certificates to explicitly list the subdomains. The VMC certificate needs to be valid for the 'd=' domain in the DKIM signature, and the BIMI record should reside on the organizational domain. Utilizing SAN certificates provides a focused approach when dealing with specific subdomain sets, offering an alternative to the broader coverage of wildcard certificates.

Key findings

  • Wildcard Certificates: Wildcard SSL certificates secure all subdomains of a domain.
  • SAN Certificates: SAN certificates allow securing multiple specific domains and subdomains with a single certificate.
  • BIMI on Organizational Domain: BIMI record should be placed on the organizational domain, even if sending from a subdomain.
  • VMC-DKIM Alignment: The VMC needs to be valid for the 'd=' domain used in your DKIM signature.

Key considerations

  • Choose Certificate Type: Select between wildcard or SAN certificates based on your subdomain requirements and structure.
  • DKIM Alignment: Ensure the DKIM 'd=' tag matches the domain covered by the VMC.
  • BIMI Placement: Confirm the BIMI record is properly configured on the organizational domain.

Technical article

Documentation from SSL.com explains that multi-domain (SAN) certificates are a good option to secure multiple sites and subdomains with one certificate. If the subdomain is not covered by a wildcard, then it should be listed within the SAN.

12 Jul 2023 - SSL.com

Technical article

Documentation from GlobalSign shares that a wildcard SSL certificate will cover all subdomains of a domain name. For example, a certificate for *.example.com will cover mail.example.com, blog.example.com, and shop.example.com.

11 Jun 2021 - GlobalSign
