Will a VMC work on a subdomain if the subdomain isn't explicitly listed in the certificate?
Summary
What email marketers say (8 marketer opinions)
Email marketer from Mailjet recommends making sure that your BIMI record is published on your root domain, even if you're sending email from a subdomain. Your VMC needs to be valid for either your root domain or the specific sending subdomain.
Email marketer from StackOverflow shares that the SSL certificate must cover the specific subdomain being used. You can achieve this with either a wildcard certificate (*.sub.example.com) or a certificate that includes the subdomain as a SAN entry.
Email marketer from Quora notes that if you are using subdomains, ensure your BIMI record is correctly set up on the main domain and that your VMC covers the subdomains either through a wildcard certificate or SAN entries.
Email marketer from Reddit suggests ensuring the certificate covers all subdomains used for sending. If not, consider a wildcard certificate or adding each subdomain as a Subject Alternative Name (SAN) to the certificate.
Marketer from Email Geeks states that even if the subdomain is not listed, the VMC would still work on a subdomain if added.
Email marketer from Litmus recommends double-checking your BIMI record and VMC configuration for any discrepancies, especially if you've recently made changes to your domain or subdomain setup.
Email marketer from EmailVendorSelection explains that to use a VMC on subdomains it is important that the domain you use for sending email matches the domain specified in the BIMI record and VMC. You need a valid SSL certificate for your sending domain or subdomain.
Email marketer from EmailGeeks Forum shares that in their experience, the VMC should be associated with the main domain. The BIMI record on the main domain should cover subdomains.
What the experts say (1 expert opinion)
Expert from Word to the Wise explains that your VMC needs to match the 'd=' domain used in your DKIM signature. If sending from a subdomain, you need a certificate valid for that subdomain, either specifically or via a wildcard certificate.
What the documentation says (7 technical articles)
Documentation from SSL.com explains that multi-domain (SAN) certificates are a good option to secure multiple sites and subdomains with one certificate. If the subdomain is not covered by a wildcard, then it should be listed within the SAN.
Documentation from GlobalSign shares that a wildcard SSL certificate will cover all subdomains of a domain name. For example, a certificate for *.example.com will cover mail.example.com, blog.example.com, and shop.example.com.
Documentation from Entrust Blog explains that Subject Alternative Name (SAN) certificates can list multiple domains and subdomains. For VMCs, it's crucial to include all relevant subdomains in the SAN field of the certificate.
Documentation from Comodo (Sectigo) explains that SAN certificates allow you to secure multiple domain names and subdomains with a single certificate. This is a viable alternative to wildcard certificates when you need to secure a specific list of subdomains.
Documentation from DigiCert Knowledge Base explains that wildcard certificates (*.example.com) can be used to secure multiple subdomains. For VMCs, the certificate must be issued to the organizational domain, and the BIMI record must be placed on the organizational domain, even if the sending domain is a subdomain.
Documentation from Sectigo Knowledge Base details that BIMI relies on a valid VMC. The VMC's certificate must be valid for the domain used in the 'd=' tag of the DKIM signature. If you're sending from a subdomain, the certificate must either explicitly include the subdomain or be a wildcard certificate covering it.
Documentation from Namecheap details that there are two ways to cover subdomains with SSL certificates. One way is via a Wildcard SSL and the other via a Multi-Domain (SAN) SSL Certificate.
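The wildcard and SAN coverage rules quoted above can be checked mechanically. The following is an added example, not code from any of the sources cited on this page: it applies standard X.509 dNSName matching (RFC 6125 style) to a list of SAN entries, and it does not claim that mailbox providers evaluate VMCs with the same rule. The function names, the strict handling of partial wildcards and "*.tld" entries, and all example.com names are assumptions constructed for illustration.

```python
# Added example: RFC 6125-style dNSName matching, not a BIMI/VMC validator.

def _labels(name):
    """Lower-case a DNS name, drop trailing dots, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def san_covers(san, host):
    """Return True if one SAN dNSName entry covers host."""
    s, h = _labels(san), _labels(host)
    if "" in s or "" in h:
        return False                      # empty label: malformed name
    if s[0] != "*":
        # Exact match only. Partial wildcards such as "m*.example.com"
        # are rejected (assumption: strict policy).
        return "*" not in san and s == h
    # "*" is valid only as the whole leftmost label, and "*.com"-style
    # entries are rejected (assumption: at least two labels must follow).
    if len(s) < 3 or any("*" in label for label in s[1:]):
        return False
    # The wildcard stands for exactly one label, never zero or several.
    return len(h) == len(s) and h[1:] == s[1:]


def covering_entry(sans, host):
    """Return the first SAN entry that covers host, or None."""
    for san in sans:
        if san_covers(san, host):
            return san
    return None


if __name__ == "__main__":
    # Constructed SAN lists for three hypothetical certificates.
    certs = {
        "wildcard": ["*.example.com"],
        "explicit SANs": ["example.com", "mail.example.com"],
        "sub-wildcard": ["*.sub.example.com"],
    }
    hosts = ["example.com", "mail.example.com", "shop.example.com",
             "news.mail.example.com", "a.sub.example.com"]
    for label, sans in certs.items():
        for host in hosts:
            hit = covering_entry(sans, host)
            print(f"{label:14} {host:24} -> {hit or 'NOT COVERED'}")
```

Under these rules a subdomain that is neither listed as a SAN nor matched by a one-label wildcard is reported as not covered, and a wildcard alone does not cover the bare root domain.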