Summary
- Only three certificate authorities issue VMCs in 2026 - DigiCert, GlobalSign, and SSL.com, per the BIMI Group issuer list. Entrust, which issued our first certificate in 2022, is gone from that list
- Five quote processes in May and June 2026, and the quotes we could extract ran from $780 to $1,305 per year - for the same one-year certificate; one vendor never returned a number. The cheapest was VMCcerts reselling the GlobalSign chain, quoted 2026-05-14; the priciest was GlobalSign direct
- Negotiation moved SSL Dragon from $1,049 list to $850 per year - we paid $2,550 for a 3-year DigiCert-chain term on 2026-06-15, which is $210 above the cheapest quote, traded for chain certainty and a US contracting entity
- No registered trademark means no checkmark - a common mark certificate shows the logo in Gmail without the blue tick, and our own validation has already run two-plus weeks. We answer whether the checkmark pays separately, with our own data
Ask what a verified mark certificate costs and you will mostly meet quote forms and chat widgets. Both certificate authorities we contacted directly routed us into sales threads, and so did several of their resellers. We had to email strangers to learn a price. In 2026.
So we collected the numbers ourselves. Between 2026-05-14 and 2026-06-15 we ran quote processes with GlobalSign, SSL.com, SSL Dragon, and VMCcerts, kept our incumbent renewal offer as a fifth reference point, pushed back where a thread was live, and ended up paying $2,550 for a 3-year DigiCert-chain certificate. Every number below carries the date we received it, because VMC pricing moves and an undated price is barely better than no price. The certificate is the paid half of BIMI: the DNS record and the SVG logo cost nothing to publish, and the Gmail checkmark is the part the money buys.
Why we were shopping at all, and how the incumbent relationship ended, is its own post. This one is the buyer’s guide we went looking for in April 2026 and never found.
Who can even issue a VMC?
Three certificate authorities can, as of early July 2026. The BIMI Group’s official issuer list names DigiCert, GlobalSign, and SSL.com as the mark verifying authorities. Entrust, the CA behind our first certificate in 2022, no longer appears there; that exit collided with our renewal in ways we didn’t enjoy.
The same page carries a line worth reading twice before you spend anything: “Inclusion on this list does not guarantee that a Mailbox Provider will honor your Cert.” You’re buying an entry ticket, not a guarantee.
There are also two certificate types, and the difference decides your budget before any vendor does. A verified mark certificate requires a registered trademark and earns the blue checkmark in Gmail. A common mark certificate needs no trademark and shows the logo without the checkmark. That split comes straight from Google’s September 2024 update: “With a CMC, the sender’s brand avatar will be displayed without the Gmail verified checkmark that’s displayed for VMCs.”
Google’s Workspace BIMI requirements add the prerequisite people forget. Your DMARC policy has to sit at p=quarantine or p=reject. A domain at p=none gets no logo from either certificate type, no matter what you spend.
Vendors themselves check which product you mean. On 2026-06-09, mid-negotiation, Red Sift asked us: “To clarify, are you wanting to keep your BIMI VMC or a CMC?” Our reply, typo preserved: “Its the full blue-checkbox version (official, blue checkmark in gmail)”. If you hold a registered trademark, the VMC is the product this guide prices.
The quotes we actually got, with dates
On 2026-05-14 we sent outreach to four vendors: GlobalSign direct, SSL.com direct, SSL Dragon, and VMCcerts. VMCcerts came back the same day with both chains priced. SSL Dragon replied on 2026-05-15 with DigiCert list pricing. One vendor took a month to become legible, and one number never arrived at all.
| Vendor | Chain | 1 yr | 3 yr total | Per yr on 3 yr | Quoted | Outcome |
|---|---|---|---|---|---|---|
| VMCcerts (SSL2BUY EMEA LLC) | GlobalSign | $900 | $2,340 | $780 | 2026-05-14 | Cheapest quote |
| VMCcerts (SSL2BUY EMEA LLC) | DigiCert | $1,350 | $3,600 | $1,200 | 2026-05-14 | Passed |
| SSL Dragon (GPI Holding LLC) | DigiCert | $1,249 | $3,147 | $1,049 | 2026-05-15 | List price |
SSL Dragon, coupon 3YEARVMCO | DigiCert | n/a | $2,673 | $891 | 2026-05-16 | 15% off list |
| SSL Dragon, final offer | DigiCert | n/a | $2,550 | $850 | 2026-06-05 | What we bought |
| GlobalSign direct | GlobalSign | $1,450 | $3,915 | $1,305 | extracted 2026-06-14 | Eliminated |
| SSL.com direct | SSL.com | n/a | n/a | n/a | never extracted | Self-eliminated |
| Red Sift (incumbent, 1-yr renewal) | DigiCert | $1,608 | n/a | n/a | signed 2025-06-06 | Context |
For reference, DigiCert direct ran about $1,499 to $1,550 per year, GoGetSSL (a DigiCert reseller) $1,474, and the going GlobalSign-direct figure near $1,299. Those are figures from our own May 2026 research notes, not quotes anyone mailed us. Against that backdrop, $780 to $850 per year is a different market than the one the list prices describe.
How the SSL Dragon number fell from $1,049 to $850
We told them upfront what we were optimizing for, in our 2026-05-15 email:
“I’m not chasing the cheapest number for its own sake. I’d rather pay a premium for substance if there’s real substance behind it. Help me see the difference.”
The next day, support moved: “We are able to adjust the 3-year rate slightly, from $1,049 per year down to $891 per year. The total for 3 years would be $2673 instead of $3147. That is a 15% discount from the price we have on our website.”
Three weeks later, with the $2,340 GlobalSign-chain quote still visibly on our table, they moved once more on 2026-06-05:
“the best price we can give you is $2550 for the 3-year VMC certificate. That is $123 down from our already discounted rate of $2673.”
We ordered on 2026-06-15: order 2447625402, invoice 46980, coupon 3YEARVMCO, $597 off the $3,147 list, 25-day money-back window. Two short emails and three weeks of patience. Nobody volunteered a discount before we asked.
What we asked the cheapest vendor
VMCcerts quoted $780 per year, low enough to make us a bit suspicious. We asked them straight on 2026-05-15:
“why are yours cheaper by a good margin vs competitors? Is there something you don’t include or are these even recognized as official?”
Their answer, same day: “There are no technical or functional differences between DigiCert and GlobalSign VMC certificates.” True at the level of the certificate format. Less true at the level of who trusts which root, which we get to below.
The storefront itself needed checking. vmccerts.com was a domain roughly 12 months old when we checked in May 2026, with private WHOIS and no public terms or about page. We pulled the TLS certificate chain the site serves and the operation resolved to SSL2BUY, specifically SSL2BUY EMEA LLC, a UAE-registered entity. The quote was real, and the cheapest in the market. Our hesitation came from the contract structure rather than from legitimacy. Vendor due diligence like this produces a paper trail worth keeping, the same habit compliance management software exists to enforce at scale.
SSL Dragon needed vetting too. Third-party trust scores were mediocre in our April 2026 research notes, Scamadviser at 72% and Scamdoc at 55%, for a reseller with roughly 4 employees. The counterweights: the contracting entity is GPI Holding LLC, a US company, renewals are plain re-orders with no lock-in, and it resold the exact chain we wanted.
The two vendors that eliminated themselves
SSL.com never gave us a number. Pricing sat behind three tracked marketing links we declined to click, and the account executive went on leave mid-thread. Prior vetting counted for nothing either; asked whether our existing trademark and organization validation could carry over, the answer on 2026-05-15 was one word long, spelling theirs:
“Negitive, our team will need to perform their own validation.”
We made a purchase decision without ever seeing an SSL.com dollar figure.
GlobalSign went quiet for about two weeks after our 2026-05-14 outreach, then re-engaged with six-plus near-identical check-in emails. The check-ins were polite; the silence before them was the annoying part. Turns out their 2026-05-15 reply had carried the actual quote as an attachment, which we only got around to extracting on 2026-06-14: $1,450 for 1 year, $3,915 for 3, or $1,305 per year, with the 2-year tier at $2,755. By the time we read it, it was the most expensive quote in the table, for the chain we had already decided against.
Pick the chain before you pick the seller
A reseller doesn’t issue anything. Whatever storefront you buy through, the certificate comes from DigiCert, GlobalSign, or SSL.com, and it sits under that CA’s dedicated verified mark root, which is separate from its TLS roots. Our live certificate chains to DigiCert Verified Mark RSA4096 SHA256 2021 CA1 and runs 2025-07-29 through 2026-07-28, a single year. Which mail clients trust which roots is exactly what the BIMI Group list refuses to promise, and the full anatomy of what sits inside one of these certificates is in how BIMI actually works.
Then came the moment that decided the purchase. Why would the vendor selling the cheaper GlobalSign chain steer us toward a DigiCert chain that costs $420 more per year? Yet on 2026-05-18, in writing, VMCcerts told us:
“DigiCert tends to have broader compatibility across certain Apple Mail ecosystems, while Apple is still gradually expanding support for additional VMC roots industry-wide… broader rollout improvements are anticipated around late June to early July…”
That is a dated vendor statement, not something we bench-tested ourselves. Weigh it as such. We still treated it as the strongest signal of the whole bake-off, because the seller of the cheaper option was arguing against their own cheapest offer. Sales teams rarely do that for fun. We asked ourselves what they gained by saying it: steering us onto the dearer chain would only have raised their invoice if we bought it from them, and in the end we bought from nobody in that thread.
That said, chain is only half the seller question. The other half is who you contract with, and the trade-offs came out like this:
Start with money. GlobalSign direct wanted $1,305 per year for its own chain on 2026-06-14 pricing; VMCcerts sold the identical chain for $780, a $525 per year gap for the same root.
The entity question weighed more for us. A UAE contracting entity for the certificate that carries our corporate identity was a tough sell internally, through no fault of the product. GPI Holding LLC being US-registered mattered to us; that preference is ours, and your risk table may differ.
Renewals are the sleeper issue. VMCcerts renewals stay with the reseller. SSL Dragon renewals are plain re-orders, and our order spawned a DigiCert CertCentral sub-account on 2026-06-16, so the validation relationship sits with the CA either way. SSL Dragon, a reseller itself, warned us about this exact axis on 2026-05-16:
“we have seen issues where the billing entity (reseller) or the relationship structure with DigiCert causes friction during renewals or if an immediate re-issuance is needed.”
A reseller warning us about reseller structures is selling, obviously. It also matched what we could verify in the renewal terms.
Payment terms actually favor VMCcerts. From their 2026-05-14 pitch:
“the process is completely risk-free from a payment perspective, as no upfront payment is required. The Payment is only required after the certificate has been approved and successfully delivered.”
Fair enough: pay-after-issuance removes real risk for a first-time buyer. It didn’t outweigh the entity question for us. The final math: we paid $2,550 against the $2,340 floor, and that $210 over three years bought the DigiCert chain plus a US counterparty.
Validation is the real timeline
Every issuer vets you before issuance. They check the registered trademark and the legal organization behind the order, and DigiCert’s process, as relayed to us on 2026-05-16, usually turns on a video call with a human. The trademark must sit on file with an intellectual property office the issuers recognize, a detail from the same Google requirements page linked earlier, and everything they vet ends up baked into the certificate subject itself.
The speed claims we collected varied by a factor of ten. DigiCert’s fast-track position, relayed to us verbatim by SSL Dragon on 2026-05-16:
“We can do the validation within a day. The blocker that usually delays Mark’s Certificate validation is usually a video call with the customer. Other than that, if everything is in order, there is a telephone listing published online, we can complete it even within a day.”
SSL.com claimed 3 to 5 days of vetting in its 2026-05-15 reply. GlobalSign’s quote came with roughly 10 days of vetting and a 7-day refund window.
So which timeline should you believe? For planning purposes, ours says none of them. We submitted the VMC request form in DigiCert CertCentral on 2026-06-16, and as of 2026-07-02 the validation is still running, two-plus weeks in, while our live certificate expires 2026-07-28. The within-a-day claim had conditions attached, a published telephone listing among them, and we aren’t claiming bad faith. We’re saying the fast path is conditional and the slow path is real, so order at least six weeks before your current certificate expires.
Multi-year pricing hides one more thing. From the GlobalSign account manager on 2026-05-15:
“The VMC certificate is only valid for 1 year, so the terms are for an agreed price for 2 or 3 years. You would still need to renew the certificate each year.”
A multi-year VMC deal locks the price and nothing else; the certificate re-issues annually. Our own paperwork covers 06/15/2026 through 06/14/2029, yet DigiCert will issue us three one-year certificates inside that window, and in a self-hosted setup each annual swap is a one-file deploy. As of early July 2026 our replacement is mid-validation, so we’ll be doing that swap soon enough.
What we’d tell you to do
Buying advice, compressed from four weeks of email in May and June 2026:
- Settle VMC versus CMC before anything else, because no registered trademark means no checkmark at any price
- Collect three quotes minimum and let each vendor know the others exist; our spread ran $780 to $1,305 per year, and two short emails cut SSL Dragon from $1,049 to $850
- Get the chain in writing before comparing prices, since a $780 GlobalSign quote and a $1,200 DigiCert quote from the same reseller are different products if your recipients live in Apple Mail
- Ask who the contracting entity is and where renewals happen; our cheapest storefront resolved to a UAE entity via its own TLS chain
- Start six weeks out, because quoted validation ran one to ten days while ours is still open after two-plus weeks
We paid $2,550 on 2026-06-15 and think we bought well: $758 per year under our incumbent’s 2025 price, or $2,274 across the term. Whether a blue checkmark deserves even $850 a year is a fair challenge, and we put our open-rate numbers up against it rather than a slogan.