BIG BOX Hosting Services Email Authentication Suite № 01.07

Email auth as one project.

DMARC monitoring, MTA-STS hosting, TLS-RPT report ingestion, and BIMI deployment bundled in one engagement at €299 per month. The four protocols are usually treated as separate vendor purchases — DMARC monitoring at one tool, MTA-STS hosting at another, BIMI at a third, TLS-RPT often nowhere. Combined retail across Red Sift plus PowerDMARC plus Valimail runs €420-580 per month for the equivalent feature set. We charge less because the four protocols share enough infrastructure that running them as one stack is materially cheaper than running them as four.

01  /  The case for bundling

The four protocols share more infrastructure than vendors admit.

DMARC, MTA-STS, TLS-RPT, and BIMI are sold as separate products by every major vendor in the email security space — Red Sift OnDMARC, PowerDMARC, Valimail, Easy DMARC, and the rest. The pricing reflects four products: typically €89-149 per month for DMARC alone, plus €30-50 for MTA-STS hosting, plus €40-80 for BIMI, plus another €30-60 for TLS-RPT if it is offered separately. The combined cost lands between €189 and €339 per month before any volume discount. The reason vendors sell them separately is procurement, not engineering — the four protocols share roughly 70% of the underlying infrastructure.

What actually overlaps

The DNS infrastructure. All four protocols publish records in the same zone — _dmarc, _mta-sts, _smtp._tls, default._bimi. A single DNS provisioning workflow handles all of them. Vendors that sell them separately tend to require four separate DNS update tickets, four separate verification runs, four separate failure modes when something goes wrong.

The reporting ingestion pipeline. DMARC aggregate reports (RUA) and TLS-RPT reports both arrive as XML / JSON over email or HTTPS POST. The schemas differ but the parser, deduplicator, alerting layer, and dashboard renderer are mostly the same code. We process both streams in one pipeline. Vendors that bolt TLS-RPT on as a second product typically run a second, simpler pipeline that lacks the alerting depth of the DMARC side.

The HTTPS hosting. MTA-STS requires HTTPS hosting at https://mta-sts.{domain}/.well-known/mta-sts.txt. BIMI requires HTTPS hosting for the SVG logo and the VMC/CMC certificate. Both are static file hosting with TLS termination — one hosting setup serves both, with separate paths and separate cert renewal cycles managed in one workflow.

The DMARC dependency. BIMI requires DMARC at p=quarantine or p=reject. MTA-STS recommends DMARC enforcement before enforce mode (so you have visibility into authentication failures before adding transport failures on top). Treating the four as one project means we sequence the DMARC migration first and the rest second, instead of starting four parallel projects that hit different issues at different times.
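
One way to build the shared pipeline described in the reporting paragraph above (an added example, not the vendor's code): a DMARC aggregate report (RFC 7489 XML) and a TLS-RPT report (RFC 8460 JSON) are parsed into one row shape and pass through the same de-duplication and failure-counting step. The sample reports and the names `parse_dmarc`, `parse_tlsrpt` and `ingest` are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample reports; every name and address is a documentation value.
DMARC_XML = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>r-1001</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>7</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""
TLSRPT_JSON = json.dumps({
    "organization-name": "sender.example", "report-id": "t-2002",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "failure-details": [
            {"result-type": "certificate-expired", "failed-session-count": 3,
             "sending-mta-ip": "198.51.100.7"},
            {"result-type": "starttls-not-supported", "failed-session-count": 2,
             "sending-mta-ip": "198.51.100.7"}]}]})

def parse_dmarc(xml_text):
    """RFC 7489 aggregate report -> (report key, [(domain, source, failure, count)])."""
    # Reports come from untrusted senders: in production parse with a hardened
    # XML library (e.g. defusedxml) and cap the decompressed size first.
    root = ET.fromstring(xml_text)
    key = ("dmarc", root.findtext("report_metadata/org_name"),
           root.findtext("report_metadata/report_id"))
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        if "pass" not in (ev.findtext("dkim"), ev.findtext("spf")):
            rows.append((domain, rec.findtext("row/source_ip"), "dmarc-fail",
                         int(rec.findtext("row/count"))))
    return key, rows

def parse_tlsrpt(json_text):
    """RFC 8460 report -> same shape as parse_dmarc."""
    doc = json.loads(json_text)
    key = ("tlsrpt", doc["organization-name"], doc["report-id"])
    rows = [(pol["policy"]["policy-domain"], f.get("sending-mta-ip"),
             f["result-type"], f["failed-session-count"])
            for pol in doc["policies"] for f in pol.get("failure-details", [])]
    return key, rows

PARSERS = {"dmarc": parse_dmarc, "tlsrpt": parse_tlsrpt}

def ingest(reports):
    """Shared tail of the pipeline: de-duplicate reports, total failures per domain."""
    seen, failures = set(), Counter()
    for kind, text in reports:
        key, rows = PARSERS[kind](text)
        if key in seen:          # the same report delivered twice
            continue
        seen.add(key)
        for domain, _source, failure, count in rows:
            failures[(domain, failure)] += count
    return failures

if __name__ == "__main__":
    print(ingest([("dmarc", DMARC_XML), ("tlsrpt", TLSRPT_JSON), ("dmarc", DMARC_XML)]))
```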

What our pricing reflects

The €299 monthly figure is set against the combined retail of the four components if you bought them from us individually:

Component                       Standalone   In suite
DMARC monitoring                €89/mo       included
MTA-STS hosting                 €89/mo       included
TLS-RPT ingestion               €59/mo       included
BIMI deployment + monitoring    €99/mo       included
Standalone total                €336/mo
Suite price                                  €299/mo

The €37 monthly difference between standalone and suite pricing is roughly the operational saving from running one project instead of four. We do not pretend it is a deeper discount than that. The bigger value is that you do not have four vendor relationships to manage, four contract renewal dates, four failure modes when something breaks. One contract, one team, one dashboard.

What is not included: the VMC or CMC certificate cost itself. VMCs run €749-1,688 per year depending on the issuing CA (DigiCert, Entrust, Sectigo, GlobalSign, SSL.com); CMCs run €650-1,100. We pass these through at our cost — no markup. The certificate is a one-time annual purchase and we handle the procurement, the SVG conversion, the identity validation calls with the CA, and the renewal workflow each year. Most clients spend €900-1,400 per year here, on top of the €299 monthly.

─────────────────────────────────────────────────────────────────────────
02  /  The eight-week ramp

From p=none to BIMI in inboxes.

The standard engagement runs eight weeks from kickoff to BIMI logo display in Gmail and Apple Mail, assuming the client domain is not currently in DMARC enforcement. Domains already at p=reject compress to four weeks because the DMARC migration step disappears. The schedule below is what we walk through with every client during the first call — what gets done in which week, what we need from the client at each step, and what risks each phase carries.

Week 1 — Discovery and source mapping

We publish a DMARC record at p=none with our reporting endpoint as rua=, then wait. Within seven days every email source that touches the domain shows up in the aggregate reports — Gmail, Microsoft, Yahoo, every Mailchimp subdomain, every Salesforce instance, every transactional API, every internal MTA the client did not remember they had. The output is a complete inventory of legitimate senders and a list of unauthorised senders that need to be either authenticated or shut down. About 30% of clients discover at least one shadow IT email source they did not know existed during this week.

Weeks 2-3 — Authentication completeness

Every legitimate sender gets SPF authorisation and DKIM signing if not already in place. SPF gets cleaned up if the lookup count is at risk of breaching the RFC 7208 §4.6.4 hard cap of 10. DKIM key rotation happens here if any selectors are using 1024-bit RSA — modern receivers expect 2048-bit minimum, and Yahoo rejects 512-bit silently. The output is full SPF=pass and DKIM=pass alignment for every legitimate sender, verified against actual aggregate reports.

Weeks 4-5 — DMARC quarantine

Move from p=none to p=quarantine; pct=25, then ramp the percentage to 100 across the two weeks. Aggregate reports continue flowing — any new authentication failure that surfaces gets investigated and either fixed or whitelisted. Most clients see a brief uptick in support tickets here as messages from forgotten or misconfigured senders start hitting spam folders. We pre-stage messaging to internal teams about the change.

Week 6 — DMARC reject and MTA-STS testing

Two parallel moves. DMARC graduates from p=quarantine; pct=100 to p=reject — the final step. Simultaneously we publish MTA-STS in mode: testing and the TLS-RPT companion record. Sending MTAs that support MTA-STS start reporting TLS connection results to our endpoint; we ingest and aggregate. The four-week testing window starts here.

Weeks 7-8 — BIMI deployment

The DMARC enforcement requirement is met, so BIMI work begins. The logo is converted to SVG Tiny PS from the client's existing brand assets, typically a vector logo file, sometimes a raster that needs revectorising. The VMC application is submitted to DigiCert or Sectigo (we recommend DigiCert for first-time applicants because their identity validation cycle is faster). VMC issuance averages 7-10 business days; while it is in flight, the BIMI DNS record gets staged with just the l= tag (which displays the logo on Yahoo Mail without a certificate). Once the VMC arrives, we add the a= tag and Gmail and Apple Mail begin displaying the verified logo within 24-72 hours of the next provider cache refresh.

Week 10+ — MTA-STS enforce and ongoing

Four weeks of clean TLS-RPT data closes out the testing period. We bump MTA-STS to mode: enforce, increment the DNS id, and the deployment is complete. Ongoing operations are weekly TLS-RPT digest, monthly DMARC executive summary, monthly BIMI cert and SVG validation pass, quarterly review with the client. Cert renewal happens 30 days before expiration with full PEM file replacement and DNS update, no service disruption.
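
The SPF lookup budget checked in weeks 2-3 of the ramp above can be audited before any record is changed. The following is an added example, not the vendor's tooling: it walks `include` and `redirect` chains and counts the DNS-querying terms that RFC 7208 §4.6.4 caps at 10. The `ZONE` dictionary is constructed data standing in for live DNS, and `count_lookups` and `audit` are hypothetical names.

```python
import re

# DNS-querying terms that count toward the limit of 10 (RFC 7208 section 4.6.4).
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed TXT records standing in for live DNS (documentation names only).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 a:out.mailer.example include:_spf2.mailer.example -all",
    "_spf2.mailer.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 exists:%{i}.ok.crm.example redirect=_spf2.mailer.example",
    # A sender list that grew one include at a time.
    "sprawl.example": "v=spf1 a mx ptr " + " ".join(
        f"include:_spf{i}.sprawl.example" for i in range(8)) + " -all",
    **{f"_spf{i}.sprawl.example": "v=spf1 ip4:198.51.100.%d -all" % i for i in range(8)},
}

TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def count_lookups(name, zone, path=()):
    """Return the worst-case number of DNS lookups SPF evaluation of `name` needs."""
    if name in path:
        raise ValueError("include loop: " + " -> ".join(path + (name,)))
    record = zone.get(name)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0          # no SPF record at the target: nothing further to follow
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m or m.group(1).lower() not in COUNTED:
            continue      # ip4, ip6, all, exp= and unknown modifiers cost nothing
        total += 1
        if m.group(1).lower() in ("include", "redirect"):
            total += count_lookups(m.group(2), zone, path + (name,))
    return total

def audit(domains, zone):
    """Map each domain to (lookup count, True if within the cap)."""
    return {d: (n, n <= LIMIT) for d in domains for n in [count_lookups(d, zone)]}
```

The count is a worst case: a receiver stops at the first matching mechanism, so a record over the cap can pass for some senders and return permerror for others.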

─────────────────────────────────────────────────────────────────────────
03  /  Who buys this

The honest fit assessment.

We do not pretend this suite is for every domain. The economics work specifically for organisations sending enough email that BIMI's measurable lift in open and click rates pays for the engagement, and for whom transport security failures in 2026-2027 enforcement scenarios would mean material revenue loss. Outside that profile, simpler approaches are the right answer.

Buy this if

  • You send 200,000+ commercial emails per month, branded under a single domain or small set of domains, where a 4-10% open rate lift translates to material revenue.
  • You have a registered trademark for your logo and want the Gmail blue verification checkmark, which only VMC unlocks.
  • Your current DMARC posture is p=none or no DMARC at all, and the November 2025 Gmail strict enforcement has already started costing you placement on transactional traffic.
  • You operate in a regulated sector (financial services, healthcare, government) where transport-layer security is on its way to becoming a contractual or audit requirement.
  • You want one vendor relationship covering the whole authentication stack rather than four parallel SaaS subscriptions.

Don't buy this if

  • You send fewer than 50,000 commercial emails per month — the BIMI investment will not pay back at low volume, and the DMARC piece can be done cheaper standalone at €89.
  • Your domain is exclusively transactional with no branded marketing component — BIMI's open-rate lift does not apply to receipts and password resets.
  • You already have DMARC at p=reject with active monitoring you are happy with — buy MTA-STS and BIMI separately for €188/month and skip the bundle.
  • You require fully on-premise hosting of all reporting infrastructure — we host on EU sovereign infrastructure but the data flows through our pipeline. Fully isolated deployments are bespoke and not part of this packaged offering.

─────────────────────────────────────────────────────────────────────────
04  /  The honest exclusions

What this does not cover.

Vendors in this space tend to imply that buying a managed authentication suite solves email deliverability. It does not. Authentication is necessary; the other half — IP reputation, content hygiene, list quality, complaint rates — sits outside the scope of this engagement. We are explicit about that boundary in the proposal because mismatched expectations here are the leading source of dissatisfaction six months into engagements.

Specifically not included: list cleaning and validation, content filtering or template optimisation, dedicated IP warmup (we sell that separately at €199 per IP), spam complaint mitigation beyond DMARC enforcement, ESP migration assistance, ARC sealing for forwarded mail, sender authentication for third-party platforms whose admin you do not control. Some of these we offer as separate engagements; some we deliberately do not offer. If your deliverability problem is a list quality problem, this suite is the wrong purchase — we will tell you that on the discovery call.

─────────────────────────────────────────────────────────────────────────
04A  /  BIMI in 2026 — what changed

VMC, CMC, Gmail's blue check — and where each actually works.

The BIMI landscape fragmented further in 2025 and 2026. The four mailbox providers that matter now have four different positions on what they will display.

The single change that reshaped BIMI economics in 2024-2026 was the introduction of the Common Mark Certificate (CMC) as an alternative to the Verified Mark Certificate (VMC). Until October 2024, the VMC was the only path to BIMI logo display in Gmail — and the VMC requires a registered trademark, which excluded an estimated 60-70% of mid-market senders from BIMI altogether. The CMC removes the trademark requirement and replaces it with proof that the logo has been in continuous public use on the sender's domain for at least twelve months, verified through archive screenshots and DNS history.

The four provider positions in mid-2026:

Gmail displays the BIMI logo with either a VMC or a CMC. The blue "authenticated" checkmark that produces the visible engagement uplift requires a VMC specifically; a CMC produces the logo display but not the checkmark. Gmail also requires the sending domain to maintain a quarantine-or-reject DMARC policy and adequate local sender reputation before any logo will display. The reputation requirement is the trap: a brand-new domain with a perfect VMC and a perfect DMARC posture still will not display the logo for the first weeks of operation.

Apple Mail on iOS and macOS requires a VMC. The CMC is not accepted by Apple's BIMI implementation, which means brands without a registered trademark cannot get the Apple Mail logo display through BIMI at all. Apple's separate Apple Business Connect platform offers a path to logo display in Apple-native applications (Mail, Wallet, Phone) without going through BIMI, but it is a different system with different operational mechanics and is not part of this suite.

Yahoo Mail remains the most permissive of the four. It displays self-asserted BIMI logos — those published in DNS without any certificate at all — provided the domain meets the DMARC enforcement requirement. A VMC or CMC on the same record will be used as an additional signal for inbox-eligibility decisions but is not strictly required for the logo to render.

Microsoft Outlook has limited BIMI support as of early 2026. Microsoft acknowledges the protocol but has not committed to full VMC-verified logo display in consumer Outlook surfaces. Senders targeting Outlook should not expect BIMI to produce the same brand-visibility effect there that it produces at Gmail or Yahoo. We do not include Microsoft BIMI display in suite engagement KPIs because the provider behaviour is not yet reliable enough to commit to.

The certificate economics in 2026 are straightforward. A VMC from DigiCert, Entrust, GlobalSign or Sectigo costs €1,200-1,600 per year per logo per organisational domain, with a maximum validity of 397 days (shortening to 200 days from 11 March 2026 for new SSL/TLS issuance per the CA/B Forum baseline). A CMC from the same authorities runs €400-700 per year per logo. The trademark-registration cost for senders who do not already have one and want to qualify for the VMC blue check runs an additional €800-1,500 in EUIPO or USPTO filing fees plus 6-18 months of registration latency.

When the suite includes BIMI deployment, we handle the SVG Tiny PS logo conversion, the BIMI DNS record (correctly aligned with the organisational domain), the PEM hosting on HTTPS, and the certificate-renewal calendar. We do not handle the trademark registration itself — that requires a trademark attorney working with the relevant intellectual-property office, and we route customers to the right specialist where the registration is not already in place.

─────────────────────────────────────────────────────────────────────────
04B  /  Microsoft enforcement and the NCSC retirement

Two 2026 shifts that changed who pays for managed authentication.

Microsoft completed bulk-sender enforcement in November 2025. The UK's NCSC retired Mail Check on 31 March 2026. Both events moved meaningful demand into the managed-auth category.

Microsoft announced bulk-sender authentication requirements for Outlook.com, Hotmail.com, Live.com and MSN.com in May 2025, with warnings beginning August 2025, gradual rejections from September 2025, and full enforcement from November 2025. Any domain sending more than 5,000 emails per day to Microsoft consumer addresses must now publish SPF and DKIM with DMARC at p=none minimum, with alignment on either SPF or DKIM (preferably both). Non-compliant mail is rejected with the bounce code 550 5.7.515. The requirement broadly mirrors what Gmail and Yahoo enforced from February 2024, with two differences worth flagging.

The first difference: Microsoft weights IP reputation more heavily than Gmail does. Gmail leans on domain reputation; Microsoft leans on IP reputation. A sender on a shared IP whose pool contains poorly-behaving tenants will see deliverability degrade at Microsoft before it degrades at Gmail. This is one of the empirical reasons we recommend dedicated IPs for any sender above 100,000 monthly volume targeting a meaningful Microsoft audience. The suite covers the authentication side of this; the IP side is handled by our separate PowerMTA hosting or SMTP relay services.

The second difference: Microsoft has not yet adopted the RFC 8058 one-click unsubscribe header standard that Gmail and Yahoo require. Microsoft asks for a "functional unsubscribe mechanism" — a footer link is sufficient — and is broadly silent on the header format. We have seen suite customers be tempted to drop the one-click implementation for Microsoft-only flows. That is a mistake; the Gmail and Yahoo audiences in those same flows will degrade if the one-click header disappears. The suite default is to maintain one-click headers across all mail and rely on Microsoft's looser requirement as a permissive subset.

The NCSC retirement on 31 March 2026 affected a different segment of the market. The UK's National Cyber Security Centre operated Mail Check and Web Check as free centralised services that gave UK organisations DMARC and TLS visibility without their own tooling. The retirement pushed roughly 2,000 UK public-sector and supplier organisations into the managed-auth procurement market within a two-quarter window. PowerDMARC's analysis of 875 UK government domains in early 2026 found that 12.2% still lacked any DMARC record and 42.9% had not reached p=reject — a compliance gap that produced visible procurement activity at the suite's price band during Q1 and Q2 2026.

The market dynamic this produced: managed-authentication pricing across European vendors compressed by roughly 8-12 % between March and May 2026 as new entrants chased the UK-driven volume. Our suite price held at €299/month because the underlying engineering effort did not change — the four protocols still require the same monitoring, the same record management, the same exception handling for misconfigured tenant senders. The pricing pressure was on monitoring-only DMARC plays where the marginal cost of adding a customer is near zero. Our position is that authentication-as-a-bundle stays priced at engineering cost, not at marginal-monitoring-seat cost.

─────────────────────────────────────────────────────────────────────────
05  /  ROI calculator

When does the suite pay for itself?

The math on whether €299 per month plus the one-off setup and annual VMC fee makes financial sense for your specific business.

The math on whether the suite pays for itself is the question every prospect actually wants answered. The honest answer is that it depends on volume, open rate, and how email traffic converts to revenue downstream — three variables that sit on the buyer side of the line. We built the calculator below to let you run the numbers against your own inputs without a sales call. The model uses the median 7 percent open rate uplift from BIMI deployment that Red Sift and others have published, our actual €299 per month suite cost, plus €1,200 one-off setup and €1,200 per year averaged VMC fee. Payback expressed in months, not as marketing copy.

// your inputs

Monthly email volume: 200,000
Current open rate: 22%
Open → revenue conversion: 2.0%
Average order / customer value (€): €150

// your output

Current monthly opens: 44,000
Lifted opens (+7%): 3,080
Incremental orders / month: 62
Incremental revenue / month: €9,240
Suite cost / month: €299
Setup + first VMC (year 1): €2,400
Net month-1 cost: €2,699

// payback period

≈ 1 month

After payback, ongoing margin is roughly €8,941/month at these inputs.

Methodology: BIMI uplift fixed at 7% (median of Red Sift / Apple Mail / Yahoo Mail published case studies, ranging 4-10%). Suite price €299/month inclusive of DMARC monitoring, MTA-STS hosting, TLS-RPT ingestion and BIMI deployment ops. First-year incremental cost: €1,200 setup + €1,200 averaged VMC fee = €2,400 amortised against month one. Subsequent years add €1,200 annual VMC. Calculator does not factor in deliverability gains from DMARC enforcement, which arrive whether BIMI displays or not.

Three notes on reading the output. First, the calculator assumes the BIMI logo gets displayed in the inbox, which requires DMARC at p=quarantine or stricter. Without DMARC enforcement the lift is zero — the suite still has value through the deliverability work, but the BIMI ROI is delayed until the DMARC migration completes. Second, the 7 percent uplift figure is the median across published case studies. Real lift varies between 4 and 10 percent depending on brand recognition. Finance brands and known retailers tend to see the upper end. Lesser-known senders see the lower end. Third, the model excludes the deliverability gain from MTA-STS plus DMARC enforcement in absolute terms — those are harder to monetise as a discrete number, but they are the floor under any BIMI calculation. The numbers above are conservative.

─────────────────────────────────────────────────────────────────────────

Start with a free assessment.

Send us your domain. We will run our DMARC inspector, MTA-STS validator, and BIMI inspector against it, plus our internal aggregate-report sampler if you have an existing DMARC RUA endpoint. Within 48 hours you get a written report covering current state, gaps against the November 2025 Gmail enforcement, and a fixed-scope quote for the suite. No commitment, no auto-conversion to a contract, no pressure tactics.