Showing posts with label DNS. Show all posts

4 Nov 2025

✨ Worked on VMC Today – A Simple Explanation for Everyone

How Brands Show Logo in Gmail Using VMC & BIMI (SPF, DKIM, DMARC, SVG Tiny PS) | MiddlewareBox

Today I discovered something interesting that we encounter daily but rarely understand – how company logos appear in your mail client or Gmail inbox. 🤯

Have you noticed when you receive emails from major brands like Google, Amazon, or your bank, their official logo displays right next to the sender's name? Ever wondered how that works?

I uncovered the answer today, and it's called VMC – Verified Mark Certificate. It's actually much simpler than it sounds! I'm sharing everything I learned here in easy-to-understand language so you can implement this too. 😊


🔍 What You Need Before Getting VMC – Verified Mark Certificate
  • Your company logo must be trademarked.
    • Official government trademark registration is required.
  • Logo must be in .SVG Tiny PS format.
    • SVG: Scalable Vector Graphics
    • Tiny PS: Tiny Portable/Secure profile (lightweight & email-safe)
  • Email authentication must be properly configured:
    • SPF: Sender Policy Framework
    • DKIM: DomainKeys Identified Mail
    • DMARC: Domain-based Message Authentication, Reporting & Conformance
    • DMARC policy must be: p=quarantine or p=reject with pct=100
  • You will receive a .pem VMC certificate from the Certificate Authority.
    • PEM: Privacy Enhanced Mail format



Use this link:
  • bimigroup.org/bimi-generator/

    🔎 What is VMC – Verified Mark Certificate?

    • Some emails display the company's logo next to the sender's name — that’s VMC in action.
    • VMC (Verified Mark Certificate) allows your official company logo to appear in Gmail, Yahoo, Apple Mail, etc.
    • It shows recipients that the email passed DMARC authentication for your domain, so it genuinely came from your organization and not from a phishing attempt that spoofs it.
    • Think of it as a ✔️ verification badge for your business emails.

    🎯 Why Organizations Implement VMC

    Benefit                     Explanation
    Display Logo in Inbox       Your brand appears professional and trustworthy in every email.
    Build Customer Trust        Recipients can instantly identify legitimate emails from your organization.
    Prevent Email Spoofing      Protects customers from scammers impersonating your brand.
    Increase Email Engagement   Verified logos lead to higher open rates and reduced spam filtering.

    🔐 Getting a VMC Certificate

    • Choose a Certificate Authority: DigiCert, Entrust, Sectigo.
    • Provide trademark proof (your logo must be officially registered) and complete organisation verification.
    • Prepare your logo in SVG Tiny PS (Portable/Secure) format.
    • Complete CA organization & trademark validation.
    • Upon approval, you’ll receive the vmc.pem certificate file.

    📦 Understanding the .PEM Certificate & Hosting Options

    • After approval, you get a file: vmc.pem.
    • Both the logo and the .pem certificate must be publicly accessible over HTTPS:
    • logo.svg
    • vmc.pem

    Option 1: Hosted by the Certificate Authority, e.g. DigiCert or Entrust (Easy)

    https://vmc.digicert.com/<your-id>.svg
    https://vmc.digicert.com/<your-id>.pem
    

    Option 2: Self-Host on Your Domain (Recommended)

    https://brand.yourdomain.com/bimi/logo.svg
    https://brand.yourdomain.com/bimi/vmc.pem
    

    Directory structure:

    /bimi
    ├── logo.svg
    └── vmc.pem
    

    🧩 Creating Your BIMI DNS Record

    • Once files are hosted, create a BIMI TXT record.
    • Host: default._bimi (the full record name is default._bimi.yourdomain.com)
    • Type: TXT

    BIMI TXT Value:

    v=BIMI1; l=https://brand.yourdomain.com/bimi/logo.svg; a=https://brand.yourdomain.com/bimi/vmc.pem; avp=digicert
    

    Note: avp is optional; it names the certificate authority that issued the VMC.


    🧪 Testing Your BIMI & VMC Implementation


    💎 Pro Tip: Use crt.sh for Certificate Search

    • crt.sh helps you search SSL/TLS & VMC certificates.
    • Search by domain, CA, or organization.
    • Link: crt.sh

    ❓ Frequently Asked Questions

    • Do I configure VMC in DigiCert?
      🔥 NO – You only obtain the certificate from DigiCert. DNS configuration is YOUR responsibility.
    • Why does my URL show vmc.digicert.com or bimi.entrust.com?
      🔥 NORMAL – DigiCert/Entrust hosts your BIMI files. This is STANDARD OPERATION and completely acceptable.
    • Logo not showing?
      🔥 TROUBLESHOOT – Verify:
      • DMARC policy (p=quarantine or p=reject)
      • BIMI record syntax
      • SVG format compliance
      • DKIM authentication
    • Is BIMI supported everywhere?
      🔥 MAJOR PROVIDERS – Gmail, Yahoo, and others support it. Coverage is EXPANDING but not universal.

    ✨ Final Tip: Add BIMI TXT → Validate using tools → Send a test email to Gmail/Yahoo to see your logo in inbox!
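    Before sending that test email, it helps to check the two things the troubleshooting list above keeps coming back to: the DMARC policy (p=quarantine or p=reject with pct=100) and the syntax of the default._bimi record with https l= and a= URLs. The checker below is an added example, not code from the post or from any CA; it works on record text you have already fetched (for example with dig), and the sample records in it are constructed.

```python
# Added example, not from the post: an offline checker for the BIMI prerequisites
# listed above (DMARC p=quarantine/reject with pct=100, a well-formed BIMI record).
from urllib.parse import urlparse

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record; DMARC and BIMI share this syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Reasons the DMARC policy would stop mailbox providers showing the logo."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("DMARC: missing v=DMARC1")
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append("DMARC: policy must be p=quarantine or p=reject")
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
        problems.append("DMARC: pct must be 100")
    return problems

def check_bimi(record: str) -> list:
    """Reasons the default._bimi record is malformed for VMC use."""
    tags, problems = parse_tags(record), []
    if tags.get("v") != "BIMI1":
        problems.append("BIMI: missing v=BIMI1")
    for tag, what in (("l", "logo"), ("a", "VMC certificate")):
        url = tags.get(tag)
        if not url:
            problems.append(f"BIMI: {tag}= ({what} URL) is missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"BIMI: {tag}= ({what} URL) must use https")
    return problems

def bimi_ready(dmarc_record: str, bimi_record: str) -> list:
    """Combine both checks; an empty list means the basics are in place."""
    return check_dmarc(dmarc_record) + check_bimi(bimi_record)

# Constructed sample records (not real DNS answers).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
GOOD_BIMI = ("v=BIMI1; l=https://brand.yourdomain.com/bimi/logo.svg; "
             "a=https://brand.yourdomain.com/bimi/vmc.pem; avp=digicert")
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=50"
BAD_BIMI = "v=BIMI1; l=http://brand.yourdomain.com/bimi/logo.svg"

if __name__ == "__main__":
    print(bimi_ready(GOOD_DMARC, GOOD_BIMI) or ["ready"], bimi_ready(WEAK_DMARC, BAD_BIMI))
```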


    25 Oct 2025

    🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🔒🔑

    • 🏢 In an enterprise environment, understanding how network traffic flows from users to internal applications is essential for performance, security, and compliance.
    • 🌐 This post explains the complete inbound and outbound flow — covering DNS, Akamai WAF, Firewall, DMZ, and SSL certificate management across enterprise systems.


    🗺️ Network Flow Diagram

    🔹 Inbound Flow (User → Application → Database):
    🌐 User → 🧭 Akamai DNS → 🛡️ Akamai WAF → 🚧 Firewall → 🏰 DMZ → 📡 Load Balancer → 🖥️ Web Server → ⚙️ App Server → 💾 Database


    🔹 Outbound Flow (Internal App → Internet):
    🖥️ VM/App → 🧭 Internal DNS → 🛡️ Proxy Server → 🚪 Firewall (SNAT) → 🌍 Internet


    🧰 Setup Phase (One-Time Configurations)

    • 🧭 DNS (Domain Name System): Resolves domain names into IP addresses for user access.
    • 📄 A Record: Maps a domain name to an IP address (e.g., app.company.com → 104.85.32.11).
    • DNS Validation: Verifies domain ownership during SSL or CDN setup using a TXT record.
    • 🔒 SSL Certificate Setup: Enables secure HTTPS communication between users and servers.
    • 🌍 Public SSL (Internet Apps): Managed by Akamai CPS, DigiCert, or Let’s Encrypt.
    • 🏢 Internal SSL (Intranet Apps): Used for applications accessed inside an organization’s private network — typically using Microsoft ADCS or HashiCorp Vault PKI for certificate management. Additionally, internal SSL certificates are often deployed directly on web servers such as:
      • 🌐 Apache HTTP Server — configured in ssl.conf or virtual host files.
      • ⚙️ NGINX — defined using ssl_certificate and ssl_certificate_key directives.
      • 🪟 Microsoft IIS — managed via IIS Manager or PowerShell scripts.
      • 🖥️ IBM IHS or F5 / Radware — for SSL termination or offloading at the load balancer level.
    • 🛡️ Firewall & DMZ Setup: Protects internal systems from public exposure.

    🌐 How CDN & DNS Flow Works

    Let’s simplify what happens when someone accesses https://app.company.com and you’re using a CDN like Akamai:

    1. 🧭 DNS resolution (First Step)
       app.company.com → app.company.com.edgesuite.net
       The domain is not directly mapped to your firewall. Instead, it's pointed to Akamai’s CDN hostname (CNAME). This lets Akamai handle global routing, SSL, and caching before traffic reaches your network.
    2. 🌍 Akamai Edge IP resolution
       app.company.com.edgesuite.net → 104.85.32.11
       Akamai DNS picks the nearest edge server IP based on user location. This gives low latency and faster content delivery (geo-DNS routing).
    3. 🛡️ User connects to Akamai Edge
       Akamai Edge performs:
       - WAF (Web Application Firewall) checks
       - SSL/TLS termination
       - Content caching for faster response
       - Origin fetch (only if needed)
       The user’s browser never touches your firewall directly. Akamai acts as the “front door” — securing, filtering, and caching content. This is where DDoS protection and certificate validation happen.
    4. 🏰 CDN connects to your enterprise public IP
       Akamai Edge → 203.122.10.55
       Akamai now makes a backend (origin) call to your organization’s public IP. This IP is provided by your ISP and configured on your enterprise firewall as a VIP (Virtual IP). It represents your app’s public presence on the Internet.
    5. 🚧 Firewall DNAT Mapping (Public → Private)
       203.122.10.55 → 10.10.5.21
       The firewall receives the request on the public IP and uses DNAT (Destination NAT) to map it to the private IP of your internal web/app server. This keeps internal servers hidden while maintaining full access control.
    6. 🖥️ Private App Server Processing
       The request reaches 10.10.5.21 → app logic executes → response generated.
       This is where your actual business logic runs (Tomcat, WebSphere, NGINX, etc.). The app prepares a response that travels back the same path — but in reverse.
    7. 🔁 Response Path (Reverse Flow)
       App Server → Firewall SNAT → Akamai Edge → User Browser
       The firewall uses SNAT (Source NAT) to mask internal IPs with the public IP. Akamai then caches or delivers the content to the user securely.
    
    🧑‍💻 User Browser
       ↓
    🧭 DNS → 🌐 app.company.com → 🌀 app.company.com.edgesuite.net
       ↓
    🌍 Akamai Edge IP (104.85.32.11)
       ↓
    🛡️ Akamai Edge → 🚧 Firewall Public IP (203.122.10.55)
       ↓
    🏢 Firewall DNAT → 🖥️ Internal DMZ / Web / App Server (10.10.5.21)
       ↓
    🔁 Response → 🚪 Firewall SNAT → 🌍 Akamai Edge → 🧑‍💻 User
    
    💬 In short:
    • 👥 Users never connect directly to your private network.
    • 🛡️ Requests first hit Akamai’s Edge IPs — acting as a secure global shield for your applications.
    • 🌍 Akamai forwards clean traffic to your enterprise Public IP (assigned by ISP).
    • 🚧 The Firewall performs DNAT to map the public IP to a Private App Server (10.x.x.x).
    • 🔁 During the return flow, the Firewall uses SNAT to mask internal IPs before sending responses back to the user.
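    The seven-step flow above, condensed into a small runnable model. This is an added example, not the post's own code or any vendor's: a resolver that chases the CNAME to the CDN edge (steps 1 and 2) and a stateful firewall that DNATs the public VIP to the private server and translates the source back on the reverse path (steps 5 and 7). The names and addresses are the post's examples; the DNAT rule, the ports and the 198.51.100.x / 203.0.113.x addresses in the usage are constructed.

```python
# Added example, not from the post: a minimal model of steps 1 to 7 above, with a
# CNAME-chasing resolver and a stateful firewall that DNATs inbound traffic and
# SNATs the reverse/outbound path. Rule, ports and test addresses are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed DNS data for steps 1-2: CNAME to the CDN, then the edge A record.
DNS = {
    "app.company.com": ("CNAME", "app.company.com.edgesuite.net"),
    "app.company.com.edgesuite.net": ("A", "104.85.32.11"),
}

def resolve(name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs until an A record is found (step 1, then step 2)."""
    for _ in range(max_hops):
        rtype, value = DNS[name]
        if rtype == "A":
            return value
        name = value                         # CNAME: keep resolving the target
    raise RuntimeError("CNAME chain too long")

class Firewall:
    """Edge firewall: DNAT published VIPs inbound, SNAT private sources outbound."""
    def __init__(self, public_ip: str, dnat_rules: dict):
        self.public_ip = public_ip           # ISP-assigned VIP (step 4)
        self.dnat = dnat_rules               # (vip, port) -> (private_ip, port)
        self.conntrack = {}                  # (client, cport, private, pport) -> (vip, port)

    def inbound(self, pkt: Packet):
        """Step 5: rewrite the VIP to the private server, or drop if unpublished."""
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is None:
            return None                      # nothing published on that VIP/port
        self.conntrack[(pkt.src, pkt.sport) + target] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, *target)

    def outbound(self, pkt: Packet) -> Packet:
        """Step 7: replies get the original VIP back; new flows get the public IP."""
        public = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if public is None:
            public = (self.public_ip, pkt.sport)   # plain SNAT, internal IP never leaks
        return Packet(*public, pkt.dst, pkt.dport)

if __name__ == "__main__":
    fw = Firewall("203.122.10.55", {("203.122.10.55", 443): ("10.10.5.21", 8443)})
    edge = resolve("app.company.com")                      # 104.85.32.11
    print(fw.inbound(Packet(edge, 51000, "203.122.10.55", 443)))   # -> dst 10.10.5.21:8443
    print(fw.outbound(Packet("10.10.5.21", 8443, edge, 51000)))    # -> src 203.122.10.55:443
    print(fw.inbound(Packet("198.51.100.7", 40000, "203.122.10.55", 22)))  # None (dropped)
```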

    ⚙️ Runtime Flow (When Users Access the App)

    Inbound Flow (Internet → App)

    • 🌍 User opens https://app.company.com
    • 🧭 DNS resolves to Akamai Edge IP.
    • 🛡️ Akamai WAF filters and forwards clean traffic.
    • 🚧 Firewall performs DNAT to internal private IP.
    • 🏰 DMZ hosts load balancer/web proxies.
    • 📡 Load balancer distributes traffic to web/app servers.
    • 🖥️ App processes request and sends response back through the same path.

    🔠 Key Terms (Full Forms)

    Term    Full Form                       Simple Meaning
    DNS     Domain Name System              Converts website names into IPs
    WAF     Web Application Firewall        Blocks bad web traffic
    CDN     Content Delivery Network        Delivers cached web content faster
    DMZ     Demilitarized Zone              Buffer zone between internet & private network
    NAT     Network Address Translation     Maps public ↔ private IPs
    DNAT    Destination NAT                 Inbound mapping (public → private)
    SNAT    Source NAT                      Outbound mapping (private → public)
    PKI     Public Key Infrastructure       Manages SSL certificates
    LB      Load Balancer                   Distributes traffic across servers

    ✅ Summary

    • DNS only maps names to IPs — it doesn’t store servers.
    • CDNs like Akamai act as a smart middle layer for caching and security.
    • Public IPs are used on firewalls or load balancers; private IPs stay hidden inside.
    • DNAT and SNAT handle IP translation for inbound and outbound traffic.
    • SSL ensures secure HTTPS connections both at the CDN and internal layers.

    🔧 Authored by Pradeep Vishwakarma — Senior Middleware & DevOps Engineer | MiddlewareBox.com