What the verified checkmark next to a sender really means

Open your inbox and you will spot a small checkmark next to a few sender names. It is easy to miss. When it appears, the brand that sent the email has proved to your inbox that the message genuinely came from them, and that the logo beside it is really theirs.

So what does that checkmark actually prove, and what should you make of an email that arrives without one?

A name in the From field proves nothing

Anyone can type "Your Bank" into the From field. The sender name is just text. Nothing in an ordinary email stops a stranger from borrowing a name you trust and counting on you not to look closer.

The checkmark is one of the few things that name cannot fake. When it shows up, an outside check has already confirmed two facts: the email left the brand's own domain, and the logo beside it really belongs to that brand.

What it takes to earn one

A brand cannot just ask for the checkmark. Three things have to be true at once, and each is confirmed by someone other than the sender.

First, the brand has to prove its mail is not forged. That means turning on the standard email security checks (you may have seen them written as SPF, DKIM, and DMARC) and enforcing them, so any mail server can confirm a message really came from that domain and was not altered on the way. Skip this and nothing else counts.

Second, the brand publishes its official logo to a public record tied to its domain, using a standard called BIMI. That record is what lets your inbox swap plain initials for the real logo.

Third, and this is the part most senders never finish, the brand pays an independent certificate authority to confirm it actually owns that logo, usually by checking a registered trademark. The document it gets back is called a Verified Mark Certificate. Without one, a logo is just a picture anyone could have uploaded.

Patriot Mail waits for that last step. A logo with no paid, independent certificate behind it does not earn the mark. When all three line up and a message passes the checks, Patriot Mail shows the brand's real logo in place of initials and adds the checkmark beside the name.

What it does not promise

The checkmark answers one question: who sent this. It says nothing about whether the message is worth your time.

A verified brand has proven it owns its domain and its logo. It has not promised the email is useful, accurate, or safe to act on. Verified senders still send marketing you never asked for. They make mistakes. And an account inside a real company can be misused by someone who should not have access to it.

Read the checkmark as context, not a seal of approval. Judge each message on what it asks of you.

Why it still earns its place

Most phishing rides on lookalikes. Someone registers acme-bank-support.com and hopes you will not notice it is not acmebank.com. That copycat does not own the real domain or logo, cannot get a Verified Mark Certificate for them, and will never earn the checkmark. That is exactly what makes the mark hard to fake.

The missing case carries weight too. When an email looks like it came from a big, familiar brand but there is no logo and no checkmark, that is a fair reason to slow down before you click a link or open an attachment. It does not prove the message is fake; plenty of real senders have not set any of this up yet. But a gap where you expected a checkmark is a quiet hint to check the details first.

A quick guide for the inbox

When the checkmark is there, you can trust the message came from that brand's domain. Read it with your usual care.

When it is missing on a brand you know well, the brand may simply not have set verification up yet. Give links, attachments, and any request for money or personal details a closer look.

When the logo and checkmark are both there but the message still feels wrong, trust that feeling. The identity is real; the request may not be. Verified brands get things wrong, and real accounts get hijacked.