Verified Mark Certificates: another CA scam

🏷️ blog

BIMI is a standard wherein you slap in yet another TXT record to specify the avatar to use in mail clients for your domain's email accounts. There's one troublesome bit though: the "Verified Mark Certificate", which is basically a Bag on the Side saying this is definitely, for sure, not spoofed.

The trouble is, only HTTPS URIs are allowed, and mail clients surely won't allow self-signed certs. As such, if you wanted to truly verify this came from the controlling domain, you don't need to issue a new cert of any kind. A simple modification to the spec would do the trick:

better_bimi_record.txt

default._bimi TXT "v=BIMI2 l=/path/to/image.svg"

I.e. just pass the path, and autofill the https://$domain bit. This is totally fine, because essentially every single cert issued today was issued because it passed DCV. And if that's fine for websites, it's absolutely good enough to display a silly image in mail clients. CAs truly have a talent for finding spots to extract rents via making the web work worse.
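As an added example (not code from this post), here is a small resolver that handles both the current v=BIMI1 record shape (absolute https:// logo URI, optional a= VMC URI) and the path-only v=BIMI2 shape proposed above. The BIMI2 branch implements the post's proposal, not a published spec; it assumes the record was looked up at default._bimi.<domain> and that `domain` is that mail domain.

```python
"""Resolve a BIMI logo URL from a TXT record (added example, not from the post).
BIMI1 tags are ';'-separated per the spec; the post's BIMI2 sketch uses spaces,
so both separators are accepted."""
import re
from urllib.parse import urlsplit


def parse_bimi_tags(txt):
    """Split 'k=v' tags on ';' or whitespace into a lower-cased dict."""
    tags = {}
    for part in re.split(r"[;\s]+", txt.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.lower()] = v
    return tags


def resolve_logo(domain, txt):
    """Return (logo_url, vmc_url_or_None), or raise if the record is unusable."""
    tags = parse_bimi_tags(txt)
    version = tags.get("v", "").upper()
    logo = tags.get("l", "")
    if version == "BIMI1":
        # Current spec: the logo must be an absolute https:// URI. http:, data:
        # and bare paths are refused so a client never fetches the logo from an
        # origin that did not pass TLS validation. The a= VMC is returned but
        # not validated here.
        u = urlsplit(logo)
        if u.scheme != "https" or not u.netloc:
            raise ValueError("BIMI1 l= must be an absolute https URI")
        return logo, tags.get("a") or None
    if version == "BIMI2":
        # Post's proposal (hypothetical): l= carries only a path, and the host
        # is always the domain the record lives under. Control of the DNS zone
        # plus a DCV-validated cert on that host is the entire proof, so no
        # separate VMC is needed. Reject anything that smuggles in a host.
        if not logo.startswith("/") or logo.startswith("//") or "://" in logo:
            raise ValueError("BIMI2 l= must be an absolute path with no host")
        return f"https://{domain}{logo}", None
    raise ValueError(f"unsupported BIMI version {version!r}")
```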

© 2020-2023 Troglodyne LLC