DMARC itself allows three policies at the organizational domain, `p=none`, `p=quarantine` and `p=reject`, but BIMI only recognizes the two enforcing ones: for BIMI the organizational domain must publish `p=quarantine` applied to all mail (no reduced `pct=`) or `p=reject`, with SPF and DKIM in place so that legitimate mail can actually pass DMARC alignment, and if an `sp=` tag is present it must not be `none`. `p=none` is a monitoring mode and does not qualify. Between the two enforcing policies there is a strong consensus that `p=reject` offers the better protection against spoofing and phishing, which protects the brand and, in practice, improves deliverability. Small senders and organizations with complex mail flows (third-party sending services, forwarding, many subdomains) should nevertheless move to `p=reject` carefully: any source that is missing from SPF or not signing with an aligned DKIM key will have its legitimate mail rejected. The usual path is to start at `p=none` with aggregate reports (`rua=`) enabled, fix each unaligned source the reports reveal, move to `p=quarantine`, and only then to `p=reject`; while the domain sits at `p=none` it is not BIMI-eligible, so the chosen policy has to match both the organization's risk tolerance and its capacity to act on the reports. Because a subdomain without its own DMARC record inherits the organizational domain's record (`sp=` if present, otherwise `p=`), the policy at the organizational domain is what determines spoofing resistance and BIMI eligibility for the whole domain tree, not just for the apex.
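The following is an added example, not code from the original page or from any BIMI or DMARC project, that turns the policy rules above into a check a practitioner can run against a DMARC TXT record before requesting a BIMI certificate. It parses the record, works out the effective policy for the apex and for subdomains, and reports why a record fails. The function names and the sample records are this example's own; applying the `pct=100` rule to an `sp=quarantine` tag as well as to `p=quarantine` is the example's conservative reading.

```python
"""Evaluate a DMARC TXT record against the enforcement level BIMI requires.

Added example: the records used here are constructed for illustration, not
taken from any real domain, and the function names are this example's own.
"""
from __future__ import annotations

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names.

    Raises ValueError for a record that is not a syntactically valid DMARC
    record, which a receiver treats as if no policy were published.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag, matched exactly.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    return tags


def effective_policy(tags: dict, subdomain: bool) -> str:
    """Policy a receiver applies: sp= governs subdomains when present, else p=."""
    policy = tags["sp"] if subdomain and "sp" in tags else tags["p"]
    return policy.lower()


def sampling_pct(tags: dict) -> int:
    """pct= defaults to 100; a non-numeric or out-of-range value is malformed."""
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return pct


def bimi_eligible(txt: str) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for an organizational domain's DMARC record.

    Checks: p must be quarantine or reject; a quarantine policy must apply to
    100% of mail (pct=100, the default); sp, if present, must not be none.
    """
    reasons = []
    try:
        tags = parse_dmarc(txt)
        pct = sampling_pct(tags)
    except ValueError as exc:
        return False, [f"invalid record: {exc}"]

    for label, subdomain in (("p", False), ("sp", True)):
        if subdomain and "sp" not in tags:
            continue  # subdomains simply inherit p= in that case
        policy = effective_policy(tags, subdomain)
        if policy not in ENFORCING:
            reasons.append(f"{label}={policy or '<empty>'} is not an enforcing policy")
        elif policy == "quarantine" and pct != 100:
            reasons.append(f"{label}=quarantine with pct={pct}; BIMI needs pct=100")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample records, from fully eligible to clearly not.
    samples = [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=50",
        "v=DMARC1; p=reject; sp=none",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ]
    for record in samples:
        ok, why = bimi_eligible(record)
        print(f"{'OK ' if ok else 'NO '} {record}  {'; '.join(why)}")
```

The check only covers the published policy; it says nothing about whether the domain's actual mail streams pass DMARC, which is what the `rua=` aggregate reports are for and what has to be clean before the policy is tightened.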