Do DMARC and BIMI require p=reject to be present on the organizational domain?

5Marketer opinions 5Expert opinions 5Technical articles 6Resources

Summary

While DMARC and BIMI technically support both `p=quarantine` and `p=reject` policies at the organizational domain, there's a strong consensus that `p=reject` offers superior protection against spoofing and phishing, ultimately enhancing brand security and deliverability. For BIMI compliance, a DMARC policy is mandatory, alongside SPF and DKIM. However, small senders and those with complex email setups should exercise caution with `p=reject`, as misconfigurations can lead to legitimate emails being blocked. Alternatives like `p=none` or `p=quarantine` may be more suitable in such cases, emphasizing the importance of aligning the DMARC policy with the organization's risk tolerance and monitoring capabilities. A strict policy at the organizational domain is crucial, particularly when using subdomains.

Key findings

BIMI & DMARC Requirement: BIMI requires a DMARC policy with either `p=quarantine` or `p=reject`.
Stronger Security: `p=reject` offers superior protection against spoofing and phishing compared to `p=quarantine`.
Authentication Matters: SPF and DKIM authentication are critical for both DMARC and BIMI implementation.
Small Sender Exception: `p=reject` may not be ideal for small senders due to potential misconfiguration and blocked emails.
Organizational Domain Importance: A DMARC policy at the organizational domain is crucial, particularly when using subdomains and must be as strict as or stricter than subdomain policies.

Key considerations

Risk Tolerance: Assess your organization's risk tolerance and monitoring capabilities before implementing `p=reject`.
Implementation Complexity: DMARC setup, especially with `p=reject`, requires careful configuration and expertise.
Legitimate Email Impact: Understand the potential for `p=reject` to block legitimate emails if authentication isn't correctly configured.
Policy Alternatives: Consider `p=none` or `p=quarantine` as alternatives for small businesses or complex email setups.
Proactive Responsibility: Your DMARC policy demonstrates your commitment to responsible email sending practices and managing your sending reputation.

What email marketers say
5Marketer opinions

While a DMARC policy with `p=reject` is not strictly mandatory for BIMI, it is highly recommended and considered best practice for optimal effectiveness and brand protection. BIMI can function with a `p=quarantine` policy, but `p=reject` offers the strongest security posture and increases the likelihood of BIMI compliance and logo display. The choice between `p=quarantine` and `p=reject` often depends on the organization's risk tolerance, monitoring capabilities, and specific needs.

Key opinions

BIMI Compatibility: BIMI requires a DMARC policy of either `p=quarantine` or `p=reject`.
Preferred Policy: `p=reject` is generally preferred for stronger security and BIMI effectiveness.
Alternative Policy: `p=quarantine` can be a suitable starting point or alternative based on risk appetite.
Security Commitment: `p=reject` signals a stronger commitment to email security.

Key considerations

Risk Tolerance: Evaluate the organization's risk tolerance when choosing between `p=quarantine` and `p=reject`.
Monitoring Capabilities: Assess monitoring capabilities to handle potential issues with a `p=reject` policy.
Implementation Strategy: Consider a phased approach, starting with `p=quarantine` before transitioning to `p=reject`.
Brand Protection: Recognize that `p=reject` provides the strongest brand protection against email spoofing.

Marketer view

Email marketer from GlockApps suggests to implement BIMI successfully, your domain must have a DMARC policy with `p=quarantine` or `p=reject`. Having one of these two settings is mandatory. They suggest considering the risk of implementing `p=reject` before going straight to this option.

May 2022 - GlockApps

Marketer view

Email marketer from EasyDMARC shares that while a `p=reject` policy isn't strictly mandatory for BIMI, it's highly recommended. A `p=quarantine` policy can work, but `p=reject` offers the strongest protection for your brand and is seen as the best practice for ensuring BIMI is fully effective.

June 2022 - EasyDMARC

Marketer view

Email marketer from EmailAuth shares that for optimal BIMI implementation, a DMARC policy of `p=reject` is generally preferred. While `p=quarantine` can be used, `p=reject` signals a stronger commitment to email security, increasing the likelihood of BIMI compliance and logo display.

April 2024 - EmailAuth

Marketer view

Email marketer from Red Sift states that to use BIMI, you'll need DMARC set to either `p=quarantine` or `p=reject`. They recommend using a `p=reject` policy for maximum protection but acknowledge that `p=quarantine` can be a suitable starting point, depending on your specific needs and risk appetite.

December 2024 - Red Sift

Marketer view

Email marketer from Proofpoint answers that to implement BIMI, your domain must have a DMARC policy enabled with either 'quarantine' or 'reject'. SPF and DKIM are also crucial. The choice between 'quarantine' and 'reject' often depends on the organization's risk tolerance and monitoring capabilities.

August 2021 - Proofpoint

What the experts say
5Expert opinions

While opinions vary, DMARC policy implementation, specifically the `p=reject` option, is not a straightforward decision. Having a DMARC policy at the organizational domain level is crucial, especially if subdomains are used. Although BIMI might function with `p=quarantine`, the `p=reject` policy bolsters domain protection and indirectly enhances deliverability by mitigating spoofing risks. However, small senders should approach `p=reject` cautiously due to the potential for legitimate emails being blocked if authentication is misconfigured. Alternative policies like `p=none` or `p=quarantine` might be more appropriate for low-volume senders.

Key opinions

Domain Level Policy: A DMARC policy at the organizational domain level is essential, particularly with subdomains.
BIMI Flexibility: BIMI may function with `p=quarantine`, although `p=reject` is often implied for best results.
Anti-Spoofing: `p=reject` helps protect against domain spoofing, indirectly improving deliverability.
Small Sender Caution: `p=reject` may not be ideal for small senders due to potential misconfiguration issues.

Key considerations

Implementation Complexity: Setting up DMARC, especially `p=reject`, is not for beginners and requires careful configuration.
Legitimate Email Blocking: `p=reject` can block legitimate emails if authentication is not properly configured.
Alternative Policies: Small businesses using multiple ESPs should consider `p=none` or `p=quarantine` as alternatives.
Organizational Domain Importance: The DMARC policy at the organizational domain level must be as strict as, or stricter than, those at the subdomain level.

Expert view

Expert from Word to the Wise (Laura Atkins) addresses the difficulties for small senders using DMARC, in that `p=reject` is not usually the best choice for low volume senders. If you use a `p=reject` policy all emails not correctly authenticating are rejected, including legitimate emails that haven't been correctly configured. If you're a small business that uses multiple ESPs, its much better to have either p=none and or p=quarantine set up.

November 2024 - Word to the Wise

Expert view

Expert from Email Geeks explains that if you don't have a DMARC policy at the organizational domain level that's at least as strict as the one on the subdomain you're using, there's little point in doing DMARC at all.

October 2021 - Email Geeks

Expert view

Expert from Email Geeks shares that it wouldn’t be surprising if BIMI requires p=reject at the domain level.

December 2024 - Email Geeks

Expert view

Expert from Spam Resource (John Levine) explains that while DMARC itself doesn't directly improve deliverability, implementing a `p=reject` policy helps protect your domain from spoofing, which, in turn, prevents malicious actors from harming your sending reputation, indirectly improving deliverability. It notes that DMARC 'reject' does have negative impact, it only prevents others from forging messages using your domain. It also notes setting up DMARC isn't for beginners.

June 2024 - Spam Resource

Expert view

Expert from Email Geeks shares that BIMI would also be happy with a p=quarantine at the org level.

April 2024 - Email Geeks

What the documentation says
5Technical articles

BIMI requires a DMARC policy set to either `p=quarantine` or `p=reject`, along with SPF and DKIM authentication. While both policies technically satisfy BIMI's requirements, `p=reject` offers stronger protection against spoofing and phishing. The `quarantine` tag advises mail systems to treat failing messages as suspicious (e.g., placing them in spam), while `reject` instructs mail systems to reject the message outright, though they may sometimes silently drop it.

Key findings

DMARC Requirement: BIMI mandates a DMARC policy of either `p=quarantine` or `p=reject`.
Authentication: SPF and DKIM authentication are essential for BIMI compliance.
Stronger Protection: `p=reject` provides the strongest defense against spoofing and phishing.
Quarantine Action: The `quarantine` tag advises placing suspicious emails in spam/junk folders.
Reject Action: The `reject` tag advises rejecting emails outright.

Key considerations

Email Practices: Your DMARC policy should reflect a commitment to responsible email practices.
Sending Reputation: Implementing these technologies ensures you actively manage your email sending reputation.
Goal of DMARC/BIMI: The ultimate goal is to protect against email spoofing and phishing attacks.
Silent Dropping: Be aware that mail systems may silently drop rejected messages.

Technical article

Documentation from RFC 7489 (which defines DMARC) answers that the 'quarantine' tag advises mail systems to treat messages that fail the DMARC check as suspicious. Depending on the capabilities of the mail system, this can mean placing the message into spam or junk folder.

June 2021 - ietf.org

Technical article

Documentation from DMARC.org explains that while BIMI technically works with both `p=quarantine` and `p=reject`, using `p=reject` provides the strongest protection against email spoofing and phishing attacks, which is the ultimate goal of implementing DMARC and BIMI.

April 2022 - DMARC.org

Technical article

Documentation from BIMI Group specifies that to use BIMI, you must authenticate your emails with SPF and DKIM, and you must have a DMARC policy set to either 'quarantine' or 'reject'. This ensures that you're actively managing your email sending reputation.

May 2024 - BIMI Group

Technical article

Documentation from Valimail explains that BIMI (Brand Indicators for Message Identification) technically requires a DMARC policy with `p=quarantine` or `p=reject`. It does not necessarily have to be `p=reject`, but it does require a policy that is strict enough to ensure the sender is taking responsibility for their email practices.

August 2021 - Valimail

Technical article

Documentation from RFC 7489 answers that the 'reject' tag advises mail systems to reject the message outright. In practice, mail systems may silently drop the message rather than issuing a bounce message.

July 2024 - ietf.org

How DMARC works with subdomains and the sp tag - Valimail

Learn how DMARC works with your subdomains and the sp tag to bring DMARC to enforcement and protect your business from impersonation.

Valimail -

How to prepare to implement BIMI - Valimail

Learn the step-by-step process to prepare your brand for BIMI implementation by properly setting up SPF, DKIM, and DMARC in advance.

Valimail -

Implementation guidance: email domain protection (ITSP.40.065 v1 ...

Implementation guidance: email domain protection (ITSP.40.065 v1.1)

Canadian Centre for Cyber Security

BIMI training: Why and how to deploy BIMI?

BIMI relies on DMARC to display a logo in certain messaging providers. We explain everything in detail!

Badsender

What Is DMARC Policy: (None, Quarantine, Reject)

Learn about the 3 DMARC policy options: None, Quarantine, and Reject. Learn how to implement these policies to protect your domain from email attacks.

PowerDMARC

2.3 million organizations embrace DMARC compliance - Red Sift Blog

It has been one year since Google and Yahoo implemented stricter requirements for bulk email senders. Eleven months ago, Red Sift shared an update based on data from BIMI Radar, which revealed a concerning global readiness picture.

Red Sift Blog

Does BIMI require a reject policy on the top level domain if subdomains have it?

Does BIMI require DMARC at the organizational level, and can it be implemented only at the subdomain level?

How do I set up DMARC for BIMI and what are the key considerations?

Do I need a VMC for BIMI to work with Google and Gmail?

How can I implement a strict DMARC policy without blocking Google Workspace emails?

How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?

How do I implement BIMI and get my logo to show in Gmail and Yahoo Mail?