While DMARC and BIMI technically support both `p=quarantine` and `p=reject` policies at the organizational domain, there's a strong consensus that `p=reject` offers superior protection against spoofing and phishing, ultimately enhancing brand security and deliverability. For BIMI compliance, a DMARC policy is mandatory, alongside SPF and DKIM. However, small senders and those with complex email setups should exercise caution with `p=reject`, as misconfigurations can lead to legitimate emails being blocked. Alternatives like `p=none` or `p=quarantine` may be more suitable in such cases, emphasizing the importance of aligning the DMARC policy with the organization's risk tolerance and monitoring capabilities. A strict policy at the organizational domain is crucial, particularly when using subdomains.
5 marketer opinions
While a DMARC policy with `p=reject` is not strictly mandatory for BIMI, it is highly recommended and considered best practice for optimal effectiveness and brand protection. BIMI can function with a `p=quarantine` policy, but `p=reject` offers the strongest security posture and increases the likelihood of BIMI compliance and logo display. The choice between `p=quarantine` and `p=reject` often depends on the organization's risk tolerance, monitoring capabilities, and specific needs.
Marketer view
Email marketer from GlockApps suggests that to implement BIMI successfully, your domain must have a DMARC policy with `p=quarantine` or `p=reject`. Having one of these two settings is mandatory. They suggest considering the risk of implementing `p=reject` before going straight to this option.
24 Apr 2023 - GlockApps
Marketer view
Email marketer from EasyDMARC shares that while a `p=reject` policy isn't strictly mandatory for BIMI, it's highly recommended. A `p=quarantine` policy can work, but `p=reject` offers the strongest protection for your brand and is seen as the best practice for ensuring BIMI is fully effective.
28 Dec 2021 - EasyDMARC
5 expert opinions
Opinions vary, and choosing a DMARC policy, specifically the `p=reject` option, is not a straightforward decision. Having a DMARC policy at the organizational domain level is crucial, especially if subdomains are used. Although BIMI might function with `p=quarantine`, the `p=reject` policy bolsters domain protection and indirectly enhances deliverability by mitigating spoofing risks. However, small senders should approach `p=reject` cautiously due to the potential for legitimate emails being blocked if authentication is misconfigured. Alternative policies like `p=none` or `p=quarantine` might be more appropriate for low-volume senders.
Expert view
Expert from Word to the Wise (Laura Atkins) addresses the difficulties for small senders using DMARC, in that `p=reject` is not usually the best choice for low-volume senders. If you use a `p=reject` policy, all emails not correctly authenticating are rejected, including legitimate emails that haven't been correctly configured. If you're a small business that uses multiple ESPs, it's much better to have either `p=none` or `p=quarantine` set up.
28 Oct 2023 - Word to the Wise
Expert view
Expert from Email Geeks explains that if you don't have a DMARC policy at the organizational domain level that's at least as strict as the one on the subdomain you're using, there's little point in doing DMARC at all.
21 Nov 2021 - Email Geeks
5 technical articles
BIMI requires a DMARC policy set to either `p=quarantine` or `p=reject`, along with SPF and DKIM authentication. While both policies technically satisfy BIMI's requirements, `p=reject` offers stronger protection against spoofing and phishing. The `quarantine` tag advises mail systems to treat failing messages as suspicious (e.g., placing them in spam), while `reject` instructs mail systems to reject the message outright, though they may sometimes silently drop it.
Technical article
Documentation from RFC 7489 (which defines DMARC) explains that the 'quarantine' tag advises mail systems to treat messages that fail the DMARC check as suspicious. Depending on the capabilities of the mail system, this can mean placing the message into a spam or junk folder.
23 Sep 2023 - ietf.org
Technical article
Documentation from DMARC.org explains that while BIMI technically works with both `p=quarantine` and `p=reject`, using `p=reject` provides the strongest protection against email spoofing and phishing attacks, which is the ultimate goal of implementing DMARC and BIMI.
22 Jan 2024 - DMARC.org
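The two policy conditions summarized above (a `p=quarantine` or `p=reject` policy, and an organizational-domain policy at least as strict as the subdomain's) can be checked mechanically. The following is an added example, not code from any of the cited sources: the function names are hypothetical, the TXT records are constructed, and the organizational domain is passed in by the caller rather than derived from the Public Suffix List.

```python
# Added example. Records below are constructed, not from a real domain.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    for key in ("p", "sp"):
        if key in tags:
            tags[key] = tags[key].lower()
    if (tags.get("v") != "DMARC1" or tags.get("p") not in STRICTNESS
            or tags.get("sp", "none") not in STRICTNESS):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    return tags

def effective_policy(records, domain, org_domain):
    """Policy applied to mail from `domain`, using the RFC 7489 lookup order:
    the domain's own record first, then the organizational domain's record,
    where `sp` (if present) overrides `p` for subdomains."""
    own = records.get(f"_dmarc.{domain}")
    if own:
        return parse_dmarc(own)["p"]
    org = records.get(f"_dmarc.{org_domain}")
    if not org:
        return None
    tags = parse_dmarc(org)
    return tags["p"] if domain == org_domain else tags.get("sp", tags["p"])

def bimi_policy_problems(records, domain, org_domain):
    """Return a list of policy problems; an empty list means both checks pass."""
    problems = []
    sender = effective_policy(records, domain, org_domain)
    org = effective_policy(records, org_domain, org_domain)
    for label, policy in (("sending domain", sender),
                          ("organizational domain", org)):
        if policy is None:
            problems.append(f"{label}: no DMARC record")
        elif STRICTNESS[policy] < STRICTNESS["quarantine"]:
            problems.append(f"{label}: p={policy} is below quarantine")
    if sender and org and STRICTNESS[org] < STRICTNESS[sender]:
        problems.append("organizational domain policy is weaker than the subdomain's")
    return problems

# Constructed case: strict subdomain under a monitoring-only organizational domain.
WEAK_ORG = {"_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
            "_dmarc.mail.example.com": "v=DMARC1; p=reject"}
# Constructed case: one organizational record covering subdomains through sp=.
STRICT_ORG = {"_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine"}
```
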