The consensus from experts, marketers, and documentation is that BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the *organizational domain level*. A DMARC policy of either `p=quarantine` or `p=reject` is essential for BIMI to function correctly and ensure only authenticated emails display a brand's logo, protecting recipients from fraudulent messages. While BIMI records can be implemented on subdomains, the DMARC policy *must* exist and be enforced at the organizational level. A key point is that a specific DMARC policy on a subdomain will override the organizational DMARC policy for that subdomain. For Gmail, a Verified Mark Certificate (VMC) is also a requirement. If implementing solely on the third-level domain it is possible it may not affect corporate email.
12 marketer opinions
BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the organizational domain level, specifically with a policy of either `p=quarantine` or `p=reject`. This ensures email authentication and prevents unauthorized logo usage. While BIMI can technically be implemented on subdomains, the enforcement of DMARC policies at the organizational level is crucial for proper functionality and security. A specific DMARC policy on a subdomain overrides the organizational domain’s subdomain policy, providing flexibility in managing email authentication. Some sources noted that if BIMI is implemented only at the third-level domain, it might not affect corporate email, allowing for targeted brand representation. Furthermore, Verified Mark Certificates (VMC) are required for BIMI implementation with Gmail.
Marketer view
Marketer from Email Geeks explains that DMARC can be on a subdomain, but the organizational domain must also have an enforcing policy (at least quarantine). He provides an example with different policies for the org domain and a subdomain.
29 Jan 2025 - Email Geeks
Marketer view
Marketer from Email Geeks confirms DMARC needs to be at the organizational domain level and that BIMI requires an enforcing DMARC policy of p=quarantine or p=reject. He also mentions self-asserted BIMI for Yahoo and the requirements for Gmail's BIMI implementation.
12 Feb 2025 - Email Geeks
4 expert opinions
The experts agree that BIMI fundamentally requires DMARC enforcement, with a minimum policy of `p=quarantine`. While BIMI records *can* exist at the organizational level or on subdomains (to display at Verizon), DMARC must be configured at the organizational level to ensure proper authentication and prevent unauthorized logo usage. The underlying DMARC enforcement needs to cover the entire domain, even if the BIMI record resides on a subdomain.
Expert view
Expert from Email Geeks explains BIMI records can be at the organizational level or on subdomains to display at Verizon.
21 Dec 2022 - Email Geeks
Expert view
Expert from Email Geeks clarifies that BIMI requires enforcement, so p=quarantine is the minimum level required for DMARC.
11 Apr 2025 - Email Geeks
5 technical articles
The documentation consistently states that BIMI implementation requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This DMARC policy is essential for ensuring only authenticated emails display your logo, protecting recipients from fraudulent messages. While BIMI can be implemented on subdomains, the core DMARC policy must exist at the organizational level. Entrust documentation adds that for Gmail, a Verified Mark Certificate (VMC) is also necessary.
Technical article
Documentation from Fastmail states that you need to have a DMARC record published for your domain, set to either `p=quarantine` or `p=reject`, to implement BIMI. The DMARC policy must apply to the domain where you intend to use BIMI.
9 Jun 2022 - Fastmail
Technical article
Documentation from BIMI Group explains that BIMI requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This ensures that only authenticated emails displaying your logo reach inboxes, protecting recipients from fraudulent messages.
9 Sep 2023 - BIMI Group
How do DMARC records on subdomains override root domain DMARC policies?
Does BIMI require a reject policy on the top level domain if subdomains have it?
Do DMARC and BIMI require p=reject to be present on the organizational domain?
How do I set up DMARC records for subdomains?
How do I implement BIMI for multiple brands with subdomains?
Does BIMI trickle down to subdomains and how to control subdomain BIMI display?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
© 2025 Suped Pty Ltd