Suped

Does BIMI require DMARC at the organizational level, and can it be implemented only at the subdomain level?

Summary

The consensus from experts, marketers, and documentation is that BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the *organizational domain level*. A DMARC policy of either `p=quarantine` or `p=reject` is essential for BIMI to function correctly and ensure only authenticated emails display a brand's logo, protecting recipients from fraudulent messages. While BIMI records can be implemented on subdomains, the DMARC policy *must* exist and be enforced at the organizational level. A key point is that a specific DMARC policy on a subdomain will override the organizational DMARC policy for that subdomain. For Gmail, a Verified Mark Certificate (VMC) is also a requirement. If BIMI is implemented solely on a third-level domain, it may not affect corporate email.

Key findings

  • DMARC Mandatory: BIMI requires DMARC for proper functionality.
  • Enforcement Policy: DMARC policy must be set to either `p=quarantine` or `p=reject`.
  • Organizational Level: DMARC must be configured at the organizational domain level.
  • Subdomain Implementation Possible: BIMI can be implemented on subdomains but is dependent on the DMARC record on the root domain.
  • Gmail Specific Requirement: For Gmail, a VMC is required in addition to DMARC and BIMI.
  • Subdomain Specific DMARC Records: Any subdomain specific DMARC records override top level domain DMARC policies for that subdomain.
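The findings above describe a lookup that a receiving mail server performs before it will show a logo: find the DMARC record that applies to the From: domain (the domain's own record, or else the organizational domain's record with its `sp=` tag deciding the subdomain policy), confirm it is enforcing, then find the BIMI record at the domain or fall back to the organizational domain. The script below is an added example, not code from Suped or from any of the sources quoted on this page. It runs offline against a constructed in-memory zone (`ZONE`, with `example.com`, `promo.example.com`, `news.example.com` and `example.org` as made-up names) and a tiny stand-in for the Public Suffix List; `lookup_txt()` is the one function to swap for a real resolver. Beyond the page's stated rule (`p=quarantine` or `p=reject`) it also applies two further conditions from the BIMI specification, `pct` must be 100 and an org-level `sp=none` disqualifies subdomains, and it reports whether the BIMI record carries an `a=` certificate reference, which is what the Gmail VMC requirement turns on.

```python
"""Resolve the DMARC policy that applies to a From: domain (RFC 7489 org-domain
fallback and sp= override) and decide whether the domain could show a BIMI logo.
Added example with constructed zone data; not from Suped or any vendor."""
from typing import Dict, List, Optional

# Constructed TXT records standing in for live DNS answers.
ZONE: Dict[str, List[str]] = {
    # Org domain: reject for itself, quarantine for subdomains without a record.
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    # Subdomain with its own record: overrides the org sp= for this name only.
    "_dmarc.news.example.com": ["v=DMARC1; p=none"],
    "default._bimi.example.com": ["v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"],
    "default._bimi.promo.example.com": ["v=BIMI1; l=https://example.com/promo.svg"],
    # Org domain whose DMARC is monitor-only: BIMI record present but useless.
    "_dmarc.example.org": ["v=DMARC1; p=none"],
    "default._bimi.example.org": ["v=BIMI1; l=https://example.org/logo.svg"],
}
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # stand-in for the Public Suffix List


def lookup_txt(name: str) -> List[str]:
    """TXT strings for a name; replace with a real DNS query for live checks."""
    return ZONE.get(name.lower().rstrip("."), [])


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label (RFC 7489 section 3.2); longest suffix wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # no known suffix: treat the whole name as org domain


def parse_tags(record: str) -> Dict[str, str]:
    """Split the 'k=v; k=v' tag list shared by DMARC and BIMI records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def fetch_record(name: str, version: str) -> Optional[Dict[str, str]]:
    """Exactly one TXT record with the given version tag, otherwise None."""
    found = [r for r in lookup_txt(name) if r.lower().startswith(version.lower())]
    return parse_tags(found[0]) if len(found) == 1 else None


def effective_dmarc(domain: str) -> Dict[str, str]:
    """Policy a receiver applies to mail From: domain (RFC 7489 section 6.6.3)."""
    org = organizational_domain(domain)
    own = fetch_record(f"_dmarc.{domain}", "v=DMARC1")
    if own is not None:  # the domain's own record always takes precedence
        return {"policy": own.get("p", "none").lower(), "pct": own.get("pct", "100"),
                "source": f"_dmarc.{domain}"}
    parent = None if domain == org else fetch_record(f"_dmarc.{org}", "v=DMARC1")
    if parent is None:
        return {"policy": "none", "pct": "100", "source": ""}
    # Subdomain without its own record: sp= if present, otherwise p= of the org.
    return {"policy": parent.get("sp", parent.get("p", "none")).lower(),
            "pct": parent.get("pct", "100"), "source": f"_dmarc.{org}"}


def bimi_check(domain: str, selector: str = "default") -> Dict[str, object]:
    """Apply the BIMI eligibility rules to a From: domain and explain the verdict."""
    org = organizational_domain(domain)
    reasons: List[str] = []
    # 1. The organizational domain itself must carry an enforcing DMARC record.
    org_rec = fetch_record(f"_dmarc.{org}", "v=DMARC1")
    if org_rec is None:
        reasons.append(f"no DMARC record at _dmarc.{org}")
    else:
        if org_rec.get("p", "none").lower() not in ("quarantine", "reject"):
            reasons.append(f"{org} has p={org_rec.get('p', 'none')}, need quarantine or reject")
        if org_rec.get("pct", "100") != "100":
            reasons.append(f"{org} has pct={org_rec['pct']}, BIMI needs pct=100")
        if org_rec.get("sp", "").lower() == "none":
            reasons.append(f"{org} has sp=none, which disqualifies all subdomains")
    # 2. The policy that actually applies to this From: domain must be enforcing.
    eff = effective_dmarc(domain)
    if eff["policy"] not in ("quarantine", "reject"):
        reasons.append(f"{domain} is under p={eff['policy']} via {eff['source'] or 'no record'}")
    elif eff["pct"] != "100":
        reasons.append(f"{domain} policy has pct={eff['pct']}, BIMI needs pct=100")
    # 3. BIMI assertion record at the domain, else at the organizational domain.
    bimi_source = f"{selector}._bimi.{domain}"
    bimi = fetch_record(bimi_source, "v=BIMI1")
    if bimi is None and domain != org:
        bimi_source = f"{selector}._bimi.{org}"
        bimi = fetch_record(bimi_source, "v=BIMI1")
    if bimi is None:
        reasons.append(f"no BIMI record for {domain} or {org} at selector {selector}")
        bimi_source = ""
    return {"domain": domain, "org_domain": org, "dmarc_policy": eff["policy"],
            "dmarc_source": eff["source"], "bimi_source": bimi_source,
            "has_vmc": bool(bimi and bimi.get("a")),  # a= points at the VMC Gmail wants
            "eligible": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for d in ("example.com", "promo.example.com", "news.example.com", "example.org"):
        r = bimi_check(d)
        print(f"{d}: eligible={r['eligible']} dmarc={r['dmarc_policy']} "
              f"({r['dmarc_source'] or 'none'}) bimi={r['bimi_source'] or 'none'} "
              f"{'; '.join(r['reasons']) or 'ok'}")
```

With the constructed zone, `promo.example.com` is eligible even though it has no DMARC record of its own, because the organizational record's `sp=quarantine` covers it and the org domain is at `p=reject`; `news.example.com` is not, because its own `p=none` record overrides that org policy, which is the override the page warns about; `example.org` fails at the org level regardless of its BIMI record.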

Key considerations

  • DMARC Implementation: Prioritize setting up a robust DMARC policy at the organizational level before implementing BIMI.
  • Policy Choice: Carefully consider the implications of choosing `p=quarantine` versus `p=reject` for your DMARC policy.
  • Subdomain Strategy: Understand that while BIMI can be set up on subdomains, it's the *organizational* DMARC policy that provides the foundation and security.
  • Gmail Readiness: If targeting Gmail users, factor in the additional step and cost of obtaining a Verified Mark Certificate (VMC).
  • Security and Authentication: Recognize that BIMI and DMARC are essential for brand protection and preventing email fraud.
  • Subdomain DMARC awareness: Be aware that any DMARC subdomain records will override top level domain policies.

What email marketers say

12 marketer opinions

BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the organizational domain level, specifically with a policy of either `p=quarantine` or `p=reject`. This ensures email authentication and prevents unauthorized logo usage. While BIMI can technically be implemented on subdomains, the enforcement of DMARC policies at the organizational level is crucial for proper functionality and security. A specific DMARC policy on a subdomain overrides the organizational domain’s subdomain policy, providing flexibility in managing email authentication. Some sources noted that if BIMI is implemented only at the third-level domain, it might not affect corporate email, allowing for targeted brand representation. Furthermore, Verified Mark Certificates (VMC) are required for BIMI implementation with Gmail.

Key opinions

  • DMARC Requirement: BIMI mandates DMARC with a policy of `p=quarantine` or `p=reject` at the organizational level.
  • Subdomain Implementation: BIMI can be implemented on subdomains, but DMARC enforcement at the organizational level remains essential.
  • Subdomain Override: Specific DMARC policies on subdomains override organizational policies.
  • Third-Level Domains: BIMI on third-level domains may not affect corporate email.
  • VMC Requirement: Gmail requires Verified Mark Certificates (VMC) for BIMI implementation.

Key considerations

  • Organizational DMARC Policy: Ensure a robust DMARC policy is in place at the organizational level before implementing BIMI.
  • Subdomain DMARC Management: Carefully manage DMARC policies on subdomains to avoid unintended consequences.
  • Gmail Requirements: Understand Gmail's specific requirements, including the need for VMCs, when implementing BIMI.
  • Impact on Corporate Email: Assess the impact of BIMI implementation on corporate email, especially if using third-level domains.
  • DMARC Override Policies: Be aware that any DMARC subdomain records will override top level domain policies.

Marketer view

Marketer from Email Geeks explains that DMARC can be on a subdomain, but the organizational domain must also have an enforcing policy (at least quarantine). He provides an example with different policies for the org domain and a subdomain.

29 Jan 2025 - Email Geeks

Marketer view

Marketer from Email Geeks confirms DMARC needs to be at the organizational domain level and that BIMI requires an enforcing DMARC policy of p=quarantine or p=reject. He also mentions self-asserted BIMI for Yahoo and the requirements for Gmail's BIMI implementation.

12 Feb 2025 - Email Geeks

What the experts say

4 expert opinions

The experts agree that BIMI fundamentally requires DMARC enforcement, with a minimum policy of `p=quarantine`. While BIMI records *can* exist at the organizational level or on subdomains (to display at Verizon), DMARC must be configured at the organizational level to ensure proper authentication and prevent unauthorized logo usage. The underlying DMARC enforcement needs to cover the entire domain, even if the BIMI record resides on a subdomain.

Key opinions

  • DMARC is Mandatory: BIMI requires DMARC to be implemented.
  • Enforcement Level: A DMARC policy of at least `p=quarantine` is necessary for BIMI.
  • Organizational vs. Subdomain: While BIMI records can exist on subdomains, DMARC needs to be configured at the organizational level.
  • Verizon Support: BIMI records on subdomains may be relevant for display at Verizon.

Key considerations

  • Prioritize DMARC Setup: Ensure DMARC is correctly configured at the organizational level *before* attempting to implement BIMI.
  • Understand DMARC Policy: Implement a DMARC policy of at least `p=quarantine`; consider the implications of `p=reject`.
  • Verizon Display: If targeting Verizon users, consider placing BIMI records on relevant subdomains in addition to the organizational level.
  • Testing and Validation: Thoroughly test and validate both DMARC and BIMI configurations to ensure they are working as expected.

Expert view

Expert from Email Geeks explains BIMI records can be at the organizational level or on subdomains to display at Verizon.

21 Dec 2022 - Email Geeks

Expert view

Expert from Email Geeks clarifies that BIMI requires enforcement, so p=quarantine is the minimum level required for DMARC.

11 Apr 2025 - Email Geeks

What the documentation says

5 technical articles

The documentation consistently states that BIMI implementation requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This DMARC policy is essential for ensuring only authenticated emails display your logo, protecting recipients from fraudulent messages. While BIMI can be implemented on subdomains, the core DMARC policy must exist at the organizational level. Entrust documentation adds that for Gmail, a Verified Mark Certificate (VMC) is also necessary.

Key findings

  • DMARC Requirement: BIMI necessitates a DMARC policy of `p=quarantine` or `p=reject`.
  • Organizational Domain: The DMARC policy must be set on the organizational domain.
  • Subdomain Implementation: While BIMI can be implemented on subdomains, it doesn't negate the need for organizational DMARC.
  • Authentication: DMARC ensures only authenticated emails display the logo, protecting against fraud.
  • Gmail VMC: For Gmail, a Verified Mark Certificate (VMC) is also a requirement.

Key considerations

  • DMARC Setup: Prioritize setting up a robust DMARC policy at the organizational level before implementing BIMI.
  • Policy Selection: Carefully consider whether to use `p=quarantine` or `p=reject` based on your organization's needs.
  • Subdomain Usage: Understand that while you can set up BIMI on subdomains, the organizational DMARC policy is the foundation.
  • Gmail Compliance: If targeting Gmail users, obtain a Verified Mark Certificate (VMC) in addition to DMARC and BIMI.
  • Fraud Protection: Recognize that DMARC and BIMI are crucial for protecting your brand and recipients from email fraud.

Technical article

Documentation from Fastmail states that you need to have a DMARC record published for your domain, set to either `p=quarantine` or `p=reject`, to implement BIMI. The DMARC policy must apply to the domain where you intend to use BIMI.

9 Jun 2022 - Fastmail

Technical article

Documentation from BIMI Group explains that BIMI requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This ensures that only authenticated emails displaying your logo reach inboxes, protecting recipients from fraudulent messages.

9 Sep 2023 - BIMI Group
