Suped

Does BIMI require DMARC at the organizational level, and can it be implemented only at the subdomain level?

12Marketer opinions4Expert opinions5Technical articles6Resources

Summary

The consensus from experts, marketers, and documentation is that BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the *organizational domain level*. A DMARC policy of either `p=quarantine` or `p=reject` is essential for BIMI to function correctly and ensure only authenticated emails display a brand's logo, protecting recipients from fraudulent messages. While BIMI records can be implemented on subdomains, the DMARC policy *must* exist and be enforced at the organizational level. A key point is that a specific DMARC policy on a subdomain will override the organizational DMARC policy for that subdomain. For Gmail, a Verified Mark Certificate (VMC) is also a requirement. If implementing solely on the third-level domain it is possible it may not affect corporate email.

Key findings

  • DMARC Mandatory: BIMI requires DMARC for proper functionality.
  • Enforcement Policy: DMARC policy must be set to either `p=quarantine` or `p=reject`.
  • Organizational Level: DMARC must be configured at the organizational domain level.
  • Subdomain Implementation Possible: BIMI can be implemented on subdomains but is dependent on the DMARC record on the root domain.
  • Gmail Specific Requirement: For Gmail, a VMC is required in addition to DMARC and BIMI.
  • Subdomain Specific DMARC Records: Any subdomain specific DMARC records override top level domain DMARC policies for that subdomain.

Key considerations

  • DMARC Implementation: Prioritize setting up a robust DMARC policy at the organizational level before implementing BIMI.
  • Policy Choice: Carefully consider the implications of choosing `p=quarantine` versus `p=reject` for your DMARC policy.
  • Subdomain Strategy: Understand that while BIMI can be set up on subdomains, it's the *organizational* DMARC policy that provides the foundation and security.
  • Gmail Readiness: If targeting Gmail users, factor in the additional step and cost of obtaining a Verified Mark Certificate (VMC).
  • Security and Authentication: Recognize that BIMI and DMARC are essential for brand protection and preventing email fraud.
  • Subdomain DMARC awareness: Be aware that any DMARC subdomain records will override top level domain policies.

What email marketers say
12Marketer opinions

BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the organizational domain level, specifically with a policy of either `p=quarantine` or `p=reject`. This ensures email authentication and prevents unauthorized logo usage. While BIMI can technically be implemented on subdomains, the enforcement of DMARC policies at the organizational level is crucial for proper functionality and security. A specific DMARC policy on a subdomain overrides the organizational domain’s subdomain policy, providing flexibility in managing email authentication. Some sources noted that if BIMI is implemented only at the third-level domain, it might not affect corporate email, allowing for targeted brand representation. Furthermore, Verified Mark Certificates (VMC) are required for BIMI implementation with Gmail.

Key opinions

  • DMARC Requirement: BIMI mandates DMARC with a policy of `p=quarantine` or `p=reject` at the organizational level.
  • Subdomain Implementation: BIMI can be implemented on subdomains, but DMARC enforcement at the organizational level remains essential.
  • Subdomain Override: Specific DMARC policies on subdomains override organizational policies.
  • Third-Level Domains: BIMI on third-level domains may not affect corporate email.
  • VMC Requirement: Gmail requires Verified Mark Certificates (VMC) for BIMI implementation.

Key considerations

  • Organizational DMARC Policy: Ensure a robust DMARC policy is in place at the organizational level before implementing BIMI.
  • Subdomain DMARC Management: Carefully manage DMARC policies on subdomains to avoid unintended consequences.
  • Gmail Requirements: Understand Gmail's specific requirements, including the need for VMCs, when implementing BIMI.
  • Impact on Corporate Email: Assess the impact of BIMI implementation on corporate email, especially if using third-level domains.
  • DMARC Override Policies: Be aware that any DMARC subdomain records will override top level domain policies.
Marketer view

Marketer from Email Geeks explains that DMARC can be on a subdomain, but the organizational domain must also have an enforcing policy (at least quarantine). He provides an example with different policies for the org domain and a subdomain.

October 2023 - Email Geeks
Marketer view

Marketer from Email Geeks confirms DMARC needs to be at the organizational domain level and that BIMI requires an enforcing DMARC policy of p=quarantine or p=reject. He also mentions self-asserted BIMI for Yahoo and the requirements for Gmail's BIMI implementation.

August 2024 - Email Geeks
Marketer view

Email marketer from SparkPost says that BIMI can be implemented on subdomains, but DMARC needs to be configured at the organizational domain level with a policy of `p=quarantine` or `p=reject`. The subdomain must also pass DMARC authentication to show the BIMI logo.

December 2024 - SparkPost
Marketer view

Marketer from Email Geeks states that a specific policy on a subdomain overrides the organizational domain’s subdomain policy.

April 2023 - Email Geeks
Marketer view

Email marketer from Valimail shares that BIMI requires DMARC enforcement to ensure that only legitimate senders can display their logos. The domain in the BIMI record must be DMARC-protected, meaning a policy of either `p=quarantine` or `p=reject` is in place.

June 2021 - Valimail
Marketer view

Email marketer from Mailjet emphasizes that a DMARC policy is a prerequisite for BIMI. Without DMARC set to `p=quarantine` or `p=reject`, BIMI cannot function. They also mentioned VMC for Gmail.

December 2024 - Mailjet
Marketer view

Marketer from Email Geeks shares that, using "xfinity.com" as an example, BIMI is only used on emails.xfinity.com, not on xfinity.com. However, DMARC now protects xfinity.com (p=), and all subdomains (sp=).

August 2023 - Email Geeks
Marketer view

Marketer from Email Geeks mentions that if the BIMI is only on the third-level domain that it wouldn't affect the Corporate email. He then states that BIMI itself can exist just on the subdomain and doesn't have to impact the root domain.

February 2023 - Email Geeks
Marketer view

Email marketer from Proofpoint states for BIMI implementation, your sending domain must be secured with DMARC set to `p=quarantine` or `p=reject`. Without this, BIMI won't work, as it's designed to enhance security and trust in email communication.

September 2024 - Proofpoint
Marketer view

Email marketer from EmailToolTester mentions that to set up BIMI, it needs a DMARC record set to either `p=quarantine` or `p=reject` which needs to be applied at the organizational domain level. Also, highlights BIMI itself can exist at subdomain level, DMARC compliance is very important.

June 2024 - EmailToolTester
Marketer view

Email marketer from AuthSMTP explains for BIMI to be effective, the sending domain needs to have DMARC enabled with a policy of either `p=quarantine` or `p=reject`. Also it mentions BIMI can technically be implemented on subdomains, the DMARC requirements are typically organizational.

May 2024 - AuthSMTP
Marketer view

Email marketer from Reddit shares that BIMI requires a valid DMARC record with a policy of quarantine or reject on the organizational domain, and explains while BIMI can work on subdomains, the DMARC enforcement is crucial for the overall setup.

January 2022 - Reddit

What the experts say
4Expert opinions

The experts agree that BIMI fundamentally requires DMARC enforcement, with a minimum policy of `p=quarantine`. While BIMI records *can* exist at the organizational level or on subdomains (to display at Verizon), DMARC must be configured at the organizational level to ensure proper authentication and prevent unauthorized logo usage. The underlying DMARC enforcement needs to cover the entire domain, even if the BIMI record resides on a subdomain.

Key opinions

  • DMARC is Mandatory: BIMI requires DMARC to be implemented.
  • Enforcement Level: A DMARC policy of at least `p=quarantine` is necessary for BIMI.
  • Organizational vs. Subdomain: While BIMI records can exist on subdomains, DMARC needs to be configured at the organizational level.
  • Verizon Support: BIMI records on subdomains may be relevant for display at Verizon.

Key considerations

  • Prioritize DMARC Setup: Ensure DMARC is correctly configured at the organizational level *before* attempting to implement BIMI.
  • Understand DMARC Policy: Implement a DMARC policy of at least `p=quarantine`; consider the implications of `p=reject`.
  • Verizon Display: If targeting Verizon users, consider placing BIMI records on relevant subdomains in addition to the organizational level.
  • Testing and Validation: Thoroughly test and validate both DMARC and BIMI configurations to ensure they are working as expected.
Expert view

Expert from Email Geeks explains BIMI records can be at the organizational level or on subdomains to display at Verizon.

February 2023 - Email Geeks
Expert view

Expert from Email Geeks clarifies that BIMI requires enforcement, so p=quarantine is the minimum level required for DMARC.

June 2021 - Email Geeks
Expert view

Expert from Email Geeks says BIMI should be at the organizational level.

September 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that BIMI requires DMARC to be configured at the organizational level with a policy set to either `p=quarantine` or `p=reject`. This ensures proper authentication and prevents unauthorized logo usage. While BIMI records themselves might be present on subdomains, the underlying DMARC enforcement must cover the entire domain.

September 2024 - Word to the Wise

What the documentation says
5Technical articles

The documentation consistently states that BIMI implementation requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This DMARC policy is essential for ensuring only authenticated emails display your logo, protecting recipients from fraudulent messages. While BIMI can be implemented on subdomains, the core DMARC policy must exist at the organizational level. Entrust documentation adds that for Gmail, a Verified Mark Certificate (VMC) is also necessary.

Key findings

  • DMARC Requirement: BIMI necessitates a DMARC policy of `p=quarantine` or `p=reject`.
  • Organizational Domain: The DMARC policy must be set on the organizational domain.
  • Subdomain Implementation: While BIMI can be implemented on subdomains, it doesn't negate the need for organizational DMARC.
  • Authentication: DMARC ensures only authenticated emails display the logo, protecting against fraud.
  • Gmail VMC: For Gmail, a Verified Mark Certificate (VMC) is also a requirement.

Key considerations

  • DMARC Setup: Prioritize setting up a robust DMARC policy at the organizational level before implementing BIMI.
  • Policy Selection: Carefully consider whether to use `p=quarantine` or `p=reject` based on your organization's needs.
  • Subdomain Usage: Understand that while you can set up BIMI on subdomains, the organizational DMARC policy is the foundation.
  • Gmail Compliance: If targeting Gmail users, obtain a Verified Mark Certificate (VMC) in addition to DMARC and BIMI.
  • Fraud Protection: Recognize that DMARC and BIMI are crucial for protecting your brand and recipients from email fraud.
Technical article

Documentation from Fastmail states that you need to have a DMARC record published for your domain, set to either `p=quarantine` or `p=reject`, to implement BIMI. The DMARC policy must apply to the domain where you intend to use BIMI.

December 2021 - Fastmail
Technical article

Documentation from BIMI Group explains that BIMI requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This ensures that only authenticated emails displaying your logo reach inboxes, protecting recipients from fraudulent messages.

March 2024 - BIMI Group
Technical article

Documentation from Entrust explains that to use BIMI with Gmail, a Verified Mark Certificate (VMC) and a DMARC policy set to `p=quarantine` or `p=reject` are required for the sending domain. This assures Gmail that your brand logo is legitimate and safe to display.

July 2023 - Entrust
Technical article

Documentation from Global Cyber Alliance mentions BIMI implementation requires a DMARC policy of either `p=quarantine` or `p=reject` on the organizational domain, and specifies while BIMI can be setup on subdomains, the DMARC policy should be at organizational level.

November 2024 - Global Cyber Alliance
Technical article

Documentation from dmarcian explains BIMI works alongside DMARC, and requires the domain to have a DMARC policy set to either `p=quarantine` or `p=reject`. This ensures that only authenticated emails get to display the logo. It also highlights that while BIMI can be implemented on subdomains, a DMARC policy must exist on the organizational domain.

March 2025 - dmarcian

Related resources
6Resources

What is BIMI and why do businesses need it?
What is BIMI and why do businesses need it?

Brand indicators for message identification (BIMI) is a fail-proof way to gain brand recognition in your customer's inbox. This articles tells you what BIMI is, how it benefits and how you can get it for your company emails.

Zoho Zeptomail
How DMARC works with subdomains and the sp tag - Valimail
How DMARC works with subdomains and the sp tag - Valimail

Learn how DMARC works with your subdomains and the sp tag to bring DMARC to enforcement and protect your business from impersonation.

Valimail -
Understanding BIMI | Kickbox University
Understanding BIMI | Kickbox University

Part 5 of our email authentication series covers BIMI: what it is, its implementation & benefits. BIMI allows senders to display their logo in the inbox

Kickbox Blog
Implementation guidance: email domain protection (ITSP.40.065 v1 ...
Implementation guidance: email domain protection (ITSP.40.065 v1 ...

Implementation guidance: email domain protection (ITSP.40.065 v1.1)

Canadian Centre for Cyber Security
Understanding DMARC Authentication | Kickbox University
Understanding DMARC Authentication | Kickbox University

Part 4 of our email authentication series will help you understand DMARC: what it is, how it helps to prevent domain spoofing, plus implementation tips & more

Kickbox Blog
DMARC is easy! Implementation of SPF, DKIM, and DMARC ...
DMARC is easy! Implementation of SPF, DKIM, and DMARC ...

What is DMARC and does deploying DMARC work? What policies to publish? Should you implement or Correct DKIM and SPF for email authentication

EasyDMARC

Related questions