Does BIMI trickle down to subdomains and how to control subdomain BIMI display?
Matthew Whittaker
Co-founder & CTO, Suped
Published 11 Jul 2025
Updated 18 Aug 2025
8 min read
The question of whether BIMI (Brand Indicators for Message Identification) automatically extends to subdomains, mirroring how DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies often do, is a common one. While DMARC's flexibility with its sp tag can make a top-level policy apply to subdomains, BIMI operates a bit differently when it comes to displaying your brand logo.
My experience has shown that BIMI doesn't inherently trickle down in the same passive way DMARC might. To ensure your brand logo appears for emails sent from a specific subdomain, you typically need to explicitly publish a BIMI record for that subdomain. However, the Verified Mark Certificate (VMC), a crucial component for many BIMI implementations, can often cover multiple subdomains under a single root domain, simplifying the certificate management aspect.
This setup allows for granular control, letting you decide which subdomains display your logo and which do not. Understanding how to manage these records and their interaction with your DMARC policy is key to successful BIMI adoption across your email sending infrastructure, especially when dealing with various email streams like marketing, transactional, or internal communications.
We'll explore the specific requirements for BIMI on subdomains, how it differs from DMARC inheritance, and practical steps to control your logo's display.
BIMI vs. DMARC inheritance
Unlike DMARC, where a policy set on the organizational domain can apply to subdomains through the sp tag, BIMI requires an explicit DNS TXT record for each subdomain you wish to enable. This means if you have example.com and mail.example.com, you'll need two separate BIMI records to display logos for both.
The foundational requirement for BIMI on any domain or subdomain is a DMARC policy enforced at p=quarantine or p=reject. If your subdomain's DMARC policy is set to p=none, your BIMI logo will not display. This is a critical point that often causes confusion. You might want to consider if a parent domain DMARC policy is sufficient or if an explicit subdomain DMARC record is needed.
For the BIMI logo to appear, both your DMARC and BIMI TXT records must be correctly configured at the specific domain or subdomain level. The BIMI Group FAQs provide more details on these requirements.
This record is specifically for sub.example.com, setting its policy to quarantine and directing reports to specific addresses. This explicit declaration is necessary for BIMI to function correctly on the subdomain, regardless of the parent domain's DMARC policy.
Implementing BIMI on subdomains
Implementing BIMI on a subdomain involves a few key steps that mirror the process for a root domain, but with the explicit subdomain in the DNS record. First, ensure your DMARC policy for the specific subdomain is at an enforcement level (quarantine or reject).
Next, you will need to publish a BIMI TXT record for that specific subdomain. This record, typically named default._bimi.sub.example.com, will point to the location of your SVG logo and, if applicable, your Verified Mark Certificate (VMC). You can find more information on how to set up BIMI DNS records in our guides.
It's worth noting that if you wish to apply BIMI to a specific subdomain without affecting the main domain or other email streams, this explicit subdomain-level configuration is the way to go. This approach is particularly useful for segmenting email deliverability and branding efforts, for instance, distinguishing marketing emails from transactional ones.
While a VMC can be purchased for the organizational domain and cover all subdomains, each subdomain still requires its own BIMI TXT record that references that VMC. For details on how VMCs work with subdomains, our comprehensive guides offer deeper insights.
Enabling BIMI
DMARC Enforcement: Ensure the subdomain has a DMARC policy of p=quarantine or p=reject.
BIMI TXT Record: Publish a unique BIMI TXT record for the specific subdomain. This record will specify the SVG logo URL and VMC URL (if applicable).
VMC Linkage: If using a VMC for the organizational domain, ensure the subdomain's BIMI record correctly references it. A single VMC can be used across multiple subdomains of the same root domain, as long as each subdomain has its own BIMI TXT record.
Disabling BIMI
Omit BIMI Record: The simplest way to prevent BIMI display is to not publish a BIMI TXT record for that specific subdomain. Since BIMI doesn't trickle down, no record means no logo.
Explicit Null Record: For more explicit control, especially if a general organizational BIMI policy might imply display, you can publish a v=BIMI1; record without an l= (logo) tag. This tells mail clients that BIMI is present but there's no logo to show for this specific subdomain.
DMARC Policy Adjustment: Setting the subdomain's DMARC policy to p=none will also prevent BIMI from displaying, as enforcement is a prerequisite. This is not recommended for security, but it works.
Controlling subdomain BIMI display
Controlling the display of your BIMI logo on subdomains gives you significant flexibility in branding. For instance, you might want your marketing emails sent from marketing.example.com to display your main company logo, while transactional emails from transactional.example.com might not need a logo, or perhaps a different, more subdued one. The process for applying BIMI to a specific subdomain is straightforward due to its explicit DNS record requirement.
If you wish to prevent BIMI from displaying on a particular subdomain, you can simply avoid publishing a BIMI TXT record for it. Alternatively, to explicitly signal that no logo should be displayed, you can publish a minimalist BIMI record stating only the version, like v=BIMI1;, without a logo URL. This is a neat trick to suppress the logo when needed. We have further guidance on how to prevent BIMI logos from displaying on subdomains if desired.
Remember, the enforcement of DMARC is paramount. Without a DMARC policy that is at quarantine or reject for the specific subdomain, the BIMI logo will not appear, regardless of your BIMI TXT record. This is why thorough testing, perhaps initially on a less critical subdomain, can be a strategic move to validate your setup, as suggested by BIMI Certifications for minimizing risk.
Verified Mark Certificates and subdomain strategy
Managing BIMI across multiple subdomains requires careful planning. While a single VMC (from providers like DigiCert or Entrust) can indeed cover an entire domain and its subdomains, this does not eliminate the need for individual BIMI TXT records at each desired subdomain. These records will all point to the same VMC URL.
This setup allows for scalability and centralized VMC management, while still providing the granular control over which subdomains actually display the logo. It is a nuanced but powerful way to handle brand presence across diverse email sending platforms and purposes. The most common BIMI record for subdomains generally uses the default._bimi selector.
Ensuring DMARC alignment and enforcement for each subdomain is paramount. Even if your main domain's DMARC policy is robust, a subdomain sending emails must also achieve DMARC compliance for its BIMI logo to appear. This is especially true for subdomains with very specific sending needs that might have their own distinct DMARC configuration, or if you need to exclude the parent domain from BIMI.
For complex setups with many subdomains or multiple brands, consider how your BIMI implementation strategy aligns with your overall email security posture. This might include how to implement BIMI for multiple brands that use different subdomains.
Views from the trenches
Best practices
Always ensure your subdomain's DMARC policy is at enforcement (quarantine or reject) before deploying BIMI.
Use a consistent naming convention for your BIMI TXT records across all subdomains for easier management.
Test your BIMI implementation on a less critical subdomain first to validate the setup.
Common pitfalls
Expecting BIMI to automatically trickle down from the organizational domain without specific subdomain records.
Having a DMARC policy of p=none or sp=none for the subdomain, which prevents BIMI display.
Incorrectly formatting the SVG logo, leading to display issues or rejection by mail clients.
Expert tips
You can explicitly prevent a subdomain from showing a BIMI logo by publishing a BIMI TXT record with only 'v=BIMI1;' and no logo URL. This signals no logo is intended.
If using different logos for different subdomains, ensure each has a unique SVG URL in its respective BIMI TXT record.
Monitor your DMARC reports for your subdomains to ensure consistent authentication and policy enforcement, which are critical for BIMI.
Expert view
Expert from Email Geeks says BIMI records do not simply trickle down; you must set them up explicitly at the subdomain level where you want the logo to appear.
2023-05-08 - Email Geeks
Marketer view
Marketer from Email Geeks says that a key requirement for BIMI to work on subdomains is that the subdomain's DMARC policy must be at an enforcement level, like quarantine or reject, not none.
2023-05-08 - Email Geeks
Key takeaways for subdomain BIMI
In summary, while DMARC policies can be configured to apply to subdomains, BIMI's logo display mechanism requires explicit attention at the subdomain level. You cannot rely on a top-level BIMI record to trickle down and automatically display your logo on all subdomains. Each subdomain where you want your logo to appear must have its own BIMI TXT record. This record will point to your SVG logo and VMC, if applicable.
Crucially, for BIMI to work on any subdomain, that subdomain must have a DMARC policy enforced at quarantine or reject. This strong authentication foundation is what gives mail clients the confidence to display your brand's verified logo. By understanding these distinctions and implementing the necessary DNS records, you can effectively manage your brand's visual presence across all your sending domains and subdomains.
Implementing BIMI requires attention to detail, but the brand recognition and trust it builds are well worth the effort. By ensuring proper DMARC enforcement and explicit BIMI record publication, you empower your subdomains to showcase your brand with confidence in the inbox.
DigiCert or Entrust) can indeed cover an entire domain and its subdomains, this does not eliminate the need for individual BIMI TXT records at each desired subdomain. These records will all point to the same VMC URL.
