Can BIMI be implemented on a subdomain only?

Yes, BIMI can be applied to a specific subdomain. You achieve this by publishing the BIMI TXT record directly within the DNS zone of that subdomain (e.g., default._bimi.sub.yourdomain.com ). This ensures the logo only appears for emails sent from that specific subdomain.

Does DMARC enforcement need to be active for the subdomain's BIMI to work?

Yes, a DMARC policy (p=quarantine or p=reject) must be in place for the domain or subdomain from which emails are being sent. If you're applying BIMI to a subdomain, that subdomain's DMARC policy must be at enforcement, or the organizational domain's DMARC policy must cover it and be at enforcement. You can learn more about if BIMI requires DMARC at the organizational level .

Do I need a separate Verified Mark Certificate (VMC) for each subdomain?

A Verified Mark Certificate (VMC) is generally issued for your organizational (root) domain, but it can support BIMI records on subdomains under that organizational domain. You typically do not need a separate VMC for each subdomain unless your subdomains represent legally distinct entities or brands requiring individual trademark verification. Understanding how BIMI VMC certificates work with subdomains is important.

What are common reasons BIMI fails to display on a subdomain?

If your BIMI logo isn't appearing on a subdomain, check for these common issues: 1. DNS record accuracy: Ensure the BIMI TXT record is correctly formatted and published on the exact subdomain you're sending from. 2. DMARC enforcement: Confirm your DMARC policy for the subdomain is at quarantine or reject, and passing authentication. 3. SVG and VMC accessibility: Verify your logo SVG and VMC files are publicly accessible via HTTPS. 4. Mailbox provider support: Not all mailbox providers support BIMI, or they may have specific requirements.

How to apply BIMI to a specific subdomain instead of the entire domain? - Technical - Email deliverability - Knowledge base

Implementing Brand Indicators for Message Identification (BIMI) can feel complex, especially when your goal is to apply your brand logo only to a specific subdomain rather than your entire primary domain. Many organizations use subdomains for distinct purposes, such as transactional emails, marketing campaigns, or even different brands, making a universal BIMI application impractical. The good news is that it is possible to configure BIMI for a specific subdomain, allowing for greater flexibility and control over your email branding.

While the core principles of BIMI, like DMARC enforcement and a Verified Mark Certificate (VMC), remain crucial, the placement of your BIMI DNS record is key to targeting specific subdomains. This approach ensures your branded logo appears only on emails sent from that designated subdomain, avoiding potential conflicts or unintended branding on other email streams.

Meeting the core requirements

Before you can apply BIMI to any domain or subdomain, you must have a robust email authentication setup, specifically DMARC, implemented and enforced. Your DMARC policy (p=quarantine or p=reject) needs to be active and aligned for the domain or subdomain you intend to apply BIMI to. This foundational step is non-negotiable for BIMI to function correctly.

When you establish DMARC at the organizational (root) domain level, its policy often extends to all subdomains by default, unless explicitly overridden. This is important because even if you're targeting a subdomain for BIMI, the DMARC enforcement from the parent domain might still be a factor for some mailbox providers. You can read more about whether a parent domain needs BIMI for subdomain BIMI to work.

For BIMI to display on a specific subdomain, the BIMI record itself needs to be published directly on that subdomain. This means creating a unique BIMI TXT record for, say, marketing.yourdomain.com, rather than for yourdomain.com. This specific placement directs mailbox providers to look for the BIMI information only when emails originate from that exact subdomain.

Prerequisites

DMARC enforcement: Ensure your DMARC policy for the subdomain (or the organizational domain covering it) is set to p=quarantine or p=reject. This is a fundamental requirement for BIMI adoption, as outlined by the BIMI Group.
Logo format: Your logo must be in SVG Tiny PS format and hosted on a secure server (HTTPS).
Verified Mark Certificate (VMC): Obtain a VMC from an accredited certificate authority. While the VMC is typically issued for your organizational domain, it can support BIMI records on subdomains under that organizational domain.

Configuring your DNS record for subdomain BIMI

The process for implementing BIMI on a subdomain largely mirrors that of a root domain, with the crucial difference being how you structure the DNS TXT record. Instead of placing the default._bimi record on your primary domain, you'll create it directly on the subdomain.

BIMI TXT record for a subdomainDNS

default._bimi.sub.yourdomain.com. IN TXT "v=BIMI1;l=https://cdn.yourdomain.com/logo.svg;a=https://cdn.yourdomain.com/vmc.pem;"

In the example above, sub.yourdomain.com would be the specific subdomain you want BIMI to apply to. This ensures that the BIMI logo is only displayed for emails sent from this particular subdomain, giving you granular control over your branding. If you need to set up BIMI DNS records for subdomains and apex domains, the process is similar but focuses on the different hostnames.

Some mailbox providers, like Yahoo, honor BIMI records on subdomains, even though they might prefer it set up at the organizational level. This means your targeted subdomain BIMI implementation has a good chance of being recognized by major providers.

Benefits and considerations

The use of subdomains for email sending is a common best practice in email deliverability. It helps segment your email traffic, which can protect your main domain's reputation in case of issues with a specific type of email, such as marketing or transactional. Applying BIMI to specific subdomains aligns perfectly with this strategy.

Domain-level BIMI

Broad application: Applies the logo to all emails sent from the main domain and, by default, its subdomains.
Simpler setup: One BIMI record might cover many sending identities.
Potential conflicts: If different subdomains require different branding or no branding.

Subdomain-level BIMI

Granular control: Apply logos only where desired, allowing for distinct branding.
Brand differentiation: Ideal for organizations with multiple brands or departments under one main domain.
Complexity: Requires careful management of DNS records for each relevant subdomain.

Remember that BIMI's success hinges on proper alignment of SPF, DKIM, and DMARC. Even if your BIMI record is on a subdomain, the underlying authentication mechanisms must pass for that specific email stream. Misconfigurations can lead to your emails failing DMARC and, consequently, BIMI not displaying.

For specific scenarios like implementing BIMI for multiple brands with subdomains, careful planning of your DNS entries for each brand's subdomain is essential. Each subdomain that needs a unique BIMI logo should have its own default._bimi TXT record.

Troubleshooting subdomain BIMI display

Even with correct DNS setup, you might encounter situations where your BIMI logo doesn't display on a subdomain. This could be due to several factors, including propagation delays, issues with your VMC, or mailbox provider-specific policies. It's crucial to monitor your email deliverability and authentication reports (especially DMARC reports) to identify any underlying issues.

A common point of confusion is how the Verified Mark Certificate (VMC) interacts with subdomains. While VMCs are usually issued for the root domain, they can generally support BIMI records on subdomains, provided the DMARC policy for those subdomains is correctly configured and enforced. If you're experiencing issues, ensure your VMC is valid and correctly linked in your BIMI record.

If your BIMI is not showing on a marketing subdomain, double-check the exact hostname in your DNS record, the SVG and PEM file accessibility, and your DMARC aggregate reports for that subdomain. These reports will often provide clues as to why BIMI might not be displaying. Additionally, if the root domain DMARC policy is not enforced, it could impact BIMI display on subdomains.

Best practices for subdomain BIMI

To successfully apply BIMI to a specific subdomain, consider these best practices:

Separate sending identities: Use distinct subdomains for different types of email (e.g., marketing.yourdomain.com and transactional.yourdomain.com). This isolates your sender reputation.
Consistent DMARC enforcement: Ensure the DMARC policy for the chosen subdomain is at enforcement, even if the root domain has a more lenient policy. This is critical for BIMI validation.
Careful DNS record placement: Create the BIMI TXT record directly on the subdomain's DNS zone, using the format default._bimi.subdomain.yourdomain.com.

By following these guidelines, you can effectively implement BIMI on specific subdomains, enhancing brand recognition and trust for your targeted email communications without affecting other email streams from your main domain or other subdomains. This approach gives you fine-grained control over your email's visual identity.

Views from the trenches

From my experience in email deliverability, BIMI implementation can sometimes present unique challenges, especially when dealing with subdomains. Here are some real-world perspectives and actionable advice.

Best practices

Ensure your DMARC record for the specific subdomain has a policy of p=quarantine or p=reject to meet BIMI's strict requirements.

Host your SVG logo and VMC file on a highly available, secure HTTPS server for consistent access by mailbox providers.

Use a dedicated subdomain for marketing or transactional emails to segment your sender reputation and apply specific BIMI branding.

Verify that your BIMI TXT record's hostname precisely matches the subdomain you intend to brand, for example, `default._bimi.marketing.yourdomain.com`.

Common pitfalls

Assuming a root domain's DMARC policy automatically ensures BIMI success on subdomains without checking specific subdomain DMARC enforcement.

Incorrectly formatting the BIMI TXT record or misplacing it in the wrong DNS zone, leading to non-display.

Forgetting to update the VMC or SVG file URL in the BIMI record after making changes or renewals.

Not monitoring DMARC aggregate reports, which are crucial for troubleshooting BIMI display issues on subdomains.

Expert tips

Regularly check your DMARC reports for the subdomain to confirm DMARC pass rates and identify any authentication failures that could prevent BIMI display.

Test your BIMI setup using an

type

text

Expert view

Expert from Email Geeks says that by default, BIMI settings often trickle down from the apex (top) level domain to all subdomains, so specific adjustments are needed for subdomain-only application.

2024-11-27 - Email Geeks

Expert view

Expert from Email Geeks mentions that to apply BIMI to only a specific subdomain, the BIMI DNS record's hostname must be changed to include that subdomain, such as `default._bimi.test.usnews.com` for the 'test' subdomain.

2024-11-27 - Email Geeks

Tailoring your brand identity with subdomain BIMI

Applying BIMI to a specific subdomain is a powerful way to manage your brand's visual identity across different email streams. It allows for targeted branding, ensures consistency for distinct communication types, and aligns with best practices for email deliverability by segmenting your sending reputation. While it requires careful attention to DNS records and DMARC policies, the ability to control where your logo appears provides significant flexibility.

By understanding the prerequisites, correctly configuring your DNS records, and staying vigilant with monitoring, you can successfully implement BIMI on your desired subdomains. This strategic approach not only enhances trust and recognition but also supports the overall security posture of your email program against phishing and impersonation, helping your emails land in the inbox rather than the spam or junk folder.