How to set up BIMI when sending from Iterable through SES shared pools?
Matthew Whittaker
Co-founder & CTO, Suped
Published 11 Aug 2025
Updated 16 Aug 2025
Setting up Brand Indicators for Message Identification (BIMI) can be tricky, especially when your email sending infrastructure involves a combination like Iterable through Amazon SES shared pools. Many senders find their emails delivering successfully even without explicitly configuring certain DNS records for their sending domain, which can be confusing when a BIMI checker flags missing elements.
The core of this confusion often lies in how shared IP pools and default configurations handle email authentication. While your emails might be reaching the inbox, the underlying authentication mechanisms, like SPF and DKIM, might not be aligning in a way that satisfies BIMI's strict requirements.
To unlock the visual branding benefits of BIMI, a deeper dive into your DNS setup and how Iterable integrates with SES is necessary. It involves taking ownership of your domain's authentication beyond the defaults to ensure explicit alignment for DMARC, which is a prerequisite for BIMI.
Understanding Iterable and SES shared pools
When you send emails through Iterable, especially using their default configuration with Amazon SES shared IP pools, your email's SPF authentication typically relies on the Return-Path header. This Return-Path often points to a domain managed by Amazon SES (e.g., `amazonses.com`). The SPF record check then passes because `amazonses.com` is authorized to send on behalf of the shared IP. This is why your emails are successfully delivered, even if your sending domain's own DNS records for SPF and MX are not explicitly configured.
While this setup works for basic deliverability, it presents a challenge for BIMI. BIMI requires that your DMARC policy is enforced, and for DMARC to pass, SPF or DKIM authentication must align with your email's `From` domain. Since the default SES `Return-Path` domain used for SPF doesn't align with your specific sending domain, SPF on its own won't satisfy the DMARC requirement for BIMI.
To achieve BIMI compliance, you need to move beyond this default behavior and explicitly configure your domain's authentication. This involves ensuring that the SPF and DKIM records directly relate to and authorize your `From` domain, thereby enabling DMARC alignment.
Understanding SPF with SES shared pools
When sending with Amazon SES shared pools, your SPF record for your `From` domain still needs to include SES as an authorized sender. However, DMARC's SPF alignment check compares the `Return-Path` domain against the `From` domain, so an SPF pass on the `Return-Path` alone is not enough.
The DMARC alignment requirement for BIMI
BIMI mandates that your domain has a DMARC policy of `p=quarantine` or `p=reject`. For DMARC to pass, either your SPF or DKIM (or both) must align with your `From` domain. Since Iterable's default SPF often aligns with amazonses.com, you must ensure your DKIM setup is configured for your sending domain. Without this, your DMARC will fail, preventing BIMI from displaying.
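The alignment rule above, applied to two sets of message headers. This is an added example, not code from the original article, Iterable or Amazon SES; the headers are constructed, and the `org_domain` helper is a simplification that assumes two-label organizational domains.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment (the DMARC default): organizational domains match.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dkim_domains(msg):
    # Collect the d= tag of every DKIM-Signature header on the message.
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].strip())
    return found

def dmarc_alignment(raw, spf_pass=True, dkim_pass=True):
    # spf_pass / dkim_pass: whether the receiver's SPF and DKIM checks passed.
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    spf_ok = spf_pass and aligned(rp_dom, from_dom)
    dkim_ok = dkim_pass and any(aligned(d, from_dom) for d in dkim_domains(msg))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed headers: default shared-pool sending, nothing tied to example.com.
BEFORE = (
    "Return-Path: <bounce-0001@amazonses.com>\n"
    "From: Example Brand <news@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=constructed1; b=AAAA\n"
    "Subject: hello\n\nbody\n"
)
# Constructed headers: custom sending domain adds a DKIM signature for example.com.
AFTER = BEFORE.replace(
    "Subject:",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=constructed2; b=BBBB\n"
    "Subject:",
)

if __name__ == "__main__":
    print("before:", dmarc_alignment(BEFORE))
    print("after: ", dmarc_alignment(AFTER))
```

In both cases SPF itself passes for the `amazonses.com` Return-Path; only the second message carries an identifier that aligns with the `From` domain.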
Essential email authentication for BIMI
The cornerstone of BIMI implementation is a strong DMARC policy. You need to ensure your DMARC record specifies either a `p=quarantine` or `p=reject` policy. This signals to recipient mail servers that you are actively monitoring and enforcing your domain's email authentication, which is a trust signal essential for BIMI.
Crucially, for DMARC to pass, either your SPF or DKIM authentication must align with your `From` domain. Since SES's default shared pool configuration often uses its own domain for SPF (via Return-Path), your primary focus for DMARC alignment and BIMI enablement will be on setting up custom DKIM for your sending domain.
This means working within Iterable to configure your custom sending domain, which will generate the necessary DNS records for DKIM. Once DKIM is correctly set up and aligning with your `From` domain, your DMARC policy will be able to pass, paving the way for your brand's logo to appear in supporting inboxes.
Configuring DMARC is a crucial step for BIMI, but it also significantly enhances your overall email security and deliverability. It provides visibility into your email ecosystem and protects your brand from phishing and spoofing attacks.
Configuring custom DNS records for BIMI
The key to setting up BIMI when sending via Iterable and SES shared pools is to configure a custom sending domain within your Iterable project. This process will typically provide you with CNAME records that you need to add to your domain's DNS.
These CNAME records are essential for Iterable (and thus SES) to sign your outgoing emails with DKIM using your domain. This ensures that the DKIM signature aligns with your `From` domain, satisfying one of the key requirements for DMARC pass and, consequently, BIMI.
Regarding SPF, while SES defaults might cover the Return-Path, you should still ensure your sending domain has an SPF record that explicitly authorizes SES or your designated Mail From domain. This collective effort ensures that both SPF and DKIM contribute to a DMARC-compliant setup, paving the way for your BIMI logo to display.
Before custom configuration
Your emails send successfully, but SPF alignment may occur against the Amazon SES Return-Path domain, not your `From` domain.
SPF: Passes via SES Return-Path, but fails DMARC alignment.
DKIM: May be signed by Iterable's default settings, or not aligning with `From` domain.
DMARC: Likely at `p=none` or nonexistent, leading to no enforcement and no BIMI.
After custom configuration for BIMI
You gain full control over your domain's authentication, enabling DMARC compliance and BIMI display.
SPF: Your `From` domain's SPF record includes SES, achieving DMARC alignment.
DKIM: Custom CNAMEs from Iterable enable SES to sign emails with your domain, aligning perfectly with DMARC.
DMARC: Policy is at `p=quarantine` or `p=reject`, leading to successful BIMI display.
Implementing BIMI and troubleshooting
Once your DKIM and DMARC are properly aligned and enforced, you can proceed with the actual BIMI TXT record. This record points to your brand's logo, which must be a Scalable Vector Graphics (SVG) file accessible via a secure HTTPS URL. For wider adoption and increased trust, particularly with major mailbox providers like Gmail and Yahoo Mail, you will also need a Verified Mark Certificate (VMC).
The BIMI TXT record is added to your DNS with a selector (e.g., `default._bimi`) and points to your SVG logo file and optionally your VMC. Make sure to use a reliable BIMI checker tool after publishing to verify correct configuration and DNS propagation.
Common troubleshooting issues often revolve around DNS propagation times, incorrect record values, or DMARC policy not being at enforcement (`quarantine` or `reject`). Patience is key, as DNS changes can take time to fully propagate globally. Regularly checking your DMARC reports will also provide insights into your authentication status and help identify any issues that might be preventing your BIMI logo from appearing.
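A small pre-publication check for the two TXT records discussed in this section, covering the record-value and enforcement problems listed above. This is an added example, not a tool from the original article; the record strings and `example.com` URLs are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    # Split a "k=v; k=v" TXT record into a dict with lowercase keys.
    pairs = (p.split("=", 1) for p in (txt or "").split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_bimi_ready(dmarc_txt, bimi_txt):
    # Returns (errors, warnings) for the TXT values at _dmarc.<domain>
    # and default._bimi.<domain>; pass None for a record that is missing.
    errors, warnings = [], []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        errors.append("no DMARC record published")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        errors.append("DMARC policy is not at enforcement (p=%s)" % dmarc.get("p"))
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        errors.append("no BIMI record published")
        return errors, warnings
    logo = urlparse(bimi.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        errors.append("l= must be an HTTPS URL to an SVG file")
    cert = bimi.get("a", "")
    if not cert:
        warnings.append("no VMC in a=; Gmail and Yahoo Mail need one")
    elif urlparse(cert).scheme != "https":
        errors.append("a= must be an HTTPS URL")
    return errors, warnings

# Constructed sample records.
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
BIMI_OK = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
           "a=https://example.com/brand/vmc.pem")
BIMI_BAD = "v=BIMI1; l=http://example.com/brand/logo.png"

if __name__ == "__main__":
    for d, b in [(DMARC_NONE, BIMI_OK), (DMARC_ENFORCED, BIMI_BAD),
                 (DMARC_ENFORCED, BIMI_OK)]:
        print(check_bimi_ready(d, b))
```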
Successful BIMI implementation
With proper DMARC enforcement and DKIM alignment, your brand logo can appear next to your sender name in supported inboxes, enhancing trust and brand recognition.
Brand recognition: Your logo helps recipients immediately identify your emails.
Trust and security: BIMI signals a commitment to email security standards.
Higher engagement: Visually appealing emails often lead to better open rates.
Final thoughts
Achieving BIMI with Iterable through SES shared pools is entirely possible, but it requires a clear understanding of how email authentication works beyond the default configurations. By taking control of your domain's DKIM and DMARC records, you can ensure proper alignment and unlock the visual benefits of BIMI for your brand.
Views from the trenches
Best practices
Always use a custom sending domain within Iterable to ensure full control over your DNS records and authentication.
Verify that your DKIM records provided by Iterable are correctly published and authenticated for your domain.
Implement a DMARC policy of p=quarantine or p=reject on your sending domain and its apex, as required for BIMI.
Common pitfalls
Assuming successful email delivery means your domain is fully configured for BIMI requirements (e.g., DMARC enforcement).
Not understanding that SES's default SPF alignment often occurs on the Return-Path, not your From domain.
Forgetting to publish a DMARC record or setting it to p=none, which prevents BIMI from displaying.
Expert tips
Use your Iterable CSM or support team as a resource, as they can guide you through their specific DNS setup process.
Utilize online BIMI checker tools to validate your records and logo format after implementation.
Start with a DMARC p=none policy and gradually move to p=quarantine or p=reject once you're confident in your authentication.
Expert view
Expert from Email Geeks says that default SES DKIM/SPF settings provide initial coverage, but full domain configuration is necessary for advanced features like BIMI.
2022-10-21 - Email Geeks
Expert view
Expert from Email Geeks notes that SPF passes due to alignment with the Amazon SES Return-Path, not the sending domain itself.