Summary
To successfully implement BIMI and display your brand logo in email inboxes, a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject) is mandatory for both the main domain and any subdomains (sp=quarantine or sp=reject). Experts recommend a phased approach, beginning with 'p=quarantine' to observe potential impacts on email deliverability and authentication reporting. Before enforcing a stricter 'reject' policy, it's crucial to thoroughly assess subdomain sending practices and ensure that legitimate email is properly authenticated. For subdomains not actively sending email, implementing 'sp=reject' can provide an additional layer of security against spoofing attempts.
Key findings
- BIMI DMARC Requirement: BIMI requires a DMARC policy set to either 'quarantine' or 'reject' (p=quarantine or p=reject).
- Subdomain Policy Alignment: For BIMI to function correctly, the subdomain policy (sp=) must also be set to either 'quarantine' or 'reject'.
- Importance of Gradual Rollout: A gradual implementation strategy, starting with 'p=quarantine' and monitoring reports, is highly recommended to minimize deliverability issues.
- Subdomain Assessment: Before changing the subdomain policy, assess which subdomains send email and confirm their authentication configurations.
- Enhanced Security for Non-Sending Subdomains: Setting 'sp=reject' on subdomains that do not send email provides an added layer of security against potential spoofing.
Key considerations
- Impact on Deliverability: Enforcing a 'reject' policy prematurely can negatively impact email deliverability if legitimate emails fail authentication checks.
- Authentication Accuracy: Verify proper SPF and DKIM configuration for all sending domains and subdomains to avoid false positives and deliverability problems.
- DMARC Report Analysis: Regularly monitor and analyze DMARC reports to identify and resolve authentication failures proactively.
- Phased Implementation: Adopt a phased approach when implementing DMARC and BIMI to identify and address potential issues before full enforcement.
- Subdomain Specific Considerations: Consider the specific sending practices of each subdomain before applying a global 'sp=' policy, ensuring legitimate email flow is maintained.
What email marketers say
11 marketer opinions
For BIMI to function correctly, a DMARC policy with either 'quarantine' or 'reject' is required for both the primary domain (`p=`) and subdomains (`sp=`). It is widely recommended to start with a 'quarantine' policy and closely monitor email deliverability and authentication reports before transitioning to a 'reject' policy to avoid unintended deliverability issues. The 'sp=' setting should align with the 'p=' setting, but it is critical to assess subdomain sending practices to ensure legitimate email is properly authenticated before enforcing a stricter 'reject' policy. For subdomains that do not send email, using 'sp=reject' can enhance security.
Key opinions
- DMARC Requirement: BIMI mandates a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject).
- Subdomain Policy: The subdomain policy ('sp=') should also be set to either 'quarantine' or 'reject' for BIMI compliance.
- Gradual Implementation: It is recommended to start with 'p=quarantine' to monitor the impact on deliverability before switching to 'p=reject'.
- Subdomain Assessment: Evaluate subdomain sending practices to ensure legitimate email is authenticated before setting 'sp=reject'.
- Security for Non-Sending Subdomains: For subdomains that do not send email, 'sp=reject' is a good security practice to prevent spoofing.
Key considerations
- Authentication Practices: Ensure proper SPF and DKIM setup for all sending domains and subdomains to avoid deliverability issues when enforcing DMARC policies.
- Monitoring: Closely monitor DMARC reports to identify and address any authentication failures before implementing a 'reject' policy.
- Impact on Deliverability: Be aware that a 'reject' policy can impact deliverability if legitimate emails fail authentication checks. Start with 'quarantine' to minimize potential disruptions.
- Subdomain Specifics: Understand which subdomains send email and ensure their authentication is configured correctly before applying a global subdomain policy.
- Gradual Enforcement: Implement DMARC and BIMI policies gradually to avoid deliverability problems and allow time to address any issues.
Marketer view
Email marketer from Email Marketing Forum shares that BIMI is only possible if you have a DMARC policy in place set to either quarantine or reject. Implementing gradually is important to avoid deliverability issues.
18 Apr 2023 - Email Marketing Forum
Marketer view
Marketer from Email Geeks explains that the required DMARC policy for BIMI for both p= and sp= is either quarantine or reject. The correct DMARC policy for your domain depends on your current authentication practices and how sure you are that they're complete.
16 Apr 2023 - Email Geeks
What the experts say
2 expert opinions
For BIMI implementation, a DMARC policy of either 'quarantine' or 'reject' is necessary. Experts recommend a cautious approach, starting with 'p=quarantine' and monitoring DMARC reports before moving to 'p=reject'. Before adjusting the 'sp=' setting, particularly towards 'reject', it's essential to identify which subdomains send mail and ensure they are correctly configured to avoid disrupting legitimate email flow.
Key opinions
- DMARC Requirement: BIMI requires a DMARC policy of either 'quarantine' or 'reject'.
- Monitoring is Key: Monitoring DMARC reports is crucial before enforcing a stricter 'reject' policy.
- Subdomain Identification: Identify sending subdomains and their DNS setup before changing the 'sp=' policy.
Key considerations
- Gradual Enforcement: Implement DMARC and BIMI gradually to prevent deliverability issues.
- Subdomain Authentication: Ensure all sending subdomains are properly authenticated before enforcing 'sp=reject'.
- Risk Mitigation: Assess the risk of disrupting legitimate email flow when moving to a 'reject' policy.
Expert view
Expert from Word to the Wise explains that a DMARC policy of either quarantine or reject is required for BIMI. They advise starting with `p=quarantine` and monitoring reports before moving to `p=reject`.
2 Sep 2023 - Word to the Wise
Expert view
Expert from Email Geeks shares that before changing `sp=`, ask your devs or IT to give you some idea of what subdomains send mail and are set up in DNS to avoid issues. You likely want to get to sp=reject to match your p=reject, but you have the usual DMARC concern of "hey I need to make sure all email authenticates before I do that"
23 Feb 2022 - Email Geeks
What the documentation says
4 technical articles
BIMI (Brand Indicators for Message Identification) requires a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject) to display your logo. The subdomain policy (sp=) should also be set to 'quarantine' or 'reject' to meet BIMI's requirements. Monitoring reports when first implementing DMARC policies is also recommended.
Key findings
- DMARC Requirement: BIMI mandates a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject).
- Subdomain Policy: The subdomain policy (sp=) should also be set to 'quarantine' or 'reject'.
- Monitoring: Monitoring reports when implementing DMARC policies is recommended.
Key considerations
- Impact on Deliverability: Incorrect DMARC settings can impact deliverability. Monitor DMARC reports carefully when first implementing DMARC policies.
- Authentication Practices: Ensure proper SPF and DKIM setup for all sending domains and subdomains to avoid deliverability issues when enforcing DMARC policies.
Technical article
Documentation from dmarc.org specifies that BIMI requires a DMARC policy with `p=quarantine` or `p=reject`. The subdomain policy `sp=` must also be either `quarantine` or `reject` to meet BIMI's requirements.
25 Sep 2023 - dmarc.org
Technical article
Documentation from Valimail.com explains that to display your logo using BIMI, your domain must have a DMARC policy of 'quarantine' or 'reject' (p=quarantine or p=reject). The sp= setting should also be set to 'quarantine' or 'reject'.
30 Mar 2025 - Valimail.com
Can BIMI logos be animated and how do Google profile images interact with BIMI?
Do DMARC and BIMI require p=reject to be present on the organizational domain?
Do I need a VMC for BIMI to work with Google and Gmail?
Does BIMI require a reject policy on the top level domain if subdomains have it?
How do I implement BIMI and get my logo to show in Gmail and Yahoo Mail?
How do I set up DMARC for BIMI and what are the key considerations?
