Suped

Does BIMI require a DMARC policy of 'p=none' for testing?

The short answer is no. You cannot use a DMARC policy of p=none for BIMI to work, even for testing. BIMI requires a DMARC policy at enforcement, which means your policy must be set to p=quarantine or p=reject.

This is a common point of confusion. While p=none is a critical first step in implementing DMARC, it is only a monitoring policy. BIMI is designed to be a visual reward for senders who have properly secured their domain against spoofing, which requires an enforcement policy.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

Why BIMI requires a strict DMARC policy

Brand Indicators for Message Identification (BIMI) is built directly on the foundation of DMARC. The entire purpose of BIMI is to give mailbox providers a verified, authenticated signal that the email is legitimate and the sender's identity is trustworthy. As the BIMI Group states, this reliance is fundamental to how it operates.

bimigroup.org logo
BIMI Group says:
Visit website
BIMI leverages the existing DMARC protocol, ensuring that email messages pass DMARC authentication checks before displaying brand-controlled logos.

A DMARC policy of p=none simply tells receivers to report authentication failures but to take no action. It's often called a "monitoring" policy. Because no action is taken, it doesn't prevent spoofing or phishing attacks. Therefore, it doesn't provide the level of trust required for a mailbox provider to display your logo. For BIMI to work, you must be at what's called DMARC enforcement.

www.forrester.com logo
Forrester says:
Visit website
Setting DMARC policy to either p=quarantine or p=reject is considered DMARC enforcement. Setting the policy to p=none provides domain owners...

As many sources like DeBounce and GoDMARC confirm, a policy of p=quarantine or p=reject is a non-negotiable prerequisite.

The correct journey to BIMI

So, if you can't test BIMI with p=none, what is it for? The p=none policy is your starting point. It allows you to test your DMARC setup without impacting your legitimate mail flow. You use this monitoring phase to gather data on all the services sending email on your behalf and ensure they are correctly configured with SPF and DKIM.

knak.com logo
Knak says:
Visit website
Start with p=none to avoid disrupting your mail flow as you observe how many of your messages pass or fail DMARC checks.

The correct path from having no DMARC record to having a BIMI logo displayed in inboxes looks like this:

  • Publish a DMARC record with p=none. This is your monitoring phase. You need to collect DMARC aggregate reports to understand who is sending email from your domain.
  • Analyze your reports. Identify all legitimate email sources and fix any SPF or DKIM alignment issues. This ensures your own mail doesn't get blocked when you move to a stricter policy.
  • Move to an enforcement policy. Once you are confident that all your legitimate mail is passing DMARC checks, you can change your policy to p=quarantine. This tells mailbox providers to send unauthenticated mail to the spam folder. You can start with a small percentage (e.g., pct=5) and gradually increase it to 100.
  • Consider moving to p=reject. This is the strongest policy, instructing receivers to block any mail that fails DMARC checks. Both p=quarantine and p=reject are valid for BIMI.
  • Implement BIMI. Only after you have an enforcement policy in place can you publish your BIMI record and expect your logo to be displayed.

In conclusion

To be crystal clear, BIMI absolutely does not support a DMARC policy of p=none. However, the p=none policy is an essential and mandatory first step on your DMARC journey. It's the training wheels you must use to prepare your domain for the enforcement policy that BIMI requires. Without starting at p=none, you risk blocking your own legitimate emails when you eventually move to p=quarantine or p=reject.

Start improving your email deliverability today

Get started