Yes, it is an absolute requirement. To implement BIMI (Brand Indicators for Message Identification), your domain's DMARC policy must be set to an enforcement level. This means your policy must be either p=quarantine or p=reject. A DMARC policy of p=none, which is used for monitoring, is not sufficient for your logo to appear in the inbox. This is a core requirement across all mailbox providers that support BIMI.
What are the DMARC enforcement policies?
DMARC allows you to tell receiving mail servers how to handle emails that claim to be from your domain but fail authentication checks. This instruction is set using the policy (p) tag in your DMARC DNS record. There are three possible values for this tag.
- p=none: This is a monitoring-only policy. It instructs mailbox providers to deliver the email but to send you a DMARC report about it. No blocking or quarantining action is taken based on this policy. It's the starting point for any DMARC project.
- p=quarantine: This policy requests that receivers move unauthenticated mail to a place other than the inbox, such as the spam or junk folder. It offers a good level of protection without the high risk of rejecting potentially legitimate emails.
- p=reject: This is the strictest policy. It instructs the receiving server to completely reject the email, meaning it will not be delivered to the recipient at all. This offers the strongest protection against domain spoofing.
Why does BIMI require an enforcement policy?
BIMI is designed as a visual reward for good security practices. It allows brands to display their logo next to their emails, but only if they have proven they are properly authenticating their mail and protecting their domain from abuse. DMARC is the mechanism for providing this proof.
A DMARC policy of p=none doesn't prevent fraudulent email from reaching the inbox. It only monitors it. Mailbox providers like Google and Yahoo require a stronger commitment to security before they will display your logo. An enforcement policy of p=quarantine or p=reject demonstrates that you are actively telling them to filter or block unauthenticated mail. This commitment is what unlocks the benefit of BIMI.
Should I use p=quarantine or p=reject for BIMI?
For the purpose of BIMI, both policies are equally valid. The official BIMI Group documentation confirms that either quarantine or reject will satisfy the requirement. The choice depends on where you are in your DMARC journey.
Many organizations begin with p=quarantine. This allows them to enable BIMI and begin seeing the benefits while still having a safety net; legitimate emails that fail DMARC will go to spam instead of being blocked entirely. Once you are fully confident that all legitimate mail streams are properly authenticated (SPF and DKIM aligned), you can then move to the more secure p=reject policy for maximum brand protection. Ultimately, the choice is yours, as both satisfy the BIMI requirement.
