Suped

Does BIMI require DMARC enforcement policy 'p=reject' or 'p=quarantine'?

Yes, it is an absolute requirement. To implement BIMI (Brand Indicators for Message Identification), your domain's DMARC policy must be set to an enforcement level. This means your policy must be either p=quarantine or p=reject. A DMARC policy of p=none, which is used for monitoring, is not sufficient for your logo to appear in the inbox. This is a core requirement across all mailbox providers that support BIMI.

www.mailgun.com logo
Mailgun says:
Visit website
This is known as your DMARC policy. For BIMI to work, your DMARC policy must be set to either quarantine or reject. There are three DMARC...
Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What are the DMARC enforcement policies?

DMARC allows you to tell receiving mail servers how to handle emails that claim to be from your domain but fail authentication checks. This instruction is set using the policy (p) tag in your DMARC DNS record. There are three possible values for this tag.

  • p=none: This is a monitoring-only policy. It instructs mailbox providers to deliver the email but to send you a DMARC report about it. No blocking or quarantining action is taken based on this policy. It's the starting point for any DMARC project.
  • p=quarantine: This policy requests that receivers move unauthenticated mail to a place other than the inbox, such as the spam or junk folder. It offers a good level of protection without the high risk of rejecting potentially legitimate emails.
  • p=reject: This is the strictest policy. It instructs the receiving server to completely reject the email, meaning it will not be delivered to the recipient at all. This offers the strongest protection against domain spoofing.

Why does BIMI require an enforcement policy?

BIMI is designed as a visual reward for good security practices. It allows brands to display their logo next to their emails, but only if they have proven they are properly authenticating their mail and protecting their domain from abuse. DMARC is the mechanism for providing this proof.

A DMARC policy of p=none doesn't prevent fraudulent email from reaching the inbox. It only monitors it. Mailbox providers like Google and Yahoo require a stronger commitment to security before they will display your logo. An enforcement policy of p=quarantine or p=reject demonstrates that you are actively telling them to filter or block unauthenticated mail. This commitment is what unlocks the benefit of BIMI.

www.emailonacid.com logo
Email on Acid says:
Visit website
To get a BIMI logo, you must have a DMARC policy of either p=quarantine or p=reject. However, too many senders chose to stick with a p=none...

Should I use p=quarantine or p=reject for BIMI?

For the purpose of BIMI, both policies are equally valid. The official BIMI Group documentation confirms that either quarantine or reject will satisfy the requirement. The choice depends on where you are in your DMARC journey.

bimigroup.org logo
BIMI Group says:
Visit website
Enforcement can be “p=quarantine” which indicates failed messages should be quarantined, or “p=reject” which indicates failed messages should be rejected. The...

Many organizations begin with p=quarantine. This allows them to enable BIMI and begin seeing the benefits while still having a safety net; legitimate emails that fail DMARC will go to spam instead of being blocked entirely. Once you are fully confident that all legitimate mail streams are properly authenticated (SPF and DKIM aligned), you can then move to the more secure p=reject policy for maximum brand protection. Ultimately, the choice is yours, as both satisfy the BIMI requirement.

Start improving your email deliverability today

Get started