The short answer is no, BIMI does not require strict alignment for both SPF and DKIM. It requires that your DMARC authentication passes, which can be achieved if either SPF or DKIM is aligned. Let's break down what this means.
Before you can implement BIMI, you first need a solid DMARC setup. DMARC works by checking that your emails are properly authenticated with SPF and DKIM, and it introduces the concept of “alignment” to tie those authentication methods to the domain your recipients see in the "From" field.
DMARC’s primary job is to ensure the domain in your visible "From" address is the same one that is authorizing the email. It checks this through SPF and DKIM alignment. For DMARC to pass, only one of these needs to be aligned.
Both SPF and DKIM have two alignment modes: relaxed and strict. Relaxed alignment allows subdomains to match (e.g., mail.example.com can align with example.com), while strict requires an exact domain match.
BIMI builds on top of your DMARC configuration. It doesn't introduce new alignment rules; it just enforces the existing ones. The official BIMI Group, the standard's authoring body, clarifies the requirement.
This means you do not need both SPF and DKIM to be aligned. You don't even need them to be strictly aligned. As long as DMARC passes because one of the protocols is aligned (in either relaxed or strict mode), you've met that part of the BIMI criteria.
The other critical piece for BIMI is your DMARC policy. Your DMARC record must have a policy of p=quarantine or p=reject. A policy of p=none is not sufficient for BIMI.
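To make the alignment rules above concrete, here is a small evaluator written for this article (it is not code from the BIMI Group or any DMARC library). It assumes a simplified organizational-domain rule (the last two labels of a name) where real implementations consult the Public Suffix List, and it checks only what the article states: DMARC passes when at least one of SPF or DKIM both passed and is aligned, and BIMI needs p=quarantine or p=reject.

```python
from typing import Optional


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels.

    Assumption for this example only; production code must use the
    Public Suffix List (e.g. 'example.co.uk' has three labels).
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Does the authenticated domain align with the visible From domain?

    mode 's' = strict (exact match), 'r' = relaxed (same organizational
    domain, so mail.example.com aligns with example.com).
    """
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_passes(from_domain: str, spf_domain: Optional[str], spf_result: str,
                 dkim_domain: Optional[str], dkim_result: str,
                 aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if EITHER mechanism passed AND is aligned (not both)."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' pairs from a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_policy_ok(dmarc_txt: str) -> bool:
    """The article's policy requirement: p=quarantine or p=reject; p=none fails."""
    tags = parse_dmarc_record(dmarc_txt)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")
```

The constructed inputs in the test below mirror the article's scenario: a relaxed SPF match on a mail.example.com subdomain passes, the same message fails under aspf=s, and a DKIM signature alone is enough when SPF fails.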
While not technically required for BIMI, aiming for strict alignment for both SPF and DKIM is a very good idea. It provides the highest level of security by ensuring that the domains used for authentication exactly match your brand's sending domain. This tightens your email security and reduces the risk of sophisticated spoofing attacks.
Furthermore, major mailbox providers are pushing for stronger alignment. Google, for instance, recommends it, suggesting that it may become a more significant factor in deliverability in the future.
In summary, to get your BIMI logo to display, you need:
You don't need strict alignment for both. However, striving for strict alignment with both protocols is the gold standard for email security and is a good practice to adopt.