Does BIMI require a DMARC policy of 'p=none' for testing?

Michael Ko
Co-founder & CEO, Suped
Published 3 Jul 2025
Updated 4 Nov 2025
The question of whether BIMI requires a DMARC policy of 'p=none' for testing is a common one, especially for organizations just starting their email authentication journey. Many brands are eager to implement BIMI (Brand Indicators for Message Identification) to display their logo in email clients, boosting trust and brand recognition. However, there's a fundamental misunderstanding that needs to be clarified: BIMI explicitly requires an enforced DMARC policy, meaning 'p=none' is insufficient for BIMI to function.
A DMARC policy of p=none serves a crucial role in the initial stages of DMARC deployment. It allows you to monitor your email traffic and identify unauthorized senders without impacting email delivery. This is essential for gathering data and understanding your email ecosystem before moving to more restrictive policies. However, BIMI's primary goal is to enhance trust through visual brand verification, and that trust hinges on a strong DMARC enforcement policy.
To fully leverage BIMI and display your brand logo, your DMARC record must be set to either p=quarantine or p=reject. This requirement ensures that only authenticated and legitimate emails from your domain will carry your brand's verified logo, protecting both your brand and your recipients from phishing and spoofing attempts. The 'p=none' policy does not provide this necessary level of enforcement.

Understanding BIMI's reliance on DMARC enforcement

BIMI works by connecting your verified brand logo (stored in a DNS record) to your DMARC authentication. For a logo to display, the incoming email must successfully pass DMARC checks. This includes both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication, and crucially, DMARC alignment. The DMARC policy p=none tells receiving mail servers to do nothing if DMARC fails, except report the failure. This lack of enforcement is precisely why BIMI cannot rely on it.
Major email providers and organizations that support BIMI, like Google and Yahoo, have explicitly stated that BIMI requires a DMARC policy of p=quarantine or p=reject. This is a non-negotiable prerequisite to ensure the integrity of the displayed brand logo and to prevent malicious actors from impersonating legitimate brands. You can find more information on Google's DMARC requirements for BIMI.
Implementing BIMI without this enforcement would undermine its core value proposition, which is to provide a visible signal of trust and authenticity. If emails failing DMARC could still display a brand logo, it would create an easy avenue for spoofing and phishing attacks, eroding user confidence. Therefore, testing BIMI necessarily involves moving beyond p=none.

Why 'p=none' is insufficient for BIMI

The primary purpose of a p=none DMARC policy is to gather data and monitor email sending behavior. It allows domain owners to receive DMARC reports (RUA and RUF) that detail authentication results without instructing receiving mail servers to take any action on failed emails. This is crucial during the initial DMARC deployment phase, helping identify all legitimate sending sources.
However, for BIMI to display your logo, there must be a guarantee that the sender is authorized. A p=none policy provides no such guarantee. It allows unauthenticated emails to still reach the inbox, albeit without the brand logo. To prevent unauthorized use of your brand logo, BIMI mandates that your DMARC policy must be in an enforcement mode, either p=quarantine or p=reject. These policies instruct receiving mail servers to either move non-compliant emails to spam or block them entirely.

Using p=none

  1. Purpose: Monitor email traffic, gather authentication data, and identify all legitimate sending sources.
  2. Action: No enforcement action taken on failed emails; they still reach the inbox. No impact on deliverability while testing DMARC.
  3. BIMI compatibility: Not compatible with BIMI. Logos will not display. This policy offers insufficient security for BIMI.

Using p=quarantine/reject

  1. Purpose: Enforce DMARC, protect against spoofing, and ensure only authenticated emails are delivered cleanly.
  2. Action: Emails failing DMARC are either quarantined (sent to spam) or rejected (blocked entirely).
  3. BIMI compatibility: Required for BIMI. Logos will display for authenticated emails, enhancing brand trust.
Therefore, if your goal is to enable BIMI, you must eventually transition your DMARC policy from p=none to an enforcement policy. For a deeper dive into the specifics, the BIMI Group FAQs for senders provide additional insights.

The path to BIMI implementation

The recommended approach to implementing DMARC and then BIMI is a phased one. You should start with a p=none policy for monitoring. This step is critical for gaining visibility into your email ecosystem and ensuring that all legitimate sending sources are properly authenticated with SPF and DKIM. Once you are confident in your DMARC reports and see consistent authentication passes, you can then move to an enforcement policy.
Transitioning your policy from p=none to p=quarantine and then p=reject should be a gradual process, often starting with a low percentage (e.g., pct=10) and slowly increasing it. This minimizes any potential disruption to your legitimate email flow while you fine-tune your authentication. Making this DMARC policy transition safely is critical.

Key steps for BIMI readiness

  1. DMARC record: Ensure you have a DMARC record published in your DNS.
  2. SPF & DKIM: Properly configure SPF and DKIM for all sending domains and subdomains.
  3. Alignment: Verify that your SPF and DKIM are in DMARC alignment with your From: header domain.
  4. Policy enforcement: Set your DMARC policy to p=quarantine or p=reject.
  5. VMC: Obtain a Verified Mark Certificate (VMC) for your brand logo.
Only after these steps are completed can you proceed with publishing your BIMI DNS record, which points to your VMC and SVG logo file. This systematic approach ensures that your brand is protected and that your BIMI implementation is successful.
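The policy-enforcement step can be checked mechanically before a BIMI record is published. The following Python sketch is an added example, not Suped's code: it parses a DMARC TXT record and reports whether the policy is p=quarantine or p=reject, and it also surfaces pct so a staged rollout is visible. The function names and the sample records (apart from the article's own example record) are constructed for illustration.

```python
ENFORCING = {"quarantine", "reject"}   # the two policies the article says BIMI accepts
KNOWN = ENFORCING | {"none"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:                # skips the empty segment after a trailing ';'
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def bimi_policy_check(txt):
    """Report whether a DMARC record meets the enforcement precondition for BIMI."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    # A DMARC record starts with v=DMARC1 and must carry a recognised p= tag.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1" or policy not in KNOWN:
        return {"valid": False, "policy": None, "pct": None, "enforced": False,
                "finding": "not a usable DMARC record"}
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 100                           # assumption: malformed pct falls back to the default
    enforced = policy in ENFORCING
    if not enforced:
        finding = "monitoring only: failures are reported, not acted on; no BIMI logo"
    elif pct < 100:
        finding = f"{policy} applied to {pct}% of failing mail (staged rollout)"
    else:
        finding = f"{policy} applied to all failing mail"
    return {"valid": True, "policy": policy, "pct": pct,
            "enforced": enforced, "finding": finding}

# Constructed sample records; "article example" is the record shown later on this page.
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com",
    "article example": "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; fo=1;",
    "staged rollout": "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@yourdomain.com",
    "wrong record type": "v=spf1 include:example.com -all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:18} -> {bimi_policy_check(record)['finding']}")
```

In practice the input would be the TXT record published at the _dmarc subdomain of the sending domain.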

Monitoring DMARC and BIMI for continued success

Even after you've implemented BIMI with an enforced DMARC policy, ongoing monitoring is essential. DMARC reporting provides valuable insights into your email delivery, identifying any authentication failures or unauthorized senders trying to use your domain. This allows you to quickly address issues and maintain strong email security and deliverability.
Tools like Suped offer comprehensive DMARC monitoring and reporting solutions. Our platform provides AI-powered recommendations to help you fix issues and strengthen your policy, real-time alerts for critical events, and a unified dashboard for DMARC, SPF, and DKIM monitoring, along with blocklist and deliverability insights. Suped also offers SPF flattening and is built for scale with an MSP and multi-tenancy dashboard, making DMARC accessible and manageable for all types of organizations, including agencies and Managed Service Providers. We also offer a generous free plan to help you get started with DMARC monitoring and protect your brand.
Example DMARC record for enforcement (DNS):
v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; fo=1;
Regularly reviewing your DMARC reports will help you ensure that your email authentication remains robust, protecting your brand from impersonation and ensuring your BIMI logo continues to display correctly in supporting inboxes.

Conclusion

In summary, BIMI does not require a DMARC policy of p=none for testing or implementation. While p=none is an invaluable first step in your DMARC journey for monitoring purposes, BIMI mandates an enforced policy of p=quarantine or p=reject. This strict requirement ensures that only legitimate and authenticated emails from your brand display your logo, enhancing trust and providing crucial protection against email fraud.
By following a structured DMARC deployment plan and using robust monitoring solutions like Suped, you can confidently move to an enforcement policy and unlock the full benefits of BIMI, strengthening your brand's presence in the inbox.
