The short answer is no. You cannot use a DMARC policy of p=none for BIMI to work, even for testing. BIMI requires a DMARC policy at enforcement, which means your policy must be set to p=quarantine or p=reject.
This is a common point of confusion. While p=none is a critical first step in implementing DMARC, it is only a monitoring policy. BIMI is designed to be a visual reward for senders who have properly secured their domain against spoofing, which requires an enforcement policy.
Why BIMI requires a strict DMARC policy
Brand Indicators for Message Identification (BIMI) is built directly on the foundation of DMARC. The entire purpose of BIMI is to give mailbox providers a verified, authenticated signal that the email is legitimate and the sender's identity is trustworthy. As the BIMI Group states, this reliance is fundamental to how it operates.
A DMARC policy of p=none simply tells receivers to report authentication failures but to take no action. It's often called a "monitoring" policy. Because no action is taken, it doesn't prevent spoofing or phishing attacks. Therefore, it doesn't provide the level of trust required for a mailbox provider to display your logo. For BIMI to work, you must be at what's called DMARC enforcement.
As many sources like DeBounce and GoDMARC confirm, a policy of p=quarantine or p=reject is a non-negotiable prerequisite.
The correct journey to BIMI
So, if you can't test BIMI with p=none, what is it for? The p=none policy is your starting point. It allows you to test your DMARC setup without impacting your legitimate mail flow. You use this monitoring phase to gather data on all the services sending email on your behalf and ensure they are correctly configured with SPF and DKIM.
The correct path from having no DMARC record to having a BIMI logo displayed in inboxes looks like this:
- Publish a DMARC record with p=none. This is your monitoring phase. You need to collect DMARC aggregate reports to understand who is sending email from your domain.
- Analyze your reports. Identify all legitimate email sources and fix any SPF or DKIM alignment issues. This ensures your own mail doesn't get blocked when you move to a stricter policy.
- Move to an enforcement policy. Once you are confident that all your legitimate mail is passing DMARC checks, you can change your policy to p=quarantine. This tells mailbox providers to send unauthenticated mail to the spam folder. You can start with a small percentage (e.g., pct=5) and gradually increase it to 100.
- Consider moving to p=reject. This is the strongest policy, instructing receivers to block any mail that fails DMARC checks. Both p=quarantine and p=reject are valid for BIMI.
- Implement BIMI. Only after you have an enforcement policy in place can you publish your BIMI record and expect your logo to be displayed.
In conclusion
To be crystal clear, BIMI absolutely does not support a DMARC policy of p=none. However, the p=none policy is an essential and mandatory first step on your DMARC journey. It's the training wheels you must use to prepare your domain for the enforcement policy that BIMI requires. Without starting at p=none, you risk blocking your own legitimate emails when you eventually move to p=quarantine or p=reject.
What is the default value for the DMARC 'p' tag?
Can DMARC policies be applied without an SPF or DKIM record?
Does DMARC require both SPF and DKIM to pass?
What does a DMARC 'p=none' policy signify?
What does a DMARC record that is 'p=none' and 'pct=100' mean?
Does BIMI require DMARC enforcement policy 'p=reject' or 'p=quarantine'?
