Does BIMI require strict DMARC alignment for both SPF and DKIM?
Matthew Whittaker
Co-founder & CTO, Suped
Published 8 Dec 2024
Updated 21 Sep 2025
The world of email authentication can often feel like a maze of acronyms and technical specifications. One question that frequently arises, especially for those aiming to boost their brand's visibility in the inbox, is whether BIMI requires strict DMARC alignment for both SPF and DKIM.
BIMI, or Brand Indicators for Message Identification, allows your brand's logo to appear next to your emails in supporting inboxes. This feature adds a significant layer of trust and brand recognition, but it comes with rigorous requirements, most notably a robust DMARC policy.
While DMARC itself provides flexibility regarding which authentication method, SPF or DKIM, passes alignment, BIMI introduces its own set of standards that can make this a more complex consideration. Let's delve into the specifics to clarify what's truly needed to get your brand logo shining in your recipients' inboxes.
The fundamentals of DMARC alignment
At its core, DMARC (Domain-based Message Authentication, Reporting, and Conformance) relies on SPF and DKIM to verify email authenticity. For a message to pass DMARC, it needs to satisfy at least one of two conditions: either SPF alignment passes, or DKIM alignment passes. It's not strictly necessary for both to align simultaneously for a DMARC pass. This flexibility is built into the DMARC protocol to accommodate various email sending infrastructures.
SPF alignment checks if the domain in the Return-Path header (also known as the Mail From or Envelope From) matches the From header domain. DKIM alignment, on the other hand, verifies that the domain used to sign the email cryptographically (the d= tag in the DKIM signature) matches the From header domain. For DMARC, either of these passing is sufficient for authentication.
While DMARC only needs one of SPF or DKIM to pass, having both configured correctly creates a more resilient authentication setup. This redundancy helps ensure your emails are authenticated even if one method encounters an issue.
You can monitor your DMARC reports to see how well your SPF and DKIM authentication are performing. Tools like Suped provide AI-powered recommendations to help you fix issues and strengthen your policy, making DMARC monitoring straightforward.
BIMI's specific DMARC requirements
While DMARC allows for either SPF or DKIM to align, BIMI has a more stringent requirement. For BIMI to work, your domain's DMARC policy must be set to enforcement, meaning p=quarantine or p=reject. This signals to receiving mail servers that you are actively protecting your domain against unauthorized use. It also means that at least one of SPF or DKIM must pass alignment for BIMI to be considered.
The key takeaway here is that BIMI does not explicitly demand that both SPF and DKIM align. Rather, it requires a DMARC pass, which can be achieved through either one of them successfully aligning. It's a common misconception that both are strictly required. The official BIMI Group FAQs clarify this, stating, "BIMI relies upon DMARC alignment passing (via SPF or DKIM). As long as DKIM alignment passes, your BIMI record will be retrieved and evaluated." You can find more details at the BIMI Group FAQs page.
Therefore, while the DMARC policy must be enforced (not p=none), the alignment itself only needs to be successful for at least one of the underlying protocols. This distinction is crucial for understanding how to configure DMARC for BIMI effectively.
BIMI requires
Validated DMARC: An active DMARC record must be published.
Enforced Policy: The DMARC policy must be set to p=quarantine or p=reject.
DMARC Pass: At least one of SPF or DKIM must achieve DMARC alignment.
What BIMI doesn't require
Dual Alignment: It is not necessary for both SPF and DKIM to align for a DMARC pass.
Specific Protocol: No preference for SPF over DKIM or vice versa, as long as one passes.
Testing Policy: A p=none DMARC policy is insufficient for BIMI.
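The three DMARC-side conditions above can be checked mechanically. The following is an added example, not code from Suped or the BIMI Group: it evaluates a DMARC record and one message's authentication results, and goes slightly beyond the text by honouring the record's `aspf`/`adkim` alignment modes (relaxed by default, `s` for strict). The domains and the `Message` type are constructed, and the organizational-domain helper is a simplifying assumption.

```python
from dataclasses import dataclass

def parse_dmarc(txt):
    """Return the record's tag dict, or None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag of a DMARC record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (this shortcut is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match; anything else = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:  # constructed summary of a receiver's authentication results
    from_domain: str   # From header domain
    spf_pass: bool
    spf_domain: str    # Return-Path (envelope from) domain
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature

def evaluate(record, msg):
    tags = parse_dmarc(record)
    if tags is None:   # no valid record: nothing to enforce, no DMARC pass
        return {"dmarc_pass": False, "enforced": False, "bimi_dmarc_ok": False}
    spf_ok = msg.spf_pass and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r").lower())
    dkim_ok = msg.dkim_pass and aligned(
        msg.dkim_domain, msg.from_domain, tags.get("adkim", "r").lower())
    dmarc_pass = spf_ok or dkim_ok   # either aligned mechanism is enough
    enforced = tags.get("p", "").lower() in ("quarantine", "reject")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": dmarc_pass, "enforced": enforced,
            "bimi_dmarc_ok": dmarc_pass and enforced}

# Constructed sample: mail sent through a third-party service whose bounce
# domain differs from the brand's, signed with the brand's own DKIM key.
MSG = Message("brand.example", True, "bounce.esp.example", True, "mail.brand.example")
```

With `MSG`, a `p=reject` record meets the conditions on DKIM alignment alone, `p=none` passes DMARC but fails the enforcement condition, and adding `adkim=s` breaks DKIM alignment because `mail.brand.example` is not an exact match for `brand.example`.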
Why both SPF and DKIM are still valuable
While BIMI might not demand both SPF and DKIM alignment, having both correctly configured and aligning offers significant advantages for your overall email deliverability and security. Redundancy is a major factor. If one authentication method fails due to a configuration error, a third-party sending service change, or an issue with the receiving server, the other method can still ensure DMARC passes. This helps maintain your email reputation and ensures your messages reach the inbox.
Many email providers, like Gmail and Yahoo, have tightened their sending requirements, often preferring or even implicitly requiring both SPF and DKIM to be properly set up for optimal inbox placement. Even if only one is strictly needed for a DMARC pass, failing to implement both diligently can negatively impact deliverability. You can learn more about DKIM domain alignment for these new requirements.
Moreover, certain email blocklists (or blacklists) might factor in the completeness of your email authentication setup when determining your sender reputation. A robust implementation of both SPF and DKIM, alongside an enforced DMARC policy, contributes to a stronger domain reputation, reducing the chances of your emails being flagged as spam or rejected.
Implementing and monitoring for BIMI
To successfully implement BIMI, your primary focus should be on achieving a DMARC policy of p=quarantine or p=reject with a high percentage of emails passing DMARC alignment via either SPF or DKIM. The journey typically begins with a p=none policy to gather data and identify all legitimate sending sources.
Once you have a clear picture, you can gradually move to a more enforced policy. This transition needs careful monitoring to avoid legitimate emails being quarantined or rejected. Tools like Suped are essential here, providing unified monitoring for DMARC, SPF, and DKIM. Our platform gives you real-time alerts and actionable recommendations to help you safely transition your DMARC policy.
Effective DMARC monitoring is not just about compliance, but also about understanding your email ecosystem. Suped's unified platform, with its AI-powered insights, helps you easily track DMARC aggregate and forensic reports, identify sources of non-compliance, and continuously refine your email authentication strategy. This proactive approach ensures your brand is protected and your emails achieve maximum impact with BIMI.
Achieving BIMI readiness
In conclusion, BIMI does not require both SPF and DKIM to pass strict DMARC alignment simultaneously. The primary requirement is that your DMARC record enforces a policy of p=quarantine or p=reject, and that your emails achieve DMARC alignment through either SPF or DKIM. However, implementing both authentication protocols correctly is a best practice that significantly enhances your email deliverability, security, and sender reputation.
By focusing on a strong DMARC foundation and leveraging comprehensive monitoring solutions like Suped, you can confidently pursue BIMI adoption, showcasing your brand logo and building greater trust with your recipients. Our platform simplifies the complex task of DMARC compliance, offering unmatched insights and a generous free plan to get you started on your journey to better email security and deliverability.