What is the exact DNS record name for BIMI?

The exact DNS record name for BIMI is typically default._bimi.yourdomain.com , where yourdomain.com is the organizational domain or specific subdomain for which you're enabling BIMI. The default acts as a selector, and _bimi is the mandated subdomain prefix.

Can BIMI be implemented on a subdomain without having it on the organizational domain?

Yes, BIMI can be implemented on a subdomain independently. While the BIMI Group suggests a default record at the organizational level, you can publish a unique BIMI TXT record directly on a specific subdomain (e.g., default._bimi.sub.example.com ) to manage its display separately. This allows for more granular control over branding.

What happens if my DMARC policy is not at 'quarantine' or 'reject' for BIMI?

If your DMARC policy is not at p=quarantine or p=reject for the domain in question, BIMI will not work. Mailbox providers require this enforcement level to trust the sending domain's authenticity before displaying your brand logo. You'll need to safely transition your DMARC policy to one of these states.

Does the BIMI TXT record need a Verified Mark Certificate (VMC)?

While a VMC is not strictly required for a basic BIMI implementation with some email clients, it is highly recommended and increasingly becoming a standard for full support across all major mailbox providers (like Gmail ). A VMC verifies the authenticity of your brand logo and is referenced within the a tag of your BIMI TXT record. It adds an extra layer of trust and helps prevent impersonation. You can validate your BIMI SVG and certificate .

Does BIMI use a specific DNS subdomain for its TXT record? - BIMI - Email authentication - Knowledge base

Stylized graphic illustrating DNS records and specific subdomain targeting for email authentication

Brand Indicators for Message Identification, or BIMI, is a powerful email standard that allows you to display your brand's logo next to your authenticated email messages in supported inboxes. When considering how to implement BIMI, one of the most common questions revolves around its DNS record placement. Like other email authentication protocols such as SPF and DKIM, BIMI relies on DNS records to function correctly.

The short answer is yes, BIMI does use a specific DNS subdomain for its TXT record. It's not simply placed on the root domain like some other DNS entries. This specificity is crucial for email clients to locate and validate your brand logo information, ensuring it's tied directly to the sending domain's authentication status.

Understanding this dedicated subdomain is fundamental to successful BIMI deployment, especially when managing email for multiple subdomains or complex organizational structures. Properly configuring this record is a key step towards leveraging BIMI for enhanced brand visibility and trust in the inbox.

The dedicated BIMI subdomain

The BIMI TXT record is always published under a specific subdomain, which acts as a pointer to where the brand logo information is stored. This dedicated subdomain is _bimi, followed by the domain or subdomain for which you are enabling BIMI. For example, if your sending domain is example.com, the BIMI record would be located at _bimi.example.com.

This setup allows for flexibility. You can configure BIMI for your main organizational domain, or you can opt to enable it for specific subdomains, such as marketing.example.com or newsletters.example.com. The key is that each domain or subdomain requiring BIMI will have its own _bimi subdomain entry. This is detailed further in guides like what is the specific format for the BIMI TXT record name.

Example BIMI TXT record for a subdomaindns

default._bimi.sub.example.com. IN TXT "v=BIMI1;l=https://cdn.example.com/logo.svg;a=https://cdn.example.com/vmc.pem"

It's important to note that the default part of the record (often called a selector) is also a standard component, similar to how DKIM uses selectors. This default selector is used in combination with the _bimi subdomain to form the full DNS entry where the BIMI TXT record is published. To learn more about this, you can look into what is the selector for a BIMI record.

BIMI's reliance on DMARC

It's impossible to talk about BIMI without mentioning its foundational requirement: DMARC. BIMI builds upon a properly implemented DMARC policy that is set to a policy of quarantine (p=quarantine) or reject (p=reject). This means that before you can even think about publishing a BIMI record, your domain must have DMARC in place and actively enforcing a policy. Without DMARC, BIMI will simply not work.

Why DMARC is essential for BIMI

Authenticity: DMARC ensures that the sending domain is authenticated, preventing spoofing and unauthorized use of your brand. BIMI leverages this trust to display your logo.
Security: A strong DMARC policy signifies to mailbox providers (like Gmail or Yahoo) that your domain is protected, making them more likely to trust your BIMI record. For DMARC reporting, Suped offers comprehensive DMARC monitoring with a generous free plan.
Compliance: The BIMI Group, which maintains the BIMI standard, explicitly states the DMARC requirement on their FAQs for Senders & ESPs.

The DMARC policy itself can be applied at the organizational level or specifically for subdomains. If your organizational DMARC policy is strong (p=quarantine or p=reject) and includes a subdomain policy (sp=quarantine or sp=reject), it can cover subdomains for BIMI. However, for precise control over subdomain BIMI display, it's often beneficial to have specific BIMI TXT records on the subdomain itself. This ensures that BIMI does not trickle down inadvertently to subdomains where it's not intended or properly configured.

Implementing BIMI for organizational vs. subdomains

When deciding where to publish your BIMI record, you have two primary choices: the organizational domain or a specific subdomain. The organizational domain (often the root domain) can have a BIMI record that, in theory, can be inherited by subdomains, provided the DMARC policy also supports this. However, this isn't always the most flexible or desired approach.

Organizational domain BIMI

Placement: Record at _bimi.example.com.
Inheritance: Can potentially apply to subdomains if DMARC's sp tag is set to quarantine or reject.
Control: Less granular control over which subdomains display BIMI. You might need to check if a parent domain needs BIMI for subdomain BIMI to work.

Subdomain specific BIMI

Placement: Record at _bimi.sub.example.com.
Inheritance: No automatic inheritance, explicit record per subdomain.
Control: Offers precise control. Each subdomain can have a unique logo or no logo, allowing for distinct branding strategies. You can also set up BIMI records for multiple subdomains.

For most organizations, especially those with diverse sending practices across different departments or services, setting up BIMI on a subdomain-specific basis provides the most flexibility and control. This ensures that only authorized and properly authenticated sending domains display your brand's logo, maintaining brand consistency and trust. The official BIMI Group documentation recommends publishing the default BIMI record at the organizational domain, allowing inheritance by all subdomains. However, the domain administrator can publish unique DNS TXT records for each subdomain to override this.

Components of the BIMI TXT record

Beyond the _bimi subdomain, the BIMI TXT record itself contains specific tags that provide instructions to email clients about your brand's logo. These tags include the BIMI version, the URL where your SVG logo file is hosted, and optionally, the URL to your Verified Mark Certificate (VMC).

Tag	Description	Example Value
v	BIMI version, currently BIMI1.	v=BIMI1
l	Location (URL) of your SVG logo file. This must be an HTTPS URL.	l=https://cdn.example.com/logo.svg
a	Authority (URL) to your Verified Mark Certificate (VMC), if applicable. This ensures your logo is legally verified by a BIMI accredited certificate provider.	a=https://cdn.example.com/vmc.pem

The combination of these elements within the default._bimi subdomain record allows mail servers to retrieve and validate your brand logo. This complex interplay of DNS, DMARC, and BIMI records is why robust DMARC monitoring and reporting tools are invaluable for ensuring everything is configured correctly and functioning as intended.

Why the specific subdomain is necessary

The use of a specific _bimi subdomain is crucial for several reasons related to security, scalability, and standardization. It provides a dedicated namespace for BIMI records, preventing conflicts with other DNS entries and making it easy for mailbox providers to identify BIMI-related information.

Isolation: It isolates BIMI records from other DNS configurations, reducing the chance of misconfigurations impacting other services or being overlooked during DNS updates.
Standardization: By following a consistent naming convention, email clients can reliably query for BIMI records across all participating domains, regardless of their specific DNS setup.
Scalability: This approach supports domains that operate on multiple levels of subdomains, allowing each to have its own distinct BIMI entry if needed.

For organizations leveraging BIMI, understanding this specific subdomain structure is not just a technical detail, but a fundamental aspect of successful deployment and brand management within the email ecosystem. Implementing BIMI correctly ensures your brand logo appears consistently and reliably in your recipients' inboxes, reinforcing brand identity and trust.

Conclusion

In summary, BIMI explicitly requires a dedicated DNS subdomain for its TXT record, formatted as default._bimi.yourdomain.com. This specific placement, along with a robust DMARC policy, is essential for BIMI to function correctly and display your brand logo in supporting email clients. This structure provides the necessary security, standardization, and flexibility for effective email branding.

As with all email authentication protocols, careful configuration and ongoing monitoring are key. Tools like Suped simplify this process by providing comprehensive DMARC monitoring and reporting, ensuring your email authentication, including BIMI, is always optimized. This helps protect your domain from abuse and enhances your brand's presence in the inbox.