The short answer is no. BIMI (Brand Indicators for Message Identification) absolutely cannot work without a correctly configured DMARC record in place. Think of DMARC as the foundation of a house and BIMI as the fancy mailbox out front; you simply cannot have the mailbox without first building the house.
BIMI is a DNS record that allows you to display your brand's logo in your recipients' inboxes, but its functionality is entirely dependent on the security and authentication framework provided by DMARC (Domain-based Message Authentication, Reporting, and Conformance). As the team at Openprovider puts it, BIMI can't function without a valid DMARC record. This relationship is not accidental; it's by design.
DMARC's job is to tell a receiving mail server what to do with an email that fails authentication checks (specifically SPF and DKIM). It protects your domain from being used for phishing and spoofing attacks. BIMI builds on top of this security layer. By requiring a strong DMARC policy, mailbox providers can be confident that the sender is who they claim to be before they agree to display a logo associated with that brand.
In essence, your logo becomes a visual indicator of trust. Mailbox providers are essentially vouching for you by showing your logo, and they will only do that if you have proven your commitment to email security through DMARC enforcement. As Mailgun rightly points out, because you can't have a BIMI logo without a strong DMARC policy, the logo itself proves you take security seriously.
It's not enough to simply have a DMARC record. For BIMI to work, your DMARC policy must be set to an enforcement level. This means your policy tag (p=) must be set to either p=quarantine or p=reject. A policy of p=none, which is a monitoring-only mode, is insufficient.
This requirement makes perfect sense. An enforcement policy tells the world that you are actively instructing mailbox providers to quarantine or reject unauthenticated mail sent from your domain. This proactive stance against abuse is precisely what BIMI is designed to reward visually.
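To make the p= requirement concrete, here is an added example (not code from any mailbox provider or from the sources quoted above) that parses the TXT strings published at a domain's _dmarc name and reports whether the policy is at enforcement. The function names and sample records are constructed for illustration, and example.com is a placeholder domain.

```python
# Added example: does a published DMARC record meet the enforcement level
# BIMI needs (p=quarantine or p=reject)? Sample records are constructed.

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Return a tag dict for a DMARC TXT string, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    # RFC 7489: the v tag must come first and be exactly "DMARC1".
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # ignore fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def bimi_dmarc_status(txt_records):
    """Return (ready, reason) for the TXT strings found at _dmarc.<domain>."""
    parsed = (parse_dmarc(r) for r in txt_records)
    records = [tags for tags in parsed if tags is not None]
    if not records:
        return (False, "no DMARC record")
    if len(records) > 1:
        # RFC 7489: more than one DMARC record means no policy is applied.
        return (False, "multiple DMARC records")
    policy = records[0].get("p", "").lower()
    if policy in ENFORCING:
        return (True, "p=" + policy + " is an enforcement policy")
    if policy == "none":
        return (False, "p=none is monitoring only")
    return (False, "missing or unrecognised p tag")


# Constructed sample TXT answers for _dmarc.example.com
SAMPLES = {
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "quarantine": ["v=DMARC1; p=quarantine"],
    "reject_with_noise": ["v=spf1 -all", "v=DMARC1;p=Reject;"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, bimi_dmarc_status(records))
```
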
If your goal is to implement BIMI, you must follow a specific sequence of steps. There are no shortcuts, and DMARC is the critical first phase.
Ultimately, the answer is clear. A DMARC record is not just recommended for BIMI; it's a mandatory requirement. Attempting to set up BIMI without first achieving DMARC enforcement is like trying to earn a diploma without attending any classes: it simply won't work.