Can BIMI be implemented when some subdomains have p=none DMARC policies?
Michael Ko
Co-founder & CEO, Suped
Published 15 Nov 2025
Updated 15 Nov 2025
7 min read
Many email senders wonder if they can implement Brand Indicators for Message Identification (BIMI) across their domain when some subdomains maintain a p=none DMARC policy for various reasons, such as internal development streams. It is a common misconception that a single p=none DMARC policy anywhere in your domain hierarchy will prevent BIMI from working entirely.
The good news is that BIMI can indeed be implemented for domains and subdomains that have an enforced DMARC policy, even if other subdomains within the same organizational domain are set to p=none. The key lies in how mailbox providers evaluate DMARC and BIMI records for each specific sending domain.
Mailbox providers primarily care about the DMARC policy and authentication status of the specific domain or subdomain that is actively sending the email. If your apex domain and certain subdomains are configured with p=quarantine or p=reject, BIMI can display for those sending identities, regardless of other subdomains having a more relaxed policy.
How DMARC policies impact BIMI
BIMI requires that the domain sending the email has a DMARC policy enforced at either p=quarantine or p=reject. A p=none DMARC policy means that recipients should take no action on emails that fail DMARC authentication, only report on them. This relaxed stance is insufficient for BIMI, which aims to provide strong visual brand authentication. You can learn more about the implications of a p=none policy.
For your brand logo to appear, the DMARC policy for the specific sending domain must be at an enforcement level. This ensures that only authenticated emails from your brand are delivered, preventing imposters from displaying your logo. The BIMI Group’s implementation guide confirms this requirement, stating that DMARC must be at enforcement on the organizational domain and subdomains.
Google also reiterates this, explicitly stating that BIMI doesn't support DMARC policies with the p option set to none. So, while you can publish a p=none policy for some subdomains, BIMI will simply not display for those specific sending identities.
BIMI enforcement requirements
DMARC Policy: The sending domain must have a DMARC policy of p=quarantine or p=reject.
DMARC Alignment: SPF and DKIM must be configured correctly and align with the From: domain. Learn more about BIMI and strict DMARC alignment.
BIMI Record: A valid BIMI DNS record pointing to your brand's SVG logo must be published for the specific domain or subdomain.
Verified Mark Certificate (VMC): While not always mandatory, a VMC is strongly recommended to ensure maximum BIMI adoption across participating mailbox providers.
Subdomain DMARC policies and BIMI visibility
DMARC policies are hierarchical but can also be explicitly defined for subdomains. If you have an organizational domain with a p=reject policy, and you explicitly set a subdomain (e.g., dev.example.com) to p=none, that specific subdomain will operate under its p=none policy. Any other subdomain without an explicit policy will inherit the organizational domain's policy.
Mailbox providers do not aggregate or penalize your entire domain based on a single subdomain's p=none policy when evaluating BIMI. They check the DMARC record for the exact domain found in the From: header of an incoming email. If that specific domain has an enforced DMARC policy and a valid BIMI record, the logo will be displayed.
Therefore, if your primary sending domains (e.g., example.com and marketing.example.com) are at p=reject, you can implement BIMI for them. The existence of dev.example.com with p=none will not affect BIMI display on the other, enforced domains. If you are specifically interested in how DMARC enforcement policies impact BIMI for subdomains, you might want to read our article on whether an organizational DMARC policy covers subdomains for BIMI.
Subdomain with p=none
Policy: DMARC record is set to p=none.
BIMI Display: BIMI logo will not be displayed for emails sent from this subdomain, even if a BIMI record exists.
Use Case: Suitable for testing, internal development, or non-critical email streams where brand visibility isn't paramount.
Subdomain with p=quarantine/reject
Policy: DMARC record is set to p=quarantine or p=reject.
BIMI Display: BIMI logo will be displayed for emails sent from this subdomain, provided a valid BIMI record is published and other requirements are met. You can find out which email clients support BIMI.
Use Case: Ideal for marketing, transactional, and other customer-facing email streams where brand recognition and trust are crucial.
Steps for implementing BIMI with mixed DMARC policies
The implementation strategy involves setting up BIMI records (and optionally, VMCs) for each specific domain or subdomain where you desire your logo to appear. This means you can have a BIMI record for your apex domain (example.com) and for specific subdomains (marketing.example.com) that are under DMARC enforcement.
If you have a subdomain like dev.example.com with p=none, you simply would not publish a BIMI record for dev.example.com. This approach allows you to selectively enable BIMI where it matters most, without being hindered by less critical subdomains. However, you can't implement BIMI without a DMARC record at all.
To effectively manage your DMARC policies and ensure BIMI readiness, robust DMARC monitoring is essential. Suped provides an advanced DMARC monitoring platform that offers AI-powered recommendations to help you fix issues and strengthen your policy, real-time alerts for any anomalies, and a unified platform for DMARC, SPF, DKIM, and blocklist insights. Our platform also includes SPF flattening and a multi-tenancy dashboard ideal for MSPs. This comprehensive approach simplifies the complexities of email authentication, making DMARC accessible and actionable for businesses of all sizes.
Example BIMI DNS TXT RecordTXT
default._bimi.example.com. IN TXT "v=BIMI1;l=https://example.com/logo.svg;a=https://example.com/vmc.pem"
Practical considerations for BIMI and DMARC
The strategy works because email authentication, including DMARC and BIMI, is evaluated on a per-domain basis by the receiving mail server. A DMARC record for dev.example.com only applies to emails sent from that specific subdomain. It doesn't interfere with the DMARC or BIMI policies of example.com or marketing.example.com.
When transitioning your DMARC policy from p=none to an enforcement policy for BIMI, it is crucial to monitor your DMARC reports closely. These reports provide invaluable insight into your email ecosystem, showing you which sources are authenticating correctly and which are failing. This data is vital for identifying legitimate email streams that need proper authentication configured and for detecting any malicious activity (phishing or spoofing). To learn more, check out our guide on safely transitioning your DMARC policy.
DMARC Policy
BIMI Logo Display
Security Level
Recommended Use
p=none
No
Monitoring only
Initial setup, development subdomains
p=quarantine
Yes
Emails failing DMARC moved to spam
Transition phase, cautious enforcement
p=reject
Yes
Emails failing DMARC are blocked
Full enforcement, maximum protection
Views from the trenches
Best practices
Ensure DMARC enforcement (p=quarantine or p=reject) for domains intended to display BIMI.
Publish a separate BIMI record for each subdomain where you want your brand logo to appear.
Regularly monitor DMARC reports to ensure all legitimate email sources are authenticating correctly.
Gradually move from p=none to enforcement to avoid disrupting legitimate email flows.
Always validate your BIMI SVG and certificate to ensure proper rendering across clients.
Common pitfalls
Assuming a p=none DMARC policy on any subdomain will block BIMI for your entire domain.
Failing to publish a BIMI record for each specific subdomain or the apex domain.
Neglecting DMARC alignment for SPF and DKIM, which is essential for BIMI to work.
Not monitoring DMARC reports, leading to authentication issues going unnoticed.
Expecting BIMI to display instantly after implementation, as propagation can take time.
Expert tips
Use a DMARC record with p=none for monitoring during the initial setup phase.
Leverage DMARC aggregate reports to identify all sending sources for your domain.
Consider a Verified Mark Certificate (VMC) for broader BIMI adoption and trust.
Educate your team on DMARC and BIMI requirements to maintain compliance.
Automate DMARC report analysis with a tool for actionable insights and faster issue resolution.
Expert view
Expert from Email Geeks says BIMI will only not show on the subdomain with a p=none policy, but it should display correctly on other subdomains and the root domain that have enforcement policies.
2025-07-21 - Email Geeks
Expert view
Expert from Email Geeks says mailbox providers only consider mail they actually receive, so they won't be concerned with how a subdomain not sending email to them is configured. They focus on the domains in the received mail and the apex domain for authentication.
2025-07-21 - Email Geeks
Key takeaways on BIMI and subdomain DMARC
In summary, having some subdomains with a p=none DMARC policy does not preclude you from implementing BIMI on other domains and subdomains that adhere to the enforcement policy requirement. BIMI is a powerful tool for brand recognition and trust, but its visibility is directly tied to the DMARC enforcement level of the specific sending domain.
By understanding the per-domain evaluation of DMARC and strategically applying BIMI records, you can leverage this authentication standard for your key communication channels while maintaining flexibility for less critical email streams. Utilize platforms like Suped to monitor DMARC and other email authentication protocols, ensuring your brand's emails are both secure and prominently displayed in the inbox.
Initial setup, development subdomains
Transition phase, cautious enforcement
Full enforcement, maximum protection
