Does a root domain BIMI record apply to subdomains without their own record?
Michael Ko
Co-founder & CEO, Suped
Published 15 Nov 2025
Updated 15 Nov 2025
Many email senders wonder about the intricacies of Brand Indicators for Message Identification (BIMI), especially when it comes to managing multiple domains and subdomains. A common question is whether a BIMI record published on the root domain automatically extends its branding to subdomains that lack their own explicit BIMI record. The short answer is often yes, but with critical caveats primarily related to your DMARC policy configuration.
BIMI's core function is to display your brand's logo next to your authenticated emails in supported inboxes, enhancing trust and brand recognition. However, BIMI doesn't operate in a vacuum. It depends on a DMARC policy set to enforcement (quarantine or reject). This means the effectiveness of a root domain's BIMI record on its subdomains is directly tied to how DMARC is configured across your entire domain ecosystem.
Understanding this relationship is key to ensuring your brand logo is consistently displayed and your emails are properly authenticated. We'll explore the conditions under which BIMI inheritance occurs, when you might need individual subdomain records, and essential factors for successful implementation.
The fundamentals of BIMI and DMARC
BIMI is explicitly designed to work with DMARC, a crucial email authentication protocol. For a BIMI logo to display, the sending domain must have a DMARC policy of p=quarantine or p=reject. This strict enforcement ensures that only legitimate emails from your domain, which pass SPF and DKIM authentication and DMARC alignment, are permitted to display your logo. Without an enforced DMARC policy, BIMI cannot function, regardless of any BIMI records present.
A DMARC record published on the organizational domain (often referred to as the root domain) can indeed apply to subdomains. This is achieved through the sp (subdomain policy) tag within your DMARC record. If sp is set to quarantine or reject, and a subdomain does not have its own explicit DMARC record, it will inherit the sp policy from the root. This inheritance is fundamental to how BIMI can apply to subdomains.
For BIMI to display for a subdomain without its own record, two conditions must be met: the subdomain must be DMARC compliant (passing SPF or DKIM with alignment), and its DMARC policy (either inherited from the root or explicitly defined) must be at enforcement. If these conditions are met, the subdomain can then use the root domain's BIMI record, assuming the root domain has a valid Verified Mark Certificate (VMC) if one is required.
BIMI Group FAQs state that a default BIMI record should be published at the organizational domain, allowing it to be inherited by all subdomains. This clarifies the general expectation for inheritance.
How subdomain BIMI inheritance works
The principle of BIMI inheritance on subdomains is similar to DMARC policy inheritance. If your root domain has a DMARC record with an sp tag set to an enforcement policy, and no specific DMARC record exists for a subdomain, that subdomain will inherit the root's policy. Consequently, if that subdomain also lacks its own BIMI record, it will then look to the root domain's BIMI record for display instructions, provided DMARC passes for the sending domain.
This means a parent domain generally needs BIMI for subdomain BIMI to work, assuming the subdomain doesn't have its own explicitly defined record. The BIMI record is typically a TXT record that specifies the location of your logo (SVG file) and optionally your VMC. For subdomains to benefit from the root's BIMI, they must still align with the DMARC policy, which itself must be inherited or explicitly defined at an enforcement level.
However, there are scenarios where you might want to control subdomain BIMI display separately. If a subdomain requires a different logo or a unique VMC, you would then publish a specific BIMI TXT record for that subdomain. This explicit record would override any potential inheritance from the root domain. Think of it like a cascade: if a specific record exists, use that, otherwise, look to the parent.
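The cascade described above, written out as an added example (not code from Suped or the BIMI Group): it resolves which DMARC policy and which BIMI record govern a given sending domain. Assumptions: the `ZONE` dictionary is constructed sample TXT data in place of live DNS, the function names are hypothetical, the organizational domain is passed in rather than derived from the Public Suffix List, and the `v=BIMI1`, `l=` and `a=` tags and the `default` selector follow the BIMI draft. It also covers one case beyond the text: per RFC 7489, a root record with no `sp` tag applies its `p` value to subdomains.

```python
# Constructed TXT data standing in for DNS; example.com and its hosts are placeholders.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine",
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "_dmarc.news.example.com": "v=DMARC1; p=none",  # overrides the root's sp
    "default._bimi.shop.example.com": "v=BIMI1; l=https://shop.example.com/logo.svg",
}
ENFORCED = ("quarantine", "reject")

def parse_tags(txt):
    """Split 'tag=value; tag=value' TXT data into a dict keyed by lowercase tag."""
    pairs = (part.partition("=") for part in txt.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def effective_dmarc(domain, org, zone=ZONE):
    """Return (policy, record owner) for mail whose From domain is `domain`."""
    own = parse_tags(zone.get(f"_dmarc.{domain}", ""))
    if own.get("v") == "DMARC1":
        return own.get("p", "none").lower(), domain
    root = parse_tags(zone.get(f"_dmarc.{org}", ""))
    if root.get("v") != "DMARC1":
        return "none", None
    # Subdomains take the root's sp; RFC 7489 falls back to p when sp is absent.
    return root.get("sp", root.get("p", "none")).lower(), org

def bimi_record(domain, org, selector="default", zone=ZONE):
    """Cascade: the subdomain's own assertion record first, then the root's."""
    for owner in (domain, org):
        tags = parse_tags(zone.get(f"{selector}._bimi.{owner}", ""))
        if tags.get("v", "").upper() == "BIMI1":
            return tags, owner
    return {}, None

def evaluate(domain, org="example.com"):
    """Summarise which records govern `domain`, assuming the message passed DMARC."""
    policy, dmarc_from = effective_dmarc(domain, org)
    tags, bimi_from = bimi_record(domain, org)
    return {"policy": policy, "dmarc_from": dmarc_from, "bimi_from": bimi_from,
            "logo": tags.get("l"), "vmc": tags.get("a"),
            "eligible": policy in ENFORCED and bool(tags.get("l"))}

if __name__ == "__main__":
    for host in ("example.com", "mail.example.com", "news.example.com", "shop.example.com"):
        print(host, evaluate(host))
```

In the sample data, `news.example.com` finds the root's BIMI record but is not eligible, because its own `p=none` record replaces the inherited subdomain policy.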
When a subdomain needs its own BIMI record
While inheritance is convenient, there are specific situations where a subdomain should have its own BIMI record. The primary reason is often distinct branding needs. If different departments, brands, or marketing initiatives use subdomains that require their own unique logo display in email clients, then individual BIMI records for those subdomains are necessary.
Another scenario involves Verified Mark Certificates (VMCs). If a subdomain requires a VMC, it typically needs its own BIMI record pointing to that specific certificate. This is particularly relevant when setting up BIMI records for multiple subdomains while excluding the parent or if different sub-brands have different VMCs. Each BIMI record is identified by a selector, similar to how DKIM public keys are identified.
Default BIMI inheritance
Root DMARC policy: The organizational domain has a DMARC policy (p=quarantine or p=reject) with an sp tag that applies to subdomains.
No subdomain record: The specific subdomain sending email does not have its own DMARC or BIMI TXT record.
DMARC alignment: Emails sent from the subdomain still pass SPF or DKIM authentication and achieve DMARC alignment with the root domain.
Specific subdomain BIMI setup
Unique branding: Different logos are required for different subdomains, necessitating separate BIMI records.
Separate DMARC policy: A subdomain has its own DMARC record, overriding the root domain's sp tag.
VMC requirements: A Verified Mark Certificate is acquired for a specific subdomain, which must be referenced in its own BIMI record.
The Brand Indicators for Message Identification (BIMI) specification (currently in draft status) outlines how domain owners communicate their desired indicators through the BIMI Assertion Record in DNS. This document serves as the authoritative source for how these records should be formatted and evaluated, including the hierarchy of domain and subdomain records.
Key considerations and potential challenges
Regardless of whether you rely on inheritance or explicit subdomain records, a strong DMARC policy is non-negotiable for BIMI. Without DMARC enforcement, your BIMI logo simply won't display. This emphasizes the importance of meticulously configuring your DMARC records and monitoring their impact. Tools that provide comprehensive DMARC reporting and insights are invaluable for ensuring your policies are correctly applied and that your emails are consistently authenticating.
It is also worth noting that DMARC standards are evolving. There's a future update, known as DMARCbis, that may introduce changes to how DMARC records are evaluated, particularly for deeper levels of subdomains (e.g., fourth-level domains) due to a concept called "Treewalk." These potential changes might necessitate updates to BIMI documentation and evaluation processes down the line. Staying informed about these developments is crucial for long-term email security and branding.
Warning: Without a DMARC policy set to p=quarantine or p=reject (either on the subdomain itself or inherited via the sp tag from the root domain), your BIMI logo will not appear. DMARC enforcement is a strict prerequisite for BIMI to function.
Effective DMARC monitoring is critical for correctly implementing BIMI and maintaining email deliverability. Suped offers advanced DMARC reporting and monitoring, providing AI-powered recommendations to help you fix issues and strengthen your policy. Our platform includes real-time alerts, a unified dashboard for DMARC, SPF, and DKIM, and SPF flattening, making it simple for businesses of all sizes, including MSPs, to manage their email authentication. With Suped, you can ensure your BIMI implementation is solid and your brand is consistently protected.
Views from the trenches
Best practices
Always ensure your root domain's DMARC policy includes a strong 'sp' (subdomain policy) tag.
Regularly monitor your DMARC reports to identify authentication failures on subdomains.
If subdomains have unique branding needs, set up individual BIMI records for each of them.
Common pitfalls
Forgetting to set an 'sp' tag on your root DMARC record, preventing subdomain inheritance.
Assuming BIMI will work on subdomains without an enforced DMARC policy (p=quarantine/reject).
Not accounting for DMARCbis changes, especially for deeper subdomain levels in the future.
Expert tips
Use DMARC monitoring to get an overview of all your sending sources and ensure they are authenticating correctly. This is crucial for BIMI.
Even with inheritance, consider explicit subdomain BIMI records for critical sending subdomains to ensure maximum control and visibility.
If you're using a VMC, ensure the BIMI record correctly points to it for all domains where you expect the logo to display.
Expert view
Expert from Email Geeks says a root domain BIMI record will generally apply to subdomains if there's no specific record on the subdomain and the DMARC policy is correctly set.
2024-09-24 - Email Geeks
Expert view
Expert from Email Geeks says that the 'sp' tag on the root DMARC record, when set to 'quarantine' or 'reject', is sufficient for subdomains to inherit the policy and allow BIMI to work, provided no overriding record exists on the subdomain.
2024-09-24 - Email Geeks
Bringing it all together
In summary, a root domain BIMI record can indeed apply to subdomains without their own explicit record, provided the organizational DMARC policy is set to enforcement (p=quarantine or p=reject) and includes an appropriate sp tag. This inheritance simplifies BIMI deployment for many organizations, but careful attention to DMARC configuration and authentication alignment remains paramount.
While this setup works for general branding, specific branding needs or VMC requirements for subdomains will necessitate individual BIMI records. As DMARC standards continue to evolve, staying updated and using reliable monitoring tools will be crucial for maintaining brand visibility and email security.
To ensure your BIMI implementation is robust and your email ecosystem is secure, consider leveraging a dedicated DMARC monitoring platform like Suped. Our comprehensive DMARC monitoring, AI-powered recommendations, and real-time alerts provide the insights needed to confidently manage your domains and ensure your brand's logo is consistently displayed.