The question of whether DMARC (Domain-based Message Authentication, Reporting, and Conformance) and BIMI (Brand Indicators for Message Identification) necessitate a p=reject policy on the organizational domain is a common point of confusion for email senders. While p=reject offers the highest level of enforcement, it is not always a strict requirement. For BIMI specifically, a DMARC policy of at least p=quarantine is often sufficient to meet the authentication prerequisites. The primary goal is strong DMARC enforcement across your whole domain hierarchy, so that spoofing is prevented while legitimate mail continues to be delivered.
Key findings
BIMI requirements: For BIMI to display a brand logo, the organizational domain must have a DMARC policy of at least p=quarantine or p=reject, not necessarily p=reject exclusively. This ensures proper email authentication and prevents spoofing, a core requirement for BIMI adoption. For more details, see the BIMI Group FAQs.
Organizational domain importance: A strong DMARC policy on the organizational domain is crucial because attackers can spoof the root domain even if subdomains have their own policies. If the organizational domain lacks a protective DMARC policy, spoofing remains a significant risk.
Policy progression: The recommended approach to DMARC implementation is to start with p=none, monitor reports, and then gradually transition to p=quarantine or p=reject once confident in authentication alignment. This process is essential for avoiding legitimate mail blocking, as discussed in our guide on safely implementing DMARC p=reject.
Subdomain coverage: The DMARC policy for the organizational domain also applies to subdomains by default, unless a specific subdomain has its own DMARC record. This hierarchical application is key to comprehensive domain protection, as explained in our article on DMARC policies for organizational domains and subdomains.
Key considerations
DMARC policy strength: While p=reject offers the strongest protection against spoofing, p=quarantine is often sufficient for meeting BIMI requirements and provides a safer transition path for domains with complex sending infrastructures.
Monitoring DMARC reports: Regardless of the chosen policy, continuous monitoring of DMARC reports is essential. These reports provide insight into email authentication failures and help identify legitimate mail streams that are misaligned, so that your own mail is not accidentally blocked or blocklisted once enforcement begins.
Impact on email deliverability: Improperly configured DMARC policies, especially p=reject, can lead to legitimate emails being rejected or sent to spam. It is vital to ensure all sending sources are properly authenticated with SPF and DKIM before moving to enforcement policies. Learn more about email deliverability issues.
BIMI implementation strategy: While BIMI offers brand visibility benefits, its implementation should follow a careful DMARC rollout plan. Ensuring a stable DMARC p=quarantine or p=reject policy on the organizational domain is the foundational step for a successful BIMI deployment. The BIMI Group's Implementation Guide provides further guidance.
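The "monitor at p=none, then move to enforcement" progression and the report monitoring described above come down to reading the aggregate (rua) reports and sorting sending sources into those that already pass DMARC, those that authenticate but do not align (the ones that break once p=quarantine or p=reject is published), and those that fail outright. The following is an added example, not code from this page or from any vendor it cites; the report XML, domains and IP addresses are constructed placeholders.

```python
# Added example (not from the page): summarise one DMARC aggregate (rua) report
# to see what a move from p=none to enforcement would do to current traffic.
# Each source IP is classified as
#   aligned                 - DMARC passes; safe under any policy
#   authenticated_unaligned - SPF/DKIM pass for another domain only, so the mail
#                             would fail once p=quarantine/p=reject is published
#   unauthenticated         - nothing passes; typically spoofing or an unknown sender
# The report below is constructed; example.com and the IPs are placeholders.

import xml.etree.ElementTree as ET
from typing import Dict, List

CONSTRUCTED_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.example.net</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Severity order used when one IP appears in several records.
RANK = {"aligned": 0, "authenticated_unaligned": 1, "unauthenticated": 2}


def classify_sources(xml_text: str) -> Dict[str, Dict[str, object]]:
    """Return {source_ip: {"count": n, "class": ...}} for one aggregate report."""
    root = ET.fromstring(xml_text)
    sources: Dict[str, Dict[str, object]] = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated/dkim and /spf are the aligned results: DMARC passes
        # when either identifier aligns with the From: domain.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        auth = rec.find("auth_results")
        # auth_results holds the raw SPF/DKIM outcomes, alignment ignored.
        raw_pass = auth is not None and any(r.findtext("result") == "pass" for r in auth)
        if aligned:
            cls = "aligned"
        elif raw_pass:
            cls = "authenticated_unaligned"
        else:
            cls = "unauthenticated"
        entry = sources.setdefault(ip, {"count": 0, "class": cls})
        entry["count"] += count
        if RANK[cls] > RANK[entry["class"]]:
            entry["class"] = cls
    return sources


def enforcement_impact(sources: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Estimate what publishing p=quarantine or p=reject would do to this traffic."""
    would_fail = sum(s["count"] for s in sources.values() if s["class"] != "aligned")
    # Sources that authenticate for the wrong domain are usually legitimate
    # senders (an ESP, a ticketing tool) whose alignment must be fixed first.
    fix_first: List[str] = sorted(ip for ip, s in sources.items()
                                  if s["class"] == "authenticated_unaligned")
    return {"messages_would_fail": would_fail, "fix_alignment_for": fix_first}


if __name__ == "__main__":
    classified = classify_sources(CONSTRUCTED_REPORT)
    for ip, info in classified.items():
        print(f"{ip:16} {info['count']:5d}  {info['class']}")
    print(enforcement_impact(classified))
```

In the constructed report the ESP at 198.51.100.7 passes raw SPF and DKIM but for its own domains, which is exactly the stream that "works" at p=none and is quarantined or rejected the day enforcement is published; the 203.0.113.99 traffic fails everything and is what enforcement is meant to stop.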
Email marketers often navigate the complexities of DMARC and BIMI with a focus on practical application and immediate impact on deliverability. Their experiences highlight the balance between stringent security policies and ensuring emails reach the inbox without issues. While some may initially question the necessity of a strong DMARC policy on a non-sending organizational domain, practical experience and the pursuit of BIMI often clarify its importance.
Key opinions
Initial confusion: Many marketers initially find the concept of publishing a p=reject policy on a domain that doesn't directly send emails counterintuitive, leading to questions about the latest DMARC updates.
BIMI as a driver: The requirement for DMARC enforcement (at least p=quarantine or p=reject) for BIMI often becomes the primary motivation for marketers to implement stricter DMARC policies on their organizational domains.
Holistic domain protection: There's a growing understanding that a DMARC policy on the organizational domain is essential to prevent spoofing of the root domain, even if specific subdomains have their own policies.
Gradual enforcement preferred: Marketers generally prefer a phased approach to DMARC enforcement, starting with a monitoring policy and moving to quarantine or reject only after verifying all legitimate email flows are aligned. This minimizes the risk of legitimate emails being blocked or landing on a blocklist.
Key considerations
Balancing security and deliverability: Marketers must carefully consider the impact of DMARC policies on deliverability. A strict p=reject policy without proper alignment can cause legitimate emails to fail, impacting campaigns and sender reputation. This is why understanding when to use DMARC policies is critical.
Vendor guidance: Some marketers rely on information from ESPs or other vendors regarding DMARC and BIMI requirements, which may not always align perfectly with the core specifications. It's important to cross-reference such information with official sources.
Subdomain management: Even if subdomains have their own DMARC records, the organizational domain's policy still plays a crucial role in overall domain protection. Marketers need to ensure consistency and proper inheritance across all domains and subdomains.
BIMI specific requirements: For BIMI, the DMARC policy on the organizational domain must be at p=quarantine or p=reject. Marketers should prioritize getting to one of these enforcement policies to leverage BIMI benefits. Learn more about BIMI requirements and implementation steps.
Marketer view
Email marketer from Email Geeks wondered if a p=reject policy was truly necessary on the organizational domain, expressing confusion given that the domain might not send emails directly. This highlighted a common misunderstanding of DMARC's hierarchical application.
19 Feb 2020 - Email Geeks
Marketer view
Marketer from The SSL Store states that to enable BIMI, you must set your DNS's DMARC record to p=reject or p=quarantine. This emphasizes the importance of DMARC enforcement for brand visibility.
15 Jan 2025 - The SSL Store
What the experts say
Email deliverability experts consistently emphasize the importance of a robust DMARC policy at the organizational domain level for comprehensive email security and brand protection. They highlight that DMARC's effectiveness against spoofing is significantly reduced if the root domain is not under an enforcement policy, even if subdomains are protected. The nuanced requirement for BIMI, accepting p=quarantine alongside p=reject, is also a key point of clarification from experts.
Key opinions
Root domain protection: Experts agree that for DMARC to be truly effective, the organizational domain must have a policy that is at least as strict as any subdomain. Otherwise, bad actors can simply spoof the root domain, rendering subdomain policies less impactful.
BIMI flexibility: While p=reject is the strongest, BIMI generally accepts a DMARC policy of p=quarantine on the organizational domain as sufficient for its requirements.
No updates missed: The need for a strong organizational DMARC policy isn't a new update but rather a fundamental aspect of DMARC's design to prevent broad domain spoofing.
Preventing widespread abuse: Without an organizational DMARC policy, spammers and phishers can exploit the lack of enforcement, potentially leading to brand damage and an increased risk of the domain being blocklisted.
Key considerations
Transitioning policies safely: While the end goal might be p=reject for maximum protection, experts strongly advise a cautious transition through p=none and p=quarantine to avoid disrupting legitimate email flows, as detailed in our guide on safely transitioning DMARC policy.
Alignment is key: For DMARC to work, email sources must properly align with SPF and DKIM. Experts stress that without this alignment, even a p=reject policy will block legitimate mail, leading to deliverability issues.
Subdomain handling: Experts advise a consistent strategy for subdomains, either by explicitly defining policies for active subdomains or allowing the organizational domain's policy to apply to all subdomains through the sp tag. This is a critical aspect of DMARC best practices.
BIMI readiness: To fully leverage BIMI for brand visibility, experts confirm that the DMARC policy on the organizational domain must indeed be at an enforcement level (quarantine or reject). More on this can be found at Mailgun's BIMI explanation.
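The subdomain handling point above, and the earlier "Subdomain coverage" finding, both rest on the DMARC discovery rule: a subdomain with its own _dmarc record is governed by that record; otherwise the organizational domain's record applies, with the sp tag covering subdomains and defaulting to p when absent. The code below is an added example, not code from this page or from the BIMI Group, that resolves the effective policy for a sending domain and then checks the organizational domain against the enforcement prerequisite described on this page. It uses a constructed in-memory zone instead of real DNS, takes the organizational domain to be the last two labels (an assumption; RFC 7489 uses the Public Suffix List), and, beyond what the page states, checks the BIMI specification's requirement that pct=100 accompany p=quarantine.

```python
# Added example (not from the page or the BIMI Group): DMARC policy discovery
# for a From: domain, including inheritance of the organizational domain's
# p=/sp= tags by subdomains, plus a BIMI readiness check on the organizational
# domain. All DNS data is a constructed in-memory zone; nothing is looked up.

from typing import Dict, List, Optional, Tuple

# Constructed stand-in for TXT lookups of _dmarc.<name>; example.com is a
# placeholder organizational domain.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "_dmarc.example.com":
        "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    # A subdomain with its own record overrides the inherited sp= policy.
    "_dmarc.news.example.com":
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Same layout, but the organizational domain is still only monitoring while a
# sending subdomain enforces: the situation the experts above warn against.
WEAK_ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=reject",
}

ENFORCEMENT = {"quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption for this example: the organizational domain is the last two
    labels. RFC 7489 derives it from the Public Suffix List instead, which
    matters for names such as example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(sending_domain: str,
                     zone: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (policy, domain whose record supplied it) for mail with
    From: <sending_domain>, or None when no DMARC record is found."""
    sending_domain = sending_domain.lower()
    own = zone.get(f"_dmarc.{sending_domain}")
    if own is not None:
        return parse_dmarc(own).get("p", "none"), sending_domain
    org = organizational_domain(sending_domain)
    if org == sending_domain:
        return None
    inherited = zone.get(f"_dmarc.{org}")
    if inherited is None:
        return None
    tags = parse_dmarc(inherited)
    # Subdomain without its own record: sp= applies, falling back to p=.
    return tags.get("sp", tags.get("p", "none")), org


def bimi_ready(org_domain: str, zone: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Check the organizational domain's record against the BIMI prerequisite:
    enforcement (quarantine or reject) on the domain and on its subdomains."""
    record = zone.get(f"_dmarc.{org_domain.lower()}")
    if record is None:
        return False, ["no DMARC record on the organizational domain"]
    tags = parse_dmarc(record)
    p = tags.get("p", "none")
    sp = tags.get("sp", p)  # subdomain policy defaults to p=
    problems: List[str] = []
    if p not in ENFORCEMENT:
        problems.append(f"p={p} is not an enforcement policy")
    if sp not in ENFORCEMENT:
        problems.append(f"sp={sp} leaves subdomains without enforcement")
    # The BIMI specification also requires pct=100 together with p=quarantine
    # (a requirement of the published BIMI spec, not stated on this page).
    if p == "quarantine" and tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} must be 100 with p=quarantine")
    return not problems, problems


if __name__ == "__main__":
    for name in ("example.com", "news.example.com", "shop.example.com"):
        print(name, "->", effective_policy(name, CONSTRUCTED_ZONE))
    print("BIMI ready (constructed zone):", bimi_ready("example.com", CONSTRUCTED_ZONE))
    print("BIMI ready (weak zone):", bimi_ready("example.com", WEAK_ZONE))
```

Resolving shop.example.com in the constructed zone yields reject via the organizational domain's sp tag, while news.example.com keeps its own p=none; in the weak zone a message spoofing example.com or any unlisted subdomain gets p=none regardless of the p=reject on mail.example.com, which is why the organizational domain's policy, not the subdomain's, is what BIMI checks.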
Expert view
Expert from Email Geeks clarified that if you don't have a DMARC policy at the organizational level that's at least as strict as the one on the subdomain, there's little point in doing DMARC at all. This highlights the foundational nature of the root domain's policy.
19 Feb 2020 - Email Geeks
Expert view
Expert from Word to the Wise suggests that an organizational DMARC policy is critical to catch spoofing attempts on the main domain, even when subdomains are used for sending. They emphasize that DMARC is about protecting the domain from unauthorized use, not just controlling outbound mail.
10 Apr 2024 - Word to the Wise
What the documentation says
Official documentation from organizations like the BIMI Group consistently outlines the requirements for DMARC policies in relation to BIMI implementation. These sources serve as definitive guides, clarifying that while p=reject is an option, a DMARC policy of at least p=quarantine on the organizational domain is sufficient to satisfy BIMI's technical prerequisites. The documentation emphasizes the importance of a strong DMARC policy for proper email authentication and preventing unauthorized use of a brand's domain.
Key findings
BIMI DMARC policy: BIMI requires a DMARC policy of p=quarantine or p=reject to be present on the organizational domain for brand logo display.
Organizational domain enforcement: The DMARC policy must be at an enforcement level on the organizational domain and its subdomains for BIMI to work effectively and for overall domain protection.
DMARC as a prerequisite: BIMI implementation is contingent upon proper DMARC configuration and enforcement. Without it, BIMI cannot be operationalized.
Policy strength for protection: Documentation confirms that DMARC policies like p=quarantine or p=reject are necessary to provide protective action against unauthenticated emails.
Key considerations
Clear policy definition: Documentation provides clear examples of DMARC records, including p=quarantine and p=reject, assisting in proper setup. Refer to our DMARC record and policy examples for practical insights.
Consistency across subdomains: The documentation underscores that the organizational domain's DMARC policy applies to subdomains unless overridden, ensuring comprehensive brand protection across all sending identities.
Authentication standards: BIMI relies heavily on established email authentication protocols like SPF and DKIM being correctly implemented and aligning with the DMARC record. This reinforces the interconnectedness of these standards.
Evolution of requirements: While p=none was once a common starting point, the trend in email authentication, driven by initiatives like BIMI, is towards stronger enforcement policies to combat phishing and spoofing. You can explore a more comprehensive view of these protocols in our simple guide to DMARC, SPF, and DKIM.
Technical article
Documentation from BIMI Group states that senders will need an email sending domain with a DMARC policy of at least quarantine or reject. This is a direct requirement for operationalizing BIMI.
20 Aug 2020 - BIMI Group FAQs
Technical article
Documentation from BIMI Group's Implementation Guide specifies that the DMARC policy MUST be at enforcement on the organizational domain and subdomains, with options being Quarantine (p=quarantine; sp=quarantine) or Reject policy (p=reject; sp=reject).