Do DMARC and BIMI require p=reject to be present on the organizational domain?
Matthew Whittaker
Co-founder & CTO, Suped
Published 19 Jun 2025
Updated 19 Aug 2025
8 min read
Many email senders, especially those aiming for enhanced brand visibility with Brand Indicators for Message Identification (BIMI), wonder what DMARC policy their organizational domain must publish. It is a common misconception that p=reject is strictly necessary. p=reject offers the strongest enforcement, but BIMI accepts either enforcing policy. Understanding how DMARC policies apply to your organizational domain (example.com) versus its subdomains (news.example.com) is crucial for both security and a successful BIMI rollout.
The core of the matter revolves around ensuring proper authentication and demonstrating that you, as the domain owner, have control over the email sending. This is why DMARC plays a foundational role in enabling BIMI. Let's delve into the requirements and implications to clarify what's truly needed for your domains.
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps protect your domain from spoofing and phishing. It builds upon SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by providing instructions to receiving mail servers on how to handle emails that fail authentication. Your DMARC policy is defined by the p= tag in your DMARC record.
There are three main policy options you can set:
p=none: This policy instructs receiving mail servers to take no action on emails that fail DMARC. Provided the record also carries a rua= address, you still receive aggregate reports, which is why p=none is used for monitoring: it shows you every stream sending as your domain, legitimate or not, before any enforcement is applied.
p=quarantine: With p=quarantine, receiving mail servers are asked to treat emails that fail DMARC as suspicious, which in practice means the recipient's spam or junk folder. This provides a balance between enforcement and caution and is the usual intermediate step before reject.
p=reject: This is the strictest policy. When p=reject is set, receiving servers are asked to refuse emails that fail DMARC outright, typically at SMTP time, so they reach neither the inbox nor the spam folder. This offers the highest level of protection against spoofing. Note that DMARC is a request, not a command: RFC 7489 lets receivers apply local policy, so a few providers may still quarantine rather than reject.
The choice of policy depends on your domain's sending patterns and your comfort level with potential legitimate email blocking. For many, transitioning slowly from p=none to p=quarantine and then to p=reject is a recommended approach. You can learn more about safely implementing a DMARC p=reject policy.
DMARC policy requirements for BIMI
When it comes to Brand Indicators for Message Identification (BIMI), the DMARC policy on your organizational domain plays a critical role. BIMI allows your brand's logo to appear next to your email messages in supported inboxes, enhancing brand recognition and trust. However, BIMI has specific DMARC requirements to ensure that only authenticated and legitimate senders can display a logo.
BIMI requires that your organizational domain (the primary domain, not just a subdomain) has a DMARC policy set to either p=quarantine or p=reject. A p=none policy is not sufficient for BIMI enablement. The BIMI Group's FAQs add two further conditions on that record: if the policy is p=quarantine, the pct= tag must be absent or 100 (a partially applied quarantine does not count as enforcement), and the subdomain policy tag sp=, if present, must not be none, since sp=none would leave every subdomain spoofable under a logo-bearing brand. Together these ensure that your domain is actively protected against spoofing, preventing unauthorized parties from displaying your logo.
Even if you send emails from subdomains with their own DMARC records, the organizational domain's DMARC policy is what BIMI validators check. This is because the organizational domain serves as the root of your brand's email identity. Without an enforced DMARC policy at this level, the integrity required for BIMI cannot be guaranteed. This also answers the question of whether BIMI requires DMARC at the organizational level.
Key BIMI DMARC policy states
p=none: Not supported by BIMI. Emails that fail DMARC will still be delivered, but your logo will not display.
p=quarantine: Supported by BIMI (with pct=100 or no pct tag). Emails that fail DMARC are sent to spam, and your logo can display.
p=reject: Supported by BIMI. Emails that fail DMARC are rejected, and your logo can display. This offers the strongest brand protection.
Organizational domain DMARC and its importance
The question of whether p=reject needs to be present on the organizational domain is often linked to the broader security implications of DMARC. Even if your organizational domain, say example.com, doesn't directly send emails, having a DMARC record on it is vital. This is because attackers commonly spoof the organizational domain to launch phishing attacks, leveraging its trust and familiarity.
An organizational domain DMARC policy, even if set to p=quarantine, is crucial for protecting your brand's overall email integrity. It tells mail servers how to handle emails claiming to be from your main domain, preventing bad actors from sending fraudulent messages that appear to originate from your brand. Without this, even if your subdomains are perfectly protected, your main brand remains vulnerable. Many authorities, including Google, emphasize this organizational-level enforcement.
Brand protection: Prevents malicious actors from spoofing your main domain.
Policy inheritance: A subdomain that publishes no _dmarc record of its own falls under the organizational domain's record: the p= policy by default, or the sp= policy if that tag is set. This is what gives you consistent coverage across your email ecosystem, and it is also why sp=none on the organizational domain quietly undoes the protection for every subdomain. You can explore how an organizational DMARC policy covers subdomains for BIMI.
BIMI eligibility: As discussed, BIMI mandates an enforced DMARC policy (quarantine or reject) at the organizational level to display your logo.
Therefore, while a p=reject policy isn't the only option for BIMI, an enforced DMARC policy (either p=quarantine or p=reject) on the organizational domain is a non-negotiable requirement for both brand protection and BIMI adoption.
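The eligibility rules above (an enforcing p=, pct=100 when that policy is quarantine, no sp=none, and subdomains inheriting p= or sp= when they publish no record of their own) are easy to get wrong by eye. The following parser is an added example, not Suped's tooling or the BIMI Group's validator: it reads a DMARC TXT value and applies those rules. The sample records are constructed; the pct and sp checks follow the BIMI Group FAQ, and treating p=reject with pct below 100 as still enforcing follows RFC 7489 section 6.6.4, where the unsampled remainder is handled as quarantine rather than none.

```python
"""Parse a DMARC TXT record and decide whether it meets BIMI's policy prerequisites.

Added example, not Suped's or the BIMI Group's code. Rules applied:
  - p= must be quarantine or reject (BIMI Group FAQ)
  - if p=quarantine, pct= must be absent or 100 (BIMI Group FAQ)
  - sp=, if present, must not be none (BIMI Group FAQ)
  - p=reject with pct<100 still enforces: RFC 7489 s.6.6.4 treats the
    unsampled remainder as quarantine, so it is not downgraded here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    p: str
    sp: Optional[str]
    pct: int
    adkim: str
    aspf: str
    rua: Optional[str]


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse 'v=DMARC1; p=...; ...' into its tags. Raises ValueError on a malformed record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:                   # RFC 7489: p= is required on the org domain
        raise ValueError("p= tag is required")
    p = tags["p"].lower()
    if p not in VALID_POLICIES:
        raise ValueError(f"unknown policy {p!r}")
    sp = tags.get("sp")
    if sp is not None:
        sp = sp.lower()
        if sp not in VALID_POLICIES:
            raise ValueError(f"unknown subdomain policy {sp!r}")
    pct = int(tags.get("pct", "100"))     # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcRecord(
        p=p, sp=sp, pct=pct,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=tags.get("rua"),
    )


def effective_policy(org: DmarcRecord, is_subdomain: bool) -> str:
    """Policy a receiver applies to mail from the org domain, or from a subdomain
    that publishes no DMARC record of its own: sp= governs subdomains when present, else p=."""
    if is_subdomain and org.sp is not None:
        return org.sp
    return org.p


def bimi_eligible(rec: DmarcRecord) -> Tuple[bool, str]:
    """Return (eligible, reason) for the organizational domain's DMARC record."""
    if rec.p == "none":
        return False, "p=none is monitoring only; BIMI needs quarantine or reject"
    if rec.p == "quarantine" and rec.pct != 100:
        return False, f"p=quarantine with pct={rec.pct}; BIMI needs pct=100 or no pct tag"
    if rec.sp == "none":
        return False, "sp=none leaves subdomains unenforced; BIMI does not accept it"
    return True, f"p={rec.p} with an enforced subdomain policy"


if __name__ == "__main__":
    # Constructed sample records; the first one is the shape of this article's example record.
    for txt in (
        "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; adkim=r; aspf=r;",
        "v=DMARC1; p=none; rua=mailto:reports@example.com",
        "v=DMARC1; p=quarantine; pct=50",
        "v=DMARC1; p=reject; sp=none",
    ):
        ok, why = bimi_eligible(parse_dmarc(txt))
        print(f"{'OK ' if ok else 'NO '} {txt!r}: {why}")
```

Point it at the value returned by dig TXT _dmarc.yourdomain.com to check a live record; the functions take the raw TXT string, so no DNS library is needed.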
p=quarantine
This policy directs mail servers to place unauthenticated emails into the recipient's spam folder. It's often seen as a safer step before moving to full rejection.
Impact: Emails failing DMARC typically land in spam.
BIMI: Fully compatible.
Deployment: Less risky than reject, as legitimate misconfigured emails might still be delivered to spam, allowing for easier detection during rollout.
p=reject
This policy tells mail servers to outright block any emails that fail DMARC authentication. It provides the highest level of protection.
Impact: Emails failing DMARC are completely blocked, not delivered.
BIMI: Fully compatible.
Deployment: Requires careful rollout and thorough monitoring of DMARC reports, because any legitimate stream that fails alignment is dropped rather than landing in spam where someone might notice it.
Implementing the correct DMARC policy
To successfully implement DMARC for BIMI, or just for stronger email security, begin with a p=none policy and carefully monitor your DMARC reports. This phase is crucial for identifying all legitimate sending sources for your domain and subdomains. Misconfigurations can lead to legitimate emails being quarantined or rejected once you switch to a stronger policy. You can use our DMARC monitoring tools to gain insights.
Once you are confident that every legitimate email stream passes SPF or DKIM with an aligned identifier (the RFC5321.MailFrom domain or the DKIM d= domain matching the From: domain under your aspf/adkim mode), you can move your DMARC policy to p=quarantine. This is the first enforcement step and will route unauthenticated mail to the spam folder. Keep monitoring your DMARC reports closely during this period for any unexpected issues. This transition should be done carefully, as discussed in best practices for implementing DMARC policies.
Finally, if your goal is the highest level of email security and brand protection (and you are ready for the implications), you can transition to p=reject. For BIMI, either p=quarantine or p=reject will work, but p=reject offers the strongest defense against spoofing. Remember that Google and Yahoo's bulk-sender requirements, in force since February 2024, already require a published DMARC record (p=none at minimum) for senders of 5,000 or more messages a day, so an enforced policy is the natural next step rather than an exotic one.
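What "carefully monitor your DMARC reports" means in practice is reading the aggregate (rua) XML that receivers mail you and separating three kinds of source: aligned, legitimate-but-unaligned, and unauthenticated. The script below is an added example, not Suped's monitoring tooling. The report it parses is a constructed sample in the RFC 7489 Appendix C format; the IP addresses and domains in it are documentation values, not real senders.

```python
"""Summarize a DMARC aggregate (rua) report so the p=none phase actually surfaces
the streams that will break at p=quarantine or p=reject.

Added example, not Suped's code. SAMPLE_REPORT is a constructed report in the
RFC 7489 Appendix C schema with documentation IPs (RFC 5737) and example domains.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>espmail.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.espmail.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str) -> Dict:
    """Classify each source IP in an aggregate report.

    policy_evaluated/dkim and /spf are the *aligned* DMARC results; auth_results holds the
    raw SPF/DKIM outcomes. A raw pass without an aligned pass is the classic ESP that signs
    with its own d= domain: legitimate mail that enforcement would start quarantining.
    """
    root = ET.fromstring(report_xml)
    published = {c.tag: c.text for c in root.find("policy_published")}
    sources: Dict[str, Dict] = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        aligned_pass = (evaluated.findtext("dkim") == "pass"
                        or evaluated.findtext("spf") == "pass")
        raw_pass = [(a.tag, a.findtext("domain"))
                    for a in rec.find("auth_results") if a.findtext("result") == "pass"]
        if aligned_pass:
            verdict = "aligned"
        elif raw_pass:
            verdict = "unaligned"          # fix alignment at this sender before enforcing
        else:
            verdict = "unauthenticated"    # no passing identifier: unknown sender or spoof
        sources[ip] = {"count": count, "verdict": verdict, "raw_pass": raw_pass}
    return {"policy": published, "sources": sources}


def streams_to_fix(summary: Dict) -> List[str]:
    """Sources that pass raw SPF/DKIM but fail alignment: the ones a move to enforcement would break."""
    return sorted(ip for ip, s in summary["sources"].items() if s["verdict"] == "unaligned")


def volume_at_risk(summary: Dict) -> int:
    """Messages that would be quarantined or rejected if the policy were enforced today."""
    return sum(s["count"] for s in summary["sources"].values() if s["verdict"] != "aligned")


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("published policy:", summary["policy"]["p"])
    for ip, s in summary["sources"].items():
        print(f"{ip:15} {s['count']:5d} {s['verdict']:16} raw passes: {s['raw_pass']}")
    print("fix before enforcing:", streams_to_fix(summary))
    print("messages at risk:", volume_at_risk(summary))
```

In the sample, 198.51.100.7 is the case to chase: SPF and DKIM both pass, but for the ESP's domains rather than example.com, so the fix is a custom DKIM key with d=example.com or a custom return-path subdomain. 192.0.2.99 has no passing identifier at all and is what enforcement exists to stop.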
DMARC record for example.com (plain text)
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; ruf=mailto:forensic@example.com; adkim=r; aspf=r;"
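The adkim=r and aspf=r tags in that record decide which SPF or DKIM passes actually count toward DMARC, and that alignment step is where most enforcement surprises come from. The code below is an added example, not Suped's code: it evaluates alignment the way a receiver does for a few constructed message scenarios. It assumes a tiny embedded subset of the Public Suffix List to derive organizational domains (a stand-in; real receivers use the full list), and the SPF and DKIM outcomes it consumes are constructed inputs rather than live checks.

```python
"""Evaluate DMARC identifier alignment (adkim= / aspf=) and the resulting disposition.

Added example, not Suped's code. PUBLIC_SUFFIXES is a constructed subset of the
Public Suffix List, just enough for the sample domains; the authentication results
fed in below are constructed, not the output of real SPF/DKIM verification.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # stand-in for the real PSL


def organizational_domain(domain: str) -> str:
    """RFC 7489 s.3.2: the public suffix plus the one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)                         # unknown suffix: treat as-is


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match with the From: domain. Relaxed ('r'): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str                         # RFC5322.From domain the policy is applied to
    spf_result: str                          # 'pass' / 'fail' / 'none' for the RFC5321.MailFrom domain
    spf_domain: str
    dkim_results: List[Tuple[str, str]] = field(default_factory=list)   # (d= domain, result)


def dmarc_pass(res: AuthResults, adkim: str = "r", aspf: str = "r") -> Tuple[bool, str]:
    """DMARC passes when at least one identifier both authenticates and aligns."""
    if res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, aspf):
        return True, f"spf aligned ({aspf}) for {res.spf_domain}"
    for d, result in res.dkim_results:
        if result == "pass" and aligned(d, res.from_domain, adkim):
            return True, f"dkim aligned ({adkim}) d={d}"
    return False, "no authenticated identifier aligns with the From: domain"


def disposition(passed: bool, p: str) -> str:
    """What the receiver is asked to do with the message under the published p= policy."""
    if passed:
        return "deliver"
    return {"none": "deliver (report only)", "quarantine": "spam folder", "reject": "reject"}[p]


if __name__ == "__main__":
    adkim, aspf, p = "r", "r", "quarantine"      # the tags from the record above
    scenarios = {
        # ESP sends for example.com: SPF passes for the ESP's bounce domain (unaligned),
        # but the mail is DKIM-signed with d=example.com, so DMARC passes via DKIM.
        "esp with customer DKIM": AuthResults("example.com", "pass", "bounce.espmail.net",
                                              [("example.com", "pass")]),
        # Newsletter from a subdomain signed by the org domain: passes relaxed, fails strict.
        "subdomain From, org DKIM": AuthResults("news.example.com", "fail", "news.example.com",
                                                [("example.com", "pass")]),
        # Spoof: SPF passes for the attacker's own domain, no DKIM for example.com at all.
        "spoof with attacker SPF": AuthResults("example.com", "pass", "attacker.example"),
    }
    for name, res in scenarios.items():
        ok, why = dmarc_pass(res, adkim, aspf)
        print(f"{name:28} -> {'pass' if ok else 'fail'} ({why}); {disposition(ok, p)}")
```

The second scenario is why relaxed alignment is the sensible default for most brands: switching to adkim=s would fail every subdomain stream that relies on the organizational domain's DKIM key, and under p=quarantine that mail goes straight to spam.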
Views from the trenches
Best practices
Always start DMARC with p=none and thoroughly analyze reports before moving to stricter policies.
Ensure all legitimate email sending sources are correctly authenticated with SPF and DKIM before enforcing DMARC.
Regularly review DMARC aggregate (rua) reports to identify unauthorized sending and alignment problems; failure (ruf) reports are useful where you get them, but most large mailbox providers do not send them, so do not build your rollout around them.
Common pitfalls
Jumping straight to p=reject without proper monitoring can lead to legitimate emails being blocked.
Neglecting to publish a DMARC record on the organizational domain, leaving it vulnerable to spoofing.
Not ensuring SPF and DKIM alignment for all email streams, causing DMARC failures.
Expert tips
Consider using a DMARC management platform to simplify reporting and policy enforcement.
Gradually increase your pct tag value when transitioning from p=none to p=quarantine or p=reject to test the waters, and remember to finish at pct=100 (or remove the tag): BIMI does not accept a partially applied quarantine policy.
Publish a restrictive SPF record (v=spf1 -all) and a DMARC record with p=reject on domains and subdomains that never send email, so they cannot be used to spoof your brand.
Expert view
Expert from Email Geeks says: Having a DMARC policy that is at least as strict as the one on any subdomain you're using is essential; otherwise, DMARC loses much of its protective value.
2020-02-19 - Email Geeks
Expert view
Expert from Email Geeks says: BIMI is indeed compatible with a p=quarantine policy at the organizational level.
2020-02-19 - Email Geeks
Securing your brand and enabling BIMI
Neither DMARC nor BIMI mandates p=reject, but BIMI does require an enforced policy, meaning either p=quarantine or p=reject, on your organizational domain. This is not just a technicality for BIMI, but a fundamental security measure to prevent domain spoofing and protect your brand's reputation. A p=none policy, while useful for monitoring, will not unlock the visual brand benefits of BIMI.
Moving to an enforced DMARC policy requires careful planning and monitoring of DMARC reports to ensure all legitimate email streams are properly authenticated. Whether you choose p=quarantine or p=reject, prioritizing your organizational domain's DMARC setup will significantly enhance your email security posture and pave the way for successful BIMI implementation, displaying your brand logo in recipient inboxes.