The question of whether BIMI requires a DMARC reject policy on the top-level domain, even when subdomains already have one, is a common point of confusion for email senders. This summary aims to clarify the requirements and implications for successful BIMI implementation.
Key findings
DMARC policy necessity: BIMI (Brand Indicators for Message Identification) relies heavily on a robust DMARC implementation. To display a BIMI logo, your domain must have an enforced DMARC policy of at least quarantine or reject. A p=none policy is not sufficient.
Organizational domain requirement: The most crucial aspect for BIMI is that the top-level (organizational) domain must have a DMARC policy set to either quarantine (at pct=100) or reject. This policy cascades down and covers all subdomains, even if individual subdomains also have their own DMARC records.
Subdomain policy scope: While you can implement DMARC for subdomains, and they might have their own reject policies, the BIMI specification requires the organizational domain's policy to be enforced at the quarantine or reject level.
Consistency is key: To ensure reliable BIMI display, the DMARC enforcement policy must be consistently applied at the root domain level. This helps maintain trust and ensures that all mail streams, including those from subdomains, are properly authenticated.
Key considerations
Gradual DMARC enforcement: If your top-level domain is not yet at a quarantine or reject policy, consider a phased approach. Start with DMARC monitoring (p=none) to gather insights, then gradually move to quarantine, and finally to reject. This minimizes disruption to legitimate email.
Impact on unauthenticated mail: Implementing a reject policy on your top-level domain means that any unauthenticated mail, even from currently unused subdomains, will be rejected. Thorough testing and monitoring are essential before making this change.
Subdomain policy (sp) tag: The DMARC sp tag can specify a policy for subdomains that differs from the organizational domain's policy. However, for BIMI, the top-level policy must still be at an enforcement level.
BIMI and subdomain configuration: While the organizational DMARC policy is paramount, BIMI records can be published for specific subdomains using selectors if you wish to display different logos or manage them separately. However, the foundational DMARC policy still needs to be strong at the main domain level.
Email marketers often face challenges balancing brand visibility, email deliverability, and security protocols like DMARC and BIMI. Many are keen to implement BIMI for its branding benefits but are hesitant about enforcing a reject policy at the organizational domain level due to potential deliverability risks for legitimate mail. The discussion frequently revolves around whether subdomain-level DMARC enforcement is sufficient for BIMI display.
Key opinions
BIMI and DMARC enforcement: Many marketers understand that BIMI won't work without a DMARC policy set to at least quarantine. They recognize this as a non-negotiable requirement for displaying their brand logo.
Organizational domain policy: There's a general consensus among marketers that the DMARC policy for the organizational domain must be at an enforcement level (quarantine or reject) for BIMI to function, even if subdomains have their own enforcement policies.
Hesitation with reject policy: Some marketers express reluctance to move their top-level domain to a reject policy due to concerns about potentially blocking legitimate email traffic that might not perfectly align with DMARC.
Subdomain independence: A common question is whether a reject policy on subdomains is enough, highlighting a desire for more granular control without impacting the main domain's broader email ecosystem.
Key considerations
Phased DMARC deployment: Marketers often consider starting with a quarantine policy and closely monitoring DMARC reports before transitioning to reject, allowing them to identify and resolve any authentication issues.
Impact on deliverability: Concerns about email deliverability are paramount when considering a reject policy. Marketers need assurance that legitimate emails will not be impacted.
Brand consistency: While BIMI offers brand consistency in the inbox, marketers must weigh the benefits against the technical hurdles of implementing a strong DMARC policy across their entire domain infrastructure.
Understanding subdomain policies: It is important for marketers to understand that even with individual DMARC records on subdomains, the primary requirement for BIMI is the enforcement policy at the main organizational domain. This is critical for unified brand display across different sending entities within the domain.
Marketer view
Email Marketer from Email Geeks indicates that they are looking into BIMI but currently lack a reject policy for their top-level domain. They are seeking clarification on whether BIMI will still function for emails sent from subdomains which do have a reject policy.
10 Nov 2022 - Email Geeks
Marketer view
Email Marketer from Email Geeks suggests that a DMARC quarantine policy is also acceptable for BIMI, not just reject. This provides a slightly less stringent option for those not ready for full rejection.
10 Nov 2022 - Email Geeks
What the experts say
Email deliverability experts consistently emphasize the importance of a strong DMARC policy at the organizational level for BIMI success. Their insights often focus on the cascading nature of DMARC and the technical requirements to ensure a brand's logo is reliably displayed in supporting inboxes.
Key opinions
DMARC foundation: Experts universally agree that BIMI fundamentally relies on a DMARC policy set to either quarantine or reject at the organizational domain. This is not optional.
Cascading policy: The organizational domain's DMARC policy automatically applies to all subdomains, meaning that if the top-level domain is not at an enforcement policy, BIMI will not work, even for subdomains with stricter policies.
Reject vs. Quarantine: While quarantine (p=quarantine) is technically acceptable for BIMI, some experts suggest that a reject policy (p=reject) provides the highest level of trust and the most consistent BIMI display across all mailbox providers.
Long-term strategy: Many experts advise transitioning to a reject policy as part of a comprehensive email authentication strategy, improving overall deliverability and protection against impersonation.
Key considerations
Careful transition: Experts stress the importance of a meticulous DMARC implementation plan, especially when moving to a reject policy. This includes thorough analysis of DMARC reports to ensure all legitimate sending sources are correctly authenticated.
Subdomain considerations: While subdomains can have their own DMARC records, the primary DMARC record for the main domain dictates the overall enforcement for BIMI. Ensure you understand how organizational DMARC policies cover subdomains.
DNS configuration: Proper DNS configuration for DMARC, SPF, and DKIM is critical. Errors can lead to authentication failures and prevent BIMI display, even with the correct DMARC policy.
Beyond BIMI: Experts often highlight that enforcing DMARC to reject or quarantine not only enables BIMI but also significantly enhances overall email security and sender reputation, reducing spam and phishing attempts.
Expert view
Expert from Email Geeks states that the top-level domain's DMARC policy must be at quarantine or reject for BIMI to work, regardless of subdomain policies. This ensures that the entire domain structure is secure.
15 Jan 2023 - Email Geeks
Expert view
Expert from Word to the Wise advises that while subdomains can have specific DMARC records, the foundational requirement for BIMI remains the organizational domain having a policy of quarantine or reject.
12 Mar 2024 - Word to the Wise
What the documentation says
Official documentation and technical specifications for BIMI and DMARC consistently underscore the requirement for a strong DMARC enforcement policy at the organizational domain level. These documents serve as the authoritative source for understanding the protocol's prerequisites and how subdomains interact with the overall policy.
Key findings
BIMI Group Guidelines: The BIMI Group's official FAQs explicitly state that senders need an email sending domain with a DMARC policy of at least quarantine or reject for BIMI to work. This applies to the organizational domain.
No p=none for BIMI: Technical specifications reiterate that a DMARC policy of p=none does not qualify a domain for BIMI.
BIMI selectors: While BIMI supports selectors for subdomains to allow different logos, the underlying DMARC requirement at the organizational level remains critical for the BIMI record to be honored.
Key considerations
Unified DMARC approach: Documentation implies that a unified DMARC enforcement approach across the primary domain and its subdomains is the most reliable way to ensure BIMI display and overall email authentication.
Impact of sp tag: The DMARC sp tag can be used to set a specific subdomain policy, but this doesn't override the organizational domain's need for an enforced policy to enable BIMI across the board.
Implementation guidance: Official guidance often recommends a DMARC reject policy for full email domain protection, which directly supports BIMI readiness.
BIMI as an enhancement: Documentation positions BIMI as an enhancement to existing email authentication protocols (SPF, DKIM, DMARC), meaning that it layers on top of a fully implemented and enforced DMARC policy.
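As an added example (not code from this page, the BIMI Group or any source quoted here), the following Python applies the rules summarised under Key considerations above and in this documentation section to constructed DMARC records: it consults only the organizational domain's record, so a subdomain's own p=reject does not help while the organizational domain stays at p=none, and it also checks the pct and sp tags. The two-label organizational-domain rule is a simplification assumed for this example; a real implementation derives the organizational domain from the Public Suffix List.

```python
# Constructed sample data for this example (not real DNS): _dmarc TXT records
# keyed by the domain they are published under.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "mail.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "brand.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:d@brand.example",
    "half.example": "v=DMARC1; p=quarantine; pct=50",
    "strict.example": "v=DMARC1; p=reject; sp=none",
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplification assumed for this example: the last two labels. Real DMARC
    implementations derive this from the Public Suffix List (e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def bimi_policy_check(sending_domain, records=DMARC_RECORDS):
    """Return (eligible, reason). Only the organizational domain's record is
    consulted, so a subdomain's own p=reject cannot compensate for p=none at
    the organizational domain. Rules as summarised on this page: p must be
    quarantine or reject; quarantine must be at pct=100 (absent pct means 100);
    sp, if present, must not be none."""
    org = organizational_domain(sending_domain)
    txt = records.get(org)
    if txt is None:
        return False, f"no DMARC record at _dmarc.{org}"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, f"record at _dmarc.{org} is not a DMARC1 record"
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        return False, f"{org} has p={p or 'missing'}, not an enforcement policy"
    if p == "quarantine" and tags.get("pct", "100") != "100":
        return False, f"{org} quarantines only pct={tags['pct']} of failing mail"
    if tags.get("sp", "").lower() == "none":
        return False, f"{org} sets sp=none, leaving subdomains unenforced"
    return True, f"{org} has p={p}, which satisfies BIMI"
```

Calling bimi_policy_check("mail.example.com") fails on example.com's p=none even though mail.example.com publishes p=reject, which is the situation the marketer question above describes.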
Technical article
Documentation from BIMI Group states that senders must have a DMARC policy of at least quarantine or reject. This confirms the baseline requirement for any domain aiming to implement BIMI.
10 Aug 2020 - BIMI Group
Technical article
Mailgun documentation clarifies that senders must have a policy of quarantine or reject before a BIMI inbox logo is displayed, noting that a special policy of none for subdomains is insufficient for BIMI.