Does BIMI require a reject policy on the top level domain if subdomains have it?
Michael Ko
Co-founder & CEO, Suped
Published 12 May 2025
Updated 16 Aug 2025
7 min read
When you're looking to implement Brand Indicators for Message Identification (BIMI) to display your logo in email inboxes, a common question arises regarding DMARC policies, especially when dealing with subdomains. Many organizations use distinct subdomains for various email purposes, like transactional messages or marketing campaigns, and these subdomains often have stricter DMARC policies than the main organizational domain.
The core of the question is whether BIMI will function for emails sent from a subdomain if that subdomain has a strong DMARC p=reject policy, but the top-level or organizational domain does not. Understanding this relationship is crucial for successful BIMI deployment and email deliverability.
BIMI is a visual enhancement for email that allows your brand's logo to appear next to your sender information in supported email clients. It is not merely a cosmetic addition, however; it is deeply rooted in email authentication standards. The underlying requirement for BIMI is a properly configured and enforced DMARC policy, meaning your domain's DMARC record must be set to either p=quarantine or p=reject. Without this enforcement, BIMI simply will not display your logo.
This strict DMARC requirement serves a vital purpose. It signals to receiving mail servers, such as those operated by major mailbox providers, that your domain is actively protected against email spoofing and phishing attacks. By enforcing a DMARC policy, you help ensure that only mail passing SPF or DKIM with a domain aligned to the visible From address is treated as legitimate, building trust and improving your overall email deliverability.
The confusion often arises when organizations have a top-level domain, let's say example.com, with a more relaxed DMARC policy, such as p=none, while subdomains like mail.example.com or marketing.example.com have opted for the stricter p=reject policy. This is where the specific requirements for BIMI on subdomains come into play.
For a deeper dive into these authentication protocols, consider reviewing a simple guide to DMARC, SPF, and DKIM. It can provide a comprehensive understanding of how these systems work together to secure your email sending.
Subdomain policies and the organizational domain
The short answer to whether your top-level domain needs an enforcement policy for BIMI to work on subdomains is generally yes. The BIMI specification broadly requires that the organizational (top-level) domain and all of its subdomains be covered by a DMARC policy of p=quarantine or p=reject. Even if a specific subdomain has a strong DMARC policy, if the parent domain has p=none, BIMI may not be honored for any of its subdomains. This is a common point of confusion, and there's a specific article addressing whether a parent domain needs BIMI for subdomain BIMI to work.
The technical rationale behind this requirement is that the BIMI standard aims for a holistic security posture across your entire domain space. A relaxed policy on the organizational domain, even if subdomains are strict, could create a loophole that undermines the overall security and trust that BIMI is designed to foster. This is particularly relevant for some mailbox providers that view the top-level domain's policy as indicative of the brand's overall commitment to email security.
Mailbox providers such as Gmail and Yahoo have been at the forefront of requiring stricter DMARC policies. They explicitly require the organizational domain to have an enforcement DMARC policy for BIMI to work on its subdomains. This commitment to a strong security foundation across the entire domain hierarchy helps prevent brand impersonation and ensures a more secure email ecosystem. For more information, you can read whether BIMI requires DMARC at the organizational level.
Top-level domain enforcement
BIMI generally requires that your organizational (top-level) domain has a DMARC policy of p=quarantine or p=reject. This rule applies even if you are only attempting to enable BIMI on a subdomain that already has such a policy. This is because the overall security posture of the domain hierarchy is considered. Knowing if an organizational DMARC policy covers subdomains for BIMI is important.
If your top-level domain has a p=none DMARC policy, even if your subdomains are at p=reject, your BIMI logo might not display. The core principle is that the organizational domain sets the foundational trust level. Therefore, you need to ensure both the organizational domain and the subdomains sending BIMI-enabled emails meet the enforcement criteria. This also applies when considering how to implement DMARC with BIMI on multiple subdomains.
Practical implications and the sp tag
While the general rule dictates that the top-level domain should have an enforcement policy, DMARC does offer flexibility through the sp tag, which stands for subdomain policy. This tag allows you to specify a DMARC policy specifically for subdomains that can override the organizational domain's p= policy. However, for BIMI purposes, even if sp=reject is set on the top-level domain, the p= policy for the organizational domain itself still needs to be quarantine or reject. Understanding the meanings of DMARC tags is vital.
The challenge lies in transitioning a top-level domain's DMARC policy from p=none to p=quarantine or p=reject. This process requires careful planning and monitoring of DMARC aggregate reports to ensure legitimate mail is not inadvertently quarantined or blocked. A gradual approach is usually recommended: start at p=none to gather reports, move to p=quarantine with a low pct value, and raise the percentage (via the pct tag) step by step before moving to full enforcement at pct=100. You can learn how to safely transition your DMARC policy.
| | p=quarantine or p=reject on organizational domain | sp=quarantine or sp=reject on organizational domain |
|---|---|---|
| Impact on BIMI | Directly enables BIMI for the organizational domain and allows subdomains to also qualify if they meet their own DMARC and authentication requirements. | Primarily dictates subdomain policy if no explicit subdomain DMARC record exists. However, for BIMI on subdomains, the organizational domain's p= policy still needs enforcement. Read more about how the DMARC sp tag affects subdomain policies. |
| Scope | Applies to the organizational domain itself. | Applies only to subdomains. |
| Security posture | Strong; indicates active enforcement against unauthenticated mail, reducing the risk of being added to an email blacklist or blocklist (sometimes referred to as a denylist). | Important for subdomains, but doesn't replace the need for the p= policy on the organizational domain for BIMI. |
Understanding these distinctions is key to a smooth BIMI implementation, especially if you're managing a complex domain structure with many subdomains.
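As an added example that is not part of the original article, the following Python checker applies the rules described above to DMARC records: the organizational domain's own p= policy must be quarantine or reject at 100%, sp= does not substitute for it, and the sending subdomain must also be at enforcement, either through its own record or through the sp/p value it inherits. The record strings and example.com addresses are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a tag dictionary (keys lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def full_enforcement(tags: Dict[str, str], policy_tag: str) -> bool:
    """True when policy_tag is quarantine/reject and pct is 100.
    pct defaults to 100 when absent (RFC 7489); per the Email Geeks view
    quoted on this page, a partial pct does not satisfy BIMI."""
    policy = tags.get(policy_tag, "none").lower()
    pct = tags.get("pct", "100")
    return policy in ENFORCING and pct.isdigit() and int(pct) == 100

def bimi_readiness(org_record: str, sub_record: Optional[str] = None) -> Tuple[bool, List[str]]:
    """The organizational domain must itself be at enforcement (sp alone does
    not count), and the sending subdomain must be at enforcement too, via its
    own record or via what it inherits (sp if present, otherwise p)."""
    problems: List[str] = []
    org = parse_dmarc(org_record)
    if org.get("v", "").upper() != "DMARC1":
        problems.append("organizational record is not a DMARC1 record")
    if not full_enforcement(org, "p"):
        problems.append("organizational domain needs p=quarantine or p=reject at pct=100")
    if sub_record is not None:
        if not full_enforcement(parse_dmarc(sub_record), "p"):
            problems.append("subdomain record needs p=quarantine or p=reject at pct=100")
    else:
        tag = "sp" if "sp" in org else "p"
        if not full_enforcement(org, tag):
            problems.append(f"subdomain inherits {tag}={org.get(tag, 'none')} from the organizational domain")
    return (not problems, problems)

# Constructed sample records for illustration only (not live DNS data).
ORG_NONE_SP_REJECT = "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com"
ORG_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SUB_REJECT = "v=DMARC1; p=reject"

if __name__ == "__main__":
    # The page's scenario: a strict subdomain under a p=none parent is not enough.
    print(bimi_readiness(ORG_NONE_SP_REJECT, SUB_REJECT))
    print(bimi_readiness(ORG_REJECT, SUB_REJECT))
```

The first call reports exactly one problem (the parent's p=none) even though sp=reject is set and the subdomain itself is at p=reject, which is the situation the article warns about.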
Views from the trenches
Best practices
Implement DMARC gradually, starting with `p=none` and monitoring reports before moving to enforcement.
Ensure all legitimate email sending sources for your top-level domain and subdomains are properly authenticated with SPF and DKIM.
Use DMARC monitoring tools to gain visibility into your email ecosystem and identify any potential issues before changing policies.
Common pitfalls
Not having a strong enough DMARC policy (`p=quarantine` or `p=reject`) on the top-level domain.
Misunderstanding the `sp` tag, believing it completely negates the need for a strong root domain policy for BIMI.
Failing to monitor DMARC reports, leading to legitimate emails being blocked or quarantined after policy changes.
Expert tips
Prioritize DMARC enforcement on your organizational domain, as it underpins BIMI and overall email security.
Regularly check your DMARC alignment and make sure all sending services are correctly configured for both SPF and DKIM.
Be patient. Achieving full DMARC enforcement and BIMI readiness can take time, but the benefits for brand trust and email deliverability are substantial.
Expert view
Expert from Email Geeks says the minimum DMARC policy for BIMI is 'quarantine' at 100%, otherwise BIMI will not work, though results may vary at individual mailbox providers.
2022-11-10 - Email Geeks
Expert view
Expert from Email Geeks says that BIMI records are published to DNS for each domain. BIMI can function similarly to DMARC, allowing a single global BIMI record for an organizational domain to cascade to subdomains, or specific records for individual subdomains. BIMI also supports selectors for multiple logos.
2022-11-10 - Email Geeks
The path to BIMI success
To summarize, for BIMI to work on your subdomains, your top-level organizational domain generally does need to have a DMARC policy set to either p=quarantine or p=reject. While subdomains can have their own stringent policies, the overall domain security posture, as indicated by the organizational domain's DMARC policy, is a critical factor for BIMI adoption across your brand.
Prioritizing your organizational domain's DMARC enforcement is a crucial step towards full BIMI enablement. This commitment not only helps ensure your brand logo appears consistently, but also reinforces trust in your email communications, helps prevent your domain from appearing on a blacklist or blocklist, and contributes to a more secure email ecosystem for everyone.