The implementation of Brand Indicators for Message Identification (BIMI) is a key step in enhancing email sender identity and trust. A common question arises regarding the necessity of a DMARC policy at the organizational domain level and the feasibility of implementing BIMI solely on a subdomain. While BIMI records themselves can be published at the subdomain level, a robust DMARC policy at the organizational domain is a prerequisite for BIMI adoption, ensuring all relevant domains are protected.
Key findings
DMARC requirement: BIMI mandates that DMARC be implemented at the organizational domain (root domain) level, not just on the sending subdomain. This foundational DMARC policy must be an enforcing one, meaning either p=quarantine or p=reject.
BIMI at subdomain: While the overarching DMARC policy must be at the organizational level, the BIMI TXT record itself can be published on a subdomain. This allows for specific branding for different email streams originating from subdomains.
Policy enforcement: A DMARC policy of p=none is insufficient for BIMI. The domain must have an active enforcement policy to ensure the authenticity of sender identities, a core requirement for displaying a brand logo.
Subdomain DMARC override: A DMARC policy set specifically on a subdomain (e.g., sub.example.com) will override the organizational domain’s subdomain policy (specified by the sp tag).
Key considerations
Holistic DMARC strategy: Before implementing BIMI, ensure your DMARC strategy covers all sending domains and subdomains, with proper authentication (SPF/DKIM) and alignment in place. This includes understanding DMARC policies for organizational domains and subdomains.
Phased DMARC rollout: Transitioning to an enforcing DMARC policy (quarantine or reject) should be done carefully after thorough monitoring with a p=none policy. This helps identify legitimate email streams that might fail authentication.
DNS record placement: Accurate placement of the BIMI TXT record (e.g., default._bimi.yourdomain.com or default._bimi.sub.yourdomain.com) is crucial. Even a small error in the record name or contents means mailbox providers will not find a valid record at the name they query, and BIMI will not work.
VMC and trademark: For full BIMI adoption, especially with major mailbox providers like Gmail, a Verified Mark Certificate (VMC) and a registered trademark for your logo are often required. More details can be found on the BIMI Group's FAQ for Senders & ESPs.
IT collaboration: Given the technical nature of DNS record changes and DMARC policies, close collaboration with your IT or DNS administration team is essential to avoid issues that could impact corporate mail flow. See also the key considerations and challenges for DMARC implementation.
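The DMARC precedence and record-placement rules above, worked through in code as an added example (not from the original article or the BIMI Group): it runs against a constructed in-memory zone in place of live DNS, simplifies the organizational domain to the last two labels, and uses the constructed names example.com, go.example.com and news.example.com.

```python
# Constructed sample TXT records standing in for live DNS (a real checker would query DNS).
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none",
    "default._bimi.go.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg;",
}
ENFORCING = ("quarantine", "reject")

def txt(name):
    return ZONE.get(name)  # None models NXDOMAIN: the record was never published

def org_domain(domain):
    # Simplified to the last two labels; real resolvers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def parse_tags(record):
    # "v=DMARC1; p=reject; sp=quarantine" -> {"v": "DMARC1", "p": "reject", "sp": "quarantine"}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def effective_dmarc_policy(domain):
    # DMARC precedence: the subdomain's own record wins, else the org sp tag, else the org p tag.
    own = txt(f"_dmarc.{domain}")
    if own:
        return parse_tags(own).get("p", "none"), domain
    org = org_domain(domain)
    rec = txt(f"_dmarc.{org}")
    if not rec:
        return "none", None
    tags = parse_tags(rec)
    return tags.get("sp", tags.get("p", "none")), org

def bimi_problems(domain, selector="default"):
    # What would stop a logo showing for mail sent from `domain`; an empty list means all checks pass.
    org = org_domain(domain)
    problems = []
    org_rec = txt(f"_dmarc.{org}")
    if not org_rec or parse_tags(org_rec).get("p") not in ENFORCING:
        problems.append(f"{org}: DMARC p= is not quarantine/reject")
    policy, _ = effective_dmarc_policy(domain)
    if policy not in ENFORCING:
        problems.append(f"{domain}: effective DMARC policy is {policy}")
    if txt(f"{selector}._bimi.{domain}") is None:
        problems.append(f"{selector}._bimi.{domain}: NXDOMAIN, record not published")
    return problems
```

Note how news.example.com fails even though the organizational domain is at p=reject: its own p=none record overrides the inherited sp=quarantine, which is exactly the subdomain override described above.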
Email marketers often approach BIMI implementation with a focus on brand visibility, sometimes overlooking the underlying DMARC requirements. Their discussions frequently revolve around practical challenges, such as convincing IT teams to make necessary DNS changes, and the perceived complexity of authentication protocols. Marketers are keen to understand the minimum requirements to display their logos, especially across major mailbox providers.
Key opinions
DMARC is fundamental: Many marketers quickly realize that DMARC must be properly configured first, especially at the organizational level, before BIMI can be successfully implemented.
Enforcing policy needed: The general consensus is that a DMARC policy of p=quarantine or p=reject is essential for BIMI to work, going beyond a mere monitoring policy.
Subdomain BIMI interest: There's often a desire to apply BIMI to specific sending subdomains without affecting the entire corporate domain, indicating a need for granular control over branding.
IT resistance: Marketers frequently face reluctance from IT departments to make DNS changes, especially if there's a perceived risk to existing email infrastructure or corporate mail accounts.
Propagation challenges: Confusion sometimes arises around DNS propagation times for new TXT records, leading to troubleshooting efforts when BIMI doesn't manifest immediately.
Key considerations
Communicate DMARC's role: Clearly explain to IT that DMARC strengthens email security and deliverability for the entire domain, not just for BIMI. This can help overcome reluctance by highlighting broader benefits. For more, see how important DMARC is for email and spam protection.
Pilot programs: Be aware that certain mailbox providers, like Gmail, may initially run pilot programs requiring full BIMI implementation, including VMCs and trademarks, while others (e.g., Yahoo) might support self-asserted BIMI.
Verify DNS records: Use reliable DNS lookup tools to confirm that BIMI TXT records have been correctly published and are propagating. This helps quickly diagnose issues if BIMI doesn't appear as expected, a common concern discussed on the Dotdigital blog.
Consult external expertise: If internal IT teams are uncomfortable, consider bringing in a specialized consultant or expert for DMARC and BIMI implementation. This ensures proper setup without risking corporate mail accounts.
Subdomain impact: Understand that implementing BIMI on a third-level domain (sub-subdomain) generally will not affect the primary corporate email domain, provided the DMARC record on the main domain covers it.
Marketer view
Marketer from Email Geeks emphasizes the importance of DMARC being properly configured for a domain to enable BIMI. They had encountered issues where their IT team was hesitant to make changes, fearing an impact on corporate email accounts, despite the necessity for BIMI to function correctly.
14 Jun 2021 - Email Geeks
Marketer view
Marketer from Dotdigital mentions that if a custom from address uses a subdomain, the top-level organizational domain must also have DMARC implemented with an enforcing policy. This ensures full compliance and proper operation of BIMI.
10 Mar 2024 - Dotdigital
What the experts say
Email deliverability experts consistently affirm that DMARC is a non-negotiable prerequisite for BIMI, requiring an enforcing policy at the organizational domain. They emphasize the technical specifics of DNS record placement and propagation, often drawing on real-world examples and diagnostic tools. Experts also shed light on the nuances of subdomain policies and the varying levels of support for BIMI features across different mailbox providers.
Key opinions
Organizational DMARC is crucial: Experts universally agree that DMARC must be deployed at the organizational domain level for BIMI to function correctly.
Enforcing policy minimum: A DMARC policy of at least p=quarantine is the minimum required enforcement level for BIMI.
BIMI at subdomain is possible: While DMARC is at the root, the BIMI record itself can reside on a subdomain, offering flexibility for brand display on specific sending entities. This is demonstrated by real-world examples like Xfinity.
DNS propagation speed: New DNS records, especially for a name that did not exist before, should not take long to propagate; at most the negative-cache TTL, usually minutes, has to expire. If the record is still not visible after that, it indicates a publication error rather than slow propagation.
Subdomain policy precedence: A specific DMARC policy defined on a subdomain will always override the sp tag policy inherited from the organizational domain.
Key considerations
Verify record publication: Always confirm that the BIMI TXT record has actually been published to DNS and is visible using tools like dig or online DNS checkers. An NXDOMAIN result indicates the record does not exist.
Understand DMARC alignment: Ensure that your SPF and DKIM authentication is configured to align with your DMARC policy, especially when dealing with subdomains. BIMI relies on this alignment for verification. Learn more about DMARC, SPF, and DKIM.
Yahoo's exception (historical): Be aware that while the BIMI specification requires DMARC at the organizational level, some providers, like Yahoo, historically accepted DMARC at the subdomain level. However, this could change, making adherence to the spec critical. This is highlighted by Marcel Becker of Yahoo, as referenced by EmailKarma.
Corporate email impact: Address IT concerns by explaining that BIMI on a third-level domain (e.g., go.yourdomain.com) should not directly impact the root corporate email (e.g., yourdomain.com) as long as the DMARC policy for the root domain is correctly configured to cover subdomains.
Troubleshooting tools: Become familiar with DNS query tools like dig (or equivalent) for quick verification of TXT records. See how to set up DMARC for BIMI.
Expert view
Expert from Email Geeks states that DMARC must be configured at the organizational level to support BIMI. This is a foundational requirement to ensure proper email authentication before a brand's logo can be displayed.
14 Jun 2021 - Email Geeks
Expert view
Expert from Word to the Wise confirms that while BIMI records can be published on subdomains, the overarching DMARC policy for the organizational domain must be enforcing. They provide tools to check live DNS records and avoid stale results, crucial for accurate verification.
10 Jul 2023 - Word to the Wise
What the documentation says
Official documentation from organizations like the BIMI Group clearly outlines the technical requirements for BIMI implementation, with a strong emphasis on DMARC. These specifications detail the necessity of an enforcing DMARC policy at the organizational domain and provide guidelines for publishing BIMI records, including considerations for subdomain deployments. Adherence to these guidelines is crucial for universal BIMI display across supporting email clients.
Key findings
DMARC at organizational level: The BIMI protocol is fundamentally built upon DMARC, requiring a DMARC record to be present at the organizational domain (also known as the root or apex domain).
Enforcing DMARC policy: For BIMI to display, the DMARC policy for the organizational domain must be set to either p=quarantine or p=reject, indicating strong enforcement.
BIMI record on subdomain: BIMI records themselves can be published at the subdomain level (e.g., default._bimi.sub.example.com), provided the organizational domain has the necessary DMARC enforcement.
Subdomain policy inheritance: If a DMARC record is not explicitly set for a subdomain, it will inherit the policy of the organizational domain. A specific DMARC record on the subdomain will override this inherited policy.
VMC requirement: For maximum compatibility and trust, particularly with major email clients like Gmail, a Verified Mark Certificate (VMC) is required, which in turn necessitates a registered trademark for the logo.
Key considerations
DMARC alignment: BIMI relies on DMARC authentication passing with identifier alignment (either SPF or DKIM). Ensure that your SPF and DKIM records are correctly configured and align with the From: domain. This is covered in depth in the requirements and implementation steps for BIMI.
Policy scope: Ensure that your organizational DMARC policy (the p tag) and its subdomain policy (the sp tag) cover all domains and subdomains from which you intend to send email and display BIMI logos. For instance, Resend documentation details that for BIMI on a subdomain, the root domain must also have a DMARC policy of p=quarantine or p=reject.
Ongoing monitoring: Regularly monitor DMARC reports to ensure continuous compliance and identify any authentication failures that could prevent BIMI from being displayed. This practice is crucial for maintaining both security and brand visibility.
Support variation: While the core requirements are standardized, support for various BIMI elements (like VMCs) can differ among email clients. It is essential to refer to the latest updates from mailbox providers. See which email clients actually support BIMI.
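The identifier alignment requirement from the first consideration above, worked as an added example (not from the BIMI Group or Resend documentation): given what an SPF and DKIM verifier already reported for a message, decide whether either identifier aligns with the From: domain under DMARC's relaxed or strict modes. The domains example.com, go.example.com and esp.example are constructed, and the organizational domain is simplified to the last two labels.

```python
# Constructed scenarios, not real mail. spf/dkim hold what an SPF/DKIM verifier
# already reported: (result, authenticated domain), so nothing here needs a network.

def org_domain(domain):
    # Simplified to the last two labels; real resolvers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    # Relaxed ("r", the DMARC default): same organizational domain.
    # Strict ("s"): the authenticated domain must equal the From: domain exactly.
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    DMARC passes only when at least one identifier both passed and aligns
    with the RFC5322.From domain under the record's aspf/adkim mode."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# A marketing stream on go.example.com sent through a hypothetical ESP whose
# bounce domain (SPF) and own DKIM key live under esp.example.
SCENARIOS = {
    # DKIM signed with the org domain's key: aligns under relaxed mode.
    "relaxed_subdomain": dict(from_domain="go.example.com",
                              spf=("pass", "bounce.esp.example"), dkim=("pass", "example.com")),
    # Same message with adkim=s on the DMARC record: d= must equal go.example.com.
    "strict_subdomain": dict(from_domain="go.example.com", adkim="s",
                             spf=("pass", "bounce.esp.example"), dkim=("pass", "example.com")),
    # ESP signs with its own d= and SPF passes only for its bounce domain: both
    # checks "pass" yet neither aligns, so DMARC fails and no logo is shown.
    "esp_unaligned": dict(from_domain="go.example.com",
                          spf=("pass", "bounce.esp.example"), dkim=("pass", "esp.example")),
}

def run_all():
    return {name: dmarc_result(**kw)["dmarc"] for name, kw in SCENARIOS.items()}
```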
Technical article
Documentation from BIMI Group clarifies that BIMI leverages the existing DMARC protocol. It ensures that email messages pass DMARC authentication checks before any brand-controlled logos are displayed, reinforcing the critical role of DMARC.
20 Aug 2020 - BIMI Group
Technical article
Documentation from Resend states that for BIMI to be recognized on a subdomain, the root or APEX domain must also have a DMARC policy of p=quarantine or p=reject in addition to any subdomain-specific policy. This confirms the hierarchical nature of DMARC requirements.