Implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance) with BIMI (Brand Indicators for Message Identification) across multiple subdomains requires careful planning. BIMI requires an enforcing DMARC policy on the domain in the From: header (p=quarantine with pct=100, or p=reject), and when that domain is a subdomain the organizational domain's record must not be p=none or sp=none, so it pays to understand how the organizational policy reaches each subdomain. A subdomain with no DMARC record of its own takes the organizational domain's policy (the sp= value if present, otherwise p=), which means that once enforcement is active, unauthenticated mail from any subdomain that has not been explicitly overridden will be quarantined or rejected. A phased approach, starting with p=none and analysing the aggregate (RUA) reports, is universally recommended before moving to enforcement to avoid unintended delivery failures.
Key findings
Policy Inheritance: The DMARC policy at the organizational domain (root domain) applies by default to every subdomain that lacks its own DMARC record; subdomains inherit the sp= value if it is present, otherwise p=. Discovery does not walk up the tree: a receiver queries _dmarc.<From domain> and then _dmarc.<organizational domain>, nothing in between, so a sub-subdomain without its own record inherits from the organizational domain even if an intermediate subdomain publishes p=none.
BIMI Requirement: For BIMI to display your brand logo, the DMARC policy that applies to the From: domain must be enforcing: p=reject, or p=quarantine with pct=100. When that domain is a subdomain, the organizational domain's record must additionally not carry p=none or sp=none.
Subdomain Overrides: It is possible to set separate DMARC records for individual subdomains. This allows for different policies (e.g., p=none) on certain subdomains while the organizational domain maintains an enforcement policy for BIMI. Mail from such a subdomain is then exempt from the organizational enforcement policy, but it will not show a logo either.
Alignment Requirements: DMARC uses relaxed alignment by default (adkim=r, aspf=r), under which the From: domain and the SPF or DKIM domain only need to share an organizational domain, so mail from news.example.com signed with d=example.com aligns. With strict alignment (adkim=s, aspf=s) the domains must match exactly, and a subdomain no longer aligns with its parent.
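The inheritance and alignment rules above are easier to reason about in code. The following is an added example for this page, not code from any cited source: it implements DMARC policy discovery (RFC 7489 section 6.6.3) and identifier alignment (section 3.1) against a constructed DNS zone and a constructed public-suffix table; the record contents, domain names and the PUBLIC_SUFFIXES table are assumptions for illustration.

```python
"""DMARC policy discovery (RFC 7489 s6.6.3) and identifier alignment (s3.1).
Added example for this page; the zone and public-suffix table are constructed."""

# Constructed stand-in for DNS TXT lookups. Replace with a real resolver
# (e.g. dnspython) outside this example.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.legacy.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Tiny public-suffix table for the example; real code uses the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def parse_tags(record):
    """'v=DMARC1; p=reject; sp=none' -> {'v': 'DMARC1', 'p': 'reject', 'sp': 'none'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Public suffix plus one label (RFC 7489 s3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def effective_policy(from_domain, zone=ZONE):
    """Return (policy, record_owner, tags); policy is None when no record applies.

    Receivers query _dmarc.<From domain> first. If there is no record there,
    they query _dmarc.<organizational domain> (and nothing in between), using
    its sp= tag for the subdomain, or p= if sp= is absent.
    """
    from_domain = from_domain.lower()
    own = zone.get(f"_dmarc.{from_domain}")
    if own is not None:
        tags = parse_tags(own)
        return tags.get("p", "none"), from_domain, tags
    org = organizational_domain(from_domain)
    org_record = zone.get(f"_dmarc.{org}") if org != from_domain else None
    if org_record is None:
        return None, None, {}
    tags = parse_tags(org_record)
    return tags.get("sp", tags.get("p", "none")), org, tags


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment between the From: domain and the DKIM d= or SPF
    envelope domain. mode 'r' (relaxed, the default): same organizational
    domain. mode 's' (strict): exact match, so a subdomain does not align
    with its parent."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)
```

The case worth running is deep.legacy.example.com: legacy.example.com publishes p=none, but the deeper name has no record of its own, so discovery skips the intermediate record and applies the organizational domain's sp=quarantine. Every subdomain that needs an exemption therefore needs its own _dmarc record.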
Key considerations
Phased Deployment: Always start DMARC implementation with a p=none policy and a rua= reporting address to monitor email streams and identify authentication issues without impacting delivery. Only proceed to quarantine or reject once all legitimate email sources are properly authenticated and aligned.
Risk Assessment: Moving directly to an enforcement policy without analysing DMARC reports (aggregate RUA reports; forensic RUF reports are sent by few providers) is a high-risk move that can lead to significant email delivery disruption. Use a DMARC monitoring service to track your progress and ensure all legitimate mail is covered.
Impact on Subdomains: Be aware that if your organizational DMARC policy is set to quarantine or reject, any unauthenticated email (even legitimate) from any subdomain not explicitly overridden will fail DMARC and receive that disposition. For more details on this, see how DMARC policies apply to subdomains.
BIMI Implementation Steps: Before enabling BIMI, ensure your DMARC is at enforcement, your logo is formatted to the SVG Tiny Portable/Secure profile (a subset of SVG Tiny 1.2), and you have a Verified Mark Certificate (VMC), which the BIMI specification treats as optional but some mailbox providers require before showing a logo. The BIMI Group provides a comprehensive implementation guide.
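The step that decides whether the move from p=none to enforcement is safe is reading the aggregate reports. The following is an added example for this page, not a tool from any cited source: it parses an RUA report in the RFC 7489 Appendix C XML format and sorts each sending source into "aligned" (safe under enforcement), "unaligned" (raw SPF or DKIM passed, but on a third-party domain, so a real sender that needs aligned DKIM before enforcement) or "failed" (nothing passed, so either spoofing or a forwarder). The report, its IP addresses and the vendor domains in it are constructed.

```python
"""Summarise a DMARC aggregate (RUA) report to find sources that would be
affected by moving from p=none to enforcement. Added example; the report
below is constructed and uses documentation IP ranges."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.bad.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_rua(xml_text):
    """Return {header_from: {source_ip: {count, verdict, auth_domains}}}.

    policy_evaluated/dkim and /spf are the *aligned* results a DMARC
    evaluator computed; auth_results holds the raw SPF/DKIM outcomes and the
    domains they passed for. The gap between the two is what enforcement
    would break.
    """
    root = ET.fromstring(xml_text)
    out = defaultdict(dict)
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        hdr_from = rec.findtext("identifiers/header_from")
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        raw_pass = [m.findtext("domain") for m in rec.findall("auth_results/*")
                    if m.findtext("result") == "pass"]
        if dkim_aligned or spf_aligned:
            verdict = "aligned"      # passes DMARC; safe under quarantine/reject
        elif raw_pass:
            verdict = "unaligned"    # legitimate-looking sender, wrong domain
        else:
            verdict = "failed"       # nothing passed: spoof or forwarder
        entry = out[hdr_from].setdefault(
            ip, {"count": 0, "verdict": verdict, "auth_domains": sorted(set(raw_pass))})
        entry["count"] += count
    return dict(out)


def enforcement_risk(summary):
    """Message volume that would be quarantined/rejected, split by cause."""
    risk = {"unaligned": 0, "failed": 0}
    for sources in summary.values():
        for info in sources.values():
            if info["verdict"] in risk:
                risk[info["verdict"]] += info["count"]
    return risk
```

Run against real reports, the "unaligned" bucket is the to-do list before enforcement: each entry is a sending system (here a constructed ESP signing with its own d= domain) that needs a DKIM key under your domain or an aligned SPF return-path. The "failed" bucket is what enforcement is meant to stop, but check it for mailing-list and forwarding traffic before assuming it is all abuse.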
Email marketers often approach DMARC and BIMI implementation with a desire to quickly leverage the brand visibility benefits of BIMI. However, a common thread in discussions is the critical need for a cautious, data-driven approach, especially when dealing with multiple sending systems and subdomains. They highlight the importance of understanding DMARC reports before escalating policies to avoid negatively impacting legitimate email deliverability.
Key opinions
Start with Monitoring: Many marketers emphasize starting with a p=none DMARC policy to gather data via RUA reports and identify any authentication failures before moving to enforcement.
BIMI Policy Requirement: It's understood that BIMI requires a DMARC enforcement policy (p=quarantine or p=reject) at the domain level where BIMI is being applied.
Subdomain Policy Control: Marketers appreciate the flexibility to set different DMARC policies for subdomains, allowing them to manage risk for less critical sending sources while maintaining an enforcement policy for their main domain (for BIMI).
Cautious Progression: There's a strong consensus that rushing to p=quarantine or p=reject can lead to significant deliverability problems if email authentication is not perfectly configured across all sending systems.
Key considerations
Monitor Reports: Even after moving to a quarantine policy, continuous monitoring of DMARC reports is essential to detect any unexpected authentication failures or bounces. This helps ensure your legitimate mail streams remain unaffected, a key part of boosting email deliverability rates.
Identify All Sending Systems: Before changing DMARC policies, marketers must ensure they have identified and properly authenticated all systems sending email for their domain and subdomains. This includes transactional, marketing, and internal email systems.
Backup Plan: Have a clear plan to roll back your DMARC policy if you encounter unexpected deliverability issues or high bounce rates after moving to enforcement.
DMARC Policy for BIMI: The DMARC policy for the organizational domain generally needs to be at p=quarantine or p=reject for BIMI to work effectively. Mailgun's blog reinforces this, stating that BIMI setup requires DMARC enforcement.
Marketer view
Marketer from Email Geeks suggests that a DMARC policy should always start with p=none to allow for the identification and rectification of any authentication issues before implementing stricter policies.
25 Oct 2023 - Email Geeks
Marketer view
Marketer from Email Geeks notes that if a DMARC record is not explicitly set on a subdomain, the organizational domain's policy will automatically apply to it.
25 Oct 2023 - Email Geeks
What the experts say
Deliverability experts consistently underscore the inherent risks of prematurely moving DMARC to an enforcement policy, especially for organizations with complex email infrastructures involving multiple subdomains. They stress that a foundational understanding of DMARC reporting and email authentication is paramount. While BIMI offers significant brand benefits, experts advise prioritizing stable and secure email delivery over rushed implementation of visual indicators.
Key opinions
Gradual Policy Enforcement: Experts strongly advise against deploying DMARC at p=quarantine or p=reject on a production system without a deep understanding of its implications, advocating for a cautious, phased approach.
Organizational Domain Prerequisite: For BIMI to function, the DMARC policy at the organizational domain must be an enforcing policy (p=quarantine or p=reject), even if subdomains have different policies. Mail from a subdomain only earns a logo if the policy applied to that subdomain is also enforcing.
Subdomain Policy Flexibility: While the organizational domain may enforce DMARC for BIMI, experts confirm that individual subdomains can still have their own overriding DMARC policies, including p=none, if they are not yet ready for stricter enforcement.
Understanding Ramifications: Experts stress that comprehending the full impact of DMARC policies on email deliverability is more important than simply enabling BIMI, which is a visual benefit secondary to core authentication.
Key considerations
Review DMARC Reports: Thoroughly analyze your DMARC aggregate reports (RUA) to identify all legitimate sending sources and ensure they are authenticating correctly. This step is critical before safely transitioning DMARC policy.
Authentication Gaps: Be aware that setting an organizational domain DMARC policy to enforcement will result in unauthenticated (and potentially legitimate) mail from any subdomain being quarantined or rejected if not properly covered by SPF and DKIM. This relates to DMARC verification failures.
Subdomain Isolation: If certain subdomains are not ready for an enforcement policy, explicitly set their own DMARC records to p=none so they do not inherit the stricter policy of the organizational domain. Do not reach for sp=none on the organizational record instead: it exempts every subdomain at once, and BIMI requires that the organizational record's sp= tag, where present, is not none.
DMARC Enforcement Priority: Prioritize achieving a stable DMARC quarantine or reject policy first, as this foundation ensures robust email authentication before adding the visual component of BIMI. Spamresource.com offers insights into advanced DMARC strategies.
Expert view
Expert from Email Geeks warns that going straight to p=quarantine is an extremely high-risk move and is only suitable for those who have a deep understanding of DMARC and its potential consequences.
25 Oct 2023 - Email Geeks
Expert view
Expert from Email Geeks states that the DMARC policy at the organizational domain will apply to all subdomains unless explicitly overridden by a specific DMARC record for that subdomain. This means incorrectly authenticated mail may not be delivered.
25 Oct 2023 - Email Geeks
What the documentation says
Official documentation and specifications for DMARC and BIMI clearly outline the technical requirements and recommended implementation practices. They confirm that DMARC policies at the organizational level influence subdomains and that a strong DMARC policy is a prerequisite for BIMI adoption. The emphasis is on precise DNS record configuration and careful adherence to authentication standards to ensure proper brand representation and email security.
Key findings
DMARC Policy Precedence: A DMARC record at the organizational domain applies to all subdomains by default, because policy discovery falls back to the organizational domain's record when a subdomain publishes none of its own. A subdomain's own record overrides it. Within the organizational record, the subdomain policy tag (sp=) sets the policy subdomains inherit; if sp= is absent, p= applies to them as well.
BIMI DMARC Requirement: BIMI requires that the From: domain of the message is covered by a DMARC policy of p=reject, or p=quarantine with pct=100. A p=none policy, or quarantine with a pct below 100, will not enable BIMI display.
DMARC Alignment: DMARC checks for alignment between the RFC5322.From domain and the domain that SPF or DKIM authenticated. By default it uses relaxed alignment, which only requires both to share an organizational domain; strict alignment (adkim=s, aspf=s) requires an exact match, so a subdomain no longer aligns with its parent domain.
BIMI DNS Record: A BIMI record is a TXT record published at <selector>._bimi.<domain> (selector "default" unless the message names another) beginning with v=BIMI1. Its l= tag is the HTTPS URL of the SVG logo and its optional a= tag is the HTTPS URL of the Verified Mark Certificate (VMC). The record can be published on the organizational domain or on a specific subdomain where BIMI is desired; an empty l= declines BIMI for that domain.
Key considerations
Comprehensive Authentication: Before implementing BIMI, ensure that all email sending sources for your domain and its subdomains are properly authenticated with SPF and DKIM, and that they achieve DMARC alignment. The BIMI Group FAQs emphasize this.
DMARC Policy Application: Be aware that if your organizational DMARC record is at p=quarantine or p=reject, any email sent from a subdomain that doesn't have its own overriding DMARC record and fails authentication will be subject to that enforcement policy.
Subdomain Policy Tag: The sp (subdomain policy) tag in your organizational DMARC record allows you to define how DMARC should handle emails from subdomains. It can be used to apply a different policy to subdomains than the organizational domain, as described by DMARC best practices.
VMC Requirement: The BIMI specification makes the VMC optional, but some mailbox providers (Gmail and Apple Mail, for example) will not display a logo without a Verified Mark Certificate issued by an accredited Certificate Authority, while Yahoo Mail displays logos without one. The SSL Store provides a guide on how to set up BIMI, including VMC details.
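The BIMI-side conditions in the findings and considerations above can be checked before publishing anything. The following is an added example for this page, not code from the BIMI Group, The SSL Store or any other cited source: it validates a BIMI assertion record from a constructed DNS zone and applies the DMARC conditions BIMI adds on top of plain DMARC (pct=100 for quarantine; no p=none or sp=none on the organizational record for a subdomain sender). The domain names, URLs and records are constructed; the DMARC tag values are passed in already resolved, so the function does not repeat policy discovery.

```python
"""Validate a BIMI record and the DMARC conditions BIMI puts on it. Added
example for this page; the zone below is constructed."""
from urllib.parse import urlparse

# Constructed DNS stand-in. A receiver queries <selector>._bimi.<domain>,
# selector "default" unless the message carries a BIMI-Selector header.
ZONE = {
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "default._bimi.promo.example.com": "v=BIMI1; l=; a=;",             # declination
    "default._bimi.old.example.com": "v=BIMI1; l=http://example.com/brand/logo.svg;",  # not https
}


def parse_tags(record):
    """'v=BIMI1; l=...; a=...' -> {'v': 'BIMI1', 'l': '...', 'a': '...'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _https_url(value):
    # BIMI requires the logo and the evidence document to be fetched over HTTPS.
    # Validating the fetched SVG against the SVG Tiny P/S profile happens on
    # retrieval and is out of scope here.
    u = urlparse(value)
    return u.scheme == "https" and bool(u.netloc)


def check_bimi_record(domain, zone=ZONE, selector="default"):
    """Return (status, tags); status is 'ok', 'ok-no-vmc', 'declined',
    'missing' or 'invalid'."""
    record = zone.get(f"{selector}._bimi.{domain.lower()}")
    if record is None:
        return "missing", {}
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return "invalid", tags
    logo, evidence = tags.get("l", ""), tags.get("a", "")
    if logo == "":
        return "declined", tags                  # empty l=: no logo, on purpose
    if not _https_url(logo):
        return "invalid", tags
    if evidence and not _https_url(evidence):
        return "invalid", tags
    return ("ok" if evidence else "ok-no-vmc"), tags


def dmarc_permits_bimi(policy, pct=100, is_subdomain=False, org_p=None, org_sp=None):
    """DMARC conditions from the BIMI draft's receiver rules.

    policy/pct: the tags that apply to the From: domain (its own record, or
    the organizational sp=/p= it inherits). org_p/org_sp: the organizational
    record's p= and sp=, only consulted when the sender is a subdomain. A
    missing organizational record is treated as failing here.
    """
    if not (policy == "reject" or (policy == "quarantine" and pct == 100)):
        return False
    if is_subdomain and (org_p in (None, "none") or org_sp == "none"):
        return False
    return True
```

A domain passes both checks before it is worth buying a VMC: quarantine with pct=50, for instance, fails dmarc_permits_bimi even though it looks like an "enforcing" policy in a DMARC dashboard, and a subdomain sender fails if the organizational record has sp=none regardless of the subdomain's own policy.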
Technical article
Documentation from BIMI Group states that BIMI leverages the existing DMARC protocol, requiring that email messages pass DMARC authentication checks before any brand-controlled logos can be displayed to recipients.
10 Apr 2024 - BIMI Group
Technical article
Documentation from The SSL Store confirms that the first step to setting up BIMI is to configure your SPF and DKIM records correctly, followed by setting your DMARC policy to an enforcement state.