How do I set up DMARC for BIMI and what are the key considerations?

Key findings

• DMARC foundation: BIMI mandates that your domain has an active DMARC record with an enforcing policy, meaning p=quarantine or p=reject. A p=none policy, while useful for monitoring, is insufficient for BIMI.
• Authentication alignment: For DMARC to pass, both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) must be configured correctly and aligned with your domain. This means the domain in the From header must match the domains used in SPF and DKIM.
• Monitoring is key: Implementing DMARC successfully involves starting with a p=none policy and meticulously analyzing DMARC reports. These reports reveal which of your email streams are passing or failing authentication, allowing you to identify and fix issues before moving to an enforcing policy.
• Phased implementation: Transitioning to p=quarantine or p=reject should be done incrementally (e.g., gradually increasing the percentage for enforcement) to avoid legitimate emails being blocked or marked as spam.
• BIMI specific requirements: Beyond DMARC, BIMI requires your brand logo to be in SVG Tiny 1.2 format and, for most prominent placements, a Verified Mark Certificate (VMC) issued by an accredited authority. More details can be found on the BIMI Group website.

Key considerations

• Mailstream inventory: Identify all sources sending email on behalf of your domain. This includes marketing platforms, transactional email services, internal corporate email systems, HR software, and any third-party cloud services.
• Time investment: The full DMARC implementation and enforcement process can take several months, as it involves monitoring reports and making adjustments to ensure all legitimate email is authenticated.
• Subdomain policies: Ensure that both your primary organizational domain and any relevant subdomains have DMARC policies in place, particularly if you use subdomains for different email types (e.g., marketing, transactional).
• Collaboration: DMARC and BIMI setup often requires collaboration between marketing, IT, and legal teams (for VMC). Clear communication is vital.
• Logo preparation: Beyond technical specifications, ensure your logo is officially copyrighted and represents your brand accurately, as it will be publicly displayed.

Key opinions

• Brand visibility boost: Marketers are primarily interested in BIMI for the enhanced brand recognition it offers, displaying their logo directly in the inbox, which they believe improves engagement and trust.
• Technical hurdle: Many marketers find the initial DMARC setup, especially understanding alignment and report analysis, to be a significant technical challenge requiring IT or expert assistance.
• Deliverability improvement: There's a strong belief that implementing DMARC (and by extension, BIMI) positively impacts overall email deliverability by signaling trustworthiness to mailbox providers.
• Value of enforcement: Marketers understand that a p=quarantine or p=reject policy is necessary for BIMI, despite the potential initial fear of blocking legitimate emails.

Key considerations

• Understanding DMARC reports: Marketers often need clearer explanations of DMARC aggregate reports to understand what email streams are failing and why.
• SVG logo creation: The specific technical requirements for the BIMI SVG logo (e.g., SVG Tiny 1.2, square dimensions) can be challenging.
• VMC acquisition: The process of obtaining a Verified Mark Certificate (VMC) is often seen as complex and involves legal and financial commitments, as highlighted in guides like The SSL Store's BIMI setup guide.
• Client support: Marketers question which email clients support BIMI to justify the investment in its setup.

Key opinions

• Phased DMARC deployment: Experts universally recommend starting DMARC with a p=none policy to collect reports and understand email flows before moving to enforcement.
• Importance of alignment: Achieving DMARC compliance hinges on proper SPF and DKIM alignment, ensuring that the visible From domain matches the authenticated domains in SPF or DKIM.
• DMARC reports are crucial: DMARC aggregate reports (RUAs) provide invaluable insights into email authentication results across all sending sources for a domain, which is essential for identifying unauthenticated mailstreams.
• Org domain enforcement: For BIMI, the organizational domain (not just subdomains) typically needs to be at DMARC enforcement (either p=quarantine or p=reject) to be eligible.

Key considerations

• Comprehensive mailstream identification: Ensure all mailstreams, including less obvious ones like HR, payroll, or internal system notifications, are properly authenticated. Missing any can lead to deliverability issues once DMARC is enforced.
• Gradual policy escalation: The transition from p=none to p=quarantine and then p=reject should be a measured process, often taking several months, to allow for adjustments and mitigate risks.
• Understanding DMARC reports: Leverage DMARC aggregate reports effectively. Tools that simplify these XML reports are highly recommended to accurately assess authentication status and identify spoofing attempts.
• Leveraging external resources: Refer to authoritative sources like DMARC.org for detailed explanations and best practices regarding DMARC implementation and its prerequisites for BIMI.
• Potential for issues: Be prepared for issues such as DKIM signature failures or SPF mismatches, which require careful troubleshooting and adjustments to mail generation processes.

Key findings

• DMARC is a prerequisite: BIMI leverages the existing DMARC protocol, requiring that email messages pass DMARC authentication checks before displaying brand-controlled logos.
• Enforcing DMARC policy: To be eligible for BIMI, the DMARC policy for the sending domain (or organizational domain) must be set to p=quarantine or p=reject, ideally at 100% enforcement.
• Authentication alignment: DMARC requires either SPF or DKIM to align with the From domain. This is a fundamental concept for DMARC to authenticate messages effectively.
• SVG format specifics: BIMI explicitly requires logos to be in SVG Tiny 1.2 format, hosted on a secure (HTTPS) server, and often with specific dimensions and formatting guidelines for optimal display.
• Verified Mark Certificate (VMC): For many participating email clients, a VMC, issued by a trusted Certificate Authority (CA), is required to prove ownership of the logo and associated brand, adding an extra layer of trust.

Key considerations

• DMARC record structure: Properly structuring the DMARC TXT record in DNS, including tags like p (policy), rua (aggregate reports), and ruf (forensic reports), is critical for effective monitoring and enforcement. You can learn more about DMARC tags here.
• Gradual policy rollout: Documentation often advises a phased approach (starting with p=none, then p=quarantine, then p=reject) to ensure legitimate mail is not impacted. This is a common recommendation across various guides, including those discussing BIMI implementation requirements.
• Subdomain handling: The DMARC policy for the organizational domain generally needs to be at enforcement for BIMI to function, even if a subdomain is used for sending. This is a key detail for proper setup.
• Official source: The BIMI Group FAQs for Senders & ESPs serves as a primary source for understanding BIMI requirements and how it interacts with DMARC.