
How do I set up DMARC for BIMI and what are the key considerations?

Michael Ko
Co-founder & CEO, Suped
Published 9 Jul 2025
Updated 15 Aug 2025
9 min read
Getting your brand logo to appear next to your messages in recipients' inboxes through Brand Indicators for Message Identification (BIMI) is a powerful way to build trust and boost engagement. However, the path to BIMI starts with a strong foundation in email authentication, specifically with Domain-based Message Authentication, Reporting, and Conformance (DMARC). Many people ask me about this setup, and it's certainly an area where attention to detail pays off.
It’s not just about enabling a feature, it’s about solidifying your domain’s reputation and ensuring that your legitimate emails are recognized and delivered. Missteps in DMARC configuration can lead to significant deliverability issues, like emails being sent to spam folders or even being outright rejected. I've seen organizations struggle with this when they rush the process, so taking a methodical approach is key.
The implementation requires careful planning and continuous monitoring. You need to understand how DMARC interacts with other authentication protocols, like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and what specific policy settings are necessary for BIMI eligibility. Let's walk through the process, covering the essential steps and important considerations to ensure a smooth setup.

The prerequisites: SPF and DKIM alignment

Before you can even think about DMARC for BIMI, you need to have a robust setup for SPF and DKIM. These are the foundational email authentication protocols that DMARC builds upon. SPF allows you to specify which mail servers are authorized to send email on behalf of your domain, while DKIM adds a digital signature to your outgoing emails, verifying that the message hasn't been tampered with and is indeed from your domain.
Critically, for DMARC to pass authentication, either SPF or DKIM (or both) must align with your From: header domain. This alignment is what DMARC checks. If your SPF or DKIM records are not correctly set up, or if your sending sources aren't aligning, DMARC will fail, and your emails could be subjected to stricter handling by recipient mail servers. This is a common pitfall I've seen, where organizations believe SPF and DKIM are set up, but alignment issues prevent DMARC from passing.
You also need to ensure that SPF and DKIM are deployed across all your mail streams. This includes not just your primary marketing emails, but also transactional emails, corporate emails, and any third-party services (like HR or payroll systems) that send email on behalf of your domain. Many domains have overlooked mail streams, which can cause significant issues when DMARC moves to an enforcement policy. For a deeper dive into these protocols, consider reviewing a simple guide to DMARC, SPF, and DKIM.
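The alignment rule above is the part most often misunderstood, so here it is worked through in code. This is an added illustration, not code from the article or from Suped: it evaluates the DMARC verdict for one message from the SPF result (with the envelope-sender domain SPF checked), the DKIM result (with the signature's d= domain) and the aspf/adkim alignment modes. The organizational_domain helper is a deliberate simplification (last two labels) and is labelled as such; real verifiers use the Public Suffix List.

```python
"""DMARC identifier alignment, worked through in code.

Added illustration, not Suped's code. DMARC passes for a message when at least
one mechanism both authenticates (SPF or DKIM result "pass") AND aligns with the
RFC5322.From domain. The alignment mode comes from the aspf/adkim tags of the
DMARC record: "r" (relaxed, the default) accepts any domain that shares the From
domain's organizational domain; "s" (strict) requires an exact match.
"""


def organizational_domain(domain: str) -> str:
    """Simplified organizational-domain derivation: keep the last two labels.

    Assumption of this example: real verifiers consult the Public Suffix List,
    so that 'mail.example.co.uk' maps to 'example.co.uk'. This shortcut gets
    such multi-label public suffixes wrong and is only for illustration.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Return True when auth_domain aligns with from_domain under mode 'r' or 's'."""
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


def dmarc_verdict(from_domain: str,
                  spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str,
                  aspf: str = "r", adkim: str = "r") -> dict:
    """Evaluate DMARC for one message.

    spf_domain is the RFC5321.MailFrom (envelope sender) domain that SPF checked;
    dkim_domain is the d= tag of the DKIM signature that verified.
    """
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Constructed scenarios, not real traffic.
    # 1. An ESP uses its own bounce domain in MAIL FROM but signs with your DKIM key:
    #    SPF passes without aligning, DKIM passes and aligns -> DMARC pass.
    print(dmarc_verdict("yourdomain.com", "pass", "bounce.esp-vendor.example",
                        "pass", "yourdomain.com"))
    # 2. The classic pitfall: SPF and DKIM both pass, but for the vendor's domain,
    #    so nothing aligns with From -> DMARC fail although "SPF and DKIM are set up".
    print(dmarc_verdict("yourdomain.com", "pass", "esp-vendor.example",
                        "pass", "esp-vendor.example"))
    # 3. Strict SPF alignment rejects a subdomain in MAIL FROM that relaxed accepts.
    print(dmarc_verdict("yourdomain.com", "pass", "bounce.yourdomain.com",
                        "none", "", aspf="s"))
```

Scenario 2 is the "we have SPF and DKIM, why does DMARC fail?" case from the paragraph above: both mechanisms pass, but for the vendor's domain, so neither identifier aligns with the From: domain.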

Implementing DMARC with a monitoring policy (p=none)

Once SPF and DKIM are established, the next crucial step is to deploy your DMARC record. The initial, and safest, approach is to start with a DMARC policy of p=none. This policy tells receiving mail servers to collect data and send DMARC reports (aggregate RUA reports in XML and, where the receiver supports them, failure/forensic RUF reports) without taking any enforcement action against emails that fail DMARC authentication.
These reports are invaluable. They provide a comprehensive overview of all email streams originating from your domain, showing which emails are passing or failing SPF and DKIM authentication, and more importantly, why. This is how you identify any missed mail streams that aren't properly authenticated. You'll need to analyze these reports over an extended period, typically at least three months, to gain a clear picture of your email ecosystem and ensure all legitimate senders are authenticating correctly. This continuous monitoring is a critical part of the DMARC journey, and you can learn more about understanding and troubleshooting DMARC reports.
During this monitoring phase, you should focus on resolving any authentication failures. This might involve adjusting SPF records, generating new DKIM keys for specific sending services, or configuring third-party senders to align with your domain. The goal is to achieve near 100% legitimate email authentication before moving to a stricter DMARC policy. This process of iteratively refining your authentication setup based on report data is paramount for DMARC, and subsequently BIMI, success.
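To make the report-analysis step concrete, here is a small aggregate-report (RUA) summarizer. It is an added example, not code from the article or from Suped; the embedded XML is constructed to follow the RFC 7489 aggregate-report schema and is not a real report. It separates the three kinds of source you meet during the p=none phase: sources that pass DMARC, sources that authenticate but do not align (a legitimate sender that still needs fixing before enforcement), and sources where nothing passes.

```python
"""Summarize a DMARC aggregate (RUA) report and classify each sending source.

Added example, not Suped's code. SAMPLE_RUA is constructed to follow the
RFC 7489 aggregate-report schema; it is not a real report. During the p=none
phase three source classes matter:
  pass            - an aligned SPF or DKIM result passed (DMARC pass)
  unaligned       - SPF/DKIM passed, but only for another domain: a legitimate
                    sender that must be fixed before enforcement
  unauthenticated - nothing passed: an unknown sender, or spoofing
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1720483200</begin><end>1720569600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>payroll-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.payroll-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify_record(rec):
    """Aligned results live in policy_evaluated; raw per-domain results in auth_results."""
    row = rec.find("row")
    evaluated = row.find("policy_evaluated")
    aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
    raw_passes = [(m.tag, m.findtext("domain"))
                  for m in rec.find("auth_results") if m.findtext("result") == "pass"]
    status = "pass" if aligned else ("unaligned" if raw_passes else "unauthenticated")
    return {"source_ip": row.findtext("source_ip"), "count": int(row.findtext("count")),
            "status": status, "raw_passes": raw_passes}


def summarize(xml_text):
    """Return per-source classification plus message totals per status."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources = [classify_record(rec) for rec in root.findall("record")]
    totals = Counter()
    for src in sources:
        totals[src["status"]] += src["count"]
    total = sum(totals.values())
    return {"domain": published.findtext("domain"), "policy": published.findtext("p"),
            "sources": sources, "totals": dict(totals),
            "pass_rate": totals["pass"] / total if total else 0.0}


if __name__ == "__main__":
    report = summarize(SAMPLE_RUA)
    print(f"{report['domain']} (p={report['policy']}): pass rate {report['pass_rate']:.1%}")
    for src in report["sources"]:
        print(f"  {src['source_ip']:<15} {src['count']:>5}  {src['status']:<15} {src['raw_passes']}")
```

The "unaligned" bucket is the one to work through before moving off p=none: in the constructed report it is the payroll vendor, which signs and passes SPF for its own domain and therefore would start being quarantined or rejected the moment the policy is raised.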

Advancing to enforcement and BIMI requirements

After a thorough monitoring period and once you're confident that all your legitimate email streams are passing DMARC authentication, you can gradually escalate your DMARC policy to p=quarantine or p=reject. This is a critical step because BIMI specifically requires your DMARC policy to be at an enforcement level. A p=none policy is not sufficient for BIMI to display your logo.
The pct tag (percentage of messages to which the DMARC policy applies) is another important consideration. For BIMI to work, the pct value must be 100. This ensures that the DMARC policy is applied to all emails sent from your domain, giving receivers full confidence in your authentication. If you are still in a phased rollout of DMARC, increasing the pct gradually is a good strategy, but remember that BIMI won't activate until it reaches 100. You can review more about DMARC requirements for BIMI and the pct tag.
Once your DMARC policy is at enforcement (p=quarantine or p=reject with pct=100), you can proceed with the other BIMI requirements. These typically include having a trademarked logo in an SVG Tiny 1.2 format, hosting it at a secure URL (HTTPS), and obtaining a Verified Mark Certificate (VMC) or a Certified Mark Certificate (CMC) from a trusted certificate authority. The VMC links your trademarked logo to your authenticated domain, providing an extra layer of trust for mailbox providers.

Key considerations for a robust DMARC for BIMI setup

Setting up DMARC for BIMI involves several critical considerations that extend beyond simply publishing a DNS record. These factors can significantly impact your success and email deliverability.

DNS record syntax

The DMARC record itself is a TXT record published in your domain's DNS at the _dmarc subdomain (for example _dmarc.yourdomain.com). It defines your policy for handling unauthenticated emails and specifies where to send aggregate (RUA) and forensic (RUF) reports. Make sure to use the correct syntax and include all necessary tags like v=DMARC1, p, rua, and ruf (if desired). Incorrect syntax can lead to your DMARC record not being read or processed correctly by recipient mail servers.
For example, a basic DMARC record might look like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:dmarc_forensics@yourdomain.com; adkim=r; aspf=r;
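The following script ties the syntax section above to the enforcement and pct requirements from the earlier section: it parses a DMARC TXT record and checks the policy conditions this article lists for BIMI (p at quarantine or reject, pct at 100, and the organizational domain not weakening its subdomain policy). It is an added example, not code from the article or from Suped. It performs no DNS lookup; you pass in the record text, for instance the output of `dig +short TXT _dmarc.yourdomain.com` with the surrounding quotes removed. The sp check is an assumption of this example drawn from the article's subdomain caution; verify the exact rule against the current BIMI specification.

```python
"""Parse a DMARC TXT record and check the policy conditions the article lists for BIMI.

Added example, not Suped's code. No DNS lookup is done: pass the record text in.
Checks, following the article's text:
  - p must be quarantine or reject (p=none is not enforcement)
  - pct must be 100; the DMARC default when pct is omitted is 100, so an
    absent pct is acceptable
  - on the organizational domain an explicit sp=none would exempt subdomains
    from enforcement; this check is an assumption of the example, verify it
    against the current BIMI specification
"""

ENFORCEMENT = ("quarantine", "reject")

# Constructed records: the article's example plus variants that each miss one condition.
SAMPLE_RECORDS = {
    "article_example": ("v=DMARC1; p=quarantine; rua=mailto:dmarc_reports@yourdomain.com; "
                        "ruf=mailto:dmarc_forensics@yourdomain.com; adkim=r; aspf=r;"),
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com",
    "partial_rollout": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc_reports@yourdomain.com",
    "weak_subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc_reports@yourdomain.com",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; the record must begin with v=DMARC1."""
    tags = {}
    for index, part in enumerate(record.split(";")):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' and empty segments
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if index == 0 and (key != "v" or value != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[key] = value
    if tags.get("v") != "DMARC1":
        raise ValueError("missing v=DMARC1")
    return tags


def bimi_readiness(record: str, organizational_domain: bool = True) -> dict:
    """Return {'ok': bool, 'issues': [BIMI-blocking findings], 'warnings': [advisory findings]}."""
    tags = parse_dmarc(record)
    issues, warnings = [], []

    p = tags.get("p")
    if p is None:
        issues.append("no p tag: the record publishes no policy")
    elif p not in ENFORCEMENT:
        issues.append(f"p={p} is not an enforcement policy (need quarantine or reject)")

    pct = tags.get("pct", "100")  # DMARC default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) != 100:
        issues.append(f"pct={pct}: BIMI needs the policy applied to 100% of mail")

    # sp defaults to p, so only an explicit sp can weaken subdomain handling.
    if organizational_domain and "sp" in tags and tags["sp"] not in ENFORCEMENT:
        issues.append(f"sp={tags['sp']}: subdomains of the organizational domain are not at enforcement")

    for mode_tag in ("adkim", "aspf"):
        if tags.get(mode_tag, "r") not in ("r", "s"):
            issues.append(f"{mode_tag}={tags[mode_tag]} is not a valid alignment mode")

    if "rua" not in tags:
        warnings.append("no rua tag: you will receive no aggregate reports to monitor the rollout")

    return {"ok": not issues, "issues": issues, "warnings": warnings}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = bimi_readiness(record)
        print(f"{name}: {'READY' if result['ok'] else 'NOT READY'}")
        for line in result["issues"] + result["warnings"]:
            print(f"    - {line}")
```

Run against the article's own example record the check passes: pct is omitted, which DMARC treats as 100, and sp is omitted, which inherits p=quarantine.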

Impact on deliverability and blocklists

Transitioning your DMARC policy from p=none to p=quarantine or p=reject is a significant step. If legitimate emails fail DMARC authentication after this transition, they could be quarantined (sent to spam or junk folders) or rejected outright. This directly impacts your email deliverability and could lead to your domain being put on a blocklist (or blacklist). I cannot stress enough the importance of thoroughly analyzing DMARC reports during the p=none phase to prevent any unintended disruptions. Understanding what happens when your domain is on an email blacklist is crucial here.

Subdomains and organizational domains

BIMI requirements often extend to the organizational domain (your root domain) as well as the specific subdomain you are sending from. For example, if you send from emails.yourdomain.com, your root domain yourdomain.com might also need a DMARC policy at enforcement for BIMI to function correctly. This is an important detail that is sometimes overlooked, particularly for larger organizations with complex email infrastructures.

Views from the trenches

Best practices
Start with DMARC p=none and monitor reports for a minimum of 3 months to identify all email sending sources.
Ensure all legitimate email streams achieve DMARC alignment through SPF or DKIM before moving to enforcement.
Gradually increase the DMARC pct tag, allowing time to monitor for unexpected deliverability issues.
Obtain a Verified Mark Certificate (VMC) for your trademarked logo to satisfy strict BIMI requirements from major providers.
Keep your DMARC record and BIMI record updated in your DNS, and regularly check their validity.
Common pitfalls
Moving DMARC to p=quarantine or p=reject too soon, leading to legitimate emails being quarantined or rejected.
Missing unauthenticated mail streams (e.g., HR, payroll, older systems) during the DMARC monitoring phase.
Not aligning SPF or DKIM with the From: header domain, causing DMARC authentication failures.
Using a logo that isn't trademarked or not in the required SVG Tiny 1.2 format for BIMI.
Forgetting that both the subdomain and the organizational domain may need DMARC enforcement for BIMI.
Expert tips
Use DMARC reports to uncover hidden email senders that you didn't know were sending on your behalf.
Implement DMARC for every domain you own, even parked domains, to prevent unauthorized use.
Consider a DMARC management platform to simplify report analysis and policy enforcement.
Regularly check your domain's reputation and any blocklist (or blacklist) listings to proactively address issues.
Engage with your IT and marketing teams early to ensure a holistic approach to email authentication.
Expert view
Expert from Email Geeks says to deploy SPF and DKIM, ensuring both are aligned with the From: address being used, across all mailstreams before DMARC deployment.
2020-03-27 - Email Geeks
Expert view
Expert from Email Geeks says to deploy DMARC in p=none mode and monitor feedback reports for at least three months to identify any missed mail streams and fix authentication issues.
2020-03-27 - Email Geeks

Putting it all together for BIMI success

Setting up DMARC for BIMI isn't a quick fix, but a strategic investment in your email deliverability and brand presence. It demands a phased approach, starting with a robust foundation of SPF and DKIM, followed by careful DMARC monitoring at p=none, and then a gradual, informed transition to enforcement policies.
The key considerations boil down to meticulous authentication setup, thorough report analysis, and understanding that BIMI requires a DMARC policy of p=quarantine or p=reject with pct=100. By carefully navigating these steps, you not only unlock the visual branding benefits of BIMI but also significantly enhance your email security, protect your brand from phishing, and improve overall email deliverability. This proactive approach ensures your emails consistently reach the inbox, building stronger trust with your audience.
