How to apply BIMI to a specific subdomain instead of the entire domain?

Key findings

• Subdomain specificity: BIMI records can be published directly on a subdomain. If a BIMI record is found at the subdomain level, mailbox providers will use it, even if a record is not present or desired at the organizational domain level.
• Overriding default behavior: Although BIMI can cascade from a parent domain, a specific BIMI record on a subdomain will override any inherited settings, ensuring only the desired logo is displayed for emails sent from that subdomain. You can learn more about this in our guide on how to implement BIMI on a subdomain.
• DMARC prerequisite: For BIMI to function on a subdomain, a DMARC policy must be enforced (set to quarantine or reject) for that specific subdomain. This is a non-negotiable requirement for BIMI adoption. For details, see BIMI Group's FAQs.

Key considerations

• DNS record placement: To apply BIMI only to a subdomain, the BIMI TXT record must be placed directly at the subdomain level (e.g., default._bimi.subdomain.yourdomain.com) rather than the main domain. This is critical for targeted application.
• Authentication alignment: Ensure that SPF, DKIM, and DMARC are all correctly configured and aligned for the specific subdomain. A misconfiguration in any of these will prevent BIMI from displaying. For more help, check out how to set up DMARC for BIMI.
• VMC certificate validation: If using a Verified Mark Certificate (VMC), ensure the certificate covers the specific subdomain. Moving the BIMI record to the subdomain should not inherently break a valid VMC that covers the relevant domain scope.
• Single BIMI record: At the end of the setup, there should only be one BIMI record in your DNS for the desired subdomain, formatted correctly.

Key opinions

• Complexity challenges: Marketers frequently report that BIMI implementation, particularly for subdomain-specific application, is more complicated than initially assumed, often requiring significant technical team involvement.
• Main domain conflicts: Initial attempts to implement BIMI on a main domain can lead to unforeseen issues, prompting a shift towards subdomain-only application to mitigate broader impacts, for instance, related to personal avatars.
• Selective branding: There's a strong desire among marketers to apply BIMI selectively to subdomains to manage distinct brand identities or different types of email communications (e.g., marketing versus transactional emails) without affecting the parent domain.
• Validation and troubleshooting: Concerns arise when subdomain BIMI setups initially fail, leading marketers to seek confirmation on whether partial functionality is possible or how to achieve full validation. Tools like email deliverability testers can help.

Key considerations

• Dedicated subdomain record: Marketers should ensure the BIMI DNS TXT record is explicitly defined for the subdomain (e.g., default._bimi.subdomain.example.com) and that no conflicting records exist on the main domain if the intent is subdomain-only application.
• DMARC enforcement at subdomain: It is crucial to have a DMARC policy at an enforcement level (quarantine or reject) for the specific subdomain. This is a foundational requirement for BIMI to display. Consider our free DMARC record generator tool.
• Logo hosting and VMC: The SVG logo file must be publicly accessible via HTTPS, and if a VMC is used, it needs to be correctly linked and cover the subdomain in question. This often involves coordination with IT teams and Certificate Authorities.
• Testing and monitoring: After implementing, thorough testing across various mailbox providers is essential to ensure the BIMI logo displays correctly. Ongoing monitoring of DMARC reports can also help identify any issues.

Key opinions

• Default trickle-down behavior: Experts confirm that BIMI, by default, applies to subdomains from the apex (top) level if a record exists there, which can sometimes lead to unintended broad application. However, BIMI can also be set up at the subdomain level. We discuss this in does a parent domain need BIMI.
• Subdomain record placement: To achieve subdomain-only BIMI, experts advise moving the BIMI DNS record to the specific subdomain level. This targeted placement ensures the logo only appears for emails originating from that subdomain.
• VMC compatibility: It has been affirmed that placing the BIMI record on a subdomain does not break a Verified Mark Certificate (VMC), provided the VMC's scope covers the domain and its subdomains correctly.
• Future enhancements: There is anticipation for future options that would allow domain administrators to define explicit preferences for BIMI application across different levels of their domain hierarchy, offering more control.

Key considerations

• Single active record: For subdomain-specific BIMI, only one BIMI record should exist in the DNS for the targeted subdomain (e.g., default._bimi.sub.domain.com). Having multiple or conflicting records can lead to issues.
• DMARC enforcement: Crucially, the DMARC policy for the subdomain must be set to an enforcement policy (quarantine or reject) for BIMI to display. This is a foundational requirement for all BIMI implementations, whether for main domains or subdomains. For further reading, check out whether BIMI requires DMARC at organizational level.
• DNS propagation and caching: Changes to DNS records require time to propagate across the internet. Experts caution patience and suggest using DNS lookup tools to verify the record has updated globally.
• Ongoing alignment: Maintaining proper SPF, DKIM, and DMARC alignment for the subdomain is vital. Any changes to sending infrastructure or email service providers require a review of these records to ensure continued BIMI compliance.

Key findings

• Subdomain publishing: BIMI documentation explicitly states that domain administrators can publish a BIMI record on a subdomain. Mailbox providers will prioritize and use this subdomain-specific record.
• DMARC enforcement: A DMARC policy at an enforcement level (quarantine or reject) is a mandatory requirement for the subdomain where BIMI is being implemented. Without this, BIMI will not display.
• DNS record structure: The BIMI record is a TXT record that must be placed at default._bimi.subdomain.yourdomain.com to apply to a specific subdomain.
• VMC considerations: If a Verified Mark Certificate (VMC) is used, it must be properly linked in the BIMI record and validated to cover the specific subdomain. The SSL Store highlights this necessity.

Key considerations

• Authentication alignment: Comprehensive alignment of SPF and DKIM with the DMARC policy for the subdomain is crucial. Mailgun's documentation emphasizes this foundational step.
• Logo format and hosting: The logo must be in SVG format and hosted on a secure (HTTPS) server, with the URL included in the BIMI TXT record. This ensures accessibility and security.
• Excluding organizational domain: Documentation confirms that you can publish BIMI solely on a subdomain if you do not want the organizational domain to display a logo or if you wish to restrict which subdomains display one. Kickbox provides insights on understanding BIMI.
• DNS zone integration: The created BIMI record must be correctly integrated into the subdomain's DNS zone as a TXT record, ensuring proper syntax and no conflicting entries.