Suped

How to implement BIMI on a subdomain without affecting the main domain or transactional emails?

Matthew Whittaker
Co-founder & CTO, Suped
Published 17 Apr 2025
Updated 16 Aug 2025
Implementing Brand Indicators for Message Identification (BIMI) is a powerful way to boost brand recognition and trust in the inbox. However, many organizations struggle with how to deploy BIMI on a subdomain, specifically for marketing emails, without inadvertently affecting their main domain or critical transactional email streams. It's a common concern that the corporate logo might replace individual employee profile pictures in email clients like Gmail, or that a single BIMI record might apply where it's not intended. I often hear questions about managing this delicate balance.
The key lies in understanding how BIMI interacts with your Domain Name System (DNS) and email authentication protocols. Unlike some other email standards, BIMI's visibility is tied directly to the domain or subdomain from which an email is authenticated and sent, not just the organizational domain. This means that with careful configuration, you can achieve precise control over where your brand logo appears.

The role of subdomains in BIMI strategy

When we talk about implementing BIMI on a subdomain without affecting the main domain, we're primarily leveraging the inherent separation that subdomains offer in email sending. Subdomains are crucial for maintaining sender reputation. By segmenting your email traffic, such as sending marketing emails from marketing.yourdomain.com and transactional emails from transactional.yourdomain.com, you isolate their sending reputations. This means a deliverability issue (like a blocklist placement) on your marketing subdomain won't necessarily impact your crucial transactional emails.
This principle extends to BIMI. BIMI is designed to work with domains that have strong email authentication, specifically DMARC with an enforced policy of p=quarantine or p=reject. Each domain or subdomain you wish to enable BIMI for must meet these DMARC requirements independently. Therefore, if you only want BIMI on a specific subdomain, you configure the BIMI record on that subdomain.
The Brand Indicators for Message Identification (BIMI) protocol itself does not inherently specify which email addresses within a domain or subdomain should display the logo, as stated by the BIMI Group FAQs. It functions based on the authenticated domain. So, if your marketing emails are sent from marketing.yourdomain.com and you configure BIMI there, only emails authenticated for that subdomain will show the logo. This keeps your main domain, yourdomain.com, unaffected, allowing employees' profile pictures to display as usual or for transactional emails to operate with their own logo or no logo.

Understanding BIMI records versus VMC scope

A common point of confusion arises with the Verified Mark Certificate (VMC). While the VMC itself validates your logo for a specific domain (or domains, if it's a wildcard VMC), it doesn't dictate where your BIMI logo will appear. The VMC is linked within your BIMI DNS TXT record. This BIMI record is the actual instruction that mailbox providers follow to display your logo. If you acquire a VMC for your main domain, yourdomain.com, you can still use that VMC in a BIMI record published only on a subdomain, say marketing.yourdomain.com.
The critical step is ensuring that the BIMI DNS record points specifically to the subdomain where you want the logo to appear. This is how you control the display without affecting your main domain or other subdomains. For instance, if your internal communications use the main domain, their profile pictures will remain. If your transactional emails use a separate subdomain, you can choose to apply BIMI there too, or not, as per your brand strategy. Understanding how BIMI VMC certificates function with subdomains is crucial here.
The challenge typically comes if a single VMC is issued for the main domain and then BIMI is configured for the main domain. If your BIMI record is on the organizational domain level, it will apply to all emails sent from that domain and any subdomains that inherit its DMARC policy, which can lead to unintended logo displays. The goal is to ensure the BIMI record lives solely on the intended subdomain.

Step-by-step BIMI implementation for subdomains

The first step for any BIMI implementation, whether on a main domain or subdomain, is to ensure robust email authentication. This includes properly configured SPF, DKIM, and DMARC. For BIMI, your DMARC policy for the specific sending domain or subdomain must be at an enforcement level, p=quarantine or p=reject. If it's at p=none, BIMI will not display.
To apply BIMI only to a subdomain, you must ensure that this subdomain has its own DMARC record that meets the enforcement requirement. While DMARC is often set at the organizational level, it can also be configured specifically for subdomains. You should review your DMARC reports to confirm that the subdomain you intend to use for BIMI is consistently passing authentication checks and has sufficient volume before moving to an enforced policy. You can learn more about how to safely transition your DMARC policy.
Once DMARC for the subdomain is at enforcement, you can create your BIMI TXT record. Publish this record directly under the subdomain whose mail should display the logo. For example, if your marketing emails are sent from marketing.yourdomain.com, your BIMI record would be placed at default._bimi.marketing.yourdomain.com.
Example BIMI TXT record for a subdomain
default._bimi.marketing.yourdomain.com. IN TXT "v=BIMI1;l=https://marketing.yourdomain.com/bimi/logo.svg;a=https://marketing.yourdomain.com/bimi/vmc.pem"
This configuration ensures that only emails properly authenticated and sent from marketing.yourdomain.com will display the BIMI logo, leaving your main domain and other transactional subdomains unaffected.
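The checks in this section, written out as an added example (not Suped's code): it walks a constructed set of TXT records for the page's example names and reports whether mail from each From domain is eligible to show a logo. The function names, the `org` parameter and the records are assumptions; the sketch ignores alignment, pct= and VMC validation, and follows the BIMI lookup's fallback from the From domain to the organizational domain.

```python
# Constructed TXT records for the page's example names (not real DNS data).
ZONE = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject",
    "_dmarc.marketing.yourdomain.com": "v=DMARC1; p=quarantine",
    "default._bimi.marketing.yourdomain.com":
        "v=BIMI1;l=https://marketing.yourdomain.com/bimi/logo.svg;"
        "a=https://marketing.yourdomain.com/bimi/vmc.pem",
}

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict of lower-cased tag names."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_policy(zone, domain, org):
    """Policy applied to `domain`: its own p=, else the org record's sp= or p=."""
    own = zone.get(f"_dmarc.{domain}")
    if own:
        return parse_tags(own).get("p", "none").lower()
    tags = parse_tags(zone.get(f"_dmarc.{org}", ""))
    return tags.get("sp", tags.get("p", "none")).lower()

def bimi_record(zone, domain, org, selector="default"):
    """(name, tags) of the BIMI record used for `domain`: its own, else the org's."""
    for name in (f"{selector}._bimi.{domain}", f"{selector}._bimi.{org}"):
        tags = parse_tags(zone.get(name, ""))
        if tags.get("v") == "BIMI1":
            return name, tags
    return None

def logo_eligible(zone, domain, org="yourdomain.com"):
    """Return (eligible, reason) for mail whose From domain is `domain`."""
    policy = dmarc_policy(zone, domain, org)
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC policy is {policy}"
    found = bimi_record(zone, domain, org)
    if found is None:
        return False, "no BIMI record"
    if not found[1].get("l"):  # an empty l= publishes no logo
        return False, "record declines to publish a logo"
    return True, found[0]

if __name__ == "__main__":
    for d in ("marketing.yourdomain.com", "transactional.yourdomain.com", "yourdomain.com"):
        print(d, logo_eligible(ZONE, d))
```

Adding a record at default._bimi.yourdomain.com to the same data makes transactional.yourdomain.com eligible as well, because it has no BIMI record of its own and inherits the enforced DMARC policy.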

Maintaining main domain and transactional email integrity

One of the primary reasons for using subdomains is to segment email types, which is a key email deliverability best practice. This isolation helps manage domain reputation and prevents one email stream (e.g., promotional blasts) from negatively impacting another (e.g., password resets). When you implement BIMI on a specific subdomain, you maintain this separation. Your main domain and any subdomains not configured with a BIMI record will continue to function as they did before, without displaying the logo.
If your transactional emails are sent from your main domain or a different subdomain, and you also want BIMI for those, you would need to implement a separate BIMI record for that specific sending domain or subdomain, ensuring its DMARC policy is also enforced. This allows for flexibility in your branding strategy across different email types. I recommend exploring our guide on using subdomains to protect reputation.
Be mindful of how email clients, such as Gmail and Yahoo Mail, handle BIMI logos versus individual user profile pictures. Typically, if a domain has a valid BIMI record and the email meets all authentication requirements, the BIMI logo will take precedence over a user's personal profile picture for that specific email. However, by isolating BIMI to a marketing subdomain, you ensure that this behavior does not affect internal email communication where personal profile pictures are preferred.

Marketing emails

  1. Purpose: Sent from marketing.yourdomain.com, intended to display brand logo via BIMI.
  2. BIMI record: Published directly on marketing.yourdomain.com (e.g., default._bimi.marketing.yourdomain.com).
  3. DMARC policy: Must be enforced (p=quarantine or p=reject) for the marketing subdomain.
  4. VMC: Can be for the main domain if it covers the subdomain.

Transactional emails

  1. Purpose: Sent from main domain yourdomain.com or transactional.yourdomain.com.
  2. BIMI record: No BIMI record on yourdomain.com if BIMI not desired there. If desired for transactional, publish a separate BIMI record on transactional.yourdomain.com.
  3. DMARC policy: Must be enforced on the respective transactional domain/subdomain.
  4. Outcome: Employee profile pictures or no logo (if no BIMI) for internal emails; transactional emails display logo if configured on their dedicated subdomain.

Strategic separation for optimal results

To effectively implement BIMI on a subdomain without impacting your main domain or transactional emails, you need a clear strategy and careful DNS management. Here's a table summarizing the strategic approach:

| Aspect | Main domain / transactional emails | Marketing subdomain with BIMI |
| --- | --- | --- |
| Sending domain | yourdomain.com or transactional.yourdomain.com | marketing.yourdomain.com |
| DMARC policy | Should be at p=quarantine or p=reject. | Must be at p=quarantine or p=reject. |
| BIMI TXT record | No BIMI record, or a separate one if BIMI is desired for transactional email with its own distinct logo or VMC. | Publish the BIMI record on this specific subdomain only. |
| Logo display | Retains employee profile pictures (if any) or no brand logo if BIMI isn't configured. | Displays the brand logo in Gmail, Yahoo Mail, and other supported clients. |

This compartmentalized approach helps ensure that your email ecosystem remains robust, with each component serving its intended purpose without unintended side effects. Using a dedicated subdomain for marketing emails, with its own BIMI configuration, is a strategic move for brands that want to maximize brand visibility without compromising the integrity or reputation of their core communication channels.

Views from the trenches

Best practices
Ensure your DMARC policy for the subdomain is at 'quarantine' or 'reject' before publishing BIMI.
Use a subdomain specifically for marketing emails to isolate BIMI implementation and reputation.
Confirm that your Verified Mark Certificate (VMC) covers the exact domain or subdomain where the BIMI record is published.
Test BIMI display across different email clients to ensure consistent brand logo visibility.
Regularly monitor your DMARC reports for the BIMI-enabled subdomain to ensure proper authentication alignment.
Common pitfalls
Publishing the BIMI record on the organizational (main) domain instead of the desired subdomain.
Using a DMARC policy of 'p=none' for the BIMI-enabled domain or subdomain, which prevents logo display.
Expectations that a BIMI logo will override user profile pictures for all email addresses under the main domain.
Assuming a VMC for the main domain automatically applies BIMI to all subdomains without proper DNS records.
Neglecting to align your SVG logo and VMC according to BIMI specifications, leading to validation failures.
Expert tips
If your VMC is for the main domain, ensure your BIMI TXT record on the subdomain correctly references it for validation.
Consider how BIMI selectors can differentiate logos for various subdomains or campaigns under a single VMC.
Remember that the BIMI record's placement in DNS dictates where the logo is attempted to be displayed, not the VMC.
If transactional emails also require a logo, create a separate subdomain for them and implement BIMI accordingly.
For very specific control, some mailboxes allow a profile picture to override a BIMI logo, but this is client-dependent.
Marketer view
Marketer from Email Geeks says that initially, BIMI was reported to replace employee profile pictures in Gmail, but that behavior seems to have been updated.
2022-05-06 - Email Geeks
Expert view
Expert from Email Geeks says that the BIMI protocol does not specify which addresses should get logos; it applies to any mail authenticated by the domain.
2022-05-06 - Email Geeks

Achieving precise brand control

Implementing BIMI on a subdomain without affecting your main domain or transactional emails is entirely achievable with careful planning and precise DNS configuration. By understanding the distinction between your VMC and your BIMI DNS record, and by leveraging the power of subdomains for email segmentation, you can ensure your brand logo appears exactly where you intend it to. This approach not only enhances brand visibility for your marketing efforts but also safeguards the deliverability and professional appearance of your essential transactional communications.
Always prioritize strong email authentication for all your sending domains and subdomains, and regularly monitor your DMARC reports to ensure compliance and optimal performance. This proactive management will prevent potential blocklist issues (or blacklist issues) and help maintain a positive sender reputation across your entire email sending infrastructure.
