Implementing Brand Indicators for Message Identification (BIMI) on a subdomain can be a strategic move for brands seeking to display their logo in recipient inboxes for specific email streams, such as marketing campaigns, without affecting other email types like transactional messages or internal employee communications. However, navigating the nuances of BIMI implementation across a complex domain structure requires careful attention to DNS records and certificate management. This summary explores how to achieve this segmentation, addressing common challenges and providing practical guidance for maintaining brand consistency while leveraging subdomains for enhanced email deliverability.
Key findings
Domain specificity: BIMI is inherently tied to the sending domain. For a logo to appear, the BIMI record must be published on the specific domain or subdomain from which emails are sent.
VMC scope: A Verified Mark Certificate (VMC) is typically issued for an organizational domain, but its validity can extend to subdomains if specified during the certificate issuance process. The BIMI record then points to this VMC.
Separation capability: It is possible to apply BIMI to a subdomain (e.g., marketing.example.com) without affecting the main domain (example.com) or other subdomains by correctly placing the BIMI DNS TXT record at the desired subdomain level.
Transactional email impact: If a BIMI record is moved from the root domain to a subdomain, any emails sent directly from the root domain (including transactional emails) will no longer display the BIMI logo. This highlights the need for a deliberate strategy for each email stream.
Reputation isolation: Utilizing subdomains for email sending allows for separate reputation management, ensuring that issues with marketing emails on a subdomain do not negatively affect transactional or primary domain emails.
Key considerations
DNS management: The critical step is to publish the BIMI TXT record (e.g., default._bimi.subdomain.example.com) for the specific subdomain intended for BIMI display, rather than at the root.
VMC compatibility: Ensure that your VMC either includes the specific subdomain in its Subject Alternative Name (SAN) or is issued for the organizational domain that covers all relevant subdomains. Consult your Certificate Authority for proper VMC configuration.
Email stream segmentation: Clearly define which email types (marketing, transactional, internal) will be sent from which domains or subdomains. This segmentation dictates where BIMI should be applied.
DMARC enforcement: BIMI requires a DMARC policy of quarantine or reject at the domain level where BIMI is asserted. Review DMARC setup for BIMI.
Testing and validation: After making DNS changes, it's crucial to test across various email clients to confirm the logo appears as intended and does not unintentionally affect other email flows. The BIMI Group website provides valuable resources for understanding the standard and validating your setup.
What email marketers say
Email marketers often face a common dilemma when implementing BIMI: how to leverage its brand-enhancing benefits for specific email types, like marketing campaigns, without inadvertently applying the brand logo to internal communications or transactional emails. Discussions among marketers highlight the initial confusion and subsequent strategies employed to achieve this delicate balance. Key insights revolve around the domain-specific nature of BIMI and the necessity of precise DNS configuration to control logo display.
Key opinions
Unintended application: Many marketers initially observed BIMI logos appearing on employee email addresses or other unintended mail streams when the record was set at the organizational domain level.
Protocol limitations: The BIMI protocol itself does not provide a mechanism to specify which email addresses within an authenticated domain should display the logo; it applies broadly to all authenticated mail from that domain.
Subdomain configuration: It is generally agreed that placing the BIMI record on a specific subdomain allows for the intended logo display without affecting the primary domain or other subdomains.
Impact on root domain: If the BIMI record is moved from the root domain to a subdomain, any emails originating from the root domain will cease to display the logo, which can be problematic for transactional emails.
Segmentation benefits: Using subdomains for different email types (e.g., marketing, transactional) helps manage sender reputation and allows for isolated BIMI implementation.
Key considerations
Strategic placement: Marketers should decide precisely which email streams require BIMI and place the record accordingly to avoid unintended consequences.
VMC versus BIMI record: Understand that the VMC certifies the logo for the overall brand, while the BIMI DNS record directs mailbox providers to apply that logo to specific sending domains. This distinction is crucial for targeted implementation.
Dedicated subdomains: For transactional emails that need a BIMI logo, consider setting up a dedicated subdomain for them, separate from marketing emails, or manage the logo as a profile picture for specific addresses (though this offers less universal support).
Brand consistency: Evaluate the trade-offs of not having a logo on certain email types if BIMI is moved. Marketers should weigh the importance of segmenting sending domains against maintaining a consistent brand logo across all communications.
DNS provider experience: The specific steps for setting up BIMI on a subdomain's TXT record will depend on your DNS provider. Guides such as Email on Acid's implementation guide can be helpful.
Marketer view
An email marketer from Email Geeks reported that after implementing BIMI on Gmail, the logo was inadvertently applied to the company's employee email addresses. This indicates a potential broader application of BIMI than initially intended, affecting internal communications.
05 May 2022 - Email Geeks
Marketer view
A marketer from Selzy Blog suggests that by using a subdomain for email, separate DNS records for SPF, DKIM, and DMARC can be created and managed, allowing for independent reputation management for that subdomain.
22 Dec 2022 - Selzy Blog
What the experts say
Email deliverability experts offer precise technical guidance on how BIMI interacts with domain and subdomain structures, emphasizing the distinction between a Verified Mark Certificate (VMC) and the BIMI DNS record. Their insights are crucial for correctly segmenting BIMI implementation to ensure brand logos appear only where desired, particularly to safeguard transactional email streams and internal communications from unintended logo display.
Key opinions
VMC versus BIMI record: Experts clarify that the VMC serves as a certificate to verify the logo's validity, while the BIMI record itself is a DNS entry that dictates which domain or subdomain should display the logo.
Subdomain-specific BIMI: The consensus among experts is that to apply BIMI only to a subdomain, the BIMI Assertion Record (DNS TXT record) must be published specifically at the subdomain level (e.g., selector._bimi.subdomain.example.com).
VMC SAN requirements: For the BIMI assertion to validate, the VMC's Subject Alternative Name (SAN) must contain either the organizational domain or the specific subdomain where the BIMI record is published. DKIM setup on subdomains also follows similar principles for domain alignment.
Avoiding root domain impact: To prevent the BIMI logo from appearing on the main domain's email addresses, experts recommend ensuring no BIMI record exists at the root domain while placing it on the desired subdomain.
DMARC prerequisite: A robust DMARC policy, especially one set to quarantine or reject, is consistently highlighted as a non-negotiable requirement for BIMI to function. Setting up DMARC records for subdomains is a key step.
Key considerations
DNS accuracy: Double-check the precise placement of the BIMI TXT record in your DNS, ensuring it is at the desired subdomain level and not accidentally at the root.
VMC coverage: Before purchasing or renewing a VMC, confirm with your Certificate Authority that it will cover the specific subdomains where you intend to implement BIMI.
Separate email streams: If both transactional and marketing emails require a BIMI logo but are sent from different domains/subdomains, each will need its own correctly configured BIMI record and potentially a VMC that covers it.
Monitoring and troubleshooting: After implementation, continuously monitor DMARC reports to ensure BIMI alignment and proper logo display. If issues arise, a common cause is incorrect DNS setup for either the BIMI record or the VMC. Refer to authoritative sources like Word to the Wise or SpamResource for expert advice.
Expert view
An expert from Email Geeks clarified that the VMC (Verified Mark Certificate) is distinct from the BIMI record itself. The VMC's role is to verify the validity of the logo, while the BIMI record is a DNS entry that specifies which domain or subdomain should display the logo.
05 May 2022 - Email Geeks
Expert view
An expert from SpamResource emphasizes that a successful BIMI implementation fundamentally relies on proper DMARC alignment, specifically requiring a DMARC policy of either quarantine or reject to ensure robust email authentication.
22 Jun 2023 - SpamResource
What the documentation says
Official documentation from the BIMI Group and related standards provides the foundational rules for BIMI implementation, offering clear guidelines on how to structure DNS records and manage Verified Mark Certificates (VMCs). These documents confirm the flexibility of BIMI to be applied at the subdomain level, crucial for organizations aiming to segment their email sending strategies without compromising brand integrity across all communications.
Key findings
Subdomain support: The BIMI Group's FAQs confirm that a domain administrator can publish a BIMI record on a subdomain, and mailbox providers will use it, even if a record is not present on the main domain.
DMARC prerequisite: Documentation consistently states that BIMI requires a DMARC policy of quarantine or reject for the domain in question. This is a fundamental requirement for the logo to display.
DNS record format: The BIMI record is a TXT record published at a specific location, typically default._bimi.yourdomain.com, containing the BIMI version and the URLs of your SVG logo and your VMC.
VMC and domain validation: The VMC certifies the authenticity of the logo and must include the sending domain (or subdomain) in its Subject Alternative Name (SAN) for validation.
Key considerations
Precise record placement: To implement BIMI only on a subdomain, ensure the BIMI TXT record is correctly placed at that specific subdomain's DNS entry (e.g., default._bimi.marketing.example.com). This controls where the logo appears.
DMARC policy for subdomains: Verify that the DMARC policy for the subdomain you're applying BIMI to is at an enforcement level. BIMI's DMARC requirement means you cannot skip this step.
VMC issuance: If you intend to use BIMI on a subdomain, your VMC should explicitly include that subdomain (or a wildcard covering it) in its SAN. This is critical for the VMC to validate the logo at the subdomain level.
Compliance with standards: Adhere to the exact specifications outlined by the BIMI Group and relevant RFCs for creating the SVG logo and the BIMI TXT record. Understanding BIMI requirements is key.
Email flow impact: Before implementing, map out your email sending flows to identify which domains/subdomains are used for marketing, transactional, and internal emails. This ensures BIMI is applied strategically and avoids unintended effects on critical communications, as highlighted by Scaleway Documentation.
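The record placement and DMARC checks described above, as an added example (not code from the BIMI Group or the original page). The zone contents, helper names and the two-label `org_domain` shortcut are assumptions, and the fallback to the organizational domain follows the BIMI draft's record discovery. It evaluates DNS only; VMC validation is out of scope.

```python
# Constructed sample zone (not real DNS data): TXT records keyed by owner name.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "default._bimi.marketing.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT string into a dict."""
    pairs = (part.partition("=") for part in txt.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}

def org_domain(domain):
    # Assumption: the last two labels; production code needs the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def dmarc_policy(domain, zone):
    """Effective DMARC policy: the domain's own p=, else the org domain's sp= or p=."""
    own = zone.get(f"_dmarc.{domain}")
    if own:
        return parse_tags(own).get("p", "none")
    parent = zone.get(f"_dmarc.{org_domain(domain)}")
    if not parent:
        return None
    tags = parse_tags(parent)
    return tags.get("sp", tags.get("p", "none"))

def bimi_record(domain, zone, selector="default"):
    """Return (owner, tags) for the BIMI record that applies to `domain`, or None."""
    for owner in (domain, org_domain(domain)):  # subdomain first, then fallback
        txt = zone.get(f"{selector}._bimi.{owner}")
        if txt and parse_tags(txt).get("v") == "BIMI1":
            return owner, parse_tags(txt)
    return None

def logo_eligible(domain, zone):
    """True when `domain` has an applicable BIMI logo and DMARC at enforcement."""
    found = bimi_record(domain, zone)
    enforced = dmarc_policy(domain, zone) in ("quarantine", "reject")
    return bool(found and found[1].get("l") and enforced)

if __name__ == "__main__":
    for d in ("marketing.example.com", "example.com", "billing.example.com"):
        print(d, logo_eligible(d, ZONE))
```

With the record only at `default._bimi.marketing.example.com`, the root and `billing` streams stay without a logo; moving the same record to `default._bimi.example.com` makes every subdomain without its own record inherit it.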
Technical article
BIMI Group documentation states that a domain administrator has the ability to publish a BIMI record on a subdomain. If such a record is present at that subdomain, the mailbox provider is authorized to use it, even if no BIMI record exists on the main domain.
01 Jan 2022 - BIMI Group
Technical article
Mailchimp's marketing glossary outlines that to implement BIMI, one must create a new TXT record at the `default._bimi` subdomain. It also clarifies that the precise steps for establishing this record depend on the specific domain provider used.