
How to set up BIMI DNS records for subdomains and apex domains?

Matthew Whittaker
Co-founder & CTO, Suped
Published 12 Aug 2025
Updated 18 Aug 2025
Getting your brand logo to display next to your email in recipients' inboxes can significantly boost trust and recognition. That's the power of BIMI, or Brand Indicators for Message Identification. It's a relatively new standard, but its impact on email deliverability and brand presence is undeniable.
The core of BIMI relies on a DNS TXT record that points to your verified brand logo. While setting this up for a single apex domain might seem straightforward, questions often arise when dealing with multiple subdomains, or even deciding if a subdomain needs its own record. I've helped many organizations navigate this, and there are specific considerations for both apex domains and subdomains that I want to walk you through.
The key is understanding how DNS records function for email authentication and how email clients, like Gmail, interpret these records. Let's dive into the specifics of setting up BIMI DNS records effectively for your entire domain structure.

Understanding BIMI and DNS

BIMI (Brand Indicators for Message Identification) allows you to display your brand logo alongside your emails in supported inboxes. This visual cue helps recipients instantly recognize legitimate emails from your domain, enhancing trust and engagement. To implement BIMI, you need to publish a specific DNS TXT record for your domain.
This TXT record, often found at the default._bimi selector, provides two crucial pieces of information: the version of BIMI being used and the URL of your brand's SVG logo file. Optionally, it can also include the URL to your Verified Mark Certificate (VMC), which provides an extra layer of authentication and is increasingly required by major mailbox providers. Learn more about the requirements and implementation steps for BIMI.
Before you can even think about publishing a BIMI record, you must have a DMARC policy at enforcement, either p=quarantine or p=reject. Without DMARC enforcement, BIMI will not display. This is because BIMI leverages DMARC to ensure the legitimacy of the sending domain and prevent brand impersonation. If your DMARC policy is set to p=none, your BIMI logo will not appear.

The DMARC enforcement requirement

A crucial prerequisite for BIMI is an enforcing DMARC policy. This means your DMARC record must be set to either p=quarantine or p=reject. If your policy is p=none, your logo will not appear in inboxes.

Setting up BIMI for apex domains

For your primary domain, also known as your apex or root domain (e.g., yourdomain.com), you'll set up a single TXT record directly at the domain level. This record will apply to all emails sent from your apex domain. Here's a typical format you'd use:
BIMI DNS TXT record for an apex domain (DNS)
Host: default._bimi.yourdomain.com
Value: v=BIMI1;l=https://cdn.yourdomain.com/logo.svg;a=https://cdn.yourdomain.com/vmc.pem;
Let's break down the components of this record. The v=BIMI1 indicates the BIMI version. The l= tag specifies the HTTPS URL where your SVG logo file is hosted. Crucially, this logo must be in SVG Tiny 1.2 format and hosted securely. The optional a= tag points to your Verified Mark Certificate (VMC), if you have one. A VMC is essential for displaying your logo with Yahoo and other strict email clients, and it's becoming a standard requirement for broader BIMI adoption.
Once this record is published, supported email clients will fetch your DMARC policy, verify it's at enforcement, then retrieve your BIMI record to display your logo. This process works seamlessly for your primary domain, giving your brand a consistent visual identity across all outgoing emails.

Before BIMI

  1. Generic avatars: Emails often display a default letter or placeholder icon, making them less distinct in the inbox.
  2. Lower recognition: Without a visual identifier, recipients rely solely on the sender name, which can be less impactful.
  3. Increased phishing risk: It's harder for users to distinguish legitimate emails from impersonation attempts.

After BIMI

  1. Prominent logo display: Your official brand logo appears directly in the recipient's inbox, enhancing visibility.
  2. Enhanced brand trust: Visual confirmation of sender identity builds confidence and encourages opens.
  3. Reduced impersonation: BIMI makes it much harder for phishers to spoof your brand effectively, protecting your customers.

Implementing BIMI for subdomains

When it comes to subdomains, you have two primary options for BIMI implementation: inheritance or specific subdomain records. Understanding the difference is crucial for effective deployment.
By default, if a subdomain (e.g., news.yourdomain.com) does not have its own explicit BIMI record, it will inherit the BIMI record from its apex domain (e.g., yourdomain.com). This means the same logo and VMC (if applicable) configured for the apex domain will display for emails sent from the subdomain. This is the simplest approach if you want a consistent brand appearance across your entire domain structure. For more information on this, refer to how BIMI trickles down to subdomains. However, if you want a different logo or no logo at all for specific subdomains, you'll need to create a dedicated BIMI record for that subdomain.
To set up a BIMI record for a specific subdomain, the process is similar to an apex domain, but the host name will include the subdomain. For example, if you want a unique BIMI logo for marketing.yourdomain.com, your DNS record would look like this:
BIMI DNS TXT record for a specific subdomain (DNS)
Host: default._bimi.marketing.yourdomain.com
Value: v=BIMI1;l=https://cdn.yourdomain.com/marketing_logo.svg;a=https://cdn.yourdomain.com/marketing_vmc.pem;
It's important to remember that even if you're setting BIMI on a subdomain, the apex domain must have an enforcing DMARC policy. This is a fundamental requirement for BIMI to work on any part of your domain. You can configure your DMARC records for subdomains using the sp tag within your DMARC record to set a policy for subdomains separately if needed, but the foundational DMARC policy on the apex domain is non-negotiable for BIMI. Consider implementing BIMI for multiple brands with subdomains if this applies to your setup.

| Aspect | Apex domain setup | Subdomain setup (explicit) |
| --- | --- | --- |
| Host Name | default._bimi.yourdomain.com | default._bimi.subdomain.yourdomain.com |
| DMARC Requirement | Enforcing policy (p=quarantine or p=reject) on yourdomain.com | Enforcing policy on yourdomain.com, even if the subdomain has its own BIMI record. |
| Logo Path | Points to logo for the primary brand. | Points to a unique logo for the specific subdomain. |
| Inheritance | Subdomains will inherit this record if they don't have their own. | Overrides apex domain's BIMI for that specific subdomain. |

Validation and troubleshooting tips

After publishing your BIMI DNS records, it's crucial to validate them to ensure everything is configured correctly. A misconfigured record, an invalid SVG logo, or an incorrect VMC link can prevent your logo from appearing. You can use online BIMI validators to check your setup.
Common issues include incorrect TXT record syntax, the SVG logo not being publicly accessible via HTTPS, or the DMARC policy not being at an enforcing level on the apex domain. Even if your BIMI record is on a subdomain, the DMARC policy for the root domain needs to be enforced. If you encounter issues, systematically check each step of the BIMI implementation process, including your DNS entries, logo formatting, and DMARC status. Remember, changes to DNS records can take some time to propagate across the internet, so patience is key. BIMI also will not appear if your emails are going to a blacklist (or blocklist).

Common BIMI pitfalls

  1. DMARC not enforced: Your DMARC policy must be at p=quarantine or p=reject for BIMI to work, even on subdomains.
  2. Incorrect SVG format: The logo must be SVG Tiny 1.2 and accessible via HTTPS.
  3. DNS record errors: Typos in the host or value, or incorrect record type, can cause failure.
  4. VMC issues: If using a VMC, ensure it is valid, publicly accessible, and correctly linked.
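The subdomain inheritance rule and the DMARC, syntax and HTTPS checks described above can be run against a zone before you publish it. The following is an added example, not code from the original article or from Suped: the function names, the ZONE dictionary and the legacy.yourdomain.com entry are constructed for illustration, and the apex domain is passed in by the caller rather than derived from the Public Suffix List.

```python
# Constructed sample zone (TXT values only); names follow the article's examples.
ZONE = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.legacy.yourdomain.com": "v=DMARC1; p=none",
    "default._bimi.yourdomain.com":
        "v=BIMI1;l=https://cdn.yourdomain.com/logo.svg;a=https://cdn.yourdomain.com/vmc.pem;",
    "default._bimi.marketing.yourdomain.com":
        "v=BIMI1;l=https://cdn.yourdomain.com/marketing_logo.svg;"
        "a=https://cdn.yourdomain.com/marketing_vmc.pem;",
}
ENFORCING = {"quarantine", "reject"}

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into a dict; tolerates a trailing ';'."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def effective_dmarc_policy(domain, apex, zone):
    """Policy applied to `domain`: its own record's p=, else the apex sp= (or p=)."""
    own = parse_tags(zone.get(f"_dmarc.{domain}", ""))
    if own.get("v") == "DMARC1":
        return own.get("p", "none").lower()
    org = parse_tags(zone.get(f"_dmarc.{apex}", ""))
    return org.get("sp", org.get("p", "none")).lower()

def check_bimi(domain, apex, zone=ZONE, selector="default"):
    """Return (bimi_record_host, problems) for mail sent from `domain`."""
    problems = []
    apex_p = parse_tags(zone.get(f"_dmarc.{apex}", "")).get("p", "none").lower()
    if apex_p not in ENFORCING:
        problems.append(f"apex DMARC policy is p={apex_p}")
    sub_p = effective_dmarc_policy(domain, apex, zone)
    if domain != apex and sub_p not in ENFORCING:
        problems.append(f"effective DMARC policy for {domain} is {sub_p}")
    # A subdomain's own record wins; otherwise the apex record is inherited.
    host = next((h for h in (f"{selector}._bimi.{domain}", f"{selector}._bimi.{apex}")
                 if h in zone), None)
    if host is None:
        return None, problems + ["no BIMI record at subdomain or apex"]
    tags = parse_tags(zone[host])
    if tags.get("v") != "BIMI1":
        problems.append("v= tag is not BIMI1")
    for tag in ("l", "a"):
        url = tags.get(tag, "")
        if url and not url.lower().startswith("https://"):
            problems.append(f"{tag}= URL is not HTTPS")
    if not tags.get("l"):
        problems.append("l= is empty, so no logo is displayed")
    return host, problems
```

In the sample zone, legacy.yourdomain.com inherits the apex BIMI record but is still flagged, because its own p=none DMARC record takes precedence over the apex sp=quarantine.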

Views from the trenches

Best practices
Ensure your DMARC policy for the organizational domain is enforced (p=quarantine or p=reject) before attempting BIMI.
Use a BIMI validator tool to check your DNS record syntax and logo URL accessibility immediately after publishing.
Host your SVG logo on a secure, publicly accessible HTTPS server with proper CORS headers.
Common pitfalls
Forgetting DMARC enforcement: BIMI won't display if your DMARC policy is set to p=none, even with correct BIMI records.
Incorrect SVG format: BIMI requires SVG Tiny 1.2, not a standard SVG. This is a common conversion error.
Inaccessible logo or VMC: Ensure your logo and VMC URLs are publicly available via HTTPS.
Expert tips
If your subdomains need different logos, create unique BIMI records for each one instead of relying on inheritance.
Monitor DMARC reports closely to ensure proper alignment and authentication before expecting BIMI to appear.
When testing, consider major mailbox providers like Gmail and Yahoo, as they have strict BIMI requirements.
Expert view
Expert from Email Geeks says: You can have a BIMI record solely on a subdomain, but it's crucial for the apex domain to maintain an enforcing DMARC record for it to be recognized by providers.
2024-06-25 - Email Geeks
Marketer view
Marketer from Email Geeks says: Initially, I thought a root domain BIMI record was always needed, but I've found that if you send exclusively from a subdomain with its own BIMI record, it can display without a root record, provided the root's DMARC is enforced.
2024-06-26 - Email Geeks

Key takeaways for successful BIMI deployment

Setting up BIMI DNS records for both apex domains and subdomains is a powerful step towards enhancing your brand's presence and email security. The process is clear-cut: ensure your DMARC is enforced at the apex, prepare your SVG logo, and then publish the appropriate TXT records. Whether you choose to inherit BIMI from your apex domain or set up individual records for specific subdomains depends on your branding and sending strategy.
By carefully following these steps and regularly validating your BIMI setup, you can ensure your brand logo consistently appears in recipient inboxes, fostering greater trust and improving your overall email deliverability. Remember, BIMI is more than just a logo: it's a commitment to strong email authentication that benefits both your brand and your recipients.
