Setting up BIMI (Brand Indicators for Message Identification) for multiple subdomains while intentionally excluding the parent domain is a common scenario for organizations managing diverse email sending streams. The core principle revolves around how the Verified Mark Certificate (VMC) interacts with the BIMI DNS records published at the subdomain level. While the VMC typically contains the organizational (parent) domain as a Subject Alternative Name (SAN), the actual BIMI TXT records are placed on the specific subdomains where the logo should appear. This allows for granular control, enabling brand logo display on designated subdomains without requiring or displaying it on the parent domain.
Key findings
VMC scope: The Verified Mark Certificate (VMC) typically needs to include the organizational (parent) domain as a Subject Alternative Name (SAN). This single VMC can then authorize brand logos for multiple subdomains under that parent domain.
Subdomain records: To display a logo on specific subdomains and not the parent, BIMI TXT records should be published individually at the subdomain level, for example, default._bimi.sub.yourdomain.com.
Excluding parent: To exclude the parent domain from displaying a BIMI logo, simply do not publish a BIMI TXT record for the organizational domain itself. Mailbox providers will look for a subdomain-specific record first.
Authentication foundation: BIMI relies heavily on strong email authentication, specifically DMARC with a policy of p=quarantine or p=reject, and proper alignment of SPF and DKIM for each sending subdomain.
Inheritance vs. explicit records: While some authentication policies like DMARC can be inherited by subdomains, BIMI records are typically explicitly published per subdomain for desired display, allowing for exclusion of the parent.
Key considerations
DNS propagation time: After publishing new BIMI DNS records, it can take time for changes to propagate globally. Patience is often required before the logo appears across all mailbox providers.
VMC requirements: Ensure your VMC explicitly covers the organizational domain. This is critical for any subdomains to leverage the VMC for BIMI, even if the BIMI record itself is on the subdomain. Refer to the IETF Datatracker for VMC validation specifics.
DMARC policy for subdomains: Verify that your DMARC policy for subdomains (sp tag) is set to quarantine or reject for BIMI to function correctly. This is a prerequisite.
Checker discrepancies: Some online BIMI checkers may not always accurately reflect the status of subdomain BIMI implementations due to their specific logic or caching, even if logos are showing up in actual email clients.
What email marketers say
Email marketers often navigate the complexities of BIMI implementation for various sending scenarios, including managing multiple subdomains. A common question arises when seeking to display a brand logo on specific subdomains without it appearing on the primary or parent domain. Their discussions highlight practical challenges like DNS propagation delays and the sometimes-confusing behavior of online validation tools, even when the setup is technically correct and the logo is visibly rendering in mailboxes.
Key opinions
Parent VMC for subdomains: Many marketers believe that having the parent domain in the VMC is sufficient for publishing BIMI records at the subdomain level, simplifying certificate management.
SAN requirements confusion: There can be initial confusion about whether each individual subdomain needs to be a Subject Alternative Name (SAN) in the VMC, or if the root domain SAN is enough.
DNS propagation patience: Marketers often experience delays with DNS propagation, leading to uncertainty about whether their BIMI setup is correct or if it just needs more time to update.
Checker inconsistencies: It is noted that some online BIMI checkers might report issues (e.g., domain mismatch) even when the logo is displaying correctly in actual email clients, highlighting limitations of these tools.
Key considerations
Strategic domain choice: The decision to use a subdomain for sending and BIMI display (versus the main domain) should consider its impact on email deliverability and branding strategy.
DNS record publishing: Ensure BIMI records are published specifically at the subdomain level, which is a different step from merely having the parent domain in the VMC.
DMARC for subdomains: Proper DMARC configuration, including its interaction with subdomains, is a prerequisite for BIMI. Verify that DMARC policies are correctly applied and aligned with your sending practices for each subdomain.
Brand consistency: Decide whether a consistent logo across all sending subdomains is desired, and configure BIMI accordingly to maintain a unified brand presence.
Marketer view
Marketer from Email Geeks notes that their initial understanding of BIMI for subdomains was that each one would need to be explicitly named on the Verified Mark Certificate (VMC) if not inheriting from the parent. They questioned if a VMC tied solely to the root domain would be sufficient if BIMI records were exclusively at the subdomain level. They sought clarification on how to apply BIMI broadly to subdomains while intentionally bypassing the parent domain.
20 Mar 2024 - Email Geeks
Marketer view
Marketer from Email Geeks shares their experience, stating that they were trying to confirm whether their setup was correct. They observed that the logo began appearing in Gmail tests, despite a third-party checker (Valimail) still indicating a mismatch between the BIMI domain and the certificate. This suggests that DNS propagation or checker accuracy can sometimes lag behind actual display.
20 Mar 2024 - Email Geeks
What the experts say
Email deliverability experts offer detailed guidance on the technical requirements for implementing BIMI across subdomains while maintaining control over the parent domain's brand display. Their insights often focus on the precise interplay between DNS records (SPF, DKIM, DMARC, BIMI TXT) and the Verified Mark Certificate (VMC). They stress the importance of understanding inheritance rules versus explicit record placement to ensure successful logo display and proper email authentication for all sending identities.
Key opinions
DMARC policy inheritance: Experts confirm that subdomains inherit the parent domain's DMARC policy by default, unless an explicit DMARC record is published at the subdomain level. This is critical for BIMI alignment.
Explicit subdomain authentication: For comprehensive email authentication (SPF, DKIM, DMARC), it's often advised to create separate records for subdomains, as they don't always inherit from the parent automatically.
VMC and organizational domain: The organizational domain listed in the VMC is generally sufficient to cover subdomains, allowing BIMI records to be placed specifically on the subdomains without needing a VMC for each.
Foundational authentication: Strong SPF, DKIM, and DMARC with proper alignment are prerequisites for any successful BIMI implementation, regardless of whether it's on a parent or subdomain.
Key considerations
DMARC policy for BIMI: BIMI mandates a DMARC policy of at least p=quarantine or p=reject for the sending domain (or subdomain) to display the logo.
DNS hierarchy: Understand how DNS resolves records for subdomains. A BIMI record at default._bimi.sub.domain.com will be checked before falling back to the parent if no subdomain record is found for DMARC.
Alignment for authentication: Ensure the From: domain in your email headers aligns with the domain used for SPF and DKIM. This alignment is what enables DMARC to pass, which in turn enables BIMI. For more information, read Mailgun's BIMI email specification tips.
Monitoring and troubleshooting: Regular monitoring of DMARC reports is crucial to identify any authentication failures that could prevent BIMI logos from displaying. This helps in diagnosing and fixing issues promptly.
Expert view
Expert from SpamResource clarifies that while DMARC policies can be set for individual subdomains, any subdomain without an explicit policy will automatically inherit the DMARC policy of its parent domain. This default behavior simplifies setup for many senders. However, it requires careful consideration for specific subdomain needs, particularly if different policies are required.
20 May 2024 - SpamResource
Expert view
Expert from WordtotheWise emphasizes that subdomains generally do not automatically inherit authentication policies like SPF, DKIM, or DMARC from their parent domain. To ensure comprehensive protection and proper email authentication for all sending streams, separate records should be created for each subdomain. This ensures that each sending identity is properly validated and minimizes the risk of deliverability issues.
18 Apr 2024 - WordtotheWise
What the documentation says
Official documentation and technical specifications provide the definitive guidelines for BIMI implementation, particularly concerning subdomains and VMCs. These documents clarify that while the VMC validates the organizational domain, the actual BIMI record must reside on the specific subdomain that is sending the email. They emphasize that proper DMARC enforcement and alignment are non-negotiable prerequisites for BIMI logo display, detailing how mailbox providers discover and validate these records in the DNS hierarchy.
Key findings
Subdomain BIMI records: The BIMI Group FAQ states that a BIMI record can be published directly on a subdomain and will be used by mailbox providers, even if no record exists at the organizational domain.
VMC and organizational domain: The IETF Datatracker specifies that the organizational domain (e.g., example.com) needs to be a Subject Alternative Name (SAN) in the VMC. This certification at the root level is sufficient to validate subdomains sending with BIMI records.
DMARC prerequisite: BIMI explicitly requires a DMARC policy of p=quarantine or p=reject for the sending domain (or subdomain) to be considered for BIMI display.
DNS discovery process: Mailbox providers perform a specific DNS lookup sequence, starting with the _bimi subdomain for the BIMI record. This hierarchy allows for granular control at the subdomain level.
Key considerations
No inheritance for BIMI: Unlike DMARC, BIMI records are not inherited by subdomains from the parent. Each subdomain intended to display a logo must have its own BIMI TXT record explicitly published. This aligns with Sparkle.io's point that subdomains don't inherit parent authentication policies.
DMARC policy for subdomains (sp): If the parent domain's DMARC record has an sp tag, it applies to subdomains unless overridden by a specific subdomain DMARC record. This sp policy must meet BIMI's enforcement requirements. More details can be found in the Campaign Refinery guide on DMARC setup.
BIMI assertion record syntax: The BIMI record syntax must be correct, including the v=BIMI1; tag, the l= tag for the SVG logo URL, and the a= tag for the VMC URL (if applicable). This is outlined in the BIMI Group FAQs.
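The checks described in this section (a BIMI record at the exact subdomain, an enforced DMARC policy taken from the subdomain's own record or the parent's sp tag, and the organizational domain as a SAN in the VMC) can be combined into one readiness check. This is an added example, not code from the BIMI Group or any vendor; the zone contents, the SAN list, and all function names are constructed for illustration, and only the record published at the sender's own name is consulted.

```python
# Added example. ZONE and VMC_SANS are constructed sample data, not real DNS
# or certificate contents; function names are hypothetical.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine",
    "default._bimi.news.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "_dmarc.billing.example.com": "v=DMARC1; p=none",  # explicit record overrides parent sp
    "default._bimi.billing.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}
VMC_SANS = ["example.com"]  # organizational domain listed as a SAN in the VMC


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def effective_dmarc_policy(domain, org, zone):
    """Policy for `domain`: its own record's p=, else the parent's sp= (or p=)."""
    own = zone.get(f"_dmarc.{domain}")
    if own is not None:
        return parse_tags(own).get("p", "").lower() or None
    parent = parse_tags(zone.get(f"_dmarc.{org}", ""))
    return (parent.get("sp") or parent.get("p") or "").lower() or None


def bimi_problems(domain, org, zone, vmc_sans, selector="default"):
    """Return reasons the logo would not be shown; an empty list means ready."""
    problems = []
    record = zone.get(f"{selector}._bimi.{domain}")
    if record is None:
        problems.append("no BIMI record published at this name")
    else:
        tags = parse_tags(record)
        if tags.get("v") != "BIMI1":
            problems.append("v= tag is not BIMI1")
        if not tags.get("l"):
            problems.append("missing l= logo URL")
        if tags.get("a") and org not in vmc_sans:
            problems.append("VMC does not list the organizational domain as a SAN")
    policy = effective_dmarc_policy(domain, org, zone)
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC policy is {policy}, not quarantine/reject")
    return problems


if __name__ == "__main__":
    for name in ("news.example.com", "billing.example.com", "example.com"):
        print(name, bimi_problems(name, "example.com", ZONE, VMC_SANS) or "ready")
```

In the sample zone the parent is excluded simply because no record exists at default._bimi.example.com, while billing.example.com fails because its own p=none record overrides the parent's sp=quarantine.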
Technical article
BIMI Group documentation states that a domain administrator has the flexibility to publish a BIMI record on a subdomain. This record, if discovered at the subdomain, can be utilized by mailbox providers for displaying the brand logo. Crucially, this can occur even if no BIMI record is found at the organizational (parent) domain, offering granular control over brand display.
05 Mar 2024 - BIMI Group
Technical article
IETF Datatracker documentation explains that for a Verified Mark Certificate (VMC) to be valid in the context of BIMI, the organizational domain must be included in the domain-set (as a Subject Alternative Name, or SAN) within the VMC. This organizational domain linkage is sufficient to enable BIMI functionality across its subdomains, provided the individual BIMI records are published correctly at those subdomain levels.