How to set up BIMI records for multiple subdomains while excluding the parent domain?
Matthew Whittaker
Co-founder & CTO, Suped
Published 5 Aug 2025
Updated 17 Aug 2025
Setting up Brand Indicators for Message Identification (BIMI) can enhance your email's visual presence, displaying your brand's logo directly in the recipient's inbox. While the default behavior often involves setting up BIMI on your parent (organizational) domain to trickle down to subdomains, there are scenarios where you might need more granular control.
One common question that arises is how to implement BIMI for multiple subdomains while intentionally excluding the parent domain. This approach might be necessary if your parent domain isn't used for sending email or if you prefer a different brand identity for your primary domain versus your marketing or transactional subdomains. It's a precise configuration that ensures your logo appears exactly where you want it.
Understanding BIMI basics and components
BIMI acts as a trust signal, allowing participating email clients to display your logo next to your sender name. For BIMI to work, your domain must have robust email authentication protocols in place, specifically DMARC, SPF, and DKIM, with DMARC enforced at a policy of quarantine or reject. Without this foundational authentication, BIMI cannot function.
The core components of BIMI include a DNS TXT record, which points to your logo file (an SVG), and optionally a Verified Mark Certificate (VMC). The VMC is a digital certificate that verifies your ownership of the logo, providing an extra layer of trust and enabling display in more stringent email clients. The BIMI record contains specific tags that tell receiving servers where to find your logo and, if applicable, your VMC.
Subdomains typically inherit DMARC policies from the parent domain unless explicitly overridden. This is a crucial point when considering BIMI implementation, as proper DMARC alignment is a non-negotiable requirement. While a DMARC record on the parent domain can cover subdomains, BIMI records are published on a per-domain or per-subdomain basis.
The role of the VMC in subdomain BIMI
A common point of confusion is whether each subdomain requires its own Verified Mark Certificate (VMC) or if a single VMC for the parent domain suffices. Fortunately, the latter is often the case. A VMC issued for your organizational (root) domain can be leveraged by its subdomains for BIMI display, provided the necessary authentication and DNS records are correctly set up.
The key is that the organizational domain (or root domain) listed in the Subject Alternative Name (SAN) field of your VMC is sufficient. You do not need to list every single subdomain on the VMC itself. This simplifies the VMC acquisition process, as you only need one certificate for your primary domain, which then supports BIMI for its subdomains.
This setup allows for flexibility. You can hold one VMC for your brand's main domain and then apply BIMI to specific subdomains that actively send email, while leaving other subdomains or the parent domain without a visible logo. It's about where you publish the BIMI DNS TXT record, not necessarily how many VMCs you possess.
Misconception
VMC requirement: Each subdomain requiring BIMI must be explicitly listed as a Subject Alternative Name (SAN) on the VMC.
Complexity: Managing separate VMCs or SAN entries for numerous subdomains would be time-consuming and costly.
Reality
VMC scope: A VMC for the parent (organizational) domain is sufficient to support BIMI on its subdomains.
Simplified management: You only need to maintain one VMC for your primary domain, with BIMI records placed at the subdomain level.
Implementing BIMI records for specific subdomains
The strategy for enabling BIMI on specific subdomains, while excluding the parent domain, relies on the precise placement of your BIMI DNS TXT records. Each subdomain for which you want BIMI to display will need its own dedicated BIMI record.
To apply BIMI to a specific subdomain, you'll publish a TXT record at default._bimi.subdomain.yourdomain.com. This contrasts with publishing it at default._bimi.yourdomain.com, which would apply to the parent domain and potentially all its subdomains unless explicitly overridden by a subdomain's own record. This allows you to control BIMI display at a granular level.
The BIMI TXT record itself includes the BIMI version (usually v=BIMI1), the URL to your SVG logo file, and, if you have a VMC, the URL to the certificate file containing the VMC and its certificate chain. Be sure your SVG logo is properly formatted and accessible via HTTPS.
This setup allows for precise branding. For instance, you can have different logos for marketing emails (e.g., marketing.yourdomain.com) versus transactional emails (e.g., transactional.yourdomain.com), simply by publishing different BIMI records on those specific subdomains. This also means that if you choose not to publish a BIMI record on your parent domain, no logo will display for emails sent from it, fulfilling the exclusion requirement.
Excluding the parent domain from BIMI
The most straightforward way to exclude your parent domain from BIMI display is to simply not publish a BIMI DNS TXT record for it. Unlike DMARC, which can have an organizational policy that applies to subdomains, BIMI records are explicitly defined at the host level where they are intended to be active. If no default._bimi TXT record exists for your main domain, no logo will be sought or displayed.
This approach ensures that your brand's logo only appears where you actively configure it, providing full control over your email's visual identity. It's particularly useful for organizations that use their parent domain for internal communications or non-marketing purposes and prefer to reserve BIMI for specific, high-visibility sending subdomains.
Remember that BIMI relies heavily on strong email authentication. Ensuring that your DMARC policy is at p=quarantine or p=reject for the subdomains you wish to implement BIMI on is essential. If your parent domain's DMARC policy covers these subdomains, you're good to go. If not, consider a specific DMARC record for the subdomain, or update your main DMARC record to cover subdomains through the sp tag.
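As an added example (not code from Suped or from any BIMI tool), the following sketch evaluates a planned set of records offline and reports which sending domains would get a logo, combining the subdomain-then-parent record lookup with the DMARC p/sp check described above. The domain example.com, the CDN URLs and every record value are constructed placeholders; SPF/DKIM alignment is assumed to pass and VMC validation is not modelled.

```python
# Constructed zone data; example.com and the CDN URLs are placeholders.
ORG = "example.com"
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.test.example.com": "v=DMARC1; p=none",  # overrides the parent policy
    "default._bimi.marketing.example.com":
        "v=BIMI1; l=https://cdn.example.com/bimi/marketing.svg; a=https://cdn.example.com/bimi/vmc.pem",
    "default._bimi.transactional.example.com":
        "v=BIMI1; l=https://cdn.example.com/bimi/transactional.svg; a=https://cdn.example.com/bimi/vmc.pem",
    "default._bimi.test.example.com":
        "v=BIMI1; l=https://cdn.example.com/bimi/marketing.svg",
    # Deliberately no default._bimi.example.com record: the parent is excluded.
}


def parse_tags(txt):
    """Split 'k=v; k=v' TXT content into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def dmarc_policy(domain, zone, org=ORG):
    """Effective policy: the domain's own p=, else the parent's sp=, else its p=."""
    own = zone.get(f"_dmarc.{domain}")
    if own:
        return parse_tags(own).get("p", "none")
    parent = parse_tags(zone.get(f"_dmarc.{org}", ""))
    return parent.get("sp", parent.get("p", "none"))


def bimi_record(domain, zone, org=ORG, selector="default"):
    """Tags of the record used for `domain`: its own, else the parent's, else None."""
    for host in (domain, org):
        tags = parse_tags(zone.get(f"{selector}._bimi.{host}", ""))
        if tags.get("v") == "BIMI1":
            return tags
    return None


def logo_for(domain, zone, org=ORG):
    """Logo URL a receiver could show for mail from `domain`, or None."""
    if dmarc_policy(domain, zone, org) not in ("quarantine", "reject"):
        return None
    tags = bimi_record(domain, zone, org)
    logo = (tags or {}).get("l", "")
    return logo if logo.startswith("https://") else None


if __name__ == "__main__":
    for name in ("example.com", "marketing.example.com", "transactional.example.com",
                 "support.example.com", "test.example.com"):
        print(f"{name:28} -> {logo_for(name, ZONE)}")
```

Adding a default._bimi.example.com entry to the constructed zone makes support.example.com and the parent itself resolve to that logo, which is why the exclusion depends on leaving that record unpublished.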
BIMI testing best practice
Before deploying BIMI across all your intended subdomains, especially in a complex setup, it's highly recommended to test your BIMI implementation on a non-critical subdomain first. This allows you to verify DNS propagation, logo display, and DMARC alignment without impacting your main email sending operations. Tools are available to help validate your BIMI setup.
Views from the trenches
Best practices
Ensure that your DMARC policy for the relevant subdomains is set to at least 'quarantine' or 'reject', as this is a fundamental prerequisite for BIMI.
Always use a canonical URL for your SVG logo and VMC, hosted on a domain with a valid SSL certificate.
Implement BIMI on a test subdomain first to verify correct configuration and appearance before rolling it out to all sending subdomains.
Common pitfalls
Failing to meet DMARC enforcement requirements means your BIMI logo will not display, regardless of your DNS setup.
Incorrectly formatted SVG logos or inaccessible hosting can prevent BIMI display and lead to troubleshooting headaches.
Not accounting for DNS propagation delays can lead to premature conclusions about BIMI setup failures.
Expert tips
Use separate BIMI selectors if you need to manage multiple logos or VMCs for different subdomains.
Consider hosting your SVG and VMC on a robust Content Delivery Network (CDN) for optimal performance and accessibility.
Regularly check your BIMI records to ensure they remain accurate and haven't been inadvertently altered.
Expert view
Expert from Email Geeks says a Verified Mark Certificate (VMC) for the parent domain can cover subdomains, provided the BIMI records are published specifically at the subdomain level.
2024-03-20 - Email Geeks
Marketer view
Marketer from Email Geeks notes a common misunderstanding about Verified Mark Certificates (VMCs), questioning whether a root domain certificate is sufficient for subdomains without separate Subject Alternative Name (SAN) entries.
2024-03-20 - Email Geeks
Achieving selective BIMI display for your brand
Implementing BIMI for multiple subdomains while intentionally excluding the parent domain is a highly achievable goal. It hinges on a clear understanding of how BIMI records function at different levels of your domain structure and the role of the Verified Mark Certificate.
By ensuring your organizational domain is covered by a VMC and then publishing specific BIMI TXT records only on the desired subdomains, you gain precise control over your brand's appearance in the inbox. Remember to maintain strong DMARC enforcement and account for DNS propagation times to ensure a smooth and successful BIMI rollout.