How to set up BIMI with a shared IP?

Key findings

• BIMI compatibility: BIMI's requirements are centered around your domain, not your IP address. Therefore, you can successfully implement BIMI even when sending emails from a shared IP, provided the shared IP is correctly included in your SPF record.
• DMARC requirement: A robust DMARC policy set to p=quarantine or p=reject is essential for BIMI. This policy must apply to your organizational domain, not just a mailing subdomain, as DMARC policies are inherited by subdomains unless explicitly overridden.
• Authentication alignment: For BIMI to work, your email authentication (SPF or DKIM) must achieve DMARC alignment. This means the domain used in SPF's Return-Path or DKIM's signing domain must align with your email's From domain.
• BIMI record location: The BIMI TXT record, like DMARC, is generally published on your core organizational domain. It will then be inherited by any subdomains unless you define a specific BIMI record for a subdomain.

Key considerations

• Staged DMARC rollout: It's recommended to gradually deploy DMARC, starting with a p=none policy, then moving to p=quarantine, and finally p=reject. This phased approach, supported by DMARC reports, helps identify and fix authentication issues before enforcing stricter policies.
• DMARC monitoring: Utilizing a DMARC reporting tool is crucial during the DMARC policy rollout to monitor email authentication results and ensure all legitimate mail passes checks. This allows for necessary adjustments before moving to enforcement policies.
• Mailbox provider specifics: While meeting technical BIMI requirements is key, actual logo display also depends on each mailbox provider's (like Gmail, Yahoo Mail) internal reputation algorithms. A shared IP's overall reputation can impact inbox placement and, consequently, BIMI logo visibility.
• VMC necessity: Obtaining a Verified Mark Certificate (VMC) for your logo is generally required for BIMI to display in major email clients. The VMC can be obtained for your organizational domain or a specific subdomain, depending on your setup. You can find more details on the BIMI Group's implementation guide.
• Shared IP deliverability: While BIMI works with shared IPs, understanding how shared IPs affect deliverability is important. A poor reputation on a shared IP can hinder inbox placement, even if BIMI is technically configured correctly.

Key opinions

• Domain vs. IP focus: Many marketers confirm that BIMI and DMARC are primarily domain-based, meaning a shared IP does not inherently block BIMI setup, as long as the domain's authentication is robust.
• Core domain DMARC: A recurring point is the necessity of implementing DMARC on the core organizational domain with a policy of p=quarantine or p=reject for BIMI to function, even if emails are sent from a subdomain.
• BIMI inheritance: Marketers note that BIMI records, like DMARC, can be set at the organizational domain and inherited by subdomains, simplifying management for multiple sending profiles.
• Gradual DMARC enforcement: The consensus is to incrementally move DMARC policy from p=none to p=quarantine or p=reject, allowing time for monitoring and issue resolution.

Key considerations

• Monitoring is key: Before enforcing DMARC policies, it's vital to have a DMARC reporting solution in place to analyze authentication reports and correct any sending issues. This helps ensure legitimate emails are not quarantined or rejected once stricter policies are active.
• Deliverability impacts BIMI: Even with correct BIMI setup, a logo's appearance depends on whether the email actually lands in the inbox. Shared IP reputation, as highlighted in Mailmodo's BIMI guide, can influence this, emphasizing the link between overall deliverability and BIMI visibility.
• SPF and DKIM setup: Correct SPF and DKIM configuration is foundational. Marketers emphasize ensuring these are properly set up for each sending vendor to achieve DMARC alignment. For further reading, check how to set up SPF and DKIM records.
• Vendor specific steps: The process for setting up SPF and DKIM can vary by email service provider (ESP), requiring specific steps from each vendor to ensure proper authentication.

Key opinions

• DMARC on core domain: Experts consistently confirm that DMARC must be set up on the core organizational domain, as it is a fundamental requirement for BIMI. Without this, BIMI will not function.
• Policy inheritance: DMARC policies set on the core domain are inherited by subdomains unless a specific policy is defined for the subdomain. Similarly, a BIMI certificate can be obtained for the organizational domain and inherited if the BIMI record is published there.
• Minimum DMARC policy: While p=reject is the most secure, BIMI can function with a DMARC policy of p=quarantine at 100% adoption rate.
• DMARC alignment: DMARC requires an aligned pass with either SPF (Return-Path domain aligns with From domain) or DKIM (signing domain aligns with From domain). Having both aligned is considered best practice for robust authentication.

Key considerations

• Beyond technical requirements: Meeting the technical specifications for BIMI does not guarantee logo display. Mailbox providers apply their own 'secret sauce' based on sender reputation and inbox placement. A shared IP's overall deliverability can influence logo visibility.
• Shared IP and SPF: BIMI can be implemented on a shared IP, provided that the shared IP is properly included within your SPF record to ensure authentication passes.
• VMC flexibility: While the organizational domain must have a p=quarantine or p=reject DMARC policy, the VMC (Verified Mark Certificate) can be obtained specifically for a subdomain if preferred, allowing for more granular control over brand identity.
• Monitoring is critical: Implementing a DMARC monitoring tool simultaneously with the p=none policy allows you to identify and fix issues early, before transitioning to stricter enforcement policies, as highlighted in this guide on DMARC policy transition.
• BIMI requirements: It's important to understand all BIMI requirements and implementation steps to ensure a smooth setup.

Key findings

• DMARC policy necessity: BIMI requires an enforced DMARC policy (either p=quarantine or p=reject) for the organizational domain. This ensures strong authentication and protection against email spoofing.
• SVG logo and VMC: A BIMI-compliant SVG (Scalable Vector Graphics) file of your logo and a Verified Mark Certificate (VMC) from an accredited certificate authority are typically required for logo display in supporting email clients.
• DNS record publication: The BIMI record, a TXT record, must be published in your domain's DNS. This record points to the location of your SVG logo file and VMC.
• Domain-based standard: BIMI is explicitly a domain-based standard. Its implementation relies on DNS records associated with your domain, making its functionality independent of whether you use a dedicated or shared IP address for sending mail.

Key considerations

• Path to DMARC enforcement: The BIMI Group's official implementation guide outlines a clear progression for DMARC, typically moving from p=none to p=quarantine and then p=reject, relying on DMARC reports to identify and resolve authentication issues.
• Subdomain configuration: While core domain DMARC and BIMI policies are often inherited, documentation confirms that specific DMARC or BIMI records can be created for subdomains if distinct brand identities or sending practices necessitate it.
• DNS record management: Setting up BIMI involves adding a TXT record to your domain's DNS, similar to SPF and DKIM. Instructions from providers like InMotion Hosting Support Center provide practical steps for this process within various control panels, such as Control Web Panel (CWP).
• Public accessibility of logo: The SVG logo file must be publicly accessible via HTTPS. Documentation emphasizes secure hosting to prevent manipulation and ensure consistent display by email clients.