What are the DMARC requirements for BIMI and how does pct affect the policies?

Key findings

• Enforcing policy required: For BIMI, your DMARC record must specify a policy of either p=quarantine or p=reject for both the organizational domain and the specific RFC5322.From domain used in the email. This ensures that unauthenticated emails are either quarantined or rejected, preventing brand spoofing.
• Subdomain pct requirement: When a DMARC policy is set to p=quarantine for a subdomain, the pct tag must be set to pct=100. This means 100% of emails failing DMARC authentication from that subdomain will be quarantined, ensuring full policy enforcement for BIMI compatibility.
• Organizational domain pct flexibility: If the organizational domain uses p=reject and a pct tag less than 100 (e.g., pct=70), the remaining percentage (30% in this example) defaults to p=quarantine. Since no emails are treated as p=none, this setup can still be sufficient for BIMI.
• Impact of subdomain explicit policies: If an organizational domain has a p=reject policy but one of its subdomains has an explicit p=none policy, this specific subdomain will not be BIMI-capable, but it does not affect the BIMI capability of the organizational domain or other subdomains.

Key considerations

• Trust the official specification: Always refer to the latest BIMI specification (currently an IETF draft) for the most accurate and up-to-date requirements, as website content may sometimes lag behind.
• DMARC policy rollout: When initially implementing DMARC or transitioning to an enforcing policy, it is common practice to start with a lower pct value (e.g., pct=5) for monitoring before moving to pct=100. However, for BIMI readiness, the policy must eventually reach full enforcement for relevant domains.
• Long-term DMARC changes: Be aware of potential future changes in DMARC, such as DMARCbis, which may remove the pct tag. While this is not immediate, staying informed about protocol evolutions is essential for long-term email deliverability strategy.
• Alignment requirements: Ensure your SPF and DKIM records are correctly configured and aligned with your DMARC policy. Proper alignment is fundamental for passing DMARC authentication and subsequently enabling BIMI display. For more details, consult guides on DMARC, SPF, and DKIM.
• Subdomain policy management: Be mindful that explicit DMARC policies on subdomains (e.g., p=none) override the organizational domain's policy for that specific subdomain. This can impact its BIMI eligibility, so consistent policy application across all sending domains is recommended for BIMI adoption.

Key opinions

• Confusion over pct specifics: Many marketers seek clarification on why the pct requirement is 100% for p=quarantine but not explicitly stated for p=reject in some BIMI documentation, indicating a need for clearer guidance.
• Subdomain impact: Marketers are concerned about whether a subdomain with a p=none policy might negatively affect the BIMI eligibility of the main organizational domain or other subdomains.
• Phased rollout preference: Many prefer a gradual DMARC rollout, starting with p=none and slowly increasing the pct value, which can conflict with immediate BIMI pct=100 requirements for quarantine policies.

Key considerations

• DMARC record setup: Ensure your DMARC records are correctly published and reflect the required policies for BIMI. Misconfigurations can lead to authentication failures and prevent logo display.
• Understanding BIMI compatibility: It is vital for marketers to understand that a p=none policy on any sending domain (or subdomain acting as an RFC5322.From domain) will prevent BIMI logo display for emails sent from that domain. Guidance on BIMI requirements and implementation steps is critical.
• Monitoring DMARC reports: Regularly review DMARC aggregate and forensic reports to identify any legitimate email streams that might be failing authentication under stronger policies. This helps in adjusting configurations before moving to pct=100.
• DMARC policy best practices: While BIMI requires an enforcing policy, marketers should still adhere to best practices for DMARC implementation. This includes careful planning when using p=reject as outlined in discussions about best practices for setting DMARC policy.

Key opinions

• Spec over website: Experts advise relying on the official BIMI specification over potentially outdated website content for precise requirements, especially concerning DMARC policies.
• RFC5322.From domain focus: The validation process for DMARC/BIMI primarily focuses on the DMARC policies of the RFC5322.From domain and the organizational domain, if it differs.
• Understanding pct mechanics: When pct is less than 100 for a p=reject policy, the remainder is treated as p=quarantine, which is acceptable for BIMI as no mail falls back to p=none.
• DMARCbis timeline: The evolution of DMARC (e.g., DMARCbis) is progressing but will take considerable time before becoming a standard and being widely implemented, including changes like removing the pct tag.

Key considerations

• Strict adherence to BIMI spec: Implementers must prioritize the BIMI specification, particularly the requirement for DMARC policies of quarantine or reject, and the pct=100 for quarantine policies.
• Policy clarity: While the DMARC pct tag allows for gradual enforcement, for BIMI, the effective policy must eventually reach full enforcement (100% quarantine or reject coverage) for the sending domain.
• Anticipating DMARC evolution: Organizations should be aware that the DMARC standard is evolving, with discussions around DMARCbis possibly deprecating the pct tag. This forward-looking approach helps in future-proofing DMARC implementations. For more on DMARC tags, refer to our guide to DMARC tags.
• Subdomain policy independence: It is important to understand that an explicit p=none policy on a subdomain will prevent BIMI for that specific subdomain, irrespective of the organizational domain's stricter policy. This highlights the importance of consistent policy application across all relevant sending domains. Learn more about DMARC and BIMI at the organizational level.

Key findings

• Mandatory strong DMARC policy: The BIMI specification clearly states that domain owners MUST have a strong DMARC policy (quarantine or reject) on both the organizational domain and the RFC5322.From domain.
• Strict pct for quarantine: For quarantine policies, the pct tag MUST NOT be less than pct=100.
• Full enforcement for BIMI: The Canadian Centre for Cyber Security's guidance explicitly states that to participate in BIMI, a domain must have fully implemented DMARC with a policy of reject, indicating the highest level of enforcement.
• No p=none for BIMI-enabled domains: Any domain or subdomain that is intended to display a BIMI logo cannot have a DMARC policy of p=none, as this would not meet the enforcement criteria.

Key considerations

• Adherence to current standards: While DMARC (and BIMI) standards evolve, current implementation should strictly follow the existing official specifications, ensuring all emails pass DMARC authentication for brand logo display. Consider our article on best practices for setting DMARC policy.
• Policy choice implications: Choosing between p=quarantine and p=reject has different impacts on unauthenticated mail. For BIMI, both are acceptable, but p=quarantine requires pct=100. Our guide on when to use DMARC policies can provide further insights.
• Universal application: The DMARC policy requirements for BIMI apply to both the main organizational domain and any subdomains used for sending, necessitating a consistent and strong authentication posture across all relevant sending identities.
• Staying informed: Regularly consult the BIMI Group's Implementation Guide and other authoritative sources to stay updated on any changes or clarifications to the BIMI and DMARC specifications. This proactive approach helps maintain compliance and optimal performance.