What DMARC policy settings are required for BIMI and how do I determine the best setting for sp=?
Matthew Whittaker
Co-founder & CTO, Suped
Published 25 Jul 2025
Updated 19 Aug 2025
8 min read
Brand Indicators for Message Identification (BIMI) offers a powerful way to display your brand's logo next to your authenticated emails in supported inboxes. It's a significant step towards enhancing brand recognition and trust. However, enabling BIMI isn't as simple as uploading a logo. It hinges critically on having robust email authentication, specifically an enforced DMARC policy. Many organizations, while eager for the visual benefits of BIMI, often stumble when configuring the necessary DMARC settings, particularly the p= (policy) and sp= (subdomain policy) tags.
Getting these settings right is paramount, not just for BIMI display, but also for overall email security and deliverability. Misconfigurations can lead to legitimate emails being blocked or marked as spam. Let's delve into the specific DMARC policy requirements for BIMI and how you can determine the optimal sp= setting for your domain's needs.
BIMI requires that your domain's DMARC policy be set to an enforcement mode, meaning either p=quarantine or p=reject. The p=none policy, which is often used during the initial monitoring phase of DMARC implementation, does not meet BIMI's requirements. This is clearly stated in the BIMI Group's implementation guide and by leading email providers like Google Workspace. The enforcement policy is crucial because BIMI relies on the trust established through DMARC, ensuring that only authenticated emails from your domain display your logo.
The primary DMARC policy tag, p=, dictates the action taken by receiving mail servers when an email fails DMARC authentication for your organizational domain (e.g., yourdomain.com).
A policy of p=quarantine instructs receiving servers to treat non-compliant emails suspiciously. This often means placing them in the spam folder or subjecting them to further scrutiny. With p=reject, unauthenticated emails are outright rejected, meaning they will not be delivered to the recipient's inbox at all. For BIMI, either of these policies is acceptable as they both signify a strong commitment to DMARC enforcement.
The role of the sp= tag for subdomains
While the p= tag handles the policy for your organizational domain, the sp= tag specifies the policy for subdomains (e.g., news.yourdomain.com). This is particularly important for organizations that use various subdomains for different email sending purposes, such as marketing, transactional, or support emails. If you send email from any subdomains, and you want BIMI to display for those subdomains, their DMARC policy (governed by sp=) must also be set to quarantine or reject. If sp= is set to none, BIMI will not function for those subdomains. It's also worth noting that the sp= tag only applies if a specific DMARC record for the subdomain does not exist. If a subdomain has its own DMARC record, that record's policy will take precedence.
Example DMARC record with enforced subdomain policy (DNS)
When both p= and sp= are set to an enforcement policy (quarantine or reject), you achieve full DMARC protection across your entire domain space, including all subdomains. This comprehensive enforcement is what providers such as Mailgun (often cited by email deliverability experts) and the major mailbox providers look for when validating your BIMI setup. It signals that you have a strong grasp of your email sending infrastructure and are actively preventing unauthorized use of your domain.
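To make the p= / sp= precedence rules concrete, here is an added example (not part of the original article, and not Suped's code) that walks DMARC policy discovery the way a receiver does: a subdomain's own _dmarc record wins; otherwise the organizational domain's sp= applies; if sp= is absent, p= applies. The DNS answers are constructed sample records for made-up domains, embedded inline so the script runs offline, and the organizational-domain logic is a deliberate simplification (last two labels) rather than a Public Suffix List lookup. It also checks the pct tag, which the article does not discuss: BIMI treats p=quarantine with pct below 100 as not enforced.

```python
"""Resolve the effective DMARC policy for a domain and decide BIMI readiness.

Constructed sample data: the domains and records below are invented for the
example; none of them are real zones.
"""

# Keys are the _dmarc.<domain> names a resolver would query (constructed).
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=50",
}

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(domain, dns):
    """Return the parsed DMARC record for a domain, or None if none is published."""
    record = dns.get(f"_dmarc.{domain}")
    if record and record.startswith("v=DMARC1"):
        return parse_dmarc(record)
    return None


def organizational_domain(domain):
    # Simplification for the example: last two labels. Real receivers use the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.split(".")[-2:])


def effective_policy(domain, dns):
    """Policy discovery (RFC 7489 section 6.6.3): own record, else org sp=, else org p=."""
    own = lookup(domain, dns)
    if own is not None:
        return {"policy": own.get("p", "none"),
                "pct": own.get("pct", "100"),
                "source": f"_dmarc.{domain} p="}
    org = organizational_domain(domain)
    org_record = lookup(org, dns) if org != domain else None
    if org_record is None:
        return {"policy": None, "pct": None, "source": "no record"}
    if "sp" in org_record:
        return {"policy": org_record["sp"],
                "pct": org_record.get("pct", "100"),
                "source": f"_dmarc.{org} sp="}
    return {"policy": org_record.get("p", "none"),
            "pct": org_record.get("pct", "100"),
            "source": f"_dmarc.{org} p= (sp absent)"}


def bimi_ready(domain, dns):
    """True only if the effective policy is quarantine/reject applied to 100% of mail."""
    result = effective_policy(domain, dns)
    if result["policy"] not in ENFORCING:
        return False
    # BIMI requires full enforcement; a sampled quarantine (pct<100) is not enough.
    return result["policy"] == "reject" or result["pct"] == "100"


if __name__ == "__main__":
    for name in ("example.com", "news.example.com", "mail.example.com",
                 "mail.example.org", "nothing.test"):
        res = effective_policy(name, SAMPLE_DNS)
        print(f"{name:20} policy={res['policy']!s:10} from {res['source']:35} "
              f"BIMI ready: {bimi_ready(name, SAMPLE_DNS)}")
```

Note how mail.example.com inherits sp=quarantine from the organizational record and is BIMI-ready, while news.example.com publishes its own p=none record and therefore is not, exactly the precedence described above.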
Before you change your sp= policy from none to quarantine or reject, a thorough understanding of all your email sending sources, including subdomains, is essential. Any email sent from a subdomain that isn't properly authenticated (via SPF or DKIM) will be affected by your chosen sp= policy. This means legitimate emails could end up in spam folders or be blocked entirely, impacting your business communications.
Determining the best setting for sp=
The decision between sp=quarantine and sp=reject largely depends on your confidence in your DMARC implementation and the completeness of your email authentication. If you're 100% certain that all legitimate emails sent from your domain and its subdomains are properly authenticated with SPF and DKIM, then sp=reject offers the strongest protection against spoofing and phishing, actively preventing unauthenticated emails from reaching recipients.
However, if there's any uncertainty, or if you're still in the process of identifying all your sending sources, sp=quarantine is a safer initial step. This allows you to monitor DMARC reports for any unexpected failures without immediately blocking legitimate traffic. It provides a transitional phase, giving you time to rectify any authentication issues before moving to the stricter reject policy. Remember, moving slowly often leads to faster, more successful implementation.
sp=quarantine
Impact: Unauthenticated emails are directed to spam or flagged for review, not outright blocked.
Monitoring: Provides a safety net to catch legitimate but unauthenticated emails during DMARC rollout.
Risk: Lower risk of inadvertently blocking legitimate emails.
BIMI Status: Supports BIMI display, but with less strict enforcement than reject.
sp=reject
Impact: Unauthenticated emails are not delivered at all.
Security: Offers the highest level of protection against domain abuse (spoofing, phishing).
Risk: Higher risk of blocking legitimate emails if any sending sources are not fully authenticated.
BIMI Status: Fully supports BIMI display with the strongest enforcement.
Ultimately, the sp= setting you choose should mirror your organizational domain policy (p=) as you progress to an enforced state. A good strategy is to start with p=none (and sp=none) while you gather DMARC reports. Once you're confident that all legitimate traffic is authenticating correctly, you can move to p=quarantine (and sp=quarantine). Only then, after continued monitoring, consider the transition to p=reject (and sp=reject). This phased approach minimizes the risk of mail disruption.
Key considerations for DMARC enforcement
Implementing BIMI means not only having a DMARC policy in enforcement mode but also ensuring all your legitimate email passes DMARC authentication. This involves correctly configuring SPF and DKIM for all sending sources, including any third-party senders. An often-overlooked aspect is the SPF DNS lookup limit. If you exceed the 10-lookup limit, SPF will fail, potentially causing DMARC failures and hindering BIMI display. Regular monitoring of your DMARC reports is critical to identify and resolve these issues.
Before you enforce your DMARC policy, especially for subdomains using the sp= tag, you must have a clear understanding of all the services and platforms that send email on behalf of your domain. This includes marketing automation platforms, transactional email services, customer support systems, and any other internal or external tools. Each of these must be properly authenticated (SPF and DKIM aligned) to avoid legitimate emails being quarantined or rejected once your DMARC policy moves to enforcement.
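The SPF lookup limit mentioned above is easy to exceed once several third-party senders are chained through include: terms. The following added example (not from the article or Suped) counts the DNS-querying terms reachable from an SPF record the way RFC 7208 section 4.6.4 does: include, a, mx, ptr, exists and the redirect modifier each cost one lookup, nested includes and redirects are followed, and include loops are stopped. The zone data is a constructed in-memory map of invented .test domains so the script runs offline; a real check would resolve TXT records instead of reading this dict.

```python
"""Count SPF DNS lookups for a domain against the RFC 7208 limit of 10.

Constructed sample zone: every name below is invented for this example.
"""

SPF_LOOKUP_LIMIT = 10

# Mechanisms that cost a DNS query (ip4/ip6/all do not).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

SAMPLE_SPF = {
    # A typical corporate record: CRM vendor, a mailer vendor, plus mx and a.
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.crm.test include:_spf.mailer.test mx a -all",
    "_spf.crm.test": "v=spf1 include:_spf1.crm.test include:_spf2.crm.test ~all",
    "_spf1.crm.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.crm.test": "v=spf1 ip4:198.51.100.128/25 -all",
    "_spf.mailer.test": "v=spf1 a mx ptr exists:%{i}.spf.mailer.test redirect=_spf2.mailer.test",
    "_spf2.mailer.test": "v=spf1 include:_spf3.mailer.test include:_spf4.mailer.test include:_spf5.mailer.test -all",
    "_spf3.mailer.test": "v=spf1 ip4:203.0.113.0/26 -all",
    "_spf4.mailer.test": "v=spf1 ip4:203.0.113.64/26 -all",
    "_spf5.mailer.test": "v=spf1 ip6:2001:db8::/32 -all",
    # A small record that stays well inside the limit.
    "small.test": "v=spf1 include:_spf1.crm.test mx -all",
    # A record that includes itself: must not recurse forever.
    "loop.test": "v=spf1 include:loop.test -all",
}


def count_spf_lookups(domain, dns, path=()):
    """Return the number of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:          # include/redirect loop: stop, already counted
        return 0
    path = path + (domain,)
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # strip qualifier
        if ":" not in term and "=" in term:  # modifier (redirect=, exp=)
            modifier, _, target = term.partition("=")
            if modifier.lower() == "redirect":
                count += 1 + count_spf_lookups(target, dns, path)
            continue
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()    # drop dual-CIDR suffix on a/mx
        if name in LOOKUP_MECHANISMS:
            count += 1
            if name == "include":
                count += count_spf_lookups(value, dns, path)
    return count


def spf_within_limit(domain, dns):
    """True when the record stays at or under the 10-lookup limit."""
    return count_spf_lookups(domain, dns) <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("example.test", "small.test", "loop.test"):
        n = count_spf_lookups(name, SAMPLE_SPF)
        status = "OK" if n <= SPF_LOOKUP_LIMIT else "PERMERROR (too many lookups)"
        print(f"{name:14} {n:2} lookups  {status}")
```

In the sample, example.test reaches 14 lookups and would produce a permanent SPF error at receivers, which then fails DMARC for any mail that is not also DKIM-aligned. The mx mechanism additionally triggers address lookups for each MX host, which RFC 7208 caps separately at 10; this counter only tracks the term-level limit.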
Before moving to enforcement
Audit all sending sources: Identify every system sending email from your domain and subdomains.
Ensure authentication: Verify SPF and DKIM are correctly configured for all sources.
Monitor DMARC reports: Analyze aggregate and forensic reports to identify failures.
After moving to enforcement
Continuous monitoring: Regularly review DMARC reports for new or recurring issues.
Maintain DNS records: Keep SPF, DKIM, and DMARC records updated and error-free.
Address unauthenticated sources: Quickly configure or cease sending from any unauthenticated source.
Remember, email authentication is an ongoing process. As your email sending infrastructure evolves, so too should your DMARC configuration. A proactive approach to monitoring and maintenance ensures your emails remain deliverable and your brand's BIMI logo continues to display prominently.
Views from the trenches
Best practices
Maintain an up-to-date inventory of all domains and subdomains that send email.
Consistently review DMARC aggregate reports to detect legitimate email streams not authenticating.
Prioritize fixing SPF and DKIM alignment for all sending sources before moving to reject policies.
Implement a phased approach for DMARC policy enforcement, starting with quarantine.
Ensure DNS records are correctly published and do not exceed the SPF 10-lookup limit.
Common pitfalls
Moving to an enforced DMARC policy (quarantine or reject) too quickly, without proper monitoring.
Failing to account for all subdomains or third-party senders when setting DMARC policies.
Overlooking SPF DNS lookup limit issues, which can cause legitimate emails to fail authentication.
Not regularly checking DMARC reports for anomalies or unauthenticated legitimate traffic.
Assuming MX records or sender reputation directly impact DMARC compliance (they don't).
Expert tips
Use DMARC reporting tools to gain visibility into your email ecosystem and sending behavior.
If using third-party email providers, ensure they support SPF and DKIM alignment.
Consider segmenting email types (e.g., transactional vs. marketing) to different subdomains with tailored DMARC policies.
Document all your email sending sources and their authentication configurations.
Communicate DMARC policy changes internally to relevant teams (IT, marketing, support) to avoid disruptions.
Expert view
Expert from Email Geeks says the required DMARC policy for BIMI, for both the organizational domain and subdomains, is either quarantine or reject.
2024-02-06 - Email Geeks
Marketer view
Marketer from Email Geeks says that SPF authentication and alignment, and/or DKIM authentication and alignment are what truly matter for DMARC compliance.
2024-02-06 - Email Geeks
Final thoughts on DMARC and BIMI
Activating BIMI for your domain is an excellent step towards bolstering your brand's presence and email security. However, it's contingent upon having a DMARC policy set to enforcement, meaning either p=quarantine or p=reject. Crucially, this enforcement also extends to your subdomains, requiring sp= to be similarly set if you intend for BIMI to display on those sending channels. The choice between quarantine and reject for sp= should be a measured decision, guided by diligent DMARC reporting and a complete understanding of your email sending ecosystem.
By meticulously auditing your email sources, ensuring all legitimate traffic is authenticated, and gradually transitioning your DMARC policies, you can successfully implement BIMI and reap its benefits for brand trust and recognition. This approach minimizes disruption while maximizing your email security posture. Remember to monitor your email blacklists (or blocklists) as well, to ensure your sending reputation remains strong.