What DMARC policy settings are required for BIMI and how do I determine the best setting for sp=?

Key findings

• BIMI requirements: For BIMI to display your logo, your DMARC record's organizational policy (p=) and subdomain policy (sp=) must be set to either quarantine or reject. This enforces strict email authentication.
• Authentication dependency: DMARC compliance primarily relies on proper SPF authentication and alignment, and/or DKIM authentication and alignment. MX records and sender reputation do not directly impact DMARC compliance.
• Subdomain policy importance: The sp= tag is crucial as it dictates the DMARC policy for subdomains. If set to none, subdomains are not protected by the main domain's enforcement policy, which prevents BIMI adoption.

Key considerations

• Gradual policy transition: Transitioning your DMARC policy from p=none to quarantine or reject should be done cautiously. Monitor your DMARC reports closely to identify any legitimate email streams that might fail authentication. More information on when to use DMARC policies can be found here.
• Subdomain inventory: Before changing your sp= policy, comprehensively identify all subdomains that send email. Ensure that DMARC is correctly configured for each sending subdomain to prevent legitimate emails from being rejected or quarantined. This includes understanding how the DMARC sp tag affects subdomains.
• BIMI readiness: Confirm that all other BIMI requirements (like a Verified Mark Certificate and SVG logo format) are in place before moving to an enforcement policy for BIMI.

Key opinions

• BIMI enforcement: Many marketers understand that BIMI requires DMARC policies for both the main domain (p=) and subdomains (sp=) to be at an enforcement level (quarantine or reject).
• Delegating technical decisions: Marketers often rely on their DevOps or IT teams to determine whether to implement sp=quarantine or sp=reject, acknowledging the complexity of these decisions.
• Subdomain management challenges: Some marketers admit to not following best practices, such as sending both marketing and transactional emails from similar domains, which complicates DMARC and BIMI implementation across subdomains.

Key considerations

• Policy choice: While quarantine or reject are acceptable for BIMI, reject offers the highest level of protection against spoofing. The choice often depends on the organization's confidence in their authentication setup. Review our guide on setting DMARC p=reject for more.
• SPF DNS lookups: Marketers must address SPF records that exceed the 10 DNS lookup limit, as this can hinder DMARC authentication and subsequently BIMI adoption.
• Subdomain consolidation: Streamlining subdomain usage and implementing dedicated subdomains for different email types (e.g., transactional vs. marketing) can simplify DMARC management and help ensure proper email authentication.

Key opinions

• Enforcement is a must: BIMI strictly requires DMARC's p= and sp= policies to be at quarantine or reject for a brand's logo to appear.
• Focus on authentication: Experts stress that DMARC compliance is solely dependent on SPF and DKIM authentication and alignment, not on MX records or general sender reputation.
• Subdomain impact: It's important to remember that the sp= policy affects email with a visible From header as subdomains, and not the return path.
• Gradual approach: When making DMARC policy changes, particularly for sp=, experts advise that slow is fast, meaning a careful, monitored approach prevents issues.

Key considerations

• DMARC report analysis: Utilizing a tool to parse DMARC Aggregate (RUA) reports is essential for gaining certainty about your authentication practices. This data helps assess readiness to move to enforcement policies, whether safely transitioning to quarantine or reject.
• Subdomain mapping: Before changing the sp= policy, organizations should confirm with their development or IT teams which subdomains send mail and how they are configured in DNS to avoid unintended disruptions.
• Authentication completeness: While the goal is often to set sp=reject to match a p=reject policy, it is paramount to ensure all legitimate email authenticates correctly before applying such a strict policy.

Key findings

• DMARC enforcement level: BIMI standards require the DMARC policy (the p tag) for the organizational domain, and the policy for subdomains (the sp tag), to be set to either quarantine or reject.
• Alignment requirement: For DMARC to pass, at least one of SPF or DKIM must pass authentication and be in alignment with the From header domain. This is fundamental for enforcing policies and enabling BIMI.
• Subdomain policy precedence: The sp tag in a DMARC record specifies the policy for subdomains that do not have their own DMARC record. If omitted, subdomains inherit the organizational domain's p= policy, unless explicitly overridden by sp= or a dedicated subdomain DMARC record.

Key considerations

• Implementation strategy: Documentation recommends a phased DMARC implementation, starting with a p=none policy to collect reports and identify all legitimate sending sources before moving to enforcement. This process ensures all authorized emails are authenticated before applying stricter policies.
• Domain and subdomain coverage: Organizations must ensure that all email sending domains and subdomains are properly covered by a DMARC policy, either explicitly with their own record or through the main domain's sp= tag, to achieve comprehensive protection and BIMI readiness. A simple guide to DMARC, SPF, and DKIM provides further details.
• BIMI specific requirements: Beyond DMARC policies, BIMI requires a Verified Mark Certificate (VMC) issued by an accredited Certificate Authority and an SVG file of the brand logo, amongst other technical specifications. These elements are detailed in the BIMI RFC (RFC 9461).