
Will BIMI work on multiple levels of subdomains?

Michael Ko
Co-founder & CEO, Suped
Published 18 May 2025
Updated 17 Aug 2025
When I first started exploring Brand Indicators for Message Identification (BIMI), one common question that came up was about its behavior across different levels of subdomains. It's a valid concern for organizations with complex domain structures, such as example.com, marketing.example.com, and email.marketing.example.com. Many expect a BIMI record set at a higher level to automatically apply everywhere. However, the reality of how BIMI interacts with multi-level subdomains is a bit more nuanced than simple inheritance.
Specifically, the question often boils down to whether a BIMI record published on a first-level subdomain, like xyz.sample.com, will extend its influence to a second-level subdomain, such as email.xyz.sample.com. Understanding this inheritance model is crucial for effective email branding and ensuring your logo displays as intended across all your sending domains.

How BIMI subdomain inheritance works

BIMI relies on strict email authentication protocols, primarily DMARC, to display your brand's logo in the recipient's inbox. The core principle is that the BIMI record must be published at the domain from which the email is actually sent, or at its organizational domain. This is tied directly to the RFC5322.From domain, which is the "friendly from" address seen by recipients.
For instance, if you're sending email from email.marketing.example.com, the BIMI record should ideally be configured for email.marketing.example.com itself. If a BIMI record is only present at marketing.example.com, it will not automatically "trickle down" to email.marketing.example.com, because BIMI's lookup process does not consult intermediate parent subdomains when no record is present at the direct sending domain. This is a critical distinction when planning your BIMI deployment strategy.
However, there's a common misconception about how organizational domains work with BIMI. While a BIMI record set at the organizational domain (e.g., example.com) can indeed apply to its first-level subdomains (like marketing.example.com), it does not automatically extend to deeper levels (e.g., email.marketing.example.com) unless that organizational domain is included in the Verified Mark Certificate (VMC) and specific BIMI selectors are configured to point to it. This differs from DMARC's sp tag behavior, which explicitly dictates policy for all subdomains.
Therefore, for a second-level subdomain like email.xyz.sample.com to display a BIMI logo, the record must either be published directly on email.xyz.sample.com, or the organizational domain sample.com must have the BIMI record and a VMC that covers all desired subdomains. This clarifies whether a parent domain needs BIMI for subdomain BIMI to work effectively.

The role of the VMC and DMARC in subdomain display

A Verified Mark Certificate (VMC) is essential for BIMI display with many major mailbox providers, including Google and Yahoo. The VMC verifies your brand's logo as a registered trademark. The critical aspect for subdomains is that the VMC must explicitly list the domains and subdomains for which the logo is intended to be displayed. While one VMC can technically cover multiple subdomains if they share the same logo, this coverage is dependent on the domains being listed in the certificate's Subject Alternative Name (SAN) field.
Another non-negotiable requirement for BIMI to work at any level, including multi-level subdomains, is a robust DMARC policy. Your domain must have a DMARC policy set to either p=quarantine or p=reject. A p=none policy, while useful for initial monitoring, will not enable BIMI logo display. This DMARC enforcement needs to be in place for the specific sending domain or its organizational domain to which the BIMI record applies. I've often seen issues arise because of DMARC not being fully enforced.

DMARC policy requirements for BIMI

  1. Enforced policy: BIMI requires your DMARC policy to be set to p=quarantine or p=reject. A p=none policy will prevent your logo from appearing.
  2. Subdomain policy: The DMARC policy for the subdomain you are trying to enable BIMI on must also be enforced. This often means ensuring your organizational domain DMARC policy (or a specific subdomain policy) covers the sending subdomain. More information is available on Amazon SES regarding BIMI and its requirements.
Consider this scenario: if your sample.com has a DMARC policy of p=quarantine, this policy, by default, also applies to subdomains unless overridden. However, the BIMI record itself must be present at the specific subdomain level (email.xyz.sample.com) or the organizational domain (sample.com) if that organizational domain also has a VMC that covers the sending subdomain. This distinction is crucial for understanding how to properly implement BIMI for multiple brands with subdomains.

Implementing BIMI for complex domain structures

Implementing BIMI across various levels of subdomains requires careful planning. If you wish to display a logo for email.xyz.sample.com, the most straightforward approach is to publish a distinct BIMI TXT record directly on that subdomain. This ensures the record is found precisely where expected by mail receivers.
Example BIMI DNS TXT record for a subdomain:
default._bimi.email.xyz.sample.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem;"

Organizational domain BIMI (example.com)

  1. Coverage: A VMC for the organizational domain can potentially cover all first-level subdomains if properly included in the certificate. It simplifies management for a single, consistent logo across the board.
  2. Inheritance: BIMI lookup may apply this record to subdomains (e.g., marketing.example.com) if the VMC and DMARC are correctly configured for inheritance. However, it does not typically extend to deeper levels automatically.
  3. Complexity: Less complex for consistent branding, but requires careful VMC setup and DMARC policy alignment to ensure subdomain coverage. Check how DigiCert discusses the number of VMCs needed for different scenarios.

Direct subdomain BIMI (email.xyz.example.com)

  1. Coverage: Requires a dedicated BIMI TXT record for each specific subdomain where you want the logo to appear. This provides granular control.
  2. Inheritance: No direct inheritance from higher-level subdomains occurs. Each subdomain needs its own record, although the VMC might be shared if it lists all relevant domains in its SAN field.
  3. Complexity: Can become complex to manage with many subdomains, as each requires a separate DNS entry. It’s ideal when you need to apply BIMI to a specific subdomain.
For organizations with multiple subdomains or distinct brands, BIMI selectors offer flexibility. A BIMI selector allows you to specify different logos for various use cases or subdomains. For instance, you could have marketing._bimi.example.com and support._bimi.example.com, each pointing to a different logo. This approach helps manage distinct brand identities within a single organizational domain structure, a practice detailed by the BIMI Group themselves.

Troubleshooting and best practices for multi-level BIMI

When your BIMI logo isn't appearing on a multi-level subdomain, there are several troubleshooting steps I recommend. First, always verify that the DMARC policy for the specific sending subdomain is in enforcement mode (p=quarantine or p=reject) and that both SPF and DKIM are aligning with DMARC. Without proper DMARC enforcement and alignment, BIMI will not work.
Next, check the BIMI DNS TXT record for the precise subdomain. Ensure it is correctly formatted and accessible via public DNS queries. Small errors in the record, or issues with DNS propagation, can prevent the logo from displaying. I always use a DNS checker to confirm the record is visible globally.
Finally, confirm your VMC includes all relevant subdomains in its Subject Alternative Name (SAN) field. A common pitfall is having a VMC only for example.com and expecting it to automatically cover email.xyz.example.com without explicit inclusion. For more technical tips, the BIMI Group's documentation is a valuable resource on BIMI implementation. You can also explore our guidance on how to troubleshoot BIMI display issues.
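The three checks above, together with the lookup order from the inheritance section, as an added example (not code from Suped or the BIMI Group). It runs against a constructed in-memory zone instead of live DNS; the function names, the two-label organizational-domain shortcut, and the caller-supplied SAN list are assumptions made for illustration.

```python
# Constructed zone data for illustration (not real DNS answers).
ZONE = {
    "_dmarc.sample.com": "v=DMARC1; p=quarantine",
    "default._bimi.xyz.sample.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem;",
}

def parse_tags(txt):
    """Split a 'k=v; k=v' DMARC or BIMI TXT value into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def dmarc_policy(zone, from_domain):
    """Effective policy: the domain's own record, else the organizational
    record, where sp (if present) overrides p for subdomains."""
    own = zone.get("_dmarc." + from_domain)
    if own:
        return parse_tags(own).get("p", "none")
    org = parse_tags(zone.get("_dmarc." + org_domain(from_domain), ""))
    return org.get("sp", org.get("p", "none"))

def bimi_record(zone, from_domain, selector="default"):
    """Look at the From domain, then the organizational domain only.
    Intermediate subdomains are never queried."""
    for d in dict.fromkeys([from_domain, org_domain(from_domain)]):
        name = f"{selector}._bimi.{d}"
        if name in zone:
            return name, parse_tags(zone[name])
    return None, {}

def check(zone, from_domain, vmc_sans, selector="default"):
    """Return the list of problems found for one sending domain."""
    problems = []
    if dmarc_policy(zone, from_domain) not in ("quarantine", "reject"):
        problems.append("dmarc-not-enforced")
    name, tags = bimi_record(zone, from_domain, selector)
    if name is None:
        problems.append("no-bimi-record")
    elif tags.get("v") != "BIMI1" or not tags.get("l", "").startswith("https://"):
        problems.append("bad-bimi-record")
    elif from_domain not in vmc_sans:  # SAN rule as stated in this article
        problems.append("vmc-san-missing")
    return problems

if __name__ == "__main__":
    print(check(ZONE, "email.xyz.sample.com", ["sample.com"]))
```

With the constructed zone, the record published at xyz.sample.com is never consulted for mail from email.xyz.sample.com, so the check reports a missing record until one is added at the sending subdomain or at sample.com.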

Views from the trenches

Best practices
Publish your BIMI record at the organizational domain if you want it to apply broadly to first-level subdomains.
Ensure your Verified Mark Certificate (VMC) explicitly lists all desired subdomains in its SAN field for logo display.
Always maintain a DMARC policy of 'quarantine' or 'reject' for the domains and subdomains where BIMI is deployed.
Utilize BIMI selectors when you need to display different logos for various subdomains or sending purposes.
Common pitfalls
Expecting BIMI to automatically 'trickle down' to second or third-level subdomains from a first-level subdomain record.
Having a DMARC policy set to 'p=none' which prevents BIMI logo display, even if other settings are correct.
Not including all necessary subdomains in the Verified Mark Certificate's Subject Alternative Name (SAN) field.
Incorrectly formatting BIMI DNS TXT records or having DNS propagation delays.
Expert tips
Double-check your DMARC alignment and aggregate reports for insights into your sending domains.
Regularly monitor your BIMI records for any changes or issues that might affect logo display.
Review the BIMI specification document for the most accurate and up-to-date implementation guidelines.
Consider using a DMARC reporting service to easily track authentication and BIMI compliance.
Expert view
Expert from Email Geeks says the BIMI record either needs to be published at the RFC5322.From domain or the organizational domain of the From domain.
March 21, 2024 - Email Geeks
Expert view
Expert from Email Geeks says that a BIMI record on a second-level subdomain will not inherit from a first-level subdomain, but will inherit from the organizational domain if the BIMI is published there.
March 21, 2024 - Email Geeks

Ensuring your brand's visual identity

Successfully implementing BIMI on multi-level subdomains is entirely achievable, provided you adhere to the technical specifications and best practices. It's not a matter of automatic "trickle-down" from an intermediate subdomain, but rather a deliberate configuration at either the specific sending subdomain or the top-level organizational domain.
The key takeaways are to ensure robust DMARC enforcement, a VMC that covers all desired domains and subdomains, and precise DNS record publication. By understanding these nuances, you can confidently display your brand's logo across all your legitimate email sending channels, enhancing trust and recognition for recipients. Implementing BIMI can greatly improve email deliverability and overall brand perception, leading to better engagement.
