Will BIMI work on multiple levels of subdomains?

Key findings

• Explicit record placement: BIMI records are not inherited by default. A BIMI record must be published at the specific subdomain where email is being sent from (the RFC5322.From domain) or at the organizational domain to cover all subdomains.
• VMC coverage is key: The Verified Mark Certificate (VMC) must include all domains and subdomains where the logo is intended to appear. One VMC can cover multiple domains and subdomains, but these must be explicitly listed within the certificate's Subject Alternative Name (SAN) field.
• Organizational domain fallback: If a BIMI record is published at the organizational domain, it can apply to all subdomains, assuming the VMC covers them. This is often the most practical approach for complex domain structures.
• No automatic inheritance: A BIMI record at xyz.sample.com will not automatically extend to email.xyz.sample.com unless xyz.sample.com is the organizational domain of email.xyz.sample.com, or the deeper subdomain is explicitly included in the VMC. You can find more details in the BIMI Group FAQs.

Key considerations

• DMARC policy requirement: BIMI mandates a DMARC policy of p=quarantine or p=reject at the domain level. This means that if you're sending from a subdomain, its DMARC policy must meet this requirement. Learn more about how DMARC policies apply to subdomains.
• VMC certificate structure: When purchasing a VMC, ensure that all necessary subdomains are explicitly included in the certificate's SAN field. This is critical for activating BIMI across your desired sending infrastructure.
• DNS record management: You must publish a BIMI TXT record for each specific subdomain (or the organizational domain) that you want to display a logo. For example, to implement BIMI for multiple brands with subdomains, you need careful planning.
• Troubleshooting: If your BIMI logo is not displaying, double-check the DMARC policy, the BIMI DNS record placement, and the VMC's domain coverage. Refer to our guide on BIMI requirements and implementation steps.

Key opinions

• Direct record placement: Many marketers believe the BIMI record needs to be placed directly on the specific subdomain from which emails are being sent, rather than expecting it to roll down from a higher-level subdomain.
• Organizational domain preference: For broader coverage and simpler management, some marketers prefer placing the BIMI record at the organizational (root) domain, as it can then apply to qualifying subdomains if the VMC is correctly configured.
• VMC implications: Marketers recognize that the domains listed in the VMC's SAN field are critical. If a subdomain is not covered by the VMC, BIMI won't work for it, regardless of DNS record placement.
• DMARC alignment: The necessity of a strict DMARC policy (p=quarantine or p=reject) at the sending domain level is a common point of discussion, especially for marketers managing complex DMARC setups across many subdomains. This is detailed in our guide on BIMI and DMARC organizational requirements.

Key considerations

• Complexity with multiple brands: Marketers managing multiple brands, each with their own subdomains, find the process of obtaining and managing VMCs for each can be complex. However, a single VMC can be used across subdomains as long as they share the same logo and are listed in the SAN. You can explore strategies for different logos across subdomains.
• DNS record management for agencies: Vendors or agencies often face challenges in getting clients to publish BIMI records at the correct level, especially within large corporate structures that may have strict DNS management protocols.
• Brand consistency: The primary goal for marketers is ensuring brand consistency and visibility across all email touchpoints, making proper BIMI implementation across subdomains a high priority for brand recognition.
• Impact on deliverability: While BIMI itself doesn't directly improve deliverability, its reliance on DMARC, SPF, and DKIM, which do impact deliverability, means it's part of a broader email authentication strategy. Learn more about whether BIMI impacts email deliverability.

Key opinions

• Specific domain requirement: The BIMI record must be published at the exact domain from which the email is sent (the RFC5322.From domain) or at its organizational domain for it to be recognized. It does not automatically apply to deeper subdomains from an intermediate subdomain.
• Organizational domain coverage: Publishing the BIMI record at the top-level organizational domain (e.g., sample.com) can enable BIMI for all subdomains (e.g., email.xyz.sample.com), provided the VMC includes all such subdomains. This is the common approach for broad coverage.
• VMC Subject Alternative Names (SANs): The critical factor for multi-level subdomain support lies in the VMC's SAN field. All domains and subdomains for which the logo is intended to appear must be explicitly listed in the VMC. Without this, the BIMI record, even if properly placed, will not result in logo display.
• DMARC alignment enforcement: BIMI requires successful DMARC alignment, meaning SPF and DKIM must pass authentication checks and align with the From domain. This is non-negotiable for BIMI to function, regardless of subdomain level. Learn about DMARC, SPF, and DKIM basics.

Key considerations

• Verification process: The verification process for a VMC is rigorous and checks the legitimacy of the brand and the ownership of the domains/subdomains. This ensures that only authorized entities can display logos, reinforcing trust.
• DNS visibility: BIMI records are public DNS records. Experts can readily inspect these records to troubleshoot setup issues or verify domain coverage within a VMC. This transparency is part of the security model.
• Brand reputation impact: Successful BIMI implementation across all sending domains and subdomains contributes significantly to brand reputation and trust indicators, leading to better email engagement.
• BIMI selectors: For complex setups, especially when different logos are desired for various subdomains or sending providers, BIMI selectors can be used. This allows for multiple BIMI records under the same domain. The BIMI Group provides an introduction to selectors. Consider how to implement BIMI for multiple brands with subdomains.

Key findings

• RFC5322.From domain focus: BIMI lookups are performed on the domain found in the RFC5322.From header of the email, or its organizational domain. This means that a record must be directly associated with the domain sending the email.
• Organizational domain search: If a BIMI record is not found at the immediate sending subdomain, mail receivers are instructed to search for a BIMI record at the organizational (root) domain. If found there, that record and its associated VMC can apply to the subdomain.
• VMC validity across domains: A single Validated Mark Certificate (VMC) is designed to support multiple domains and subdomains. However, all these domains and subdomains must be explicitly listed in the VMC's Subject Alternative Name (SAN) field to be valid for BIMI display.
• DMARC policy prerequisite: BIMI functionality is strictly dependent on the presence of a DMARC policy with a p=quarantine or p=reject enforcement policy on the domain from which the email is sent.

Key considerations

• BIMI selector usage: For advanced configurations, such as distinct logos for different subdomains or email streams, BIMI supports the use of selectors. These allow for multiple BIMI records to exist under the same domain, each pointing to a different logo SVG. Learn more about BIMI selectors.
• DNS record format: The BIMI record is a TXT record that specifies the version of BIMI and the URL of the SVG logo file. This record must be correctly formatted and published in the DNS for the relevant domain or subdomain. Our guide on BIMI implementation provides further details.
• SVG file security: The SVG logo file must be hosted securely over HTTPS and adhere to specific formatting requirements to prevent security vulnerabilities and ensure proper rendering across mail clients.
• Certificate authority requirements: VMCs can only be issued by trusted Certificate Authorities (CAs) that are approved by the BIMI Group. This ensures the authenticity and integrity of the displayed brand logo.