Suped

How to troubleshoot BIMI display on subdomains when the root domain DMARC policy is not enforced?

Matthew Whittaker
Co-founder & CTO, Suped
Published 18 Jun 2025
Updated 18 Aug 2025
Many email marketers and deliverability professionals aim to display their brand logo using Brand Indicators for Message Identification (BIMI). It adds a layer of visual trust to your emails, making them stand out in crowded inboxes. However, getting BIMI to display correctly, especially on subdomains, can be tricky.
A common scenario I've encountered is when a Verified Mark Certificate (VMC) is in place for the root domain, but the BIMI implementation is targeted at subdomains. The root domain's DMARC policy might be set to p=none, while the subdomains have a more enforced policy like p=quarantine or p=reject. This setup often leads to the BIMI logo not appearing, particularly in services like Gmail or Apple Mail.
The core issue usually stems from a misunderstanding of how DMARC policies interact with BIMI across root domains and subdomains. Most mailbox providers require the organizational (root) domain's DMARC policy to be enforced, even if you are trying to display BIMI on a subdomain. Let's delve into why this happens and what steps you can take to resolve it.

Understanding DMARC and BIMI requirements

To understand why your BIMI logo might not be showing on subdomains, even with a strong DMARC policy on the subdomain itself, it is important to first grasp the foundational requirement for BIMI: a DMARC policy set to either p=quarantine or p=reject. This strict enforcement tells receiving servers that your domain is actively protected against spoofing, which is a key trust signal for BIMI.
The critical point is that for major mailbox providers like Google and Yahoo Mail, this DMARC enforcement policy must be in place at the root (organizational) domain level. Even if your subdomain has p=quarantine, if the root domain is at p=none, BIMI will not display. This is a common pitfall. The DMARC policy for the organizational domain must be at p=quarantine or p=reject.
For example, Google Workspace's documentation on setting up BIMI explicitly states that the DMARC policy option (p) must be set to quarantine or reject. It does not support policies set to p=none for BIMI display. This applies whether you're sending from the root domain or a subdomain.

Prerequisites for BIMI display

The first step in troubleshooting is always to verify your DMARC setup. Ensure that your root domain has a DMARC record published with a policy of p=quarantine or p=reject. If it is currently set to p=none, you will need to transition it to an enforcement policy. This usually involves a phased approach, starting with p=none for monitoring, then moving to p=quarantine, and finally to p=reject once you are confident in your email streams. You can learn more about how to safely transition your DMARC policy.
Next, confirm that your BIMI DNS record is correctly published for the specific subdomain. The BIMI record is a TXT record that begins with v=BIMI1; and includes l= (logo URL) and optionally a= (VMC URL). If the subdomain's BIMI record is missing or misconfigured, the logo simply will not display. This is a separate check from the DMARC policy itself.
Additionally, consider the Verified Mark Certificate (VMC) you are using. While you might have a VMC for your root domain, if you are attempting to implement BIMI solely on a subdomain, you might need a VMC specifically issued for that subdomain, or ensure your existing VMC covers the subdomain appropriately. DigiCert, for example, issues VMCs tied to specific organizational domains.

BIMI display requirements

  1. Root DMARC Policy: Must be set to p=quarantine or p=reject for most major mailbox providers, even for subdomains.
  2. Subdomain BIMI Record: A valid BIMI TXT record needs to be published for the specific subdomain.
  3. VMC Validation: Your VMC must be valid and correctly referenced in the BIMI record.
  4. Brand Logo (SVG): The SVG file for your logo must meet all BIMI specifications, including square dimensions and proper formatting.

The impact of a non-enforced root DMARC policy

Let's consider the specific scenarios that often lead to BIMI display issues on subdomains when the root DMARC is not enforced. The main discrepancy arises from how different mailbox providers interpret DMARC policies at various levels.

BIMI display inhibited

The primary reason your BIMI logo won't display is if your root domain's DMARC policy is set to p=none. Most major Mailbox Providers (MBPs), including Google and Apple Mail, require an enforced policy (p=quarantine or p=reject) for the organizational domain.
This requirement ensures that the entire domain, including its subdomains, is protected against email spoofing. If the root domain isn't secured with an enforcement policy, it undermines the trust signal BIMI is meant to provide.

Addressing the issue

The solution involves updating your root domain's DMARC policy. You must move it from p=none to p=quarantine or p=reject. This transition should be done carefully, ideally after a period of DMARC monitoring to ensure legitimate emails are not affected. You can read our guide on how to safely transition your DMARC policy.
Once your root domain's DMARC policy is at an enforcement level, the BIMI logo should begin to appear for emails sent from your compliant subdomains, provided all other BIMI requirements are met. It is worth noting that Yahoo may display the logo even with a subdomain-only enforcement policy, but this is often not the case with other providers like Google.
In essence, while subdomains can have their own DMARC records, the overarching rule for BIMI dictates that the base domain needs to be in an enforced state. This cascading requirement is fundamental to BIMI's security model.

Additional troubleshooting steps

Aside from the root DMARC policy, there are several other factors that can prevent your BIMI logo from displaying. It is crucial to check each of these thoroughly when troubleshooting. Remember that DNS changes can take time to propagate, so patience is key after making updates.
Firstly, ensure your BIMI DNS record is correctly formatted and published for the subdomain. This is typically a TXT record. Here is an example of what a BIMI record might look like:
Example BIMI DNS record for a subdomain:
default._bimi.sub.yourdomain.com IN TXT "v=BIMI1; l=https://yourdomain.com/bimi/logo.svg; a=https://yourdomain.com/bimi/vmc.pem;"
Ensure the l= tag points to a publicly accessible SVG file that adheres to BIMI's strict specifications, and the a= tag, if used, points to your valid Verified Mark Certificate (VMC) in PEM format. You can refer to the BIMI Group's FAQ for detailed specifications on SVG formatting and VMC requirements.
Another common area to check is your SPF and DKIM authentication for the subdomain. BIMI relies heavily on these underlying protocols passing authentication and aligning correctly with your DMARC record. If SPF or DKIM fail, your DMARC authentication will also fail, preventing BIMI from displaying. I would recommend using an email deliverability tester to diagnose any SPF or DKIM alignment issues, and you can learn more about DMARC authentication and alignment issues in our guide.
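The checks described above (root DMARC enforcement first, then the subdomain's own BIMI record) can be run in one pass. The sketch below is an added example, not Suped's code; the `example.test` names and TXT records are constructed, and the `SAMPLE_DNS` dict stands in for live DNS lookups.

```python
# Constructed sample TXT records standing in for DNS lookups (placeholder names).
SAMPLE_DNS = {
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "_dmarc.news.example.test": "v=DMARC1; p=reject",
    "default._bimi.news.example.test":
        "v=BIMI1; l=https://example.test/bimi/logo.svg; a=https://example.test/bimi/vmc.pem;",
}
ENFORCED = {"quarantine", "reject"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def check_bimi(subdomain, root, dns):
    """Return the findings that would block BIMI display for mail from `subdomain`."""
    findings = []
    root_dmarc = parse_tags(dns.get(f"_dmarc.{root}", ""))
    sub_dmarc = parse_tags(dns.get(f"_dmarc.{subdomain}", ""))

    # Requirement 1: the organizational (root) domain itself must be enforced.
    root_p = root_dmarc.get("p", "").lower()
    if root_dmarc.get("v") != "DMARC1":
        findings.append(f"no DMARC record at _dmarc.{root}")
    elif root_p not in ENFORCED:
        findings.append(f"root policy is p={root_p or '?'}; needs quarantine or reject")

    # Subdomain policy: its own record wins, otherwise the root's sp= tag, then p=.
    sub_p = (sub_dmarc.get("p") or root_dmarc.get("sp") or root_p).lower()
    if sub_p not in ENFORCED:
        findings.append(f"subdomain effective policy is p={sub_p or '?'}")

    # Requirement 2: a BIMI record published for this specific subdomain.
    bimi = parse_tags(dns.get(f"default._bimi.{subdomain}", ""))
    if bimi.get("v") != "BIMI1":
        findings.append(f"no BIMI record at default._bimi.{subdomain}")
    else:
        for tag in ("l", "a"):  # a= is optional; each URL present must be HTTPS
            url = bimi.get(tag, "")
            if (url or tag == "l") and not url.startswith("https://"):
                findings.append(f"{tag}= must be an https:// URL")
    return findings
```

With the sample records, `check_bimi("news.example.test", "example.test", SAMPLE_DNS)` reports only the root policy, which is the situation this article describes: the subdomain is at p=reject and its BIMI record is valid, yet the root's p=none is the blocker.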

Managing BIMI across subdomains

There are several ways to manage BIMI across your domains and subdomains. If your goal is to have BIMI display on a subdomain, but not necessarily on your root domain (perhaps due to ongoing DMARC policy changes on the root, or different branding), the key is still to ensure the root DMARC is enforced.
To explicitly control BIMI display on subdomains, you can publish individual BIMI records for each subdomain where you want the logo to appear. This allows for granular control, especially if different subdomains represent different brands or departments. It is also important to understand how DMARC records on subdomains override root policies for a comprehensive approach to email authentication.
If you do not want BIMI on certain subdomains, simply do not publish a BIMI record for them. This provides flexibility for managing your brand's presence across various email sending contexts. This also applies to preventing BIMI and Apple Branded Mail logos from displaying on specific subdomains.

Conclusion

When the root domain DMARC policy is not enforced, it creates a foundational hurdle for BIMI display on subdomains. My main takeaway is that you must elevate your root domain's DMARC policy to p=quarantine or p=reject before you can expect consistent BIMI display on your subdomains, especially with major providers like Outlook, Gmail and Apple Mail. This is a non-negotiable step for full BIMI adoption.

Views from the trenches

Best practices
Ensure your root domain's DMARC policy is set to 'quarantine' or 'reject' for reliable BIMI display across all subdomains.
Verify that each subdomain intended for BIMI has its own correctly formatted BIMI TXT record published in DNS.
Always use a valid, publicly accessible SVG file for your logo and ensure it meets BIMI specifications.
Confirm that your VMC is current, valid, and correctly referenced in your BIMI DNS record, especially for subdomains.
Common pitfalls
Setting your root domain's DMARC policy to 'p=none' will prevent BIMI logos from displaying, even if subdomains are enforced.
Forgetting to publish or incorrectly formatting the BIMI TXT record for a specific subdomain is a common oversight.
Using a brand logo that does not meet the strict SVG profile requirements can lead to BIMI display failures.
Not accounting for DNS propagation time after making changes can lead to premature conclusions about BIMI not working.
Expert tips
Start with DMARC 'p=none' to monitor reports, then gradually move to 'quarantine' and 'reject' for your root domain.
If your VMC covers only the root domain, confirm with your VMC provider if it automatically extends to subdomains or if separate VMCs are needed.
Consider using a DMARC analysis tool to monitor reports and identify any authentication failures before enforcing policies.
Be aware that some mailbox providers, like Yahoo, may have slightly different BIMI display requirements for subdomains.
Expert view
Expert from Email Geeks says the root domain must be in enforcement, even if BIMI is only being applied on the subdomain.
2024-03-15 - Email Geeks
Marketer view
Marketer from Email Geeks says checking if SPF, DKIM, and DMARC pass for the subdomain is crucial when troubleshooting.
2024-03-16 - Email Geeks
