Do DMARC and BIMI require p=reject to be present on the organizational domain?
Summary
What email marketers say
Email marketer from GlockApps suggests that to implement BIMI successfully, your domain must have a DMARC policy with `p=quarantine` or `p=reject`. Having one of these two settings is mandatory. They suggest considering the risk of implementing `p=reject` before going straight to this option.
Email marketer from EasyDMARC shares that while a `p=reject` policy isn't strictly mandatory for BIMI, it's highly recommended. A `p=quarantine` policy can work, but `p=reject` offers the strongest protection for your brand and is seen as the best practice for ensuring BIMI is fully effective.
Email marketer from EmailAuth shares that for optimal BIMI implementation, a DMARC policy of `p=reject` is generally preferred. While `p=quarantine` can be used, `p=reject` signals a stronger commitment to email security, increasing the likelihood of BIMI compliance and logo display.
Email marketer from Red Sift states that to use BIMI, you'll need DMARC set to either `p=quarantine` or `p=reject`. They recommend using a `p=reject` policy for maximum protection but acknowledge that `p=quarantine` can be a suitable starting point, depending on your specific needs and risk appetite.
Email marketer from Proofpoint answers that to implement BIMI, your domain must have a DMARC policy enabled with either 'quarantine' or 'reject'. SPF and DKIM are also crucial. The choice between 'quarantine' and 'reject' often depends on the organization's risk tolerance and monitoring capabilities.
What the experts say
Expert from Word to the Wise (Laura Atkins) addresses the difficulties for small senders using DMARC, in that `p=reject` is not usually the best choice for low-volume senders. If you use a `p=reject` policy, all emails not correctly authenticating are rejected, including legitimate emails that haven't been correctly configured. If you're a small business that uses multiple ESPs, it's much better to have either `p=none` or `p=quarantine` set up.
Expert from Email Geeks explains that if you don't have a DMARC policy at the organizational domain level that's at least as strict as the one on the subdomain you're using, there's little point in doing DMARC at all.
Expert from Email Geeks shares that it wouldn’t be surprising if BIMI requires p=reject at the domain level.
Expert from Spam Resource (John Levine) explains that while DMARC itself doesn't directly improve deliverability, implementing a `p=reject` policy helps protect your domain from spoofing, which, in turn, prevents malicious actors from harming your sending reputation, indirectly improving deliverability. It notes that DMARC 'reject' does have negative impact, it only prevents others from forging messages using your domain. It also notes setting up DMARC isn't for beginners.
Expert from Email Geeks shares that BIMI would also be happy with a p=quarantine at the org level.
What the documentation says
Documentation from RFC 7489 (which defines DMARC) answers that the 'quarantine' tag advises mail systems to treat messages that fail the DMARC check as suspicious. Depending on the capabilities of the mail system, this can mean placing the message into spam or junk folder.
Documentation from DMARC.org explains that while BIMI technically works with both `p=quarantine` and `p=reject`, using `p=reject` provides the strongest protection against email spoofing and phishing attacks, which is the ultimate goal of implementing DMARC and BIMI.
Documentation from BIMI Group specifies that to use BIMI, you must authenticate your emails with SPF and DKIM, and you must have a DMARC policy set to either 'quarantine' or 'reject'. This ensures that you're actively managing your email sending reputation.
Documentation from Valimail explains that BIMI (Brand Indicators for Message Identification) technically requires a DMARC policy with `p=quarantine` or `p=reject`. It does not necessarily have to be `p=reject`, but it does require a policy that is strict enough to ensure the sender is taking responsibility for their email practices.
Documentation from RFC 7489 answers that the 'reject' tag advises mail systems to reject the message outright. In practice, mail systems may silently drop the message rather than issuing a bounce message.
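The check discussed across the opinions above, written out as an added example (not code from any of the quoted sources): given the DMARC TXT record of the sending subdomain and of its organizational domain, it reports whether each level is at `p=quarantine` or `p=reject` and whether the organizational domain is at least as strict as the subdomain. The function names and sample records are assumptions made for illustration, and the organizational domain is supplied by the caller rather than derived from a public suffix list.

```python
# Added example: DMARC records below are constructed samples, not real DNS data.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags

def rank(policy):
    """Unknown or missing policy values are treated as 'none'."""
    return STRICTNESS.get(policy.lower(), 0)

def effective_policy(sub_record, org_record):
    """Policy applied to the subdomain: its own p=, else the organizational
    domain's sp=, else the organizational domain's p= (RFC 7489 discovery)."""
    if sub_record:
        return parse_dmarc(sub_record).get("p", "none")
    if org_record:
        org = parse_dmarc(org_record)
        return org.get("sp", org.get("p", "none"))
    return "none"

def bimi_dmarc_findings(sub_record, org_record):
    """Return a list of problems; an empty list means both levels enforce."""
    findings = []
    org_p = parse_dmarc(org_record).get("p", "none") if org_record else "none"
    sub_p = effective_policy(sub_record, org_record)
    if rank(sub_p) < rank("quarantine"):
        findings.append("sending domain policy is '%s'; need quarantine or reject" % sub_p)
    if rank(org_p) < rank("quarantine"):
        findings.append("organizational domain policy is '%s'; need quarantine or reject" % org_p)
    if rank(org_p) < rank(sub_p):
        findings.append("organizational domain is weaker than the subdomain")
    return findings

if __name__ == "__main__":
    org = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"   # constructed
    sub = "v=DMARC1; p=reject"                               # constructed
    for finding in bimi_dmarc_findings(sub, org):
        print("FAIL:", finding)
```

An organizational record with `sp=none` leaves record-less subdomains unenforced even when its own `p=` is `reject`, which is why the check resolves the effective policy before ranking it.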