Do DMARC and BIMI require p=reject to be present on the organizational domain?

Summary

While DMARC and BIMI technically support both `p=quarantine` and `p=reject` policies at the organizational domain, there's a strong consensus that `p=reject` offers superior protection against spoofing and phishing, ultimately enhancing brand security and deliverability. For BIMI compliance, a DMARC policy is mandatory, alongside SPF and DKIM. However, small senders and those with complex email setups should exercise caution with `p=reject`, as misconfigurations can lead to legitimate emails being blocked. Alternatives like `p=none` or `p=quarantine` may be more suitable in such cases, emphasizing the importance of aligning the DMARC policy with the organization's risk tolerance and monitoring capabilities. A strict policy at the organizational domain is crucial, particularly when using subdomains.

Key findings

  • BIMI & DMARC Requirement: BIMI requires a DMARC policy with either `p=quarantine` or `p=reject`.
  • Stronger Security: `p=reject` offers superior protection against spoofing and phishing compared to `p=quarantine`.
  • Authentication Matters: SPF and DKIM authentication are critical for both DMARC and BIMI implementation.
  • Small Sender Exception: `p=reject` may not be ideal for small senders due to potential misconfiguration and blocked emails.
  • Organizational Domain Importance: A DMARC policy at the organizational domain is crucial, particularly when using subdomains, and it must be as strict as or stricter than the subdomain policies.

Key considerations

  • Risk Tolerance: Assess your organization's risk tolerance and monitoring capabilities before implementing `p=reject`.
  • Implementation Complexity: DMARC setup, especially with `p=reject`, requires careful configuration and expertise.
  • Legitimate Email Impact: Understand the potential for `p=reject` to block legitimate emails if authentication isn't correctly configured.
  • Policy Alternatives: Consider `p=none` or `p=quarantine` as alternatives for small businesses or complex email setups.
  • Proactive Responsibility: Your DMARC policy demonstrates your commitment to responsible email sending practices and managing your sending reputation.

What email marketers say
5 marketer opinions

While a DMARC policy with `p=reject` is not strictly mandatory for BIMI, it is highly recommended and considered best practice for optimal effectiveness and brand protection. BIMI can function with a `p=quarantine` policy, but `p=reject` offers the strongest security posture and increases the likelihood of BIMI compliance and logo display. The choice between `p=quarantine` and `p=reject` often depends on the organization's risk tolerance, monitoring capabilities, and specific needs.

Key opinions

  • BIMI Compatibility: BIMI requires a DMARC policy of either `p=quarantine` or `p=reject`.
  • Preferred Policy: `p=reject` is generally preferred for stronger security and BIMI effectiveness.
  • Alternative Policy: `p=quarantine` can be a suitable starting point or alternative based on risk appetite.
  • Security Commitment: `p=reject` signals a stronger commitment to email security.

Key considerations

  • Risk Tolerance: Evaluate the organization's risk tolerance when choosing between `p=quarantine` and `p=reject`.
  • Monitoring Capabilities: Assess monitoring capabilities to handle potential issues with a `p=reject` policy.
  • Implementation Strategy: Consider a phased approach, starting with `p=quarantine` before transitioning to `p=reject`.
  • Brand Protection: Recognize that `p=reject` provides the strongest brand protection against email spoofing.
Marketer view

Email marketer from GlockApps suggests that to implement BIMI successfully, your domain must have a DMARC policy with `p=quarantine` or `p=reject`. Having one of these two settings is mandatory. They suggest considering the risk of implementing `p=reject` before going straight to this option.

March 2022 - GlockApps
Marketer view

Email marketer from EasyDMARC shares that while a `p=reject` policy isn't strictly mandatory for BIMI, it's highly recommended. A `p=quarantine` policy can work, but `p=reject` offers the strongest protection for your brand and is seen as the best practice for ensuring BIMI is fully effective.

May 2022 - EasyDMARC
Marketer view

Email marketer from EmailAuth shares that for optimal BIMI implementation, a DMARC policy of `p=reject` is generally preferred. While `p=quarantine` can be used, `p=reject` signals a stronger commitment to email security, increasing the likelihood of BIMI compliance and logo display.

March 2024 - EmailAuth
Marketer view

Email marketer from Red Sift states that to use BIMI, you'll need DMARC set to either `p=quarantine` or `p=reject`. They recommend using a `p=reject` policy for maximum protection but acknowledge that `p=quarantine` can be a suitable starting point, depending on your specific needs and risk appetite.

November 2024 - Red Sift
Marketer view

Email marketer from Proofpoint answers that to implement BIMI, your domain must have a DMARC policy enabled with either 'quarantine' or 'reject'. SPF and DKIM are also crucial. The choice between 'quarantine' and 'reject' often depends on the organization's risk tolerance and monitoring capabilities.

July 2021 - Proofpoint

What the experts say
5 expert opinions

While opinions vary, DMARC policy implementation, specifically the `p=reject` option, is not a straightforward decision. Having a DMARC policy at the organizational domain level is crucial, especially if subdomains are used. Although BIMI might function with `p=quarantine`, the `p=reject` policy bolsters domain protection and indirectly enhances deliverability by mitigating spoofing risks. However, small senders should approach `p=reject` cautiously due to the potential for legitimate emails being blocked if authentication is misconfigured. Alternative policies like `p=none` or `p=quarantine` might be more appropriate for low-volume senders.

Key opinions

  • Domain Level Policy: A DMARC policy at the organizational domain level is essential, particularly with subdomains.
  • BIMI Flexibility: BIMI may function with `p=quarantine`, although `p=reject` is often implied for best results.
  • Anti-Spoofing: `p=reject` helps protect against domain spoofing, indirectly improving deliverability.
  • Small Sender Caution: `p=reject` may not be ideal for small senders due to potential misconfiguration issues.

Key considerations

  • Implementation Complexity: Setting up DMARC, especially `p=reject`, is not for beginners and requires careful configuration.
  • Legitimate Email Blocking: `p=reject` can block legitimate emails if authentication is not properly configured.
  • Alternative Policies: Small businesses using multiple ESPs should consider `p=none` or `p=quarantine` as alternatives.
  • Organizational Domain Importance: The DMARC policy at the organizational domain level must be as strict as, or stricter than, those at the subdomain level.
Expert view

Expert from Word to the Wise (Laura Atkins) addresses the difficulties for small senders using DMARC, in that `p=reject` is not usually the best choice for low-volume senders. If you use a `p=reject` policy, all emails not correctly authenticating are rejected, including legitimate emails that haven't been correctly configured. If you're a small business that uses multiple ESPs, it's much better to have either p=none or p=quarantine set up.

September 2024 - Word to the Wise
Expert view

Expert from Email Geeks explains that if you don't have a DMARC policy at the organizational domain level that's at least as strict as the one on the subdomain you're using, there's little point in doing DMARC at all.

September 2021 - Email Geeks
Expert view

Expert from Email Geeks shares that it wouldn’t be surprising if BIMI requires p=reject at the domain level.

November 2024 - Email Geeks
Expert view

Expert from Spam Resource (John Levine) explains that while DMARC itself doesn't directly improve deliverability, implementing a `p=reject` policy helps protect your domain from spoofing, which, in turn, prevents malicious actors from harming your sending reputation, indirectly improving deliverability. It notes that DMARC 'reject' does have a negative impact; it only prevents others from forging messages using your domain. It also notes that setting up DMARC isn't for beginners.

May 2024 - Spam Resource
Expert view

Expert from Email Geeks shares that BIMI would also be happy with a p=quarantine at the org level.

February 2024 - Email Geeks

What the documentation says
5 technical articles

BIMI requires a DMARC policy set to either `p=quarantine` or `p=reject`, along with SPF and DKIM authentication. While both policies technically satisfy BIMI's requirements, `p=reject` offers stronger protection against spoofing and phishing. The `quarantine` tag advises mail systems to treat failing messages as suspicious (e.g., placing them in spam), while `reject` instructs mail systems to reject the message outright, though they may sometimes silently drop it.

Key findings

  • DMARC Requirement: BIMI mandates a DMARC policy of either `p=quarantine` or `p=reject`.
  • Authentication: SPF and DKIM authentication are essential for BIMI compliance.
  • Stronger Protection: `p=reject` provides the strongest defense against spoofing and phishing.
  • Quarantine Action: The `quarantine` tag advises placing suspicious emails in spam/junk folders.
  • Reject Action: The `reject` tag advises rejecting emails outright.

Key considerations

  • Email Practices: Your DMARC policy should reflect a commitment to responsible email practices.
  • Sending Reputation: Implementing these technologies ensures you actively manage your email sending reputation.
  • Goal of DMARC/BIMI: The ultimate goal is to protect against email spoofing and phishing attacks.
  • Silent Dropping: Be aware that mail systems may silently drop rejected messages.
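The checks this page keeps returning to (BIMI's quarantine-or-reject requirement, the organizational-domain policy having to be at least as strict as the subdomain's, and the different receiver dispositions under `quarantine` and `reject`) as one added Python example. This is not code from any vendor, expert or document quoted on this page. It assumes a two-label organizational domain (real DMARC derives it from the Public Suffix List), uses a constructed in-memory zone in place of DNS lookups, and treats a `pct` below 100 as not BIMI-ready, which the BIMI Group's specification requires but this page does not discuss.

```python
"""Added example: DMARC policy discovery, BIMI readiness and failing-message
disposition. The zone below is constructed sample data, not real DNS."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample zone standing in for DNS: TXT records at _dmarc.<domain>.
SAMPLE_ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com",
    # org domain is p=none even though it asks for sp=reject on subdomains
    "_dmarc.weak.example": "v=DMARC1; p=none; sp=reject; rua=mailto:rua@weak.example",
    "_dmarc.mail.weak.example": "v=DMARC1; p=quarantine",
    # enforcement applied to only half of the failing mail
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50",
}


@dataclass
class DmarcRecord:
    p: str             # policy for the domain itself
    sp: Optional[str]  # policy for subdomains without their own record (None: inherit p)
    pct: int           # percentage of failing messages the policy is applied to


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record into its tags; raise ValueError on malformed input."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp")
    if sp is not None:
        sp = sp.lower()
        if sp not in POLICY_RANK:
            raise ValueError("invalid sp= tag")
    return DmarcRecord(p=p, sp=sp, pct=int(tags.get("pct", "100")))


def org_domain(domain: str) -> str:
    """Assumption for this example: the organizational domain is the last two labels.
    Real DMARC derives it from the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def effective_policy(domain: str, zone: Dict[str, str] = SAMPLE_ZONE) -> Tuple[Optional[str], str]:
    """RFC 7489 policy discovery: the domain's own record wins; otherwise the
    organizational domain's sp= (falling back to its p=) applies.
    Returns (policy, domain the record came from) or (None, "absent")."""
    domain = domain.lower()
    own = zone.get(f"_dmarc.{domain}")
    if own:
        return parse_dmarc(own).p, domain
    org = org_domain(domain)
    org_txt = zone.get(f"_dmarc.{org}")
    if org == domain or not org_txt:
        return None, "absent"
    rec = parse_dmarc(org_txt)
    return rec.sp or rec.p, org


def bimi_ready(domain: str, zone: Dict[str, str] = SAMPLE_ZONE) -> Tuple[bool, List[str]]:
    """BIMI needs quarantine or reject at the organizational domain, the same for any
    sp= tag, full enforcement (pct=100), and an effective policy for the sending
    domain itself of quarantine or stronger. Returns (ready, list of problems)."""
    problems: List[str] = []
    org = org_domain(domain)
    org_txt = zone.get(f"_dmarc.{org}")
    if not org_txt:
        return False, [f"no DMARC record at _dmarc.{org}"]
    rec = parse_dmarc(org_txt)
    if POLICY_RANK[rec.p] < POLICY_RANK["quarantine"]:
        problems.append(f"organizational domain {org} has p={rec.p}; BIMI needs quarantine or reject")
    if rec.sp and POLICY_RANK[rec.sp] < POLICY_RANK["quarantine"]:
        problems.append(f"sp={rec.sp} weakens subdomain policy below quarantine")
    if rec.pct < 100:
        problems.append(f"pct={rec.pct}; BIMI requires full enforcement (pct=100)")
    policy, source = effective_policy(domain, zone)
    if policy is None or POLICY_RANK[policy] < POLICY_RANK["quarantine"]:
        problems.append(f"effective policy for {domain} is {policy} (from {source})")
    return not problems, problems


def disposition(policy: str, dmarc_pass: bool, pct: int = 100, sample_draw: int = 100) -> str:
    """Receiver action for one message (RFC 7489 semantics): "deliver", "quarantine"
    (spam/junk folder) or "reject" (refused at SMTP time; some receivers silently drop
    instead of bouncing). A failing message outside the pct sample gets the next
    weaker policy: reject -> quarantine, quarantine -> none."""
    if dmarc_pass or policy == "none":
        return "deliver"
    if sample_draw > pct:
        return "quarantine" if policy == "reject" else "deliver"
    return policy


if __name__ == "__main__":
    for d in ("example.com", "news.example.com", "mail.weak.example", "partial.example"):
        print(d, bimi_ready(d))
```

Running the script shows the page's point in practice: `mail.weak.example` publishes `p=quarantine` itself, yet it is not BIMI-ready because its organizational domain `weak.example` sits at `p=none`; `news.example.com` has no record of its own and inherits `reject` from `example.com`, so it passes.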
Technical article

Documentation from RFC 7489 (which defines DMARC) answers that the 'quarantine' tag advises mail systems to treat messages that fail the DMARC check as suspicious. Depending on the capabilities of the mail system, this can mean placing the message into a spam or junk folder.

April 2021 - ietf.org
Technical article

Documentation from DMARC.org explains that while BIMI technically works with both `p=quarantine` and `p=reject`, using `p=reject` provides the strongest protection against email spoofing and phishing attacks, which is the ultimate goal of implementing DMARC and BIMI.

February 2022 - DMARC.org
Technical article

Documentation from BIMI Group specifies that to use BIMI, you must authenticate your emails with SPF and DKIM, and you must have a DMARC policy set to either 'quarantine' or 'reject'. This ensures that you're actively managing your email sending reputation.

April 2024 - BIMI Group
Technical article

Documentation from Valimail explains that BIMI (Brand Indicators for Message Identification) technically requires a DMARC policy with `p=quarantine` or `p=reject`. It does not necessarily have to be `p=reject`, but it does require a policy that is strict enough to ensure the sender is taking responsibility for their email practices.

July 2021 - Valimail
Technical article

Documentation from RFC 7489 answers that the 'reject' tag advises mail systems to reject the message outright. In practice, mail systems may silently drop the message rather than issuing a bounce message.

May 2024 - ietf.org