Suped

Does BIMI require a reject policy on the top level domain if subdomains have it?

8 Marketer opinions2 Expert opinions3 Technical articles4 Resources

Summary

BIMI requires a DMARC policy set to either 'quarantine' or 'reject' for both the top-level organizational domain and all subdomains sending email. Strict enforcement of this DMARC policy is a necessity for BIMI implementation. A 'none' policy or a quarantine policy below 100% is insufficient for BIMI compliance.

Key findings

  • DMARC Prerequisite: Implementation of a DMARC policy is a mandatory requirement for utilizing BIMI.
  • Acceptable DMARC Policies: The DMARC policy must be configured as either 'quarantine' or 'reject' to satisfy BIMI standards.
  • Scope of DMARC Coverage: The DMARC configuration applies to the top-level organizational domain and all subdomains used for sending emails.

Key considerations

  • Policy Enforcement: DMARC policies must be strictly enforced across the entire email ecosystem, including all subdomains.
  • Impact of 'Reject' Policy: Carefully evaluate the potential consequences of implementing a 'reject' policy before making the transition.
  • Monitoring and Analysis: Establish systems to monitor and analyze DMARC reports to ensure proper policy function and identify potential issues.

What email marketers say
8Marketer opinions

To implement BIMI successfully, a DMARC policy must be in place and enforced on both the organizational domain and all sending subdomains. The required DMARC policy level is either 'quarantine' or 'reject' (p=quarantine or p=reject). A policy of 'none' or a quarantine policy set below 100% is insufficient for BIMI compliance.

Key opinions

  • DMARC Requirement: BIMI mandates a DMARC policy to be implemented.
  • Policy Level: The DMARC policy must be either 'quarantine' or 'reject'.
  • Domain Scope: The DMARC policy must cover both the top-level organizational domain and all sending subdomains.

Key considerations

  • Policy Enforcement: Ensure that the DMARC policy is actively enforced to comply with BIMI requirements.
  • Gradual Rollout: Carefully consider the impact of a 'reject' policy before implementing it, and potentially start with a 'quarantine' policy for observation.
  • Subdomain Coverage: Verify that all subdomains used for sending emails are included in the DMARC policy.
Marketer view

Email marketer from EmailonAcid shares that a DMARC policy set to either 'quarantine' or 'reject' is needed for both the organizational domain and its subdomains.

July 2022 - EmailonAcid.com
Marketer view

Email marketer from Reddit explains that for BIMI to work, you need DMARC set to quarantine or reject on your sending domain, including subdomains.

January 2025 - Reddit
Marketer view

Email marketer from Email Geeks shares that the minimum DMARC policy for BIMI to work is quarantine p=100, anything below that (none or quarantine at <100%) and BIMI won’t work. *(results at individual MBPs may vary)

July 2024 - Email Geeks
Marketer view

Email marketer from OnlyMyEmail explains that to use BIMI, your sending domain and subdomains need DMARC protection set to either 'quarantine' or 'reject'.

February 2022 - onlymyemail.com
Marketer view

Email marketer from EmailToolTester details that one requirement is DMARC set to either Quarantine or Reject, which must be active for both the main domain and any subdomains used for sending.

January 2024 - EmailToolTester.com
Marketer view

Email marketer from SocketLabs notes that for BIMI implementation, DMARC needs to be set to either quarantine or reject on both the organizational domain and any sending subdomains.

September 2021 - SocketLabs.com
Marketer view

Email marketer from Mailjet explains that BIMI requires a DMARC policy to be set to either 'quarantine' or 'reject'. This needs to cover not only the domain, but also any subdomains that send emails.

May 2022 - Mailjet.com
Marketer view

Email marketer from ZeroBounce explains that BIMI necessitates a DMARC policy set to either quarantine or reject on both the top-level domain and all subdomains that send email.

January 2025 - ZeroBounce.net

What the experts say
2Expert opinions

BIMI requires a DMARC policy with either "reject" or "quarantine" for the top-level organizational domain and all sending subdomains. Strict enforcement of this DMARC policy is essential for BIMI compliance.

Key opinions

  • DMARC Requirement: BIMI necessitates a DMARC record.
  • Acceptable Policies: The DMARC policy must be either 'reject' or 'quarantine'.
  • Scope of Enforcement: DMARC policy enforcement applies to both the top-level domain and all subdomains used for sending emails.

Key considerations

  • Enforcement is Key: Ensure DMARC policies are strictly enforced across all domains and subdomains.
  • Impact Assessment: Carefully assess the impact of implementing a 'reject' policy before making the change.
Expert view

Expert from Word to the Wise explains that BIMI requires strict enforcement. All sending domains, including subdomains, must have a DMARC record with a policy of either “quarantine” or “reject”.

May 2021 - Word to the Wise
Expert view

Expert from Email Geeks explains that BIMI requires that the registered top-level Organizational Domain and all subdomains be covered by a DMARC “reject” (or 100% “quarantine”) policy.

May 2024 - Email Geeks

What the documentation says
3Technical articles

BIMI implementation mandates a DMARC policy of either 'quarantine' or 'reject' for both the organizational domain and all subdomains that send mail. This policy needs to be enforced at the organizational level to ensure proper BIMI compliance.

Key findings

  • DMARC Requirement: A DMARC policy is a prerequisite for BIMI adoption.
  • Policy Options: The DMARC policy must be set to either 'quarantine' or 'reject'.
  • Domain Scope: The DMARC policy applies to the main organizational domain and all its sending subdomains.

Key considerations

  • Enforcement: DMARC must be actively enforced at the organizational level.
  • Policy Choice: Carefully consider whether to use 'quarantine' or 'reject' based on your organization's risk tolerance and monitoring capabilities.
Technical article

Documentation from dmarcian outlines that for BIMI, a DMARC policy of either quarantine or reject must be in place and enforced at the organizational level, impacting all sending domains and subdomains.

October 2024 - dmarcian.com
Technical article

Documentation from BIMI Group explains that BIMI requires a DMARC policy with either 'reject' (p=reject) or 'quarantine' (p=quarantine) set for the organizational domain and any subdomains sending mail.

September 2023 - bimigroup.org
Technical article

Documentation from Valimail describes how BIMI requires a DMARC policy set to either quarantine or reject, and this policy must apply to both the organizational domain and any subdomains used for sending email.

November 2023 - Valimail.com

Related resources
4Resources

How DMARC works with subdomains and the sp tag - Valimail
How DMARC works with subdomains and the sp tag - Valimail

Learn how DMARC works with your subdomains and the sp tag to bring DMARC to enforcement and protect your business from impersonation.

Valimail -
Understanding BIMI | Kickbox University
Understanding BIMI | Kickbox University

Part 5 of our email authentication series covers BIMI: what it is, its implementation & benefits. BIMI allows senders to display their logo in the inbox

Kickbox Blog
Learn more about DMARC
Learn more about DMARC

Find out about DMARC records, aggregate DMARC reports, forensic reports, how DMARC protects subdomains, and much more.

Red Sift
Implementation guidance: email domain protection (ITSP.40.065 v1 ...
Implementation guidance: email domain protection (ITSP.40.065 v1 ...

Implementation guidance: email domain protection (ITSP.40.065 v1.1)

Canadian Centre for Cyber Security

Related questions