Does BIMI require DMARC at the organizational level, and can it be implemented only at the subdomain level?

Summary

The consensus from experts, marketers, and documentation is that BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the *organizational domain level*. A DMARC policy of either `p=quarantine` or `p=reject` is essential for BIMI to function correctly and to ensure that only authenticated emails display a brand's logo, protecting recipients from fraudulent messages. While BIMI records can be implemented on subdomains, the DMARC policy *must* exist and be enforced at the organizational level. A key point is that a specific DMARC policy on a subdomain will override the organizational DMARC policy for that subdomain. For Gmail, a Verified Mark Certificate (VMC) is also a requirement. If BIMI is implemented solely on a third-level domain, it may not affect corporate email.

Key findings

  • DMARC Mandatory: BIMI requires DMARC for proper functionality.
  • Enforcement Policy: DMARC policy must be set to either `p=quarantine` or `p=reject`.
  • Organizational Level: DMARC must be configured at the organizational domain level.
  • Subdomain Implementation Possible: BIMI can be implemented on subdomains but is dependent on the DMARC record on the root domain.
  • Gmail Specific Requirement: For Gmail, a VMC is required in addition to DMARC and BIMI.
  • Subdomain Specific DMARC Records: Any subdomain specific DMARC records override top level domain DMARC policies for that subdomain.

Key considerations

  • DMARC Implementation: Prioritize setting up a robust DMARC policy at the organizational level before implementing BIMI.
  • Policy Choice: Carefully consider the implications of choosing `p=quarantine` versus `p=reject` for your DMARC policy.
  • Subdomain Strategy: Understand that while BIMI can be set up on subdomains, it's the *organizational* DMARC policy that provides the foundation and security.
  • Gmail Readiness: If targeting Gmail users, factor in the additional step and cost of obtaining a Verified Mark Certificate (VMC).
  • Security and Authentication: Recognize that BIMI and DMARC are essential for brand protection and preventing email fraud.
  • Subdomain DMARC awareness: Be aware that any DMARC subdomain records will override top level domain policies.
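As an added illustration of these rules (not code from the original page), the following Python check works out which DMARC policy actually governs a sending subdomain, applying the override rule above, and whether a usable BIMI record is present. All names and records are constructed, resolution is simulated with an in-memory zone so it runs offline, and the organizational-domain rule is a naive last-two-labels approximation.

```python
import re

# Constructed sample zone (hypothetical names): an org domain with p= and sp=,
# one subdomain that publishes its own (weaker) DMARC record, and BIMI records.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=none",  # overrides the org sp= for this subdomain
    "default._bimi.emails.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "default._bimi.mail.example.com": "v=BIMI1; l=https://example.com/logo.svg;",
}

def org_domain(name):
    """Organizational domain; naive last-two-labels rule (a real tool uses the Public Suffix List)."""
    return ".".join(name.split(".")[-2:])

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]*)", record)}

def effective_dmarc_policy(domain, zone=ZONE):
    """Policy that applies to mail from `domain`, and the name it came from.
    A DMARC record on the subdomain itself wins; otherwise the organizational
    domain's sp= (falling back to p=) applies, as in RFC 7489 record discovery."""
    rec = zone.get(f"_dmarc.{domain}")
    if rec and parse_tags(rec).get("v") == "DMARC1":
        return parse_tags(rec).get("p", "none"), domain
    org = org_domain(domain)
    rec = zone.get(f"_dmarc.{org}") if org != domain else None
    if not rec:
        return "none", None
    tags = parse_tags(rec)
    return tags.get("sp", tags.get("p", "none")), org

def bimi_ready(domain, zone=ZONE, require_vmc=False):
    """List of blockers for showing a BIMI logo on mail from `domain` (empty = ready)."""
    enforcing = ("quarantine", "reject")
    problems = []
    org_rec = zone.get(f"_dmarc.{org_domain(domain)}")
    if not org_rec or parse_tags(org_rec).get("p") not in enforcing:
        problems.append("organizational domain DMARC p= is not quarantine/reject")
    policy, src = effective_dmarc_policy(domain, zone)
    if policy not in enforcing:
        problems.append(f"effective DMARC policy for {domain} is '{policy}' (from {src})")
    bimi = zone.get(f"default._bimi.{domain}")
    if not bimi or parse_tags(bimi).get("v") != "BIMI1":
        problems.append("no BIMI record at default._bimi")
    elif require_vmc and not parse_tags(bimi).get("a"):  # Gmail wants a VMC via the a= tag
        problems.append("BIMI record has no a= (VMC) tag, required for Gmail")
    return problems
```

Running `bimi_ready("mail.example.com")` shows why the override matters: the org domain enforces, but the subdomain's own `p=none` record is what the receiver applies, so the logo is blocked.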

What email marketers say
12 Marketer opinions

BIMI (Brand Indicators for Message Identification) requires DMARC (Domain-based Message Authentication, Reporting & Conformance) at the organizational domain level, specifically with a policy of either `p=quarantine` or `p=reject`. This ensures email authentication and prevents unauthorized logo usage. While BIMI can technically be implemented on subdomains, the enforcement of DMARC policies at the organizational level is crucial for proper functionality and security. A specific DMARC policy on a subdomain overrides the organizational domain’s subdomain policy, providing flexibility in managing email authentication. Some sources noted that if BIMI is implemented only at the third-level domain, it might not affect corporate email, allowing for targeted brand representation. Furthermore, Verified Mark Certificates (VMC) are required for BIMI implementation with Gmail.

Key opinions

  • DMARC Requirement: BIMI mandates DMARC with a policy of `p=quarantine` or `p=reject` at the organizational level.
  • Subdomain Implementation: BIMI can be implemented on subdomains, but DMARC enforcement at the organizational level remains essential.
  • Subdomain Override: Specific DMARC policies on subdomains override organizational policies.
  • Third-Level Domains: BIMI on third-level domains may not affect corporate email.
  • VMC Requirement: Gmail requires Verified Mark Certificates (VMC) for BIMI implementation.

Key considerations

  • Organizational DMARC Policy: Ensure a robust DMARC policy is in place at the organizational level before implementing BIMI.
  • Subdomain DMARC Management: Carefully manage DMARC policies on subdomains to avoid unintended consequences.
  • Gmail Requirements: Understand Gmail's specific requirements, including the need for VMCs, when implementing BIMI.
  • Impact on Corporate Email: Assess the impact of BIMI implementation on corporate email, especially if using third-level domains.
  • DMARC Override Policies: Be aware that any DMARC subdomain records will override top level domain policies.

Marketer view

Marketer from Email Geeks explains that DMARC can be on a subdomain, but the organizational domain must also have an enforcing policy (at least quarantine). He provides an example with different policies for the org domain and a subdomain.

September 2023 - Email Geeks
Marketer view

Marketer from Email Geeks confirms DMARC needs to be at the organizational domain level and that BIMI requires an enforcing DMARC policy of p=quarantine or p=reject. He also mentions self-asserted BIMI for Yahoo and the requirements for Gmail's BIMI implementation.

July 2024 - Email Geeks
Marketer view

Email marketer from SparkPost says that BIMI can be implemented on subdomains, but DMARC needs to be configured at the organizational domain level with a policy of `p=quarantine` or `p=reject`. The subdomain must also pass DMARC authentication to show the BIMI logo.

November 2024 - SparkPost
Marketer view

Marketer from Email Geeks states that a specific policy on a subdomain overrides the organizational domain’s subdomain policy.

February 2023 - Email Geeks
Marketer view

Email marketer from Valimail shares that BIMI requires DMARC enforcement to ensure that only legitimate senders can display their logos. The domain in the BIMI record must be DMARC-protected, meaning a policy of either `p=quarantine` or `p=reject` is in place.

April 2021 - Valimail
Marketer view

Email marketer from Mailjet emphasizes that a DMARC policy is a prerequisite for BIMI. Without DMARC set to `p=quarantine` or `p=reject`, BIMI cannot function. They also mentioned VMC for Gmail.

October 2024 - Mailjet
Marketer view

Marketer from Email Geeks shares that, using "xfinity.com" as an example, BIMI is only used on emails.xfinity.com, not on xfinity.com. However, DMARC now protects xfinity.com (p=), and all subdomains (sp=).

July 2023 - Email Geeks
Marketer view

Marketer from Email Geeks mentions that if BIMI is only on the third-level domain, it wouldn't affect the corporate email. He then states that BIMI itself can exist just on the subdomain and doesn't have to impact the root domain.

December 2022 - Email Geeks
Marketer view

Email marketer from Proofpoint states that for BIMI implementation, your sending domain must be secured with DMARC set to `p=quarantine` or `p=reject`. Without this, BIMI won't work, as it's designed to enhance security and trust in email communication.

July 2024 - Proofpoint
Marketer view

Email marketer from EmailToolTester mentions that to set up BIMI, you need a DMARC record set to either `p=quarantine` or `p=reject`, applied at the organizational domain level. It also highlights that while BIMI itself can exist at the subdomain level, DMARC compliance is very important.

April 2024 - EmailToolTester
Marketer view

Email marketer from AuthSMTP explains that for BIMI to be effective, the sending domain needs to have DMARC enabled with a policy of either `p=quarantine` or `p=reject`. It also mentions that while BIMI can technically be implemented on subdomains, the DMARC requirements are typically organizational.

March 2024 - AuthSMTP
Marketer view

Email marketer from Reddit shares that BIMI requires a valid DMARC record with a policy of quarantine or reject on the organizational domain, and explains that while BIMI can work on subdomains, the DMARC enforcement is crucial for the overall setup.

November 2021 - Reddit

What the experts say
4 Expert opinions

The experts agree that BIMI fundamentally requires DMARC enforcement, with a minimum policy of `p=quarantine`. While BIMI records *can* exist at the organizational level or on subdomains (to display at Verizon), DMARC must be configured at the organizational level to ensure proper authentication and prevent unauthorized logo usage. The underlying DMARC enforcement needs to cover the entire domain, even if the BIMI record resides on a subdomain.

Key opinions

  • DMARC is Mandatory: BIMI requires DMARC to be implemented.
  • Enforcement Level: A DMARC policy of at least `p=quarantine` is necessary for BIMI.
  • Organizational vs. Subdomain: While BIMI records can exist on subdomains, DMARC needs to be configured at the organizational level.
  • Verizon Support: BIMI records on subdomains may be relevant for display at Verizon.

Key considerations

  • Prioritize DMARC Setup: Ensure DMARC is correctly configured at the organizational level *before* attempting to implement BIMI.
  • Understand DMARC Policy: Implement a DMARC policy of at least `p=quarantine`; consider the implications of `p=reject`.
  • Verizon Display: If targeting Verizon users, consider placing BIMI records on relevant subdomains in addition to the organizational level.
  • Testing and Validation: Thoroughly test and validate both DMARC and BIMI configurations to ensure they are working as expected.

Expert view

Expert from Email Geeks explains BIMI records can be at the organizational level or on subdomains to display at Verizon.

January 2023 - Email Geeks
Expert view

Expert from Email Geeks clarifies that BIMI requires enforcement, so p=quarantine is the minimum level required for DMARC.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks says BIMI should be at the organizational level.

August 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that BIMI requires DMARC to be configured at the organizational level with a policy set to either `p=quarantine` or `p=reject`. This ensures proper authentication and prevents unauthorized logo usage. While BIMI records themselves might be present on subdomains, the underlying DMARC enforcement must cover the entire domain.

August 2024 - Word to the Wise

What the documentation says
5 Technical articles

The documentation consistently states that BIMI implementation requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This DMARC policy is essential for ensuring only authenticated emails display your logo, protecting recipients from fraudulent messages. While BIMI can be implemented on subdomains, the core DMARC policy must exist at the organizational level. Entrust documentation adds that for Gmail, a Verified Mark Certificate (VMC) is also necessary.

Key findings

  • DMARC Requirement: BIMI necessitates a DMARC policy of `p=quarantine` or `p=reject`.
  • Organizational Domain: The DMARC policy must be set on the organizational domain.
  • Subdomain Implementation: While BIMI can be implemented on subdomains, it doesn't negate the need for organizational DMARC.
  • Authentication: DMARC ensures only authenticated emails display the logo, protecting against fraud.
  • Gmail VMC: For Gmail, a Verified Mark Certificate (VMC) is also a requirement.

Key considerations

  • DMARC Setup: Prioritize setting up a robust DMARC policy at the organizational level before implementing BIMI.
  • Policy Selection: Carefully consider whether to use `p=quarantine` or `p=reject` based on your organization's needs.
  • Subdomain Usage: Understand that while you can set up BIMI on subdomains, the organizational DMARC policy is the foundation.
  • Gmail Compliance: If targeting Gmail users, obtain a Verified Mark Certificate (VMC) in addition to DMARC and BIMI.
  • Fraud Protection: Recognize that DMARC and BIMI are crucial for protecting your brand and recipients from email fraud.

Technical article

Documentation from Fastmail states that you need to have a DMARC record published for your domain, set to either `p=quarantine` or `p=reject`, to implement BIMI. The DMARC policy must apply to the domain where you intend to use BIMI.

October 2021 - Fastmail
Technical article

Documentation from BIMI Group explains that BIMI requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This ensures that only authenticated emails displaying your logo reach inboxes, protecting recipients from fraudulent messages.

February 2024 - BIMI Group
Technical article

Documentation from Entrust explains that to use BIMI with Gmail, a Verified Mark Certificate (VMC) and a DMARC policy set to `p=quarantine` or `p=reject` are required for the sending domain. This assures Gmail that your brand logo is legitimate and safe to display.

May 2023 - Entrust
Technical article

Documentation from Global Cyber Alliance mentions that BIMI implementation requires a DMARC policy of either `p=quarantine` or `p=reject` on the organizational domain, and specifies that while BIMI can be set up on subdomains, the DMARC policy should be at the organizational level.

October 2024 - Global Cyber Alliance
Technical article

Documentation from dmarcian explains BIMI works alongside DMARC, and requires the domain to have a DMARC policy set to either `p=quarantine` or `p=reject`. This ensures that only authenticated emails get to display the logo. It also highlights that while BIMI can be implemented on subdomains, a DMARC policy must exist on the organizational domain.

January 2025 - dmarcian