Does BIMI require DMARC at the organizational level, and can it be implemented only at the subdomain level?
Summary
What email marketers say (12 marketer opinions)
Marketer from Email Geeks explains that DMARC can be on a subdomain, but the organizational domain must also have an enforcing policy (at least quarantine). He provides an example with different policies for the org domain and a subdomain.
Marketer from Email Geeks confirms DMARC needs to be at the organizational domain level and that BIMI requires an enforcing DMARC policy of p=quarantine or p=reject. He also mentions self-asserted BIMI for Yahoo and the requirements for Gmail's BIMI implementation.
Email marketer from SparkPost says that BIMI can be implemented on subdomains, but DMARC needs to be configured at the organizational domain level with a policy of `p=quarantine` or `p=reject`. The subdomain must also pass DMARC authentication to show the BIMI logo.
Marketer from Email Geeks states that a specific policy on a subdomain overrides the organizational domain’s subdomain policy.
Email marketer from Valimail shares that BIMI requires DMARC enforcement to ensure that only legitimate senders can display their logos. The domain in the BIMI record must be DMARC-protected, meaning a policy of either `p=quarantine` or `p=reject` is in place.
Email marketer from Mailjet emphasizes that a DMARC policy is a prerequisite for BIMI. Without DMARC set to `p=quarantine` or `p=reject`, BIMI cannot function. They also mentioned VMC for Gmail.
Marketer from Email Geeks shares that, using "xfinity.com" as an example, BIMI is only used on emails.xfinity.com, not on xfinity.com. However, DMARC now protects xfinity.com (p=), and all subdomains (sp=).
Marketer from Email Geeks mentions that if BIMI is only on the third-level domain, it wouldn't affect the corporate email. He then states that BIMI itself can exist just on the subdomain and doesn't have to impact the root domain.
Email marketer from Proofpoint states that, for BIMI implementation, your sending domain must be secured with DMARC set to `p=quarantine` or `p=reject`. Without this, BIMI won't work, as it's designed to enhance security and trust in email communication.
Email marketer from EmailToolTester mentions that setting up BIMI requires a DMARC record set to either `p=quarantine` or `p=reject`, applied at the organizational domain level. They also highlight that BIMI itself can exist at the subdomain level and that DMARC compliance is very important.
Email marketer from AuthSMTP explains that for BIMI to be effective, the sending domain needs to have DMARC enabled with a policy of either `p=quarantine` or `p=reject`. They also mention that while BIMI can technically be implemented on subdomains, the DMARC requirements are typically organizational.
Email marketer from Reddit shares that BIMI requires a valid DMARC record with a policy of quarantine or reject on the organizational domain, and explains that while BIMI can work on subdomains, the DMARC enforcement is crucial for the overall setup.
What the experts say (4 expert opinions)
Expert from Email Geeks explains BIMI records can be at the organizational level or on subdomains to display at Verizon.
Expert from Email Geeks clarifies that BIMI requires enforcement, so p=quarantine is the minimum level required for DMARC.
Expert from Email Geeks says BIMI should be at the organizational level.
Expert from Word to the Wise explains that BIMI requires DMARC to be configured at the organizational level with a policy set to either `p=quarantine` or `p=reject`. This ensures proper authentication and prevents unauthorized logo usage. While BIMI records themselves might be present on subdomains, the underlying DMARC enforcement must cover the entire domain.
What the documentation says (5 technical articles)
Documentation from Fastmail states that you need to have a DMARC record published for your domain, set to either `p=quarantine` or `p=reject`, to implement BIMI. The DMARC policy must apply to the domain where you intend to use BIMI.
Documentation from BIMI Group explains that BIMI requires a DMARC policy with either `p=quarantine` or `p=reject` set on the organizational domain. This ensures that only authenticated emails displaying your logo reach inboxes, protecting recipients from fraudulent messages.
Documentation from Entrust explains that to use BIMI with Gmail, a Verified Mark Certificate (VMC) and a DMARC policy set to `p=quarantine` or `p=reject` are required for the sending domain. This assures Gmail that your brand logo is legitimate and safe to display.
Documentation from Global Cyber Alliance mentions that BIMI implementation requires a DMARC policy of either `p=quarantine` or `p=reject` on the organizational domain, and specifies that while BIMI can be set up on subdomains, the DMARC policy should be at the organizational level.
Documentation from dmarcian explains BIMI works alongside DMARC, and requires the domain to have a DMARC policy set to either `p=quarantine` or `p=reject`. This ensures that only authenticated emails get to display the logo. It also highlights that while BIMI can be implemented on subdomains, a DMARC policy must exist on the organizational domain.
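The two conditions that recur in the answers above (an enforcing policy on the organizational domain, and an enforcing policy actually applying to the sending subdomain, where the subdomain's own record overrides the organizational `sp=`) can be checked as in the following added example, which is not code from any of the quoted sources. The `example.com` and `example.org` records are constructed, the organizational domain is passed in rather than derived from the Public Suffix List, and receiver-specific requirements such as a VMC are not checked.

```python
# Constructed sample TXT records; example.com / example.org are placeholders.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none",
    "_dmarc.mail.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.example.org": "v=DMARC1; p=none; sp=reject",
}
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if unusable."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip().lower()
    return tags if tags.get("v") == "dmarc1" and "p" in tags else None


def effective_policy(from_domain, org_domain, dns):
    """Return (policy, record name) that applies to mail from from_domain."""
    own = parse_dmarc(dns.get("_dmarc." + from_domain))
    if own:  # a record on the exact From domain overrides the org's sp=
        return own["p"], "_dmarc." + from_domain
    org = parse_dmarc(dns.get("_dmarc." + org_domain))
    if not org:
        return None, None
    # No record of its own: a subdomain inherits sp= if present, else p=
    return org.get("sp", org["p"]), "_dmarc." + org_domain


def bimi_dmarc_ready(from_domain, org_domain, dns=SAMPLE_DNS):
    """Check org-level and effective enforcement; return (ok, reasons)."""
    reasons = []
    org = parse_dmarc(dns.get("_dmarc." + org_domain))
    org_p = org["p"] if org else None
    if org_p not in ENFORCING:
        reasons.append(f"org domain {org_domain} has p={org_p}")
    policy, source = effective_policy(from_domain, org_domain, dns)
    if policy not in ENFORCING:
        reasons.append(f"{from_domain} gets policy {policy} from {source}")
    return not reasons, reasons


if __name__ == "__main__":
    for sub, org in [("mail.example.com", "example.com"),
                     ("news.example.com", "example.com"),
                     ("mail.example.org", "example.org")]:
        print(sub, bimi_dmarc_ready(sub, org))
```

In the sample data, `news.example.com` fails because it has no record of its own and inherits `sp=none`, while `mail.example.org` fails because the organizational `p=none` is not enforcing even though `sp=reject` covers the subdomain.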