Suped

Summary

Implementing DMARC with BIMI on multiple subdomains requires a phased approach. BIMI needs DMARC enforcement (quarantine or reject) at the organizational domain level; that enforcement is only strictly needed if you use BIMI or AMP. Subdomains inherit the organizational policy but can publish their own DMARC records to override it. Starting with a 'p=none' policy is vital for monitoring and fixing authentication issues before strict enforcement. Ensure SPF and DKIM are correctly set up before moving to 'quarantine' or 'reject'. Granular control can be achieved by deploying separate DMARC policies at the subdomain level, tailoring authentication to each subdomain's email sending practices. Remember to add TXT records to each subdomain's DNS when implementing custom policies.

Key findings

  • BIMI Needs Enforcement: For BIMI to work, DMARC needs to be enforced at the organizational domain with a 'quarantine' or 'reject' policy. This is only a hard requirement if you intend to use BIMI or AMP.
  • Subdomain Inheritance: Subdomains inherit the DMARC policy of the organizational domain by default.
  • Subdomain Override: Individual DMARC records for subdomains can override the organizational policy.

Key considerations

  • Start with p=none: Begin with a 'p=none' DMARC policy to monitor email streams, identify and fix any authentication issues.
  • Gradual Policy Change: Move to stricter policies ('quarantine', then 'reject') gradually after monitoring and addressing any authentication problems.
  • SPF/DKIM Configuration: Ensure systems sending mail from subdomains are correctly configured with SPF and DKIM before setting up a strict DMARC policy.
  • DNS Records: Remember to add a DMARC TXT record to the DNS of each subdomain that needs its own policy.

What email marketers say

9 marketer opinions

To implement DMARC with BIMI on multiple subdomains, it's essential to have a DMARC policy of 'quarantine' or 'reject' at the organizational domain level for BIMI to function correctly. Each subdomain can have its own DMARC record to override the main domain's policy, allowing for customized authentication requirements. It's strongly recommended to start with a 'p=none' policy to monitor email streams and address authentication issues before enforcing stricter policies.

Key opinions

  • BIMI Requirement: BIMI requires a DMARC policy of 'quarantine' or 'reject' at the organizational domain.
  • Subdomain Override: Subdomains can have individual DMARC records that override the main domain's policy.
  • DMARC Inheritance: If a subdomain lacks a DMARC record, it inherits the policy from the organizational domain.

Key considerations

  • Start with Monitoring: Begin with a 'p=none' DMARC policy to monitor email streams and identify authentication problems.
  • Authentication Configuration: Ensure all systems sending mail are correctly configured for SPF/DKIM before enforcing a strict DMARC policy.
  • Gradual Enforcement: Move to stricter DMARC policies ('quarantine', then 'reject') gradually after monitoring and resolving any authentication issues.

Marketer view

Email marketer from Postmark shares that BIMI relies on DMARC to ensure that only legitimate emails display the brand's logo. DMARC needs to be configured with a policy of quarantine or reject. Each subdomain can have its own DMARC settings, overriding the main domain.

22 Jan 2023 - Postmark

Marketer view

Email marketer from Sendlayer states that it is crucial to start with a monitoring-only DMARC policy (p=none) before moving to stricter enforcement. Subdomains inherit the organizational DMARC policy unless they are explicitly configured otherwise.

17 Jan 2024 - Sendlayer

What the experts say

8 expert opinions

Implementing DMARC with BIMI across multiple subdomains involves careful planning and a phased approach. BIMI requires DMARC enforcement (quarantine or reject) at the organizational domain level, though this is only a hard requirement if you intend to use BIMI or AMP. Subdomains inherit the organizational DMARC policy unless explicitly overridden with their own DMARC records. The consensus is to begin with a `p=none` policy to monitor email streams, identify authentication issues, and avoid disruptions before gradually enforcing stricter policies. Granular control over subdomain authentication is possible, tailoring DMARC policies to individual subdomain needs.

Key opinions

  • BIMI and DMARC Enforcement: BIMI necessitates DMARC enforcement (quarantine or reject) at the organizational domain. This is only a hard requirement if you intend to use BIMI or AMP.
  • Subdomain Policy Inheritance: Subdomains inherit the organizational DMARC policy unless explicitly overridden.
  • Granular Subdomain Control: DMARC policies can be tailored to individual subdomains for customized authentication.

Key considerations

  • Start with p=none: Initiate with a `p=none` policy to monitor and resolve authentication issues before enforcement.
  • Phased Rollout: Adopt a phased rollout: monitor, fix, confirm, prepare BIMI, quarantine, monitor, and then BIMI.
  • High-Risk Quarantine: Avoid immediately implementing `p=quarantine` as it poses a high risk without proper understanding and preparation.

Expert view

Expert from Email Geeks explains that the DMARC policy at the organizational domain applies to all subdomains that don’t explicitly override it. This means that unauthenticated/unaligned mail will not be delivered.

8 Dec 2022 - Email Geeks

Expert view

Expert from Email Geeks, Matt V, states that BIMI works the same as DMARC with the record placed at the organizational domain. Expert from Email Geeks, Steve Atkins (WttW), believes you need enforcing (100pct, quarantine or reject) at the organizational domain to use BIMI and that you can add an overriding `p=none` DMARC record for a subdomain if you're not ready to enforce on it.

17 May 2025 - Email Geeks

What the documentation says

5 technical articles

To implement DMARC with BIMI across multiple subdomains, it's essential to enforce a DMARC policy of either 'quarantine' or 'reject' at the organizational domain level to meet BIMI requirements. Subdomains inherit this policy by default. To implement different DMARC policies for specific subdomains, you need to create individual DMARC records for those subdomains. These records override the organizational policy, allowing for customized handling. The configuration involves adding a TXT record with the DMARC information to each subdomain's DNS settings.

Key findings

  • BIMI Requires Enforcement: BIMI implementation mandates a DMARC policy of either 'quarantine' or 'reject'.
  • Policy Inheritance: Subdomains inherit the DMARC policy from the organizational domain unless overridden.
  • Subdomain Specificity: Individual DMARC records can be created for subdomains to implement unique policies.

Key considerations

  • DNS Configuration: A TXT record must be added to each subdomain's DNS settings to override the parent policy.
  • Authentication: Emails must be authenticated for your logo to be displayed.
  • Valid DMARC: Ensure a valid DMARC record is implemented.

Technical article

Documentation from dmarcian explains that DMARC policies are inherited by subdomains unless a specific DMARC record is created for that subdomain. This allows for different policies for different subdomains.

5 Jul 2023 - dmarcian

Technical article

Documentation from Google shares that you can create separate DMARC records for each subdomain. If a subdomain does not have its own policy, the parent domain's policy will be applied. A TXT record with the DMARC information needs to be added to each subdomain's DNS to override the parent policy.

26 Nov 2023 - Google
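
The inheritance and override behaviour described above, as an added example that is not taken from any of the quoted sources: it resolves the policy a receiver would apply to each subdomain and checks the organizational record against the enforcement rule the page gives for BIMI. The domain `example.com`, the record values and the function names are assumptions; the organizational domain is passed in rather than derived from the Public Suffix List, and the handling of the `sp=` tag (the DMARC tag that sets an inherited subdomain policy) goes beyond what the page covers.

```python
# Constructed sample zone: example.com and these record values are illustrative.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(from_domain, org_domain, zone):
    """Return (policy, record_name) a receiver applies to mail from from_domain."""
    own = parse_dmarc(zone.get(f"_dmarc.{from_domain}", ""))
    if own:
        # A record published on the subdomain itself overrides the parent.
        return own["p"].lower(), f"_dmarc.{from_domain}"
    org = parse_dmarc(zone.get(f"_dmarc.{org_domain}", ""))
    if org is None:
        return None, None
    # Inherited case: the org record's sp= tag, when present, sets the subdomain policy.
    return org.get("sp", org["p"]).lower(), f"_dmarc.{org_domain}"


def org_bimi_ready(org_domain, zone):
    """Page's rule: org record at quarantine or reject, applied to 100% of mail."""
    org = parse_dmarc(zone.get(f"_dmarc.{org_domain}", ""))
    if org is None:
        return False
    pct = org.get("pct", "100")  # pct defaults to 100 when the tag is absent
    return org["p"].lower() in ENFORCING and pct.isdigit() and int(pct) == 100


if __name__ == "__main__":
    for name in ("example.com", "news.example.com", "billing.example.com"):
        print(name, effective_policy(name, "example.com", ZONE))
    print("org BIMI-ready:", org_bimi_ready("example.com", ZONE))
```

Running this kind of check across every sending subdomain before raising the organizational policy shows which ones will silently inherit enforcement and which already carry an override.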
