How do I implement DMARC with BIMI on multiple subdomains?
Summary
What email marketers say (9 marketer opinions)
Email marketer from Postmark shares that BIMI relies on DMARC to ensure that only legitimate emails display the brand's logo. DMARC needs to be configured with a policy of quarantine or reject. Each subdomain can have its own DMARC settings, overriding the main domain.
Email marketer from Sendlayer states that it is crucial to start with a monitoring-only DMARC policy (p=none) before moving to stricter enforcement. Subdomains inherit the organizational DMARC policy unless they are explicitly configured otherwise.
Email marketer from EmailSecuritySPF Forum advises starting with a DMARC policy of 'p=none' to monitor email streams and identify any authentication issues. Once confident, move to 'quarantine' and then 'reject'. BIMI should be implemented after DMARC is fully enforced.
Email marketer from Mailjet explains that BIMI is only effective when DMARC is configured with a policy of quarantine or reject. For subdomains, you can create separate DMARC records to define their own authentication requirements and policies.
Email marketer from Mailhardener explains that to enable BIMI, you must configure DMARC with a policy of either `quarantine` or `reject`. You can specify a unique DMARC record on a subdomain to override the overarching policy.
Email marketer from AuthSMTP clarifies that a DMARC policy of quarantine or reject is essential for BIMI to function. This ensures that only authenticated emails are displaying the brand's logo and helps prevent spoofing. You can override DMARC policies on a per-subdomain level to allow for different email strategies across your domains.
Email marketer from Email Geeks clarifies that while the organizational domain needs to be at quarantine or reject, every other subdomain can have its own policy.
Email marketer from Reddit explains that you can set up individual DMARC records for each subdomain to manage them separately. If a subdomain doesn't have its own DMARC record, it inherits the policy from the main domain.
Email marketer from StackOverflow shares that best practice is to implement DMARC at the top level domain. You can override this on the subdomain by setting the DMARC record for that specific subdomain. Ensure all systems sending mail are correctly configured for SPF/DKIM before enforcing a strict DMARC policy.
What the experts say (8 expert opinions)
Expert from Email Geeks explains that the DMARC policy at the organizational domain applies to all subdomains that don’t explicitly override it. This means that unauthenticated/unaligned mail will not be delivered.
Expert from Email Geeks, Matt V, states that BIMI works the same as DMARC with the record placed at the organizational domain. Expert from Email Geeks, Steve Atkins (WttW), believes you need enforcing (100pct, quarantine or reject) at the organizational domain to use BIMI and that you can add an overriding `p=none` DMARC record for a subdomain if you're not ready to enforce on it.
Expert from Word to the Wise states that BIMI requires DMARC enforcement at the organizational domain. Subdomains inherit the DMARC policy unless a specific policy is defined for them. He recommends starting with a 'p=none' policy to monitor results.
Expert from Email Geeks advises to always start with a DMARC policy of `p=none` to identify and resolve any issues before enforcing stricter policies.
Expert from Email Geeks clarifies that a DMARC enforcement policy is only strictly required if you want BIMI or AMP.
Expert from Email Geeks, Matt V, states the process for implementing DMARC with BIMI is the same as without: start with `p=none`, find and fix authentication issues, then move to enforcement. Email Marketer, Jennifer Nespola Lantz, recommends a phased rollout plan for DMARC, starting with `p=none` to monitor reports, fixing issues, confirming everything works, preparing BIMI, moving to quarantine and monitoring, and finally rolling out BIMI. She also notes subdomains can have different DMARC policies.
Expert from Email Geeks warns against deploying DMARC on a production system with anything other than `p=none` if the user is unsure about the implications. Going straight to `p=quarantine` is a high-risk move.
Expert from Word to the Wise suggests that deploying DMARC to all subdomains can be handled in a more granular way, allowing each subdomain to implement different levels of authentication, tailored to its individual email sending practices.
What the documentation says (5 technical articles)
Documentation from dmarcian explains that DMARC policies are inherited by subdomains unless a specific DMARC record is created for that subdomain. This allows for different policies for different subdomains.
Documentation from Google shares that you can create separate DMARC records for each subdomain. If a subdomain does not have its own policy, the parent domain's policy will be applied. A TXT record with the DMARC information needs to be added to each subdomain's DNS to override the parent policy.
Documentation from DigiCert shares that BIMI requires a DMARC policy to be in place with either a 'quarantine' or 'reject' policy. This ensures that only authenticated emails are displaying your logo. For subdomains, you can create specific DMARC records to override the organizational policy if needed.
Documentation from Valimail explains that to use BIMI, your domain must have a DMARC policy set to either quarantine or reject. This enforcement must be at the organizational domain level and propagated to subdomains.
Documentation from Proofpoint explains that BIMI implementation requires a valid DMARC record with a policy of quarantine or reject. Subdomains without their own DMARC record will inherit the parent domain's policy. If a subdomain requires a different handling, an explicit DMARC record can be added.
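The inheritance and override rules described throughout this page, as an added example that is not taken from any of the quoted sources: it resolves the DMARC policy a receiver would apply to each sending domain and checks the organizational-domain requirement for BIMI. The domain names and TXT records are constructed, the organizational domain is passed in rather than derived from the Public Suffix List, and the handling of the `sp=` tag (the RFC 7489 subdomain policy) goes beyond what the page mentions.

```python
# Added example: constructed DNS data, no network lookups are made.
# example.com, news.example.com and test.example.com are hypothetical names.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    # Subdomain that is not ready for enforcement: explicit override.
    "_dmarc.test.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def effective_policy(domain, org_domain, zone=ZONE):
    """Return (policy, domain_that_supplied_it) for mail sent as `domain`."""
    own = parse_dmarc(zone.get(f"_dmarc.{domain}", ""))
    if own and "p" in own:
        return own["p"].lower(), domain  # the subdomain's own record wins
    org = parse_dmarc(zone.get(f"_dmarc.{org_domain}", ""))
    if org and "p" in org:
        # Inherited: for subdomains, sp= takes precedence over p= when present.
        if domain != org_domain and "sp" in org:
            return org["sp"].lower(), org_domain
        return org["p"].lower(), org_domain
    return None, None  # no DMARC record found at either level

def bimi_ready(org_domain, zone=ZONE):
    """Organizational domain at quarantine or reject with pct=100 (the default)."""
    org = parse_dmarc(zone.get(f"_dmarc.{org_domain}", "")) or {}
    enforcing = org.get("p", "").lower() in ("quarantine", "reject")
    return enforcing and org.get("pct", "100") == "100"

if __name__ == "__main__":
    for name in ("example.com", "news.example.com", "test.example.com"):
        policy, source = effective_policy(name, "example.com")
        print(f"{name}: p={policy} (from _dmarc.{source})")
    print("BIMI prerequisite met:", bimi_ready("example.com"))
```

Running the same functions against an export of your real `_dmarc` records before changing the organizational policy shows which subdomains would silently inherit enforcement.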