How do I implement DMARC with BIMI on multiple subdomains?
Matthew Whittaker
Co-founder & CTO, Suped
Published 29 Jun 2025
Updated 17 Aug 2025
8 min read
Implementing DMARC with BIMI across multiple subdomains can feel like navigating a complex maze. Many organizations use numerous subdomains for various email streams, from transactional emails to marketing campaigns and internal communications. The challenge is ensuring consistent brand representation while maintaining strong email authentication and preventing spoofing.
My goal is to walk you through the process, addressing common concerns about DMARC policy inheritance, BIMI requirements, and the delicate balance of not disrupting your email deliverability. Understanding how these protocols interact at both the organizational domain and subdomain levels is critical for a successful rollout.
This guide will help you understand the nuances, offering practical steps and insights to secure your email ecosystem and display your brand logo confidently. We'll explore how to establish a robust DMARC foundation and then layer BIMI on top, ensuring your brand identity is consistently presented across all your sending domains and subdomains.
When you set up a DMARC record, you publish it at the organizational (root) domain, for example _dmarc.yourdomain.com. A subdomain that has no DMARC record of its own is governed by that organizational record: receivers apply its sp tag if one is present, otherwise its p tag. This inheritance is what makes DMARC manageable for domains with many subdomains, but it also means a weak organizational policy silently covers every subdomain you forgot about, so it has to be managed deliberately.
You can override the organizational domain's policy for a specific subdomain by publishing a dedicated DMARC record for it. For instance, if your main domain is example.com and you send from marketing.example.com and transactional.example.com, each can have its own record at _dmarc.marketing.example.com and _dmarc.transactional.example.com. This gives you granular control over how unauthenticated mail from each stream is handled and lets each stream report to its own address. One caveat: policy discovery only checks two places, the exact From domain and the organizational domain. A record at _dmarc.marketing.example.com therefore does not cover news.marketing.example.com; that deeper subdomain falls straight back to the example.com record. For more details on this, refer to the Google Workspace Admin Help documentation on DMARC setup. You can also review our guide on whether to add an explicit DMARC record for subdomains.
Alternatively, the sp tag in your organizational DMARC record sets the policy for every subdomain that lacks its own record, without publishing a record per subdomain. It only has effect in the record at the organizational domain; an sp tag in a subdomain's own record does nothing, because deeper subdomains never consult that record. A common pattern is sp=reject on the organizational domain, so that every subdomain that never sends mail is locked down, combined with explicit records on the few subdomains that do send and need a different policy or their own reporting. Consult our guide to DMARC tags and their meanings for more on how the sp tag works.
One of the most crucial aspects of implementing BIMI (Brand Indicators for Message Identification) is its strict dependency on DMARC. For BIMI to display your brand logo, your domain's DMARC policy must be at an enforcement level, specifically p=quarantine or p=reject. If your policy is p=none, BIMI will not work. This is a common point of confusion for those new to BIMI.
Moving to an enforcement policy like p=quarantine or p=reject can be risky if your email authentication, including SPF and DKIM, isn't fully aligned and validated across all your sending systems. Incorrectly configured DMARC can lead to legitimate emails being quarantined or rejected by receiving mail servers, impacting your deliverability and potentially causing significant communication issues. Therefore, a phased approach is highly recommended. You can learn more about how to set up DMARC for BIMI and its considerations in our dedicated article.
Begin with p=none (monitoring mode) to gather DMARC reports and identify any authentication failures for your sending sources. Once you're confident that all legitimate email streams are authenticating correctly and passing DMARC alignment checks, you can safely transition to p=quarantine, then eventually to p=reject. This methodical approach minimizes disruption and ensures your email program remains healthy. For a comprehensive overview, review our simple guide to DMARC, SPF, and DKIM.
BIMI enforcement requirement
For BIMI to display your logo, the organizational domain's DMARC record must carry p=quarantine or p=reject, and the subdomain you actually send from must be enforced as well (either through inheritance or its own record). Two details trip people up. First, pct must be 100 or absent (absent means 100): a sampled policy such as p=quarantine; pct=50 does not count as enforcement. Second, if the organizational record carries an sp tag, the BIMI specification requires it to be quarantine or reject too, since sp=none leaves every subdomain unenforced. This is a non-negotiable prerequisite, as BIMI is built on the authentication guarantee that DMARC enforcement provides. Mailbox providers like Google and Yahoo rely on that guarantee before they will trust your brand's logo.
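To make the inheritance rules above concrete, here is an added example (written for this article, not code from the original page or from any mailbox provider) that models the DMARC policy discovery a receiver performs for a From domain and then applies the BIMI enforcement prerequisite to the result. DNS is replaced by a constructed in-memory zone, the domain names are documentation domains, and the tiny public-suffix set stands in for the real Public Suffix List, so everything here is an assumption made for illustration. Note what happens to news.marketing.example.com: the record on marketing.example.com is never consulted.

```python
from typing import Dict, Optional, Tuple

# Constructed records for a documentation domain (example.com) and a second brand.
ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.marketing.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.other.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@other.example",
}

# Assumption: a tiny stand-in for the Public Suffix List. Receivers use the full list.
PUBLIC_SUFFIXES = {"com", "example"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. news.marketing.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate not in PUBLIC_SUFFIXES:
            return candidate
    return domain.lower()


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_dmarc(from_domain: str) -> Tuple[str, Optional[Dict[str, str]]]:
    """Return (domain whose record was used, tags). Per RFC 7489 only the exact From
    domain and the organizational domain are queried; intermediate parents never are."""
    from_domain = from_domain.lower()
    record = ZONE.get(f"_dmarc.{from_domain}")
    if record:
        return from_domain, parse_tags(record)
    org = organizational_domain(from_domain)
    record = ZONE.get(f"_dmarc.{org}")
    if record:
        return org, parse_tags(record)
    return org, None


def effective_policy(from_domain: str) -> str:
    """Policy applied to mail from from_domain: p, or sp when the record came from
    the organizational domain and from_domain is a subdomain of it."""
    used, tags = discover_dmarc(from_domain)
    if tags is None or tags.get("v", "").upper() != "DMARC1":
        return "none"
    if used != from_domain.lower() and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


def bimi_dmarc_ok(from_domain: str) -> Tuple[bool, str]:
    """BIMI prerequisite: organizational p (and sp, if present) at quarantine/reject,
    pct at 100, and the policy in force for the sending domain at quarantine/reject.
    Assumption: pct<100 is rejected for both p values (the conservative reading)."""
    org = organizational_domain(from_domain)
    _, org_tags = discover_dmarc(org)
    if org_tags is None:
        return False, f"no DMARC record at organizational domain {org}"
    p = org_tags.get("p", "none").lower()
    if p not in ("quarantine", "reject"):
        return False, f"organizational domain has p={p}"
    sp = org_tags.get("sp", p).lower()
    if sp not in ("quarantine", "reject"):
        return False, f"sp={sp} on the organizational domain leaves subdomains unenforced"
    if org_tags.get("pct", "100") != "100":
        return False, f"pct={org_tags['pct']} must be 100 (or absent)"
    effective = effective_policy(from_domain)
    if effective not in ("quarantine", "reject"):
        return False, f"{from_domain} is effectively p={effective}"
    return True, f"{from_domain} enforced at {effective}"


if __name__ == "__main__":
    for d in ("example.com", "marketing.example.com", "transactional.example.com",
              "news.marketing.example.com", "other.example"):
        print(f"{d:30} policy={effective_policy(d):10} bimi={bimi_dmarc_ok(d)}")
```

Running it shows marketing.example.com stuck at p=none (its own record overrides the organizational reject), transactional.example.com and news.marketing.example.com inheriting sp=quarantine, and other.example failing the BIMI check purely because of pct=50.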
Implementing BIMI across multiple subdomains
Like DMARC, BIMI records live in DNS as TXT records, at <selector>._bimi.<domain>. The default selector is literally named default, so the record for example.com is default._bimi.example.com. Receivers look the selector up under the From domain first and, if nothing is published there, under the organizational domain, so a single record at the organizational domain covers every subdomain, provided mail from that subdomain passes DMARC at an enforced policy. There is flexibility here, though, for organizations with multiple brands or different logo requirements for specific email streams.
You can use BIMI selectors to display different logos for different subdomains, or even for different sending purposes from the same domain. Either publish a dedicated record at default._bimi.<subdomain>, or publish additional selectors (for example summer._bimi.example.com) and name the selector in a BIMI-Selector header in the message (v=BIMI1; s=summer). That header must be covered by the message's DKIM signature (listed in the signature's h= tag); an unsigned BIMI-Selector header is discarded by receivers, which otherwise would let anyone who can inject a header redirect the logo lookup. This offers a high degree of customization for brands managing a complex email presence. The BIMI specification details how multiple sets of BIMI preferences can be published for different use cases. Explore our guides on implementing BIMI for multiple brands with subdomains and how to set up BIMI DNS records for subdomains.
For the highest level of trust and adoption, you'll need a Verified Mark Certificate (VMC) for your logo, referenced by the a= tag of the BIMI record. A VMC ties the logo to a verified brand identity; Gmail and Apple Mail, for instance, only display logos backed by a certificate. The certificate lists the domains it is valid for, so a VMC issued for the organizational domain can be used for subdomains as well, while a separate brand on its own subdomain needs that subdomain covered. Review the BIMI Implementation Guide for more detailed information on this requirement.
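The following is an added example (written for this article, not the original page's code and not any receiver's implementation) of the BIMI record discovery described above: choosing the selector from a DKIM-covered BIMI-Selector header, querying the From subdomain before the organizational domain, and recognising an empty l= tag as a subdomain opting out. DNS is again replaced by a constructed zone, and the organizational domain is passed in by the caller, on the assumption that it is already known from the DMARC step that BIMI requires to have passed.

```python
from typing import Dict, Iterable, Optional, Tuple

# Constructed records: an organizational default logo, a campaign selector, a second
# brand on its own subdomain, and a subdomain that declines BIMI (empty l=).
BIMI_ZONE: Dict[str, str] = {
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "summer._bimi.example.com": "v=BIMI1; l=https://example.com/brand/summer.svg; a=https://example.com/brand/summer-vmc.pem",
    "default._bimi.shop.example.com": "v=BIMI1; l=https://shop.example.com/logo.svg; a=https://shop.example.com/vmc.pem",
    "default._bimi.noreply.example.com": "v=BIMI1; l=;",
}

BimiResult = Dict[str, Optional[str]]


def parse_tags(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def choose_selector(headers: Dict[str, str], dkim_signed_headers: Iterable[str]) -> str:
    """Honour BIMI-Selector only when the DKIM signature's h= list covers it, so an
    unsigned or injected header cannot redirect the lookup; otherwise use 'default'."""
    raw = headers.get("BIMI-Selector")
    signed = {h.lower() for h in dkim_signed_headers}
    if not raw or "bimi-selector" not in signed:
        return "default"
    tags = parse_tags(raw)
    if tags.get("v", "").upper() != "BIMI1":
        return "default"
    return tags.get("s", "default").lower() or "default"


def validate_record(record: str) -> BimiResult:
    """Minimal syntax check: v=BIMI1, https-only URIs, empty l= means declined."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "BIMI1":
        return {"status": "invalid", "logo": None, "vmc": None}
    logo = tags.get("l", "")
    vmc = tags.get("a") or None
    if logo == "":
        return {"status": "declined", "logo": None, "vmc": None}
    if not logo.startswith("https://") or (vmc and not vmc.startswith("https://")):
        return {"status": "invalid", "logo": None, "vmc": None}
    return {"status": "ok", "logo": logo, "vmc": vmc}


def discover_bimi(from_domain: str, org_domain: str,
                  selector: str = "default") -> Tuple[str, Optional[BimiResult]]:
    """Query <selector>._bimi.<From domain>, then <selector>._bimi.<org domain>."""
    for domain in dict.fromkeys((from_domain.lower(), org_domain.lower())):
        record = BIMI_ZONE.get(f"{selector}._bimi.{domain}")
        if record is not None:
            return domain, validate_record(record)
    return org_domain.lower(), None


def logo_for_message(headers: Dict[str, str], dkim_signed_headers: Iterable[str],
                     from_domain: str, org_domain: str) -> Optional[str]:
    """Logo URI to display, or None. Assumes DMARC already passed at enforcement."""
    selector = choose_selector(headers, dkim_signed_headers)
    _, result = discover_bimi(from_domain, org_domain, selector)
    if result is None or result["status"] != "ok":
        return None
    return result["logo"]


if __name__ == "__main__":
    hdrs = {"BIMI-Selector": "v=BIMI1; s=summer"}
    print(logo_for_message(hdrs, ["from", "to", "subject", "bimi-selector"], "marketing.example.com", "example.com"))
    print(logo_for_message(hdrs, ["from", "to", "subject"], "marketing.example.com", "example.com"))
    print(logo_for_message({}, ["from"], "noreply.example.com", "example.com"))
```

The first call resolves the summer logo because the selector header is signed; the second falls back to the default organizational logo because it is not; the third returns nothing because noreply.example.com has opted out, even though its parent publishes a logo.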
BIMI for organizational domain
A single BIMI record published at the root domain.
Inheritance: Applies to all subdomains if their DMARC policy is also enforced.
Simplicity: Easier to manage for uniform branding across subdomains.
BIMI for specific subdomains
Dedicated BIMI records for individual subdomains or using BIMI selectors.
Customization: Allows different logos for different subdomains or email types.
Granular Control: Ideal for complex setups with varied branding needs.
Continuous monitoring and alignment
The implementation of DMARC and BIMI is not a one-time setup, especially for domains with multiple subdomains. Continuous monitoring of your DMARC reports is paramount. Aggregate reports (RUA) arrive as XML, usually daily, and show per source IP and per From domain how many messages passed or failed SPF, DKIM and alignment; failure reports (RUF) carry per-message detail but most large mailbox providers do not send them, so plan around RUA. These reports let you identify and fix problems before they cause legitimate mail to be quarantined or blocked. Regularly reviewing them is the only reliable way to understand your email ecosystem and keep deliverability healthy.
Pay close attention to DMARC alignment. DMARC passes when either SPF or DKIM passes and its identifier aligns with the From domain: for SPF the identifier is the envelope sender (MAIL FROM, visible as Return-Path), for DKIM it is the d= domain of the signature. Both default to relaxed alignment, meaning the identifier only has to share the organizational domain with the From domain, so a DKIM signature for example.com aligns with mail from marketing.example.com. Strict alignment (aspf=s, adkim=s) requires an exact match, which many third-party senders cannot provide for a subdomain From. Knowing which mode each of your streams relies on matters because BIMI only applies to mail that passes DMARC, so a subdomain whose DKIM signing domain stops aligning loses its logo along with its deliverability. For more on this, check our article on whether an organizational DMARC policy covers subdomains for BIMI.
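Here is an added example (written for this article, not code from the original page) that parses a DMARC aggregate (RUA) report and re-derives alignment for each row, both in the published aspf/adkim mode and in strict mode, so you can see which sources would break before tightening alignment. The report is constructed for this example: the XML follows the standard RUA layout, but the IP addresses are documentation ranges and the counts are made up. The organizational-domain shortcut (last two labels) is an assumption that works for .com-style domains; a real receiver uses the Public Suffix List.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample aggregate report (standard RUA layout, made-up data).
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>rpt-0001</report_id></report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>marketing.example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-provider.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>transactional.example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>transactional.example.com</domain><selector>tx</selector><result>pass</result></dkim>
      <spf><domain>transactional.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain: str) -> str:
    # Assumption for this example: organizational domain = last two labels.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """'s' = exact match; anything else is relaxed = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_pass(rec: ET.Element, header_from: str, adkim: str, aspf: str) -> bool:
    """DMARC passes if any DKIM signature, or the SPF result, both passed and aligned."""
    dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain", ""), header_from, adkim)
                  for d in rec.findall("auth_results/dkim"))
    spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain", ""), header_from, aspf)
                 for s in rec.findall("auth_results/spf"))
    return dkim_ok or spf_ok


def evaluate_report(xml_text: str) -> List[Dict[str, object]]:
    """One row per <record>: who sent, how much, and whether it aligns in the
    published mode and in strict mode."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim = (pub.findtext("adkim") or "r").lower()
    aspf = (pub.findtext("aspf") or "r").lower()
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "header_from": header_from,
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "pass_published": dmarc_pass(rec, header_from, adkim, aspf),
            "pass_strict": dmarc_pass(rec, header_from, "s", "s"),
        })
    return rows


def sources_to_fix(rows: List[Dict[str, object]], strict: bool = False) -> Dict[str, int]:
    """Message count per source IP that fails DMARC in the chosen mode."""
    key = "pass_strict" if strict else "pass_published"
    return {str(r["source_ip"]): int(r["count"]) for r in rows if not r[key]}


if __name__ == "__main__":
    rows = evaluate_report(SAMPLE_RUA)
    for r in rows:
        print(r)
    print("failing now:", sources_to_fix(rows))
    print("failing if strict:", sources_to_fix(rows, strict=True))
```

In the sample, the marketing stream passes today only through relaxed DKIM alignment (signed as example.com while the From is marketing.example.com, with SPF on the provider's bounce domain), so switching to adkim=s would start failing 120 messages a day from that source; the transactional stream aligns either way; and the 15 messages from 198.51.100.7 are the spoofing attempt that p=reject is there to stop.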
Finally, be aware of the impact on email deliverability. A DMARC failure does not by itself put you on a blacklist (or blocklist), but if legitimate mail is being quarantined or rejected because of a misconfiguration, your sender reputation with receivers erodes over time, and user complaints about mail landing in spam compound the damage. Regular monitoring catches this early. If you encounter issues, troubleshoot in order: verify the DMARC record and the effective policy for the exact subdomain that is sending, confirm SPF and DKIM alignment for that subdomain in the aggregate reports, and only then check the BIMI record and selector. Discover how to troubleshoot BIMI display on subdomains.
DMARC policy, impact on subdomains, and BIMI compatibility

p=none
Impact on subdomains: Emails failing DMARC are only reported; delivery is unaffected. Inherited by subdomains by default unless overridden by sp or a subdomain record.
BIMI compatibility: Not compatible. BIMI requires an enforcement policy.

p=quarantine
Impact on subdomains: Emails failing DMARC are typically delivered to spam. Inherited by subdomains unless sp or a specific record says otherwise.
BIMI compatibility: Compatible only with pct=100 (or no pct tag). Usual first enforcement step on the way to reject.

p=reject
Impact on subdomains: Emails failing DMARC are refused. Inherited by subdomains unless sp or a specific record says otherwise.
BIMI compatibility: Compatible. Strongest protection for the brand behind the logo, but requires every legitimate source to be aligned first.
Views from the trenches
Best practices
Always start DMARC with a p=none policy to gather reports and identify all legitimate email sending sources before moving to enforcement.
Utilize DMARC reports (RUA and RUF) to gain comprehensive visibility into your email authentication performance across all domains and subdomains.
Ensure SPF and DKIM are properly configured and align with your DMARC policy for both your organizational domain and any subdomains.
Consider explicit DMARC records for subdomains if you need different policies or greater control over specific email streams.
Common pitfalls
Jumping directly to a p=quarantine or p=reject DMARC policy without thorough monitoring, which can lead to legitimate emails being quarantined or rejected.
Overlooking subdomain email traffic, assuming the organizational domain's DMARC policy covers all sending sources correctly.
Not monitoring DMARC reports, leading to undetected authentication failures or misconfigurations that affect deliverability.
Failing to ensure proper SPF and DKIM alignment, which is essential for DMARC to pass and for BIMI to function.
Expert tips
Use DMARC monitoring tools to simplify the analysis of DMARC aggregate reports, making it easier to identify and fix issues.
For complex setups, consider working with a DMARC or email deliverability specialist to ensure a smooth and secure transition to enforcement policies.
Implement BIMI selectors if you need to display different logos for various subdomains or specific email campaigns.
Be patient with DMARC implementation, as it's a gradual process requiring careful monitoring and adjustments over time.
Expert view
Expert from Email Geeks says to always start with p=none so you can fix any issues you identify. This is crucial before moving to stronger policies.
2023-10-25 - Email Geeks
Expert view
Expert from Email Geeks says that unless you specifically set a DMARC record on the subdomain, the organizational domain policy will apply. This simplifies management but requires awareness of inheritance.
2023-10-25 - Email Geeks
Final thoughts
Implementing DMARC with BIMI on multiple subdomains requires a thoughtful and phased approach. While DMARC policies at the organizational level can inherit down to subdomains, it's essential to understand when and how to implement explicit DMARC records for specific subdomains if different policies are needed. This granular control allows you to tailor security based on the sending context of each subdomain.
Remember, BIMI depends on a DMARC policy of p=quarantine (at pct=100) or p=reject, enforced for the subdomain that actually sends. A careful rollout, starting with monitoring and gradually moving to enforcement, is key to preventing deliverability issues and ensuring your brand logo displays correctly across all your email communications. By meticulously configuring DMARC and BIMI, you enhance your email security posture and strengthen your brand's visual presence in the inbox.