How do I implement DMARC with BIMI on multiple subdomains?

Summary

Implementing DMARC with BIMI on multiple subdomains requires a phased approach. BIMI needs DMARC enforcement (quarantine or reject) at the organizational domain; that enforcement is only a hard requirement if you intend to use BIMI or AMP. Subdomains inherit the organizational policy by default but can publish their own DMARC records to override it. Starting with a 'p=none' policy is vital to monitor and fix authentication issues before strict enforcement. Ensure SPF and DKIM are correctly set up before moving to 'quarantine' or 'reject'. Granular control can be achieved by deploying separate DMARC policies at the subdomain level, tailoring authentication to each subdomain's email sending practices. Remember to add a TXT record to each subdomain's DNS when implementing a custom policy.

Key findings

  • BIMI Needs Enforcement: For BIMI to work, DMARC needs to be enforced at the organizational domain with 'quarantine' or 'reject' policies, unless you don't intend to use BIMI or AMP.
  • Subdomain Inheritance: Subdomains inherit the DMARC policy of the organizational domain by default.
  • Subdomain Override: Individual DMARC records for subdomains can override the organizational policy.

Key considerations

  • Start with p=none: Begin with a 'p=none' DMARC policy to monitor email streams and to identify and fix any authentication issues.
  • Gradual Policy Change: Move to stricter policies ('quarantine', then 'reject') gradually after monitoring and addressing any authentication problems.
  • SPF/DKIM Configuration: Ensure systems sending mail from subdomains are correctly configured with SPF and DKIM before setting up a strict DMARC policy.
  • DNS record: Remember to update the DNS records for your subdomains.

What email marketers say
9 Marketer opinions

To implement DMARC with BIMI on multiple subdomains, it's essential to have a DMARC policy of 'quarantine' or 'reject' at the organizational domain level for BIMI to function correctly. Each subdomain can have its own DMARC record to override the main domain's policy, allowing for customized authentication requirements. It's strongly recommended to start with a 'p=none' policy to monitor email streams and address authentication issues before enforcing stricter policies.

Key opinions

  • BIMI Requirement: BIMI requires a DMARC policy of 'quarantine' or 'reject' at the organizational domain.
  • Subdomain Override: Subdomains can have individual DMARC records that override the main domain's policy.
  • DMARC Inheritance: If a subdomain lacks a DMARC record, it inherits the policy from the organizational domain.

Key considerations

  • Start with Monitoring: Begin with a 'p=none' DMARC policy to monitor email streams and identify authentication problems.
  • Authentication Configuration: Ensure all systems sending mail are correctly configured for SPF/DKIM before enforcing a strict DMARC policy.
  • Gradual Enforcement: Move to stricter DMARC policies ('quarantine', then 'reject') gradually after monitoring and resolving any authentication issues.
Marketer view

Email marketer from Postmark shares that BIMI relies on DMARC to ensure that only legitimate emails display the brand's logo. DMARC needs to be configured with a policy of quarantine or reject. Each subdomain can have its own DMARC settings, overriding the main domain.

December 2024 - Postmark
Marketer view

Email marketer from Sendlayer states that it is crucial to start with a monitoring-only DMARC policy (p=none) before moving to stricter enforcement. Subdomains inherit the organizational DMARC policy unless they are explicitly configured otherwise.

October 2023 - Sendlayer
Marketer view

Email marketer from EmailSecuritySPF Forum advises starting with a DMARC policy of 'p=none' to monitor email streams and identify any authentication issues. Once confident, move to 'quarantine' and then 'reject'. BIMI should be implemented after DMARC is fully enforced.

June 2023 - EmailSecuritySPF Forum
Marketer view

Email marketer from Mailjet explains that BIMI is only effective when DMARC is configured with a policy of quarantine or reject. For subdomains, you can create separate DMARC records to define their own authentication requirements and policies.

January 2025 - Mailjet
Marketer view

Email marketer from Mailhardener explains that to enable BIMI, you must configure DMARC with a policy of either `quarantine` or `reject`. You can specify a unique DMARC record on a subdomain to override the overarching policy.

April 2021 - Mailhardener
Marketer view

Email marketer from AuthSMTP clarifies that a DMARC policy of quarantine or reject is essential for BIMI to function. This ensures that only authenticated emails are displaying the brand's logo and helps prevent spoofing. You can override DMARC policies on a per-subdomain level to allow for different email strategies across your domains.

August 2021 - AuthSMTP
Marketer view

Email Marketer from Email Geeks clarifies that while the organizational domain needs to be at quarantine or reject, every other subdomain can have its own policy.

October 2022 - Email Geeks
Marketer view

Email marketer from Reddit explains that you can set up individual DMARC records for each subdomain to manage them separately. If a subdomain doesn't have its own DMARC record, it inherits the policy from the main domain.

July 2024 - Reddit
Marketer view

Email marketer from StackOverflow shares that best practice is to implement DMARC at the top level domain. You can override this on the subdomain by setting the DMARC record for that specific subdomain. Ensure all systems sending mail are correctly configured for SPF/DKIM before enforcing a strict DMARC policy.

February 2024 - StackOverflow

What the experts say
8 Expert opinions

Implementing DMARC with BIMI across multiple subdomains involves careful planning and a phased approach. BIMI requires DMARC enforcement (quarantine or reject) at the organizational domain level, though this is only a hard requirement if you intend to use BIMI or AMP. Subdomains inherit the organizational DMARC policy unless explicitly overridden with their own DMARC records. The consensus is to begin with a `p=none` policy to monitor email streams, identify authentication issues, and avoid disruptions before gradually enforcing stricter policies. Granular control over subdomain authentication is possible, tailoring DMARC policies to individual subdomain needs.

Key opinions

  • BIMI and DMARC Enforcement: BIMI necessitates DMARC enforcement (quarantine or reject) at the organizational domain, unless you do not intend to use BIMI or AMP.
  • Subdomain Policy Inheritance: Subdomains inherit the organizational DMARC policy unless explicitly overridden.
  • Granular Subdomain Control: DMARC policies can be tailored to individual subdomains for customized authentication.

Key considerations

  • Start with p=none: Initiate with a `p=none` policy to monitor and resolve authentication issues before enforcement.
  • Phased Rollout: Adopt a phased rollout: monitor, fix, confirm, prepare BIMI, quarantine, monitor, and then BIMI.
  • High-Risk Quarantine: Avoid immediately implementing `p=quarantine` as it poses a high risk without proper understanding and preparation.
Expert view

Expert from Email Geeks explains that the DMARC policy at the organizational domain applies to all subdomains that don’t explicitly override it. This means that unauthenticated/unaligned mail will not be delivered.

July 2024 - Email Geeks
Expert view

Expert from Email Geeks, Matt V, states that BIMI works the same as DMARC with the record placed at the organizational domain. Expert from Email Geeks, Steve Atkins (WttW), believes you need enforcing (100%, quarantine or reject) at the organizational domain to use BIMI and that you can add an overriding `p=none` DMARC record for a subdomain if you're not ready to enforce on it.

February 2023 - Email Geeks
Expert view

Expert from Word to the Wise states that BIMI requires DMARC enforcement at the organizational domain. Subdomains inherit the DMARC policy unless a specific policy is defined for them. He recommends starting with a 'p=none' policy to monitor results.

May 2023 - Word to the Wise
Expert view

Expert from Email Geeks advises to always start with a DMARC policy of `p=none` to identify and resolve any issues before enforcing stricter policies.

February 2022 - Email Geeks
Expert view

Expert from Email Geeks clarifies that a DMARC enforcement policy is only strictly required if you want BIMI or AMP.

July 2021 - Email Geeks
Expert view

Expert from Email Geeks, Matt V, states the process for implementing DMARC with BIMI is the same as without: start with `p=none`, find and fix authentication issues, then move to enforcement. Email Marketer, Jennifer Nespola Lantz, recommends a phased rollout plan for DMARC, starting with `p=none` to monitor reports, fixing issues, confirming everything works, preparing BIMI, moving to quarantine and monitoring, and finally rolling out BIMI. She also notes subdomains can have different DMARC policies.

May 2022 - Email Geeks
Expert view

Expert from Email Geeks warns against deploying DMARC on a production system with anything other than `p=none` if the user is unsure about the implications. Going straight to `p=quarantine` is a high-risk move.

November 2024 - Email Geeks
Expert view

Expert from Word to the Wise suggests that deploying DMARC to all subdomains can be handled in a more granular way, allowing each subdomain to implement different levels of authentication, tailored to its individual email sending practices.

January 2023 - Word to the Wise

What the documentation says
5 Technical articles

To implement DMARC with BIMI across multiple subdomains, it's essential to enforce a DMARC policy of either 'quarantine' or 'reject' at the organizational domain level to meet BIMI requirements. Subdomains inherit this policy by default. To implement different DMARC policies for specific subdomains, you need to create individual DMARC records for those subdomains. These records override the organizational policy, allowing for customized handling. The configuration involves adding a TXT record with the DMARC information to each subdomain's DNS settings.

Key findings

  • BIMI Requires Enforcement: BIMI implementation mandates a DMARC policy of either 'quarantine' or 'reject'.
  • Policy Inheritance: Subdomains inherit the DMARC policy from the organizational domain unless overridden.
  • Subdomain Specificity: Individual DMARC records can be created for subdomains to implement unique policies.

Key considerations

  • DNS Configuration: A TXT record must be added to each subdomain's DNS settings to override the parent policy.
  • Authentication: Only authenticated email will display your logo.
  • Valid DMARC: Ensure a valid DMARC record is implemented.
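As an added worked example (not code from any of the sources cited on this page), the following Python resolves the effective DMARC policy for a sending domain over a constructed in-memory zone, following the RFC 7489 policy discovery the summary and the documentation section describe: the subdomain's own `_dmarc` record wins, otherwise the organizational domain's record applies, with its `sp=` tag (if any) governing subdomains. It then reports which BIMI preconditions (enforcement and `pct=100` at the organizational domain, an enforced effective policy for the sending domain, a BIMI assertion record) are unmet. The domain names, TXT records and the tiny public-suffix stand-in are all constructed; real code would do live DNS lookups and use the actual Public Suffix List.

```python
"""Resolve the effective DMARC policy for a sending domain and report unmet
BIMI preconditions against a constructed, in-memory zone (no live DNS)."""
from typing import Dict, Optional

# Constructed sample zone: TXT records keyed by owner name (example domains).
ZONE: Dict[str, str] = {
    # Organizational domain: enforced, with a separate default for subdomains
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com",
    # Subdomain override: not ready to enforce yet, so monitor only
    "_dmarc.newsletter.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    # Malformed record (v= must be the first tag): treated as absent, so the
    # org domain's sp= applies to this subdomain
    "_dmarc.legacy.example.com": "p=reject; v=DMARC1",
    # BIMI assertion record for the default selector at the org domain
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg; a=",
}

# Stand-in for the Public Suffix List (assumption for this example only).
PUBLIC_SUFFIXES = {"com", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain: the label just below the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record into tags; None if it is not a valid record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: "v=DMARC1" must be the first tag and a valid p= is required
    first = txt.split(";", 1)[0].strip().lower()
    if first != "v=dmarc1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        return None
    return tags


def effective_policy(domain: str, zone: Dict[str, str] = ZONE) -> dict:
    """Policy discovery: the domain's own record wins; otherwise fall back to
    the org domain's record, where sp= (if present) governs subdomains."""
    domain = domain.lower()
    org = organizational_domain(domain)
    own = parse_dmarc(zone.get(f"_dmarc.{domain}", ""))
    if own:
        return {"policy": own["p"], "source": domain, "pct": int(own.get("pct", "100"))}
    parent = parse_dmarc(zone.get(f"_dmarc.{org}", ""))
    if parent is None:
        return {"policy": None, "source": None, "pct": 0}
    policy = parent["p"] if domain == org else parent.get("sp", parent["p"])
    return {"policy": policy, "source": org, "pct": int(parent.get("pct", "100"))}


def bimi_ready(domain: str, zone: Dict[str, str] = ZONE, selector: str = "default") -> list:
    """Return the unmet BIMI preconditions for mail sent from `domain`
    (an empty list means the logo can be shown for that mail stream)."""
    org = organizational_domain(domain)
    problems = []
    org_pol = effective_policy(org, zone)
    if org_pol["policy"] not in {"quarantine", "reject"}:
        problems.append(f"org domain {org} is not enforced (p={org_pol['policy']})")
    if org_pol["pct"] != 100:
        problems.append(f"org domain {org} enforces only pct={org_pol['pct']}")
    eff = effective_policy(domain, zone)
    if eff["policy"] not in {"quarantine", "reject"}:
        problems.append(f"{domain} resolves to p={eff['policy']} via {eff['source']}")
    if f"{selector}._bimi.{org}" not in zone:
        problems.append(f"no BIMI record at {selector}._bimi.{org}")
    return problems


if __name__ == "__main__":
    for d in ["example.com", "newsletter.example.com", "legacy.example.com", "shop.example.com"]:
        print(d, effective_policy(d), bimi_ready(d) or "BIMI-ready")
```

The `newsletter` subdomain shows the override pattern the experts describe: its own `p=none` record keeps it in monitoring while the organizational domain stays at `p=reject`, at the cost that its mail will not carry the logo until it too is enforced. The `legacy` subdomain shows why a record must be validated rather than merely present: a malformed record is ignored and the organizational `sp=` value applies instead.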
Technical article

Documentation from dmarcian explains that DMARC policies are inherited by subdomains unless a specific DMARC record is created for that subdomain. This allows for different policies for different subdomains.

April 2022 - dmarcian
Technical article

Documentation from Google shares that you can create separate DMARC records for each subdomain. If a subdomain does not have its own policy, the parent domain's policy will be applied. A TXT record with the DMARC information needs to be added to each subdomain's DNS to override the parent policy.

August 2024 - Google
Technical article

Documentation from DigiCert shares that BIMI requires a DMARC policy to be in place with either a 'quarantine' or 'reject' policy. This ensures that only authenticated emails are displaying your logo. For subdomains, you can create specific DMARC records to override the organizational policy if needed.

August 2023 - DigiCert
Technical article

Documentation from Valimail explains that to use BIMI, your domain must have a DMARC policy set to either quarantine or reject. This enforcement must be at the organizational domain level and propagated to subdomains.

May 2022 - Valimail
Technical article

Documentation from Proofpoint explains that BIMI implementation requires a valid DMARC record with a policy of quarantine or reject. Subdomains without their own DMARC record will inherit the parent domain's policy. If a subdomain requires a different handling, an explicit DMARC record can be added.

July 2022 - Proofpoint