How do I set up DMARC for BIMI and what are the key considerations?

Summary

Setting up DMARC for BIMI involves multiple steps and considerations. It begins with deploying SPF and DKIM, ensuring they align with the From address and cover all mail streams. Implementing DMARC in 'p=none' mode allows for monitoring and identifying missed mail streams, with subsequent SPF and DKIM deployment. Gradual escalation to stricter DMARC policies (quarantine or reject) is necessary, with correct authentication being critical. The domain must be DMARC enforced, and a Validated Mark Certificate (VMC) is essential for logo ownership. BIMI displays brand logos in supporting inboxes, enhancing visibility and trust. Monitoring DMARC reports aids in email security maintenance. A BIMI DNS record must be published. A VMC authenticates the logo, preventing spoofing. DMARC policy options include 'none' (monitoring), 'quarantine' (spam), and 'reject' (block). A valid SSL certificate is required for the logo URL. BIMI's cost is primarily the VMC. Some email programs may not yet support BIMI. Some may already have processes via MXToolbox

Key findings

  • DMARC/SPF/DKIM Alignment: Proper deployment and alignment of SPF and DKIM are crucial for DMARC functionality.
  • DMARC Enforcement: Domain must be DMARC enforced to leverage BIMI.
  • VMC Necessity: A Validated Mark Certificate (VMC) is essential for proving logo ownership and authenticity.
  • Brand Enhancement: BIMI enhances brand visibility, trust, and engagement through logo display.
  • Security Improvement: DMARC and BIMI together improve email security by preventing spoofing and ensuring authentication.

Key considerations

  • Gradual DMARC Escalation: Start with 'p=none' and gradually escalate DMARC policies based on monitoring and assessment.
  • Authentication Accuracy: Ensure correct authentication for SPF, DKIM, and DMARC to prevent deliverability issues.
  • Monitoring Importance: Regularly monitor DMARC reports to identify and address authentication failures or malicious activity.
  • VMC Procurement: Factor in the cost and process of obtaining a Validated Mark Certificate (VMC) for your logo.
  • BIMI Support Limitations: Be aware that not all email programs currently support BIMI, which may limit its reach.
  • Assess Mail Streams: Assess mail streams to determine the correct SPF and DKIM settings.

What email marketers say
9Marketer opinions

Setting up DMARC for BIMI involves several key steps and considerations. Initially, your domain must have DMARC enforcement enabled to leverage BIMI, and someone within your organization may already be utilizing tools like MXToolbox to process DMARC reports. The implementation includes ensuring DMARC is correctly configured, obtaining a Validated Mark Certificate (VMC) for your logo, and publishing the BIMI DNS record. BIMI enhances brand visibility, improves email security, and increases brand trust and customer engagement. It requires a correctly configured DMARC policy (starting with 'p=none' for monitoring before stricter enforcement), a VMC to authenticate the logo, and the BIMI DNS record. BIMI encourages strong email authentication practices and ensures the displayed logo is authentic, preventing spoofing. The process includes DMARC implementation, SSL certificate enablement for your logo URL, and publishing the BIMI record in DNS. While BIMI is largely free, the VMC does incur a cost.

Key opinions

  • DMARC Enforcement: Your domain needs DMARC enforcement to use BIMI.
  • VMC Requirement: A Validated Mark Certificate (VMC) is essential for logo authentication.
  • BIMI DNS Record: Publishing the BIMI DNS record is a crucial step in the setup.
  • Brand Visibility: BIMI increases brand visibility and trust in email inboxes.
  • Security Enhancement: BIMI improves email security through DMARC and logo authentication.

Key considerations

  • DMARC Configuration: Ensure DMARC is correctly configured, starting with a 'p=none' policy to monitor email streams before enforcing stricter policies.
  • Cost of VMC: Budget for the cost of obtaining a Validated Mark Certificate (VMC) for your logo.
  • Monitoring Reports: Regularly monitor DMARC reports to maintain email security and identify potential issues.
  • SSL Certificate: Enable a valid SSL certificate for your logo URL to ensure it is securely accessible.
  • Process Overview: The implementation process includes DMARC setup, VMC procurement, BIMI DNS record publication, and ongoing monitoring of email streams.
Marketer view

Email marketer from ZeroBounce shares that BIMI requires a Validated Mark Certificate (VMC) to ensure the logo displayed is authentic and owned by the sender. This helps prevent spoofing and increases trust.

April 2021 - ZeroBounce
Marketer view

Email marketer from Mailhardener talks about BIMI being largely free except for the cost of a VMC. They encourage marketers to setup DMARC first to ensure BIMI works.

April 2024 - Mailhardener
Marketer view

Marketer from Email Geeks explains that DMARC reports are different than feedback loops and are sent by mailbox providers to the domain owner or a service provider like MxToolbox. These reports provide SPF and DKIM authentication results on all mailstreams, including marketing and corporate email.

April 2023 - Email Geeks
Marketer view

Email marketer from EasyDMARC shares that implementing BIMI involves ensuring DMARC is set up correctly, obtaining a VMC for your logo, and publishing the BIMI DNS record. They emphasize the importance of monitoring DMARC reports to maintain email security.

August 2023 - EasyDMARC
Marketer view

Email marketer from SparkPost runs through the process of: ensuring DMARC is implemented; ensuring a valid SSL certificate is enabled for your logo URL and finally publishing the BIMI record in DNS.

November 2021 - SparkPost
Marketer view

Email marketer from Litmus shares that BIMI helps brands showcase their logo in recipient inboxes, increasing brand recognition and trust. It also encourages senders to implement strong email authentication practices like DMARC.

January 2024 - Litmus
Marketer view

Email marketer from Red Sift explains that BIMI helps increase brand visibility in email inboxes and improves email security by leveraging DMARC. They discuss BIMI's benefits in enhancing brand trust and customer engagement.

June 2022 - Red Sift
Marketer view

Email marketer from Mailjet explains that setting up BIMI requires a correctly configured DMARC policy, a VMC, and a BIMI DNS record. They advise starting with a 'p=none' DMARC policy to monitor email streams before enforcing stricter policies.

April 2024 - Mailjet
Marketer view

Marketer from Email Geeks explains that the organization's domain will need to be at DMARC enforcement to leverage BIMI. Mentions that someone in the organization is using MXToolbox to process DMARC reports.

November 2024 - Email Geeks

What the experts say
2Expert opinions

Setting up DMARC for BIMI involves deploying SPF and DKIM, ensuring they align with the From address, and deploying on all mail streams. Start with DMARC in p=none mode, monitoring feedback reports to identify missed mail streams and deploy aligned SPF and DKIM on those, repeating the process for at least three months before escalating to enforcing policies and ultimately BIMI. Also, BIMI allows displaying your brand logo in supporting inboxes, but requires strict DMARC policies (reject or quarantine) with correct authentication. Note that not all email programs support it yet.

Key opinions

  • SPF and DKIM Alignment: SPF and DKIM must align with the From address for successful DMARC implementation.
  • Iterative DMARC Deployment: Start with a 'p=none' DMARC policy and gradually escalate to stricter policies after monitoring.
  • Strict DMARC Requirements: BIMI requires strict DMARC policies (reject or quarantine) for functionality.
  • BIMI Supports Brand Logo: BIMI allows for the display of brand logos in supporting email inboxes.
  • Support Variation: Not all email programs currently support BIMI.

Key considerations

  • Mail Stream Coverage: Ensure SPF and DKIM are deployed on all mail streams.
  • Feedback Report Monitoring: Monitor feedback reports to identify and address missed mail streams.
  • Authentication Accuracy: Correct authentication is critical for DMARC and BIMI to function properly.
  • Timeline for Implementation: Allow at least three months for DMARC monitoring and adjustment before escalating to enforcing policies.
  • Email Program Support: Consider that not all email programs support BIMI, limiting its reach.
Expert view

Expert from Word to the Wise, Laura Atkins, shares that BIMI provides a way to display your brand logo in supporting inboxes, but also emphasizes that the requirements for DMARC are quite strict (reject or quarantine) and that getting authentication correct is critical. Not all email programs support it yet.

November 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares the process for setting up DMARC for BIMI. The process includes deploying SPF and DKIM, ensuring they align with the From address, deploying on all mail streams, and deploying DMARC in p=none mode. Steve recommends monitoring feedback reports to identify missed mail streams and deploying aligned SPF and DKIM on those, repeating the process for at least three months, before escalating to enforcing policies and ultimately BIMI.

November 2021 - Email Geeks

What the documentation says
4Technical articles

Setting up DMARC for BIMI requires the sending domain to be authenticated with DMARC at a policy of 'quarantine' or 'reject', and a Validated Mark Certificate (VMC) to prove logo ownership. Initial DMARC deployment steps involve assessing mail streams, setting up SPF and DKIM, and using a 'p=none' policy for data collection before moving to stricter policies. BIMI requires a DMARC policy to be in place for proper function. DMARC policy options include 'none' for monitoring, 'quarantine' to send unauthenticated emails to spam, and 'reject' to block them.

Key findings

  • DMARC Policy: BIMI requires a DMARC policy of 'quarantine' or 'reject'.
  • VMC Requirement: A Validated Mark Certificate (VMC) is needed for BIMI logo display.
  • DMARC Initial Steps: DMARC deployment starts with assessing mail streams, setting up SPF and DKIM, and using 'p=none'.
  • Policy Options: DMARC policy options are 'none', 'quarantine', and 'reject'.

Key considerations

  • Authentication: Ensure the sending domain is authenticated with DMARC.
  • VMC Acquisition: Obtain a Validated Mark Certificate (VMC) for your logo.
  • Mail Stream Assessment: Assess your mail streams before implementing DMARC.
  • Policy Progression: Start with a 'p=none' policy for monitoring before stricter enforcement.
Technical article

Documentation from BIMI Group explains that to display a BIMI logo, the sending domain must be authenticated with DMARC at a policy of 'quarantine' or 'reject'. A Validated Mark Certificate (VMC) is also required to prove logo ownership.

December 2021 - BIMI Group
Technical article

Documentation from DMARC.org explains the initial steps for DMARC deployment: assess your mail streams, set up SPF and DKIM, then set a DMARC policy of p=none to start collecting data and understanding your email ecosystem before moving to stricter policies.

February 2022 - DMARC.org
Technical article

Documentation from Global Cyber Alliance explains the DMARC policy options: none, quarantine, and reject. 'None' allows monitoring, 'quarantine' sends unauthenticated emails to spam, and 'reject' blocks them entirely.

May 2023 - Global Cyber Alliance
Technical article

Documentation from AuthSMTP details that BIMI requires a DMARC policy to be in place. This policy should be set to either 'quarantine' or 'reject' for BIMI to function correctly, ensuring only authenticated emails display the logo.

January 2022 - AuthSMTP