How to set up BIMI records for multiple subdomains while excluding the parent domain?

Summary

To set up BIMI records for multiple subdomains while excluding the parent domain, each subdomain requires its own unique BIMI record and a VMC that validates specifically for that subdomain. The organizational domain should be in the domain-set (SAN list) of the VMC. The parent domain's BIMI record cannot be directly applied to subdomains. Careful DNS configuration for each subdomain is essential, and DMARC should be implemented on both subdomains and the parent domain. Validation and testing are crucial to ensure correct setup and maximize brand visibility, customer trust, and email security.

Key findings

  • Individual BIMI Records Needed: Each subdomain must have its own BIMI record.
  • Specific VMC Validation: Each VMC needs to validate only its corresponding subdomain.
  • Parent Domain Isolation: The BIMI record of the parent domain does not apply to its subdomains unless explicitly configured, and vice versa.
  • Importance of SANs: Subdomains must be listed as Subject Alternative Names (SANs) in the VMC.
  • DMARC Implementation: DMARC needs to be set up for both the subdomains and the parent domain for BIMI to work.

Key considerations

  • Complex DNS Configuration: Careful DNS configuration for each subdomain is mandatory.
  • VMC Management Overhead: Managing separate VMCs for multiple subdomains adds complexity and cost.
  • Testing is Mandatory: Thorough testing is crucial to confirm the correct configuration and functionality of each BIMI record and VMC.
  • Compliance with Specifications: Adhering to BIMI specifications and best practices ensures compatibility and effectiveness.
  • Cost Considerations: Implementing multiple VMCs can be expensive; factor this into the overall strategy.

What email marketers say
10 Marketer opinions

To set up BIMI records for multiple subdomains while excluding the parent domain, it's crucial to implement individual BIMI records for each subdomain and ensure the VMC validates each subdomain separately. The parent domain's BIMI record will not automatically apply, and careful DNS configuration is required. Setting up DMARC on both subdomains and the parent domain is also necessary. Testing with BIMI validators is key to ensure proper configuration and validation. Proper BIMI implementation can increase brand visibility, customer trust, and email security.

Key opinions

  • Individual BIMI Records: Each subdomain requiring BIMI needs its own unique BIMI record in DNS.
  • VMC Validation: The VMC (Verified Mark Certificate) must validate each subdomain separately.
  • Parent Domain Exclusion: The parent domain's BIMI record does not apply to subdomains unless explicitly configured.
  • DMARC Requirement: DMARC must be implemented on both the subdomains and the parent domain.
  • SANs in VMC: The VMC should include all subdomains as Subject Alternative Names (SANs).

Key considerations

  • DNS Configuration: Careful DNS configuration is essential for each subdomain.
  • VMC Scope: Ensure the VMC is correctly scoped to cover only the intended subdomains.
  • Testing: Thorough testing with BIMI validators is necessary to confirm proper setup.
  • Security: Implementing BIMI increases brand visibility, enhances customer trust, and improves email security; however, proper DMARC, DKIM, and SPF setup is required.

Marketer view

Email marketer from Reddit shares that setting up BIMI for subdomains while excluding the parent often requires careful DNS configuration and ensuring that the VMC covers all required subdomains separately.

February 2022 - Reddit

Marketer view

Email marketer from Email On Acid shares that testing is crucial and suggests using BIMI validators to ensure that each subdomain’s BIMI record is correctly configured and validated against the VMC.

March 2022 - Email On Acid

What the experts say
1 Expert opinion

To successfully implement BIMI on subdomains while excluding the parent domain, each subdomain must have its own unique BIMI record. This record should point to a VMC that specifically validates only that subdomain. It's not possible to apply a single BIMI record from the parent domain to multiple subdomains while simultaneously excluding the parent.

Key opinions

  • Unique BIMI Records: Each subdomain needs its own distinct BIMI record.
  • Dedicated VMC: The VMC must validate only the specific subdomain it's associated with.
  • No Parent Domain Inheritance: A parent domain's BIMI record cannot be used to cover subdomains and exclude the parent itself.

Key considerations

  • Configuration Effort: Setting up BIMI this way requires configuring each subdomain individually, which can be time-consuming.
  • VMC Management: Managing multiple VMCs (one for each subdomain) can add complexity to the overall BIMI setup.

Expert view

Expert from Word to the Wise explains that to implement BIMI on subdomains while excluding the parent domain, ensure each subdomain has its own unique BIMI record pointing to a VMC that validates only that subdomain. You cannot apply a parent domain BIMI record to subdomains and exclude the parent.

March 2021 - Word to the Wise

What the documentation says
5 Technical articles

To implement BIMI on subdomains independent of the parent domain, each subdomain needs its own BIMI record. These records point to a VMC (Verified Mark Certificate), where the domain in the BIMI record must match a Subject Alternative Name (SAN) listed. This means each subdomain should be explicitly included as a SAN in its VMC. The BIMI DNS TXT record is discovered at a specific location for each domain/subdomain, necessitating individual setup and management. Ensure the VMC is linked correctly to the corresponding BIMI record for each subdomain.

Key findings

  • Independent Subdomain Implementation: BIMI can be implemented on subdomains separately from the parent domain.
  • Individual BIMI Records: Each subdomain requires its own BIMI record in the DNS TXT format.
  • SAN Requirement: The domain within the BIMI record must match a SAN in the VMC.
  • VMC Linkage: The VMC must be correctly linked to the BIMI record for each subdomain.

Key considerations

  • Scalability: Managing individual BIMI records and VMCs for many subdomains can be complex.
  • VMC Costs: Each VMC incurs its own cost, so budget accordingly if implementing across multiple subdomains.
  • DNS Management: Accurate DNS configuration is critical to ensure BIMI validation and display.

Technical article

Documentation from IETF explains in the BIMI draft specification that the BIMI record is discovered at a specific location for each domain/subdomain. If you want a different logo for a subdomain, it needs its own record.

January 2025 - datatracker.ietf.org

Technical article

Documentation from DigiCert.com explains that when using a VMC, the domain in the BIMI record must match a Subject Alternative Name (SAN) in the VMC. For subdomains, the SAN should specifically include the subdomain.

April 2024 - DigiCert.com
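
The per-subdomain checks described in the documentation section (a BIMI record at each subdomain's own location, a VMC whose SAN list names that subdomain, DMARC in place) can be run as a pre-deployment audit. The following is an added example, not code from any of the cited sources. It assumes the "default" BIMI selector, treats "DMARC in place" as p=quarantine or p=reject, and uses constructed records for the placeholder domain example.com, with VMC SANs supplied as a table rather than parsed from certificates.

```python
# Constructed sample data: example.com and every record below are placeholders.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject",
    "default._bimi.news.example.com":
        "v=BIMI1; l=https://news.example.com/logo.svg; a=https://news.example.com/vmc.pem",
    "default._bimi.billing.example.com":
        "v=BIMI1; l=https://billing.example.com/logo.svg; a=https://billing.example.com/vmc.pem",
    "_dmarc.promo.example.com": "v=DMARC1; p=none",
    "default._bimi.promo.example.com":
        "v=BIMI1; l=https://promo.example.com/logo.svg; a=https://promo.example.com/vmc.pem",
}
# SANs as they would be read from each VMC (constructed; no certificate is parsed).
VMC_SANS = {
    "https://news.example.com/vmc.pem": {"news.example.com"},
    "https://billing.example.com/vmc.pem": {"news.example.com"},  # wrong SAN
    "https://promo.example.com/vmc.pem": {"promo.example.com"},
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_policy(domain, org, zone):
    """Policy for domain: its own record, else the org record's sp (or p)."""
    own = zone.get(f"_dmarc.{domain}")
    if own:
        return parse_tags(own).get("p", "none")
    org_tags = parse_tags(zone.get(f"_dmarc.{org}", ""))
    return org_tags.get("sp", org_tags.get("p", "none"))

def audit(org, subdomains, zone=ZONE, sans=VMC_SANS):
    """Return {name: [problems]} for the parent and each subdomain."""
    report = {org: []}
    if f"default._bimi.{org}" in zone:
        report[org].append("parent publishes a BIMI record")
    for sub in subdomains:
        problems = []
        tags = parse_tags(zone.get(f"default._bimi.{sub}", ""))
        if tags.get("v") != "BIMI1":
            problems.append("no BIMI record")
        elif sub not in sans.get(tags.get("a", ""), set()):
            problems.append("VMC SAN does not list this subdomain")
        if dmarc_policy(sub, org, zone) not in ("quarantine", "reject"):
            problems.append("DMARC not at enforcement")
        report[sub] = problems
    return report
```

Against live DNS, the ZONE table would be filled from TXT lookups at the same names and VMC_SANS from the certificates fetched at each a= URL.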