How to set up BIMI records for multiple subdomains while excluding the parent domain?

10 Marketer opinions 1 Expert opinion 5 Technical articles 3 Resources

Summary

To set up BIMI records for multiple subdomains while excluding the parent domain, each subdomain requires its own unique BIMI record and a VMC that validates specifically for that subdomain. The organizational domain should be in the domain-set (SAN list) of the VMC. The parent domain's BIMI record cannot be directly applied to subdomains. Careful DNS configuration for each subdomain is essential, and DMARC should be implemented on both subdomains and the parent domain. Validation and testing are crucial to ensure correct setup and maximize brand visibility, customer trust, and email security.

Key findings

Individual BIMI Records Needed: Each subdomain must have its own BIMI record.
Specific VMC Validation: Each VMC needs to validate only its corresponding subdomain.
Parent Domain Isolation: The BIMI record of the parent domain does not apply to its subdomains unless explicitly configured and vice-versa.
Importance of SANs: Subdomains must be listed as Subject Alternative Names (SANs) in the VMC.
DMARC Implementation: DMARC needs to be set up for both the subdomains and the parent domain for BIMI to work.

Key considerations

Complex DNS Configuration: Careful DNS configuration for each subdomain is mandatory.
VMC Management Overhead: Managing separate VMCs for multiple subdomains adds complexity and cost.
Testing is Mandatory: Thorough testing is crucial to confirm the correct configuration and functionality of each BIMI record and VMC.
Compliance with Specifications: Adhering to BIMI specifications and best practices ensures compatibility and effectiveness.
Cost Considerations: Implementing multiple VMCs can be expensive; factor this into the overall strategy.

What email marketers say
10Marketer opinions

To set up BIMI records for multiple subdomains while excluding the parent domain, it's crucial to implement individual BIMI records for each subdomain and ensure the VMC validates each subdomain separately. The parent domain's BIMI record will not automatically apply, and careful DNS configuration is required. Setting up DMARC on both subdomains and the parent domain is also necessary. Testing with BIMI validators is key to ensure proper configuration and validation. Proper BIMI implementation can increase brand visibility, customer trust, and email security.

Key opinions

Individual BIMI Records: Each subdomain requiring BIMI needs its own unique BIMI record in DNS.
VMC Validation: The VMC (Verified Mark Certificate) must validate each subdomain separately.
Parent Domain Exclusion: The parent domain's BIMI record does not apply to subdomains unless explicitly configured.
DMARC Requirement: DMARC must be implemented on both the subdomains and the parent domain.
SANs in VMC: The VMC should include all subdomains as Subject Alternative Names (SANs).

Key considerations

DNS Configuration: Careful DNS configuration is essential for each subdomain.
VMC Scope: Ensure the VMC is correctly scoped to cover only the intended subdomains.
Testing: Thorough testing with BIMI validators is necessary to confirm proper setup.
Security: Implementing BIMI increases brand visibility, enhances customer trust, and improves email security, however, proper DMARC, DKIM, and SPF setup is required.

Marketer view

Email marketer from Reddit shares that setting up BIMI for subdomains while excluding the parent often requires careful DNS configuration and ensuring that the VMC covers all required subdomains separately.

February 2022 - Reddit

Marketer view

Email marketer from Email On Acid shares that testing is crucial and suggests using BIMI validators to ensure that each subdomain’s BIMI record is correctly configured and validated against the VMC.

March 2022 - Email On Acid

Marketer view

Email marketer from StackOverflow responds that each subdomain intended to use BIMI requires a distinct BIMI DNS record. The parent domain's BIMI record, if it exists, will not apply to subdomains unless explicitly configured.

November 2024 - StackOverflow

Marketer view

Email marketer from Word to the Wise shares that you need to ensure each subdomain that requires BIMI has its own DNS record configured correctly. This includes both the BIMI record and the associated VMC.

March 2024 - Word to the Wise

Marketer view

Marketer from Email Geeks explains that you can include the parent domain in the VMC and publish your BIMI records at the subdomain level.

December 2021 - Email Geeks

Marketer view

Email marketer from Email Geeks Forum answers that the VMC should include all subdomains as Subject Alternative Names (SANs). This ensures that the certificate validates correctly for each subdomain's BIMI record.

June 2023 - Email Geeks Forum

Marketer view

Email marketer from Dmarcian.com advises that to setup BIMI, that you should implement DMARC on your subdomains, and also implement DMARC on your parent domain.

August 2023 - Dmarcian.com

Marketer view

Email marketer from Mailhardener.com states that you must create a BIMI record for each subdomain you want to use with BIMI. The VMC must also be valid for that subdomain.

November 2022 - Mailhardener.com

Marketer view

Email marketer from ZeroBounce.net explains that after setting up your BIMI records, it will increase brand visibility, improve customer trust, and enhance email security.

July 2022 - ZeroBounce.net

Marketer view

Marketer from Email Geeks shares current draft BIMI specs that the organizational domain being in the domain-set (the SAN list in the VMC) is enough to make it work, providing links to the spec.

July 2024 - Email Geeks

What the experts say
1Expert opinion

To successfully implement BIMI on subdomains while excluding the parent domain, each subdomain must have its own unique BIMI record. This record should point to a VMC that specifically validates only that subdomain. It's not possible to apply a single BIMI record from the parent domain to multiple subdomains while simultaneously excluding the parent.

Key opinions

Unique BIMI Records: Each subdomain needs its own distinct BIMI record.
Dedicated VMC: The VMC must validate only the specific subdomain it's associated with.
No Parent Domain Inheritance: A parent domain's BIMI record cannot be used to cover subdomains and exclude the parent itself.

Key considerations

Configuration Effort: Setting up BIMI this way requires configuring each subdomain individually, which can be time-consuming.
VMC Management: Managing multiple VMCs (one for each subdomain) can add complexity to the overall BIMI setup.

Expert view

Expert from Word to the Wise explains that to implement BIMI on subdomains while excluding the parent domain, ensure each subdomain has its own unique BIMI record pointing to a VMC that validates only that subdomain. You cannot apply a parent domain BIMI record to subdomains and exclude the parent.

March 2021 - Word to the Wise

What the documentation says
5Technical articles

To implement BIMI on subdomains independent of the parent domain, each subdomain needs its own BIMI record. These records point to a VMC (Verified Mark Certificate), where the domain in the BIMI record must match a Subject Alternative Name (SAN) listed. This means each subdomain should be explicitly included as a SAN in its VMC. The BIMI DNS TXT record is discovered at a specific location for each domain/subdomain, necessitating individual setup and management. Ensure the VMC is linked correctly to the corresponding BIMI record for each subdomain.

Key findings

Independent Subdomain Implementation: BIMI can be implemented on subdomains separately from the parent domain.
Individual BIMI Records: Each subdomain requires its own BIMI record in the DNS TXT format.
SAN Requirement: The domain within the BIMI record must match a SAN in the VMC.
VMC Linkage: The VMC must be correctly linked to the BIMI record for each subdomain.

Key considerations

Scalability: Managing individual BIMI records and VMCs for many subdomains can be complex.
VMC Costs: Each VMC incurs its own cost, so budget accordingly if implementing across multiple subdomains.
DNS Management: Accurate DNS configuration is critical to ensure BIMI validation and display.

Technical article

Documentation from IETF explains in the BIMI draft specification that the BIMI record is discovered at a specific location for each domain/subdomain. If you want a different logo for a subdomain, it needs its own record.

January 2025 - datatracker.ietf.org

Technical article

Documentation from DigiCert.com explains that when using a VMC, the domain in the BIMI record must match a Subject Alternative Name (SAN) in the VMC. For subdomains, the SAN should specifically include the subdomain.

April 2024 - DigiCert.com

Technical article

Documentation from BIMI Group states that the BIMI DNS TXT record must be set up on each subdomain where you want the BIMI logo to appear, pointing to the correct logo and VMC.

May 2022 - BIMI Group

Technical article

Documentation from Entrust.com shares that the VMC is linked to your BIMI record so when creating a VMC, ensure that it has all the subject alternative names for your subdomains.

December 2021 - Entrust.com

Technical article

Documentation from Valimail.com states that BIMI can be implemented on subdomains independently of the parent domain. Each subdomain needs its own BIMI record, pointing to the VMC.

September 2024 - Valimail.com

How DMARC works with subdomains and the sp tag - Valimail

Learn how DMARC works with your subdomains and the sp tag to bring DMARC to enforcement and protect your business from impersonation.

Valimail -

What is the DMARC 'sp' Tag for Subdomains? - DuoCircle

Domain owners with multiple subdomains expose their businesses to phishing and spoofing attacks, which underscores the importance of protecting them with

DuoCircle