What are the DMARC requirements for BIMI and how does pct affect the policies?

Summary

BIMI (Brand Indicators for Message Identification) requires a robust DMARC (Domain-based Message Authentication, Reporting & Conformance) policy for participation. This policy must be set to either 'quarantine' or 'reject' at the organizational domain level. If 'quarantine' is selected, the 'pct' (percentage) value must be 100. A subdomain with a DMARC policy of 'none' will only affect that subdomain's BIMI eligibility and not the rest of the organization. When the 'pct' value is specified as less than 100, the remaining percentage is applied to the next policy. The goal is to ensure that only authenticated emails display the brand's logo, enhancing email security and trust.

Key findings

  • DMARC Policy: BIMI requires a DMARC policy of either 'quarantine' or 'reject'.
  • pct Value: For 'quarantine' policies, the 'pct' value must be 100.
  • Subdomain Impact: A 'none' DMARC policy on a subdomain only affects that subdomain's BIMI capability.
  • pct Below 100: When 'pct' is less than 100, the remaining percentage adopts the next specified policy.
  • Authentication: BIMI helps improve email sender authentication.

Key considerations

  • Implementation: Carefully implement DMARC to meet the specified BIMI requirements.
  • Subdomain Policies: Understand the implications of using a subdomain with 'none' DMARC policy.
  • Monitoring: Continuously monitor DMARC performance and adjust policies as needed.
  • Security: BIMI is a good addition to a strong sender authentication configuration to enhance overall email security.

What email marketers say
11 marketer opinions

BIMI (Brand Indicators for Message Identification) requires a strong DMARC (Domain-based Message Authentication, Reporting & Conformance) policy for participation. Specifically, the DMARC policy must be set to either 'quarantine' or 'reject' for both the organizational domain and the RFC5322.From domain. If a 'quarantine' policy is used, the 'pct' value must be 100. If a subdomain has a 'none' DMARC policy, it only affects that subdomain and not the overall organizational domain. When 'pct' is specified and not 100, the remaining percentage defaults to the next policy (e.g., 'reject pct=70' means 70% reject and 30% quarantine). This ensures only authenticated emails display the brand's logo.

Key opinions

  • DMARC Requirement: BIMI requires DMARC with a policy of either 'quarantine' or 'reject'.
  • pct Value: If using 'quarantine', the 'pct' value must be 100.
  • Subdomain Policy: A 'none' DMARC policy on a subdomain only affects that subdomain's BIMI eligibility.
  • pct Implications: If 'pct' is less than 100, the remaining percentage defaults to the next policy.

Key considerations

  • Policy Enforcement: Ensure DMARC policy is strictly enforced to meet BIMI requirements.
  • Subdomain Impact: Understand the impact of subdomain DMARC policies on BIMI eligibility.
  • Aggregate Reports: DMARC aggregate reports can help monitor and adjust policies to meet requirements.
  • Testing: Thoroughly test DMARC and BIMI implementation to avoid unintended consequences.
Marketer view

Email marketer from EmailToolTester.com explains that to use BIMI, your domain must have DMARC set up with a policy of either 'quarantine' or 'reject'.

May 2022 - EmailToolTester.com
Marketer view

Email marketer from Reddit comments that BIMI implementations require DMARC to be enforced with a policy of either quarantine or reject, and specifies that pct must be set to 100 if using quarantine to be compliant with BIMI.

November 2021 - Reddit
Marketer view

Email marketer from Proofpoint.com shares that BIMI requires a DMARC policy at either quarantine or reject. This ensures that only authenticated emails are eligible to display the brand's logo.

February 2022 - Proofpoint.com
Marketer view

Marketer from Email Geeks explains that to participate in BIMI, Domain Owners MUST have a strong DMARC policy (quarantine or reject) on both the Organizational Domain, and the RFC5322.From Domain of the message. Quarantine policies MUST NOT have a pct less than pct=100.

August 2023 - Email Geeks
Marketer view

Marketer from Email Geeks clarifies that when 'pct' is specified for a DMARC policy and is not 100, the remaining percentage applies to the next policy. For example, 'p=reject pct=70' means 70% are rejected and the remaining 30% are quarantined, which is sufficient for BIMI as no emails are treated as 'p=none'.

March 2022 - Email Geeks
Marketer view

Marketer from Email Geeks suggests the new DMARC aggregate definition will not break existing things if the processor is written reasonably well.

August 2024 - Email Geeks
Marketer view

Marketer from Email Geeks explains that if a subdomain has a DMARC policy of 'none,' it only affects that specific subdomain's BIMI capability, not the organizational domain or other subdomains.

September 2024 - Email Geeks
Marketer view

Email marketer from ZeroBounce.net says BIMI relies on DMARC to verify the authenticity of email senders. To use BIMI, you must have DMARC set up with a policy of quarantine or reject. These policies tell mailbox providers what to do with emails that fail DMARC authentication.

December 2023 - ZeroBounce.net
Marketer view

Email marketer from AuthSMTP.com shares that to implement BIMI, you need a DMARC policy of either quarantine or reject. These policies instruct mailbox providers on how to handle emails that fail DMARC checks.

October 2024 - AuthSMTP.com
Marketer view

Email marketer from Mailhardener.com specifies that BIMI depends on DMARC for email authentication. Your DMARC policy must be set to either quarantine or reject for BIMI to function correctly.

October 2024 - Mailhardener.com
Marketer view

Email marketer from SocketLabs.com says BIMI requires a DMARC policy set to either quarantine or reject. This ensures that only authenticated emails can display the associated brand logo.

September 2024 - SocketLabs.com

What the experts say
2 expert opinions

Experts agree that BIMI requires DMARC to be in place with a policy set to either quarantine or reject to verify the authenticity of email senders. They also describe BIMI as a good add-on to a robust sender authentication configuration.

Key opinions

  • DMARC Requirement: BIMI necessitates DMARC configuration.
  • Policy Options: DMARC policy must be set to either 'quarantine' or 'reject' for BIMI implementation.
  • Sender Authentication: BIMI helps verify email sender authenticity.
  • Authentication Addition: BIMI enhances strong sender authentication configurations.

Key considerations

  • DMARC setup: Make sure that DMARC is properly set up before implementing BIMI.
  • Policy choice: Choose either reject or quarantine; don't use none.
  • Authentication First: Ensure a solid sender authentication strategy exists before adding BIMI.
Expert view

Expert from Spamresource says BIMI depends on DMARC to verify the authenticity of email senders. To use BIMI, you must have DMARC set up with a policy of quarantine or reject.

June 2021 - Spamresource
Expert view

Expert from Word to the Wise notes that BIMI requires DMARC to be in place at either quarantine or reject, and recommends BIMI as a nice addition to a strong sender authentication configuration.

December 2023 - Word to the Wise

What the documentation says
3 technical articles

Official documentation states that BIMI requires a strong DMARC policy set to either 'quarantine' or 'reject' for both the organizational and RFC5322.From domains. When using 'quarantine,' the 'pct' value must be 100. This ensures that only authenticated emails can display the sender's logo, enhancing trust and security.

Key findings

  • DMARC Requirement: BIMI mandates a robust DMARC policy.
  • Policy Options: DMARC must be set to 'quarantine' or 'reject'.
  • pct Value for Quarantine: If using 'quarantine', the 'pct' value must be 100.
  • Logo Display: Successful DMARC authentication enables the display of the sender's logo.

Key considerations

  • DMARC Configuration: Carefully configure DMARC to meet BIMI's specific requirements.
  • Policy Choice Impact: Understand the implications of choosing 'quarantine' vs. 'reject'.
  • Monitoring and Enforcement: Continuously monitor DMARC performance and enforce policies effectively.
  • Legitimate Senders: Ensure legitimate senders are properly authenticated so they can leverage BIMI's logo display.
Technical article

Documentation from BIMIGroup.org explains that to participate in BIMI, a strong DMARC policy (quarantine or reject) must be in place for both the Organizational Domain and the RFC5322.From Domain. Quarantine policies must have a 'pct' value of 100.

February 2024 - BIMIGroup.org
Technical article

Documentation from Valimail.com highlights that BIMI requires DMARC authentication and enforcement, ensuring that only legitimate senders can display their logos. They also state BIMI builds on DMARC, requiring a policy of either quarantine or reject.

March 2022 - Valimail.com
Technical article

Documentation from datatracker.ietf.org specifies that for BIMI, the domain owner must have a strong DMARC policy (quarantine or reject) on both the organizational domain and the RFC5322.From domain of the message. Quarantine policies must not have a 'pct' less than pct=100.

February 2024 - datatracker.ietf.org
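
The rules collected on this page can be checked mechanically. The following is an added example, not code from any of the cited sources: it evaluates only the requirements stated above (p=quarantine or p=reject on both the organizational domain and the RFC5322.From domain, and pct=100 when the policy is quarantine). The function names and the sample records are constructed for illustration, and the records stand in for the TXT records a real check would fetch from `_dmarc.<domain>`.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def strong_policy(record, policy_tag="p"):
    """Return (ok, reason) for one record under the rules quoted on this page."""
    if record is None:
        return False, "no DMARC record"
    tags = parse_dmarc(record)
    policy = tags.get(policy_tag, tags.get("p", "")).lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "reject":
        return True, "ok"  # per the page, only quarantine is barred from pct<100
    if policy == "quarantine":
        if pct == 100:
            return True, "ok"
        return False, f"quarantine with pct={pct} (<100)"
    return False, f"policy is {policy or 'missing'}"


def bimi_dmarc_eligible(from_domain, org_domain, records):
    """Check both the organizational domain and the RFC5322.From domain."""
    org_ok, org_why = strong_policy(records.get(org_domain))
    if not org_ok:
        return False, f"{org_domain}: {org_why}"
    if from_domain != org_domain:
        own = records.get(from_domain)
        # A subdomain without its own record inherits the organizational record,
        # where sp= (if present) overrides p= for subdomains (RFC 7489).
        ok, why = strong_policy(own) if own else strong_policy(records[org_domain], "sp")
        if not ok:
            return False, f"{from_domain}: {why}"
    return True, "strong DMARC policy on both domains"


# Constructed records keyed by domain (stand-ins for the TXT at _dmarc.<domain>).
RECORDS = {
    "example.com": "v=DMARC1; p=reject; pct=70; rua=mailto:dmarc@example.com",
    "news.example.com": "v=DMARC1; p=none",
    "example.org": "v=DMARC1; p=quarantine; pct=50",
}
```

With these records, mail from `example.com` or an unlisted subdomain such as `shop.example.com` passes, while `news.example.com` fails on its own p=none record without affecting the rest of the organization.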