What are the DMARC requirements for BIMI and how does pct affect the policies?

Summary

BIMI (Brand Indicators for Message Identification) requires a robust DMARC (Domain-based Message Authentication, Reporting & Conformance) policy for participation. This policy must be set to either 'quarantine' or 'reject' at the organizational domain level. If 'quarantine' is selected, the 'pct' (percentage) value must be 100. A subdomain with a DMARC policy of 'none' affects only that subdomain's BIMI eligibility, not the rest of the organization. When the 'pct' value is specified as less than 100, the remaining percentage of messages receives the next, less strict policy. The goal is to ensure that only authenticated emails display the brand's logo, enhancing email security and trust.

Key findings

  • DMARC Policy: BIMI requires a DMARC policy of either 'quarantine' or 'reject'.
  • pct Value: For 'quarantine' policies, the 'pct' value must be 100.
  • Subdomain Impact: A 'none' DMARC policy on a subdomain only affects that subdomain's BIMI capability.
  • Unspecified pct: When 'pct' is less than 100, the remaining percentage receives the next, less strict policy.
  • Authentication: BIMI helps improve email sender authentication.

Key considerations

  • Implementation: Carefully implement DMARC to meet the specified BIMI requirements.
  • Subdomain Policies: Understand the implications of using a subdomain with 'none' DMARC policy.
  • Monitoring: Continuously monitor DMARC performance and adjust policies as needed.
  • Security: BIMI is a good addition to a strong sender authentication configuration to enhance overall email security.

What email marketers say
11 Marketer opinions

BIMI (Brand Indicators for Message Identification) requires a strong DMARC (Domain-based Message Authentication, Reporting & Conformance) policy for participation. Specifically, the DMARC policy must be set to either 'quarantine' or 'reject' for both the organizational domain and the RFC5322.From domain. If a 'quarantine' policy is used, the 'pct' value must be 100. If a subdomain has a 'none' DMARC policy, it only affects that subdomain and not the overall organizational domain. When 'pct' is specified and not 100, the remaining percentage defaults to the next policy (e.g., 'reject pct=70' means 70% reject and 30% quarantine). This ensures only authenticated emails display the brand's logo.
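
The checks described above, as an added example (not code from any of the cited sources): a small Python checker that applies the rules stated on this page to DMARC TXT records. The function names and the example.com records are constructed for illustration, and a subdomain that inherits its policy from the organizational domain instead of publishing its own record is not modelled.

```python
# Added example: encodes only the DMARC rules for BIMI stated on this page.
LOWER = {"reject": "quarantine", "quarantine": "none"}  # pct fallback (RFC 7489)

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; ValueError if unusable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when omitted
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range: %d" % pct)
    tags.update(p=policy, pct=pct)
    return tags

def pct_split(policy, pct):
    """Share of failing mail per disposition: reject pct=70 -> 70% / 30%."""
    if policy == "none" or pct == 100:
        return {policy: 100}
    return {policy: pct, LOWER[policy]: 100 - pct}

def check_record(label, txt):
    """Reasons this record blocks BIMI; an empty list means it passes."""
    tags = parse_dmarc(txt)
    if tags["p"] == "none":
        return ["%s: p=none is not quarantine or reject" % label]
    # The page states the pct=100 rule for quarantine only, so only that is checked.
    if tags["p"] == "quarantine" and tags["pct"] != 100:
        return ["%s: p=quarantine requires pct=100, found pct=%d" % (label, tags["pct"])]
    return []

def bimi_dmarc_ok(org_txt, from_txt=None):
    """from_txt: the From domain's own record if it is a subdomain, else None."""
    reasons = check_record("organizational domain", org_txt)
    if from_txt is not None:
        reasons += check_record("RFC5322.From domain", from_txt)
    return (not reasons, reasons)

# Constructed sample records (example.com is a placeholder domain).
ORG_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
ORG_QUARANTINE_50 = "v=DMARC1; p=quarantine; pct=50"
SUB_NONE = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(bimi_dmarc_ok(ORG_REJECT, SUB_NONE), pct_split("reject", 70))
```

Passing the same organizational record with and without the subdomain record shows the subdomain case from the text: the organizational domain stays eligible while mail from the 'none' subdomain does not.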

Key opinions

  • DMARC Requirement: BIMI requires DMARC with a policy of either 'quarantine' or 'reject'.
  • pct Value: If using 'quarantine', the 'pct' value must be 100.
  • Subdomain Policy: A 'none' DMARC policy on a subdomain only affects that subdomain's BIMI eligibility.
  • pct Implications: If 'pct' is less than 100, the remaining percentage defaults to the next, less strict policy.

Key considerations

  • Policy Enforcement: Ensure DMARC policy is strictly enforced to meet BIMI requirements.
  • Subdomain Impact: Understand the impact of subdomain DMARC policies on BIMI eligibility.
  • Aggregate Reports: DMARC aggregate reports can help monitor and adjust policies to meet requirements.
  • Testing: Thoroughly test DMARC and BIMI implementation to avoid unintended consequences.

Marketer view

Email marketer from EmailToolTester.com explains that to use BIMI, your domain must have DMARC set up with a policy of either 'quarantine' or 'reject'.

May 2022 - EmailToolTester.com

Marketer view

Email marketer from Reddit comments that BIMI implementations require DMARC to be enforced with a policy of either quarantine or reject, and specifies that pct must be set to 100 if using quarantine to be compliant with BIMI.

November 2021 - Reddit

What the experts say
2 Expert opinions

Experts agree that BIMI requires DMARC to be in place with a policy set to either quarantine or reject to verify the authenticity of email senders. They recommend BIMI as a good add-on to a robust sender authentication configuration.

Key opinions

  • DMARC Requirement: BIMI necessitates DMARC configuration.
  • Policy Options: DMARC policy must be set to either 'quarantine' or 'reject' for BIMI implementation.
  • Sender Authentication: BIMI helps verify email sender authenticity.
  • Authentication Addition: BIMI enhances strong sender authentication configurations.

Key considerations

  • DMARC setup: Make sure that DMARC is properly set up before implementing BIMI.
  • Policy choice: Choose either 'reject' or 'quarantine'; do not use 'none'.
  • Authentication First: Ensure a solid sender authentication strategy exists before adding BIMI.

Expert view

Expert from Spamresource says BIMI depends on DMARC to verify the authenticity of email senders. To use BIMI, you must have DMARC set up with a policy of quarantine or reject.

June 2021 - Spamresource

Expert view

Expert from Word to the Wise notes that BIMI requires DMARC to be in place at either quarantine or reject. The expert recommends BIMI as a nice addition to a strong sender authentication configuration.

December 2023 - Word to the Wise

What the documentation says
3 Technical articles

Official documentation states that BIMI requires a strong DMARC policy set to either 'quarantine' or 'reject' for both the organizational and RFC5322.From domains. When using 'quarantine,' the 'pct' value must be 100. This ensures that only authenticated emails can display the sender's logo, enhancing trust and security.

Key findings

  • DMARC Requirement: BIMI mandates a robust DMARC policy.
  • Policy Options: DMARC must be set to 'quarantine' or 'reject'.
  • pct Value for Quarantine: If using 'quarantine', the 'pct' value must be 100.
  • Logo Display: Successful DMARC authentication enables the display of the sender's logo.

Key considerations

  • DMARC Configuration: Carefully configure DMARC to meet BIMI's specific requirements.
  • Policy Choice Impact: Understand the implications of choosing 'quarantine' vs. 'reject'.
  • Monitoring and Enforcement: Continuously monitor DMARC performance and enforce policies effectively.
  • Legitimate Senders: Ensure legitimate senders are properly authenticated so they can use BIMI's logo display.

Technical article

Documentation from BIMIGroup.org explains that to participate in BIMI, a strong DMARC policy (quarantine or reject) must be in place for both the Organizational Domain and the RFC5322.From Domain. Quarantine policies must have a 'pct' value of 100.

February 2024 - BIMIGroup.org

Technical article

Documentation from Valimail.com highlights that BIMI requires DMARC authentication and enforcement, ensuring that only legitimate senders can display their logos. They also state BIMI builds on DMARC, requiring a policy of either quarantine or reject.

March 2022 - Valimail.com