What DMARC policy settings are required for BIMI and how do I determine the best setting for sp=?
Summary
What email marketers say
11 Marketer opinions
Email marketer from Email Marketing Forum shares that BIMI is only possible if you have a DMARC policy in place set to either quarantine or reject. Implementing gradually is important to avoid deliverability issues.
Marketer from Email Geeks explains that the required DMARC policy for BIMI for both p= and sp= is either quarantine or reject. The correct DMARC policy for your domain depends on your current authentication practices and how sure you are that they're complete.
Email marketer from Mailjet Blog states that BIMI requires a DMARC policy of either quarantine or reject (p=quarantine or p=reject) to ensure email senders are properly authenticated. The subdomain policy sp= should also match this.
Email marketer from Word to the Wise shares that BIMI requires a DMARC policy at either quarantine or reject. They suggest starting with a policy of quarantine and monitoring your email delivery before moving to reject.
Email marketer from OnlyDMARC shares that if you want to use BIMI, your subdomain policy (`sp=`) must also be set to either `quarantine` or `reject`, similar to the main domain policy (`p=`). Evaluate your subdomain sending practices before setting this policy.
Email marketer from Reddit explains that for BIMI to work, your DMARC policy needs to be strict, meaning either `p=quarantine` or `p=reject`. They recommend starting with `p=quarantine` to observe any impact on deliverability before fully enforcing with `p=reject`.
Email marketer from Reddit advises that setting `p=quarantine` allows you to monitor the impact of DMARC without rejecting legitimate emails. If you are confident, then you can switch to `p=reject` for full enforcement.
Email marketer from DMARC Forum explains that if you have a subdomain that does not send any mail, setting the `sp` policy to `reject` is a good practice to protect against spoofing. If the subdomain does send mail, make sure it is properly authenticated.
Email marketer from StackOverflow explains that setting `sp=reject` will instruct receiving mail servers to reject messages from subdomains that fail DMARC authentication. You should verify the subdomains are sending legitimate email.
Email marketer from EmailOnAcid.com responds that BIMI requires a DMARC policy enforcement of either quarantine or reject. Starting with quarantine and monitoring results is advised before moving to a reject policy.
Email marketer from Sendgrid, answering a question about BIMI, states that for BIMI to work the domain's DMARC record must be set to either `p=quarantine` or `p=reject`. These policies tell mail servers how to handle emails that fail authentication checks.
What the experts say
2 Expert opinions
Expert from Word to the Wise explains that a DMARC policy of either quarantine or reject is required for BIMI. They advise starting with `p=quarantine` and monitoring reports before moving to `p=reject`.
Expert from Email Geeks shares that before changing `sp=`, ask your devs or IT to give you some idea of what subdomains send mail and are set up in DNS to avoid issues. You likely want to get to `sp=reject` to match your `p=reject`, but you have the usual DMARC concern of "hey I need to make sure all email authenticates before I do that".
What the documentation says
4 Technical articles
Documentation from dmarc.org specifies that BIMI requires a DMARC policy with `p=quarantine` or `p=reject`. The subdomain policy `sp=` must also be either `quarantine` or `reject` to meet BIMI's requirements.
Documentation from Valimail.com explains that to display your logo using BIMI, your domain must have a DMARC policy of 'quarantine' or 'reject' (p=quarantine or p=reject). The sp= setting should also be set to 'quarantine' or 'reject'.
Documentation from Fastmail explains that to use BIMI, your domain must have a DMARC record with a policy set to either `p=quarantine` or `p=reject`. They recommend monitoring reports when first implementing DMARC policies.
Documentation from Proofpoint.com states that a DMARC policy of quarantine or reject is a prerequisite for BIMI. Your organization needs to implement either `p=quarantine` or `p=reject` in its DMARC record to be eligible for BIMI.
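A check for the `p=`/`sp=` requirement described above, as an added example that is not from any of the cited sources: it parses a DMARC TXT record and reports whether the domain policy and the effective subdomain policy are both `quarantine` or `reject`. The function names and sample records are constructed for illustration; the fallback of `sp=` to `p=` when `sp=` is absent follows RFC 7489.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed tag
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags

def bimi_policy_check(record):
    """Return (ok, problems) for the p=/sp= enforcement requirement."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC record (v=DMARC1 missing)"]
    problems = []
    p = tags.get("p", "").lower()
    if p not in ENFORCING:
        problems.append(f"p={p or '(missing)'} is not quarantine or reject")
    # RFC 7489: with no sp= tag, subdomains inherit the p= policy.
    # An explicit sp=none therefore overrides an enforcing p=.
    sp = tags.get("sp", p).lower()
    if sp not in ENFORCING:
        problems.append(f"effective sp={sp or '(missing)'} is not quarantine or reject")
    return not problems, problems

# Constructed sample records, not taken from any real domain.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:reports@example.com",
    "v=DMARC1; p=reject; sp=none",
    "v=DMARC1; p=quarantine; sp=reject;",
    "v=DMARC1; p=none",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        ok, problems = bimi_policy_check(rec)
        print("PASS" if ok else "FAIL", rec, problems)
```

The second sample is the case the `sp=` advice above is about: an enforcing `p=` paired with an explicit `sp=none` still fails the check.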