What DMARC policy settings are required for BIMI and how do I determine the best setting for sp=?

Summary

To successfully implement BIMI and display your brand logo in email inboxes, a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject) is mandatory for both the main domain and any subdomains (sp=quarantine or sp=reject). Experts recommend a phased approach, beginning with 'p=quarantine' to observe potential impacts on email deliverability and authentication reporting. Before enforcing a stricter 'reject' policy, it's crucial to thoroughly assess subdomain sending practices and ensure that legitimate email is properly authenticated. For subdomains not actively sending email, implementing 'sp=reject' can provide an additional layer of security against spoofing attempts.

Key findings

  • BIMI DMARC Requirement: BIMI requires a DMARC policy set to either 'quarantine' or 'reject' (p=quarantine or p=reject).
  • Subdomain Policy Alignment: For BIMI to function correctly, the subdomain policy (sp=) must also be set to either 'quarantine' or 'reject'.
  • Importance of Gradual Rollout: A gradual implementation strategy, starting with 'p=quarantine' and monitoring reports, is highly recommended to minimize deliverability issues.
  • Subdomain Assessment: Before changing the subdomain policy, assess which subdomains send email and confirm their authentication configurations.
  • Enhanced Security for Non-Sending Subdomains: Setting 'sp=reject' on subdomains that do not send email provides an added layer of security against potential spoofing.
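
The p=/sp= condition in the findings above can be checked mechanically against a published record. This is an added example, not code from any of the cited sources; the records are constructed, and it checks only the policy condition this page describes, using the DMARC rule (RFC 7489) that an absent sp= falls back to p=.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    return tags

def check_bimi_policy(txt):
    """Evaluate the p= and effective sp= policy against the quarantine/reject rule."""
    tags = parse_dmarc(txt)
    p = tags.get("p", "").lower()
    # RFC 7489: when sp= is absent, subdomains fall back to the p= policy.
    sp_explicit = "sp" in tags
    sp = tags.get("sp", p).lower()
    problems = []
    if p not in ENFORCING:
        problems.append(f"p={p or '(missing)'} is not quarantine or reject")
    if sp not in ENFORCING:
        origin = "explicit" if sp_explicit else "inherited from p="
        problems.append(f"sp={sp or '(missing)'} ({origin}) is not quarantine or reject")
    return {"p": p, "sp": sp, "sp_explicit": sp_explicit,
            "ok": not problems, "problems": problems}

# Constructed sample records (example.com is a documentation domain).
SAMPLES = {
    "strict parent, open subdomains":
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "sp inherited from p":
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "monitoring only":
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        result = check_bimi_policy(record)
        print(label, "->", "OK" if result["ok"] else result["problems"])
```

The first sample is the case that is easy to miss: an enforcing p= with an explicit sp=none still fails the check.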

Key considerations

  • Impact on Deliverability: Enforcing a 'reject' policy prematurely can negatively impact email deliverability if legitimate emails fail authentication checks.
  • Authentication Accuracy: Verify proper SPF and DKIM configuration for all sending domains and subdomains to avoid false positives and deliverability problems.
  • DMARC Report Analysis: Regularly monitor and analyze DMARC reports to identify and resolve authentication failures proactively.
  • Phased Implementation: Adopt a phased approach when implementing DMARC and BIMI to identify and address potential issues before full enforcement.
  • Subdomain Specific Considerations: Consider the specific sending practices of each subdomain before applying a global 'sp=' policy, ensuring legitimate email flow is maintained.
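
The report analysis and subdomain assessment described above come down to tallying DMARC results per subdomain from aggregate (rua) reports. This is an added example, not code from any of the cited sources; the report is constructed in the RFC 7489 aggregate-report layout, trimmed to the fields used, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; domains and IPs are documentation placeholders.
def _rec(ip, count, dkim, spf, header_from):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>{header_from}</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>quarantine</p><sp>none</sp></policy_published>"
                 + _rec("192.0.2.10", 120, "pass", "pass", "news.example.com")
                 + _rec("192.0.2.25", 40, "fail", "pass", "news.example.com")
                 + _rec("198.51.100.7", 15, "fail", "fail", "billing.example.com")
                 + _rec("192.0.2.10", 300, "pass", "fail", "example.com")
                 + "</feedback>")

def subdomain_report(report_xml, org_domain):
    """Tally DMARC pass/fail message counts per subdomain of org_domain."""
    suffix = "." + org_domain.lower()
    out = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from", "").strip().lower()
        if not header_from.endswith(suffix):
            continue  # the organizational domain (governed by p=) or an unrelated domain
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = out.setdefault(header_from,
                               {"pass": 0, "fail": 0, "failing_sources": set()})
        count = int(rec.findtext("row/count", "0"))
        if passed:
            entry["pass"] += count
        else:
            entry["fail"] += count
            entry["failing_sources"].add(rec.findtext("row/source_ip"))
    return out

if __name__ == "__main__":
    for name, stats in sorted(subdomain_report(SAMPLE_REPORT, "example.com").items()):
        print(name, stats)
```

Aggregate reports arrive from third parties, so a production parser should use a hardened XML library such as defusedxml. Each failing source is either a legitimate sender whose authentication needs fixing or spoofed mail that a stricter sp= would stop.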

What email marketers say
11 marketer opinions

For BIMI to function correctly, a DMARC policy with either 'quarantine' or 'reject' is required for both the primary domain (`p=`) and subdomains (`sp=`). It is widely recommended to start with a 'quarantine' policy and closely monitor email deliverability and authentication reports before transitioning to a 'reject' policy to avoid unintended deliverability issues. The 'sp=' setting should align with the 'p=' setting, but it is critical to assess subdomain sending practices to ensure legitimate email is properly authenticated before enforcing a stricter 'reject' policy. For subdomains that do not send email, using 'sp=reject' can enhance security.

Key opinions

  • DMARC Requirement: BIMI mandates a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject).
  • Subdomain Policy: The subdomain policy ('sp=') should also be set to either 'quarantine' or 'reject' for BIMI compliance.
  • Gradual Implementation: It is recommended to start with 'p=quarantine' to monitor the impact on deliverability before switching to 'p=reject'.
  • Subdomain Assessment: Evaluate subdomain sending practices to ensure legitimate email is authenticated before setting 'sp=reject'.
  • Security for Non-Sending Subdomains: For subdomains that do not send email, 'sp=reject' is a good security practice to prevent spoofing.

Key considerations

  • Authentication Practices: Ensure proper SPF and DKIM setup for all sending domains and subdomains to avoid deliverability issues when enforcing DMARC policies.
  • Monitoring: Closely monitor DMARC reports to identify and address any authentication failures before implementing a 'reject' policy.
  • Impact on Deliverability: Be aware that a 'reject' policy can impact deliverability if legitimate emails fail authentication checks. Start with 'quarantine' to minimize potential disruptions.
  • Subdomain Specifics: Understand which subdomains send email and ensure their authentication is configured correctly before applying a global subdomain policy.
  • Gradual Enforcement: Implement DMARC and BIMI policies gradually to avoid deliverability problems and allow time to address any issues.
Marketer view

Email marketer from Email Marketing Forum shares that BIMI is only possible if you have a DMARC policy in place set to either quarantine or reject. Implementing gradually is important to avoid deliverability issues.

March 2024 - Email Marketing Forum
Marketer view

Marketer from Email Geeks explains that the required DMARC policy for BIMI for both p= and sp= is either quarantine or reject. The correct DMARC policy for your domain depends on your current authentication practices and how sure you are that they're complete.

July 2022 - Email Geeks
Marketer view

Email marketer from Mailjet Blog states that BIMI requires a DMARC policy of either quarantine or reject (p=quarantine or p=reject) to ensure email senders are properly authenticated. The subdomain policy sp= should also match this.

February 2022 - Mailjet
Marketer view

Email marketer from Word to the Wise shares that BIMI requires a DMARC policy at either quarantine or reject. They suggest starting with a policy of quarantine and monitoring your email delivery before moving to reject.

April 2022 - Word to the Wise
Marketer view

Email marketer from OnlyDMARC shares that if you want to use BIMI, your subdomain policy (`sp=`) must also be set to either `quarantine` or `reject`, similar to the main domain policy (`p=`). Evaluate your subdomain sending practices before setting this policy.

December 2024 - OnlyDMARC.com
Marketer view

Email marketer from Reddit explains that for BIMI to work, your DMARC policy needs to be strict, meaning either `p=quarantine` or `p=reject`. They recommend starting with `p=quarantine` to observe any impact on deliverability before fully enforcing with `p=reject`.

May 2023 - Reddit
Marketer view

Email marketer from Reddit advises that setting `p=quarantine` allows you to monitor the impact of DMARC without rejecting legitimate emails. If you are confident, then you can switch to `p=reject` for full enforcement.

September 2024 - Reddit
Marketer view

Email marketer from DMARC Forum explains that if you have a subdomain that does not send any mail, setting the `sp` policy to `reject` is a good practice to protect against spoofing. If the subdomain does send mail, make sure it is properly authenticated.

October 2022 - DMARC Forum
Marketer view

Email marketer from StackOverflow explains that setting `sp=reject` will instruct receiving mail servers to reject messages from subdomains that fail DMARC authentication. You should verify the subdomains are sending legitimate email.

October 2021 - StackOverflow
Marketer view

Email marketer from EmailOnAcid.com responds that BIMI requires a DMARC policy enforcement of either quarantine or reject. Starting with quarantine and monitoring results is advised before moving to a reject policy.

May 2024 - EmailOnAcid.com
Marketer view

Email marketer from Sendgrid, answering a question about BIMI, states that for BIMI to work, the domain's DMARC record must be set to either `p=quarantine` or `p=reject`. These policies tell mail servers how to handle emails that fail authentication checks.

April 2023 - Sendgrid

What the experts say
2 expert opinions

For BIMI implementation, a DMARC policy of either 'quarantine' or 'reject' is necessary. Experts recommend a cautious approach, starting with 'p=quarantine' and monitoring DMARC reports before moving to 'p=reject'. Before adjusting the 'sp=' setting, particularly towards 'reject', it's essential to identify which subdomains send mail and ensure they are correctly configured to avoid disrupting legitimate email flow.

Key opinions

  • DMARC Requirement: BIMI requires a DMARC policy of either 'quarantine' or 'reject'.
  • Monitoring is Key: Monitoring DMARC reports is crucial before enforcing a stricter 'reject' policy.
  • Subdomain Identification: Identify sending subdomains and their DNS setup before changing the 'sp=' policy.

Key considerations

  • Gradual Enforcement: Implement DMARC and BIMI gradually to prevent deliverability issues.
  • Subdomain Authentication: Ensure all sending subdomains are properly authenticated before enforcing 'sp=reject'.
  • Risk Mitigation: Assess the risk of disrupting legitimate email flow when moving to a 'reject' policy.
Expert view

Expert from Word to the Wise explains that a DMARC policy of either quarantine or reject is required for BIMI. They advise starting with `p=quarantine` and monitoring reports before moving to `p=reject`.

September 2023 - Word to the Wise
Expert view

Expert from Email Geeks shares that before changing `sp=`, ask your devs or IT to give you some idea of what subdomains send mail and are set up in DNS to avoid issues. You likely want to get to `sp=reject` to match your `p=reject`, but you have the usual DMARC concern of "hey I need to make sure all email authenticates before I do that".

January 2024 - Email Geeks

What the documentation says
4 technical articles

BIMI (Brand Indicators for Message Identification) requires a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject) to display your logo. The subdomain policy (sp=) should also be set to 'quarantine' or 'reject' to meet BIMI's requirements. Monitoring reports when first implementing DMARC policies is also recommended.

Key findings

  • DMARC Requirement: BIMI mandates a DMARC policy of either 'quarantine' or 'reject' (p=quarantine or p=reject).
  • Subdomain Policy: The subdomain policy (sp=) should also be set to 'quarantine' or 'reject'.
  • Monitoring: Monitoring reports when implementing DMARC policies is recommended.

Key considerations

  • Impact on Deliverability: Incorrect DMARC settings can impact deliverability. Monitor DMARC reports carefully when first implementing DMARC policies.
  • Authentication Practices: Ensure proper SPF and DKIM setup for all sending domains and subdomains to avoid deliverability issues when enforcing DMARC policies.
Technical article

Documentation from dmarc.org specifies that BIMI requires a DMARC policy with `p=quarantine` or `p=reject`. The subdomain policy `sp=` must also be either `quarantine` or `reject` to meet BIMI's requirements.

October 2024 - dmarc.org
Technical article

Documentation from Valimail.com explains that to display your logo using BIMI, your domain must have a DMARC policy of 'quarantine' or 'reject' (p=quarantine or p=reject). The sp= setting should also be set to 'quarantine' or 'reject'.

November 2021 - Valimail.com
Technical article

Documentation from Fastmail explains that to use BIMI, your domain must have a DMARC record with a policy set to either `p=quarantine` or `p=reject`. They recommend monitoring reports when first implementing DMARC policies.

February 2024 - Fastmail.com
Technical article

Documentation from Proofpoint.com states that a DMARC policy of quarantine or reject is a prerequisite for BIMI. Your organization needs to implement either `p=quarantine` or `p=reject` in its DMARC record to be eligible for BIMI.

February 2022 - Proofpoint.com