The BIMI DMARC p=reject Requirement Explained
Most failed BIMI deployments trace back to a single cause: an incorrect DMARC policy. Organizations focus on generating the SVG logo file and overlook the authentication requirement that governs whether the logo displays at all.
BIMI is a security protocol, not a branding feature. Mailbox providers display your logo only after they cryptographically verify that the message originated from your domain [1].
This article describes the DMARC prerequisite for BIMI, compares the three enforcement policies, and specifies how to prepare your domain.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication standard that prevents unauthorized senders from using your domain in the From header.
DMARC builds on two underlying protocols:
- SPF (Sender Policy Framework): Verifies that the sending IP address is authorized by the domain owner.
- DKIM (DomainKeys Identified Mail): Applies a cryptographic signature to each message so the receiver can confirm the message was not modified in transit.
The DMARC record instructs receiving servers, such as Gmail and Yahoo, how to handle messages that pass neither SPF nor DKIM with a domain that aligns with the From header.
The Three DMARC Policies
You publish your DMARC record as a TXT record in your DNS zone. The p= tag defines the enforcement policy.
1. p=none (Monitoring Mode)
The receiving server delivers failing messages to the inbox and sends aggregate reports to the address you specify. Use this policy to identify legitimate sending sources before you move to enforcement.
BIMI Status: ❌ Rejected. Mailbox providers do not display BIMI logos for domains at p=none.
2. p=quarantine (Enforcement Mode)
The receiving server routes failing messages to the spam or junk folder.
BIMI Status: ✅ Accepted. This is the minimum policy that qualifies for BIMI. The policy must apply to 100% of messages. Either include pct=100 or omit the pct tag (the default is 100).
3. p=reject (Strict Enforcement Mode)
The receiving server drops failing messages. They are not delivered.
BIMI Status: ✅ Accepted. This is the recommended policy for BIMI.
Why BIMI Requires Enforcement
The requirement exists to prevent visual spoofing. When a mailbox provider displays your logo next to a message, it is asserting to the recipient that the message is authentic [2].
If BIMI accepted p=none, an attacker could spoof your domain and cause the mailbox provider to display your logo next to a phishing message. Requiring p=quarantine or p=reject guarantees that the domain owner has blocked unauthenticated mail before the logo is granted.
Subdomain Considerations
Enterprises frequently use subdomains for distinct mail streams, such as marketing.company.com or receipts.company.com. BIMI requires the organizational domain to be at enforcement.
If your organizational domain publishes p=reject but overrides subdomains with sp=none, BIMI fails for mail sent from those subdomains. Enforcement must apply to both the organizational domain and its subdomains.
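The eligibility rules above (p must be quarantine or reject, pct must be 100 or omitted, and sp must not relax enforcement for subdomains) can be checked mechanically against a DMARC TXT record. The following checker is an added example, not code from the article or from any tool it mentions; the sample records and the example.com address are constructed placeholders, and it does not perform DNS lookups itself.

```python
"""Evaluate whether a DMARC record meets the BIMI enforcement requirement.
Added example: checks p, pct and sp as described in the article."""
from typing import Dict, List, Tuple

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a tag/value map (tags are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)  # values like rua=mailto:x?y=z keep their '='
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_ready(record: str) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons); reasons lists every failed check."""
    tags = parse_dmarc(record)
    reasons: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        reasons.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        reasons.append(f"p={policy or '<missing>'} is not quarantine or reject")
    # pct defaults to 100; any lower sampling rate disqualifies the domain
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        reasons.append(f"pct={pct} must be 100 (or omitted)")
    # sp overrides p for subdomains and defaults to p when absent
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        reasons.append(f"sp={sub_policy or '<missing>'} leaves subdomains unenforced")
    return (not reasons, reasons)


# Constructed sample records (placeholder domain/address), with expected eligibility.
SAMPLES = {
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com": True,
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com": True,
    "v=DMARC1; p=quarantine; pct=50": False,
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com": False,
    "v=DMARC1; p=reject; sp=none": False,
}

if __name__ == "__main__":
    for rec, expected in SAMPLES.items():
        ok, why = bimi_ready(rec)
        print(f"{'PASS' if ok else 'FAIL'}  {rec}  {'; '.join(why)}")
```

To check a live domain, fetch the TXT record at _dmarc.<your-domain> with your resolver and pass the string to bimi_ready.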
How to Audit Your Infrastructure
Confirm your DMARC status before you generate an SVG file or apply for a Verified Mark Certificate (VMC).
Use makeBIMI to audit your domain. The tool queries your DNS records, evaluates your SPF and DMARC configuration, and reports whether your domain meets the enforcement requirement for BIMI.
After your domain passes the audit, generate your compliant SVG file and engage a CA brokerage such as veriBIMI to obtain your certificate.
References
[1] M. Blank, et al. "Brand Indicators for Message Identification (BIMI)." IETF Datatracker, RFC 9091, https://datatracker.ietf.org/doc/html/rfc9091
[2] DMARC.org. "Overview." DMARC, https://dmarc.org/overview/