BIMI vs DMARC (and SPF/DKIM)
BIMI doesn’t authenticate mail. It depends on SPF, DKIM, and an enforced DMARC policy. Think of BIMI as “branding on top of strong authentication.”
Eligibility shortcut: if your DMARC policy is p=none, you’re typically not eligible for BIMI display. You’ll need p=quarantine or p=reject.
Use the DMARC verifier to check your domain’s published policy.
SPF: who is allowed to send?
SPF is a DNS policy that lists sending IPs/hosts for a domain. It helps receivers decide whether a source is allowed to send mail for that domain.
DKIM: did the message get altered?
DKIM signs parts of the message. Receivers verify the signature using a public key published in DNS. This helps detect tampering and provides domain-level accountability.
DMARC: enforce alignment + policy
DMARC ties SPF/DKIM results to the visible From domain via alignment rules, then publishes a policy telling receivers what to do with failures.
- p=none: monitor only (no enforcement)
- p=quarantine: treat failures as suspicious
- p=reject: reject failures
BIMI: show a verified brand logo (where supported)
BIMI publishes a DNS record that points to a validated SVG logo (and optionally a VMC). Some mailbox providers show the logo when authentication passes and policies are enforced.
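The DMARC alignment and policy step, with the BIMI gate that sits on top of it, as an added example (not code from this page or from any mailbox provider). The domains and records are constructed, and `org_domain` is a simplifying assumption that treats the last two labels as the organizational domain instead of consulting the Public Suffix List.

```python
"""Added example: DMARC alignment + policy, then the BIMI gate (constructed data)."""

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict of lowercase tags; None if invalid."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List,
    # so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, record, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver.
    record is the DMARC TXT value that applies to from_domain.
    Returns (dmarc_pass, disposition, bimi_eligible)."""
    tags = parse_dmarc(record)
    if tags is None:
        return (False, "no-policy", False)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r").lower())
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r").lower())
    dmarc_pass = spf_ok or dkim_ok          # one aligned pass is enough
    policy = tags["p"].lower()
    disposition = "deliver" if dmarc_pass else policy
    # BIMI gate as this page describes it: authentication passes AND the
    # policy is enforced (quarantine or reject), never p=none.
    bimi = dmarc_pass and policy in ("quarantine", "reject")
    return (dmarc_pass, disposition, bimi)

if __name__ == "__main__":
    spf = ("pass", "bounce.mailer.example.net")   # constructed: third-party return path
    dkim = ("pass", "example.com")                # constructed: DKIM d= domain
    for rec in ("v=DMARC1; p=reject; adkim=s", "v=DMARC1; p=reject", "v=DMARC1; p=none"):
        print(rec, "->", evaluate("news.example.com", rec, spf, dkim))
```

The first record shows SPF and DKIM both passing while DMARC still fails, because neither authenticated domain aligns with the From domain under strict DKIM alignment.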
Next: publish a BIMI DNS record and validate your SVG against BIMI logo requirements.