
Become “DMARC OK” for BIMI


A complete, practical guide to SPF, DKIM and DMARC — explained for non-technical teams



Email trust is not built overnight.

It is built through authentication, alignment, and enforcement.


BIMI — the standard that allows brands to display their verified logo in inboxes — is not a starting point.

It is a reward for doing email authentication correctly.


This guide explains, step by step, how to become DMARC-ready for BIMI, using plain language, real-world examples, and a safe rollout methodology that works for both marketing and IT teams.




What this guide will help you achieve



By the end of this guide, you will be able to:


  • Understand SPF, DKIM and DMARC without deep technical knowledge

  • Identify all the systems that send emails on behalf of your domain

  • Deploy DMARC safely, without breaking legitimate emails

  • Reach DMARC enforcement, the mandatory condition for BIMI

  • Prepare your domain for BIMI, VMC or CMC certificates



This guide is designed for:


  • marketing leaders with technical curiosity,

  • commercial roles working alongside IT teams,

  • security and deliverability stakeholders,

  • organisations preparing for BIMI adoption.





1. The email authentication stack — explained simply



Before talking about BIMI, you must understand the three pillars that support it.



SPF — Who is allowed to send?



SPF (Sender Policy Framework) is a DNS record that lists which servers are authorised to send emails on behalf of your domain.


In simple terms, SPF answers this question:

“Is this server allowed to send emails pretending to be my domain?”


SPF protects against unauthorised senders but does not protect message content.




DKIM — Was the message signed and unchanged?



DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email.


When an email is sent:


  • the sending system signs the message with a private key,

  • the receiving server retrieves the public key from DNS,

  • the signature is verified.



If the message is modified after signing, DKIM fails.




DMARC — What do we do when things fail?



DMARC (Domain-based Message Authentication, Reporting & Conformance) sits on top of SPF and DKIM.


DMARC adds:


  • alignment (does authentication match the visible “From” domain?),

  • policy (monitor, quarantine or reject),

  • reporting (visibility into who sends emails on your behalf).



DMARC is the control layer that mailbox providers rely on.






2. What “DMARC-ready for BIMI” really means



To be eligible for BIMI, your domain must meet all of the following conditions:


  • SPF correctly configured

  • DKIM enabled and aligned

  • SPF or DKIM passing in alignment with the “From” domain (DMARC alignment)

  • DMARC policy set to quarantine or reject

  • DMARC enforcement applied consistently



A DMARC policy set to p=none is not sufficient for BIMI.


In practice, BIMI only activates once your domain actively protects itself against spoofing.




3. Why most DMARC projects fail: unknown senders



The most common reason DMARC deployments fail is simple:

companies do not know all their email senders.


Before touching DMARC enforcement, you must list every system that sends emails using your domain.


Typical sources include:


  • corporate email platforms (Google Workspace or Microsoft 365),

  • CRM platforms,

  • marketing automation tools,

  • customer support systems,

  • billing and payment platforms,

  • HR and internal tools,

  • monitoring and alerting systems.



If even one legitimate sender is forgotten, DMARC enforcement will block or quarantine its emails.




4. The safe rollout methodology (step by step)




Phase 1 — Monitoring (visibility first)



Start by publishing a DMARC record in monitoring mode:

_dmarc.example.com IN TXT

"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"


This does not block emails.

It only collects reports that tell you:


  • who is sending,

  • who passes SPF/DKIM,

  • who fails alignment.



This phase is about learning, not enforcing.
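The reports collected in this phase arrive as XML aggregate reports. As an added example (not code from this guide), the script below reads a constructed report in the RFC 7489 aggregate layout and sorts each sending source into the three buckets the list above describes: aligned, authenticated but not aligned, and not authenticated at all. The IP addresses, domains and counts in SAMPLE_REPORT are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report per sending source.

Added example; it is not code from this guide. SAMPLE_REPORT is a
constructed report that follows the aggregate XML layout defined in
RFC 7489 (feedback > record > row/identifiers/auth_results); the IPs,
domains and counts are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify_record(rec):
    """Return (source_ip, count, status) for one <record> element.

    policy_evaluated holds the DMARC-aligned verdicts; auth_results holds the
    raw SPF/DKIM verdicts. Comparing the two separates three situations:
    aligned senders, senders that authenticate under their own domain but do
    not align (typically a vendor that still needs alignment set up), and
    senders that do not authenticate at all (unknown sources or spoofing).
    """
    ip = rec.findtext("row/source_ip")
    count = int(rec.findtext("row/count"))
    aligned = (rec.findtext("row/policy_evaluated/dkim") == "pass"
               or rec.findtext("row/policy_evaluated/spf") == "pass")
    raw_pass = any(el.findtext("result") == "pass"
                   for el in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf"))
    if aligned:
        status = "aligned_pass"
    elif raw_pass:
        status = "authenticated_unaligned"
    else:
        status = "unauthenticated"
    return ip, count, status


def summarise(xml_text):
    """Map each source IP to its message count and alignment status."""
    root = ET.fromstring(xml_text)
    return {ip: {"count": count, "status": status}
            for ip, count, status in map(classify_record, root.findall("record"))}


def at_risk_under_enforcement(summary):
    """Sources whose mail would be quarantined or rejected once p is raised, largest first."""
    return sorted((ip for ip, info in summary.items() if info["status"] != "aligned_pass"),
                  key=lambda ip: -summary[ip]["count"])


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    for ip, info in s.items():
        print(f"{ip:15} {info['count']:5} {info['status']}")
    print("at risk under enforcement:", at_risk_under_enforcement(s))
```

The "authenticated but unaligned" bucket is the one to work through in Phase 2: those sources already sign or pass SPF, just not under your domain, so they are usually legitimate vendors that need a custom return-path or a DKIM key delegated under your domain.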






Phase 2 — Fix authentication per sender




SPF hygiene



  • One SPF record per domain

  • Include only authorised senders

  • Avoid exceeding DNS lookup limits



Example:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
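The three hygiene points above can be checked mechanically. The script below is an added example, not code from this guide: it works against a constructed, offline stand-in for DNS (placeholder domains under .example) so that it follows include: and redirect= chains the way a receiver would, counts the DNS-querying terms against the limit of 10 that RFC 7208 sets, and flags a domain with more than one SPF record or a weak trailing mechanism.

```python
"""Audit an SPF record for the hygiene points above.

Added example; not code from this guide. ZONE is a constructed, offline
stand-in for DNS (placeholder domains under .example), so the checker never
performs a real lookup. The limit of 10 DNS-querying terms comes from
RFC 7208 section 4.6.4.
"""
MAX_LOOKUPS = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed mini-zone: domain -> its single SPF TXT record.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.crm.example mx -all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_nb2.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.crm-provider.example ~all",
    "_spf.crm-provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def spf_terms(record):
    """Split an SPF record into its terms, rejecting anything that is not v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms while following include: and redirect=.

    Each occurrence counts, as in a real evaluation, so a vendor included twice
    costs two lookups. `path` detects include loops, which would otherwise
    recurse forever (and are a permanent error in real SPF).
    """
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    record = zone.get(domain)
    if record is None:
        raise ValueError(f"{domain} has no SPF record (an include of it would permerror)")
    total = 0
    for term in spf_terms(record):
        t = term.lstrip("+-~?").lower()            # drop the qualifier
        if t.startswith("redirect="):
            total += 1 + count_lookups(t.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, target = t.partition(":")
        name = name.split("/", 1)[0]               # "a/24" -> "a"
        if name == "include":
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in LOOKUP_MECHANISMS:
            total += 1
    return total


def audit_spf(domain, txt_records, zone):
    """Return a list of findings for the TXT records found at `domain`; [] means clean."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"{len(spf)} SPF records published; exactly one is required"]
    findings = []
    lookups = count_lookups(domain, {**zone, domain: spf[0]})
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    last = spf_terms(spf[0])[-1].lower()
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append(f"record ends with '{last}'; use -all (or ~all while testing)")
    return findings


if __name__ == "__main__":
    print("lookups:", count_lookups("example.com", ZONE))
    print("findings:", audit_spf("example.com", [ZONE["example.com"]], ZONE))
```

Against the constructed zone the top-level record costs 8 lookups even though it only names two vendors, which is the usual way the limit is breached: every nested include spends part of the budget. Publishing a second v=spf1 string is reported as a hard failure before anything else is checked, because receivers treat two SPF records as a permanent error.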



DKIM activation


Each sending system must DKIM-sign messages.


  • In Google Workspace, DKIM is enabled via Admin Console after publishing a TXT record.

  • In Microsoft 365, DKIM relies on selector CNAME records published in DNS, with signing then enabled in the security portal.



The key point is alignment:

The domain that signs the email must match (or be aligned with) the visible “From” domain.







Phase 3 — Gradual enforcement



Once failing sources are fixed, move to quarantine:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com


Increase pct progressively (25 → 50 → 75 → 100).


Finally, move to reject:

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com


At this point, your domain is actively protected — and BIMI-eligible.
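The rollout ladder above (p=none, then quarantine at pct 25, 50, 75 and 100, then reject) and the enforcement conditions from section 2 can both be expressed as checks on the DMARC record itself. The following is an added example, not code from this guide: it parses a record, lists what still stops it from being BIMI-grade, and returns the record for the next rollout step. It treats a missing pct as 100, which is the DMARC default, and treats sp=none as undoing consistent enforcement for subdomains.

```python
"""Parse a DMARC record, check it against the enforcement conditions for
BIMI and compute the next step of the gradual rollout.

Added example; not code from this guide. ROLLOUT reproduces the sequence
the guide describes. The checks encode the guide's conditions: an
enforcing policy, applied consistently (pct=100, and no sp=none leaving
subdomains behind), with aggregate reporting turned on. A missing pct is
treated as 100, the DMARC default.
"""
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
ROLLOUT = [("none", 100), ("quarantine", 25), ("quarantine", 50),
           ("quarantine", 75), ("quarantine", 100), ("reject", 100)]


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=...; ...' into a dict of lower-cased tag names (order kept)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record (needs v=DMARC1 and a p tag)")
    return tags


def render_dmarc(tags):
    """Serialise tags back to record syntax, keeping v and p first as the spec requires."""
    ordered = ["v", "p"] + [k for k in tags if k not in ("v", "p")]
    return "; ".join(f"{k}={tags[k]}" for k in ordered)


def enforcement_findings(record):
    """Return the reasons the record is not yet BIMI-grade; [] means it is."""
    tags = parse_dmarc(record)
    findings = []
    p, pct = tags["p"].lower(), int(tags.get("pct", "100"))
    if p not in ("quarantine", "reject"):
        findings.append(f"p={p} is monitoring only; BIMI needs quarantine or reject")
    elif pct != 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains at monitoring only")
    if "rua" not in tags:
        findings.append("no rua address; you will receive no aggregate reports")
    return findings


def next_rollout_record(record):
    """Return the record for the next rollout step, or None when already at reject."""
    tags = parse_dmarc(record)
    current = (POLICY_RANK[tags["p"].lower()], int(tags.get("pct", "100")))
    for policy, pct in ROLLOUT:
        if (POLICY_RANK[policy], pct) > current:
            tags["p"], tags["pct"] = policy, str(pct)
            return render_dmarc(tags)
    return None


if __name__ == "__main__":
    rec = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
    while rec:
        print(rec, "->", enforcement_findings(rec) or "BIMI-grade")
        rec = next_rollout_record(rec)
```

Run stand-alone, the script walks the guide's own monitoring record up the ladder one step at a time and prints what is still missing at each step; only the final reject record (and a quarantine record at pct=100) comes back with no findings.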




5. Understanding DMARC alignment (the critical concept)



DMARC does not just require SPF or DKIM to pass.

It requires them to align with the “From” domain.


  • SPF alignment compares the Return-Path (envelope sender) domain with the visible “From” domain

  • DKIM alignment compares the signing domain (the d= tag of the signature) with the visible “From” domain



Relaxed alignment is usually sufficient, and it is the safer choice because it is less likely to reject legitimate mail.
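To make the alignment rule concrete, here is an added example (not code from this guide) that evaluates constructed messages the way DMARC combines raw SPF and DKIM results with alignment, in both relaxed and strict mode. One simplification is an assumption for the example: the organisational domain is approximated as the last two DNS labels, whereas real DMARC evaluators consult the Public Suffix List, so a name such as example.co.uk would be handled incorrectly here.

```python
"""Evaluate DMARC alignment for a message, relaxed or strict.

Added example; not code from this guide. MESSAGES are constructed. The
organisational domain is approximated as the last two labels (assumption
for this example); real evaluators use the Public Suffix List.
"""


def organizational_domain(name):
    """Approximation (assumption for this example): the last two DNS labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from, auth_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same organisational domain."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    if mode == "r":
        return organizational_domain(hf) == organizational_domain(ad)
    raise ValueError(f"alignment mode must be 'r' or 's', got {mode!r}")


def dmarc_evaluate(msg, aspf="r", adkim="r"):
    """Combine raw SPF/DKIM results with alignment, as DMARC does.

    msg keys: header_from, return_path (domain), spf ("pass"/"fail"),
              dkim (list of (d= domain, result) pairs; a message may carry several signatures).
    DMARC passes when at least one of the two identifiers passes AND aligns.
    """
    spf_aligned = msg["spf"] == "pass" and is_aligned(msg["header_from"], msg["return_path"], aspf)
    dkim_aligned = any(res == "pass" and is_aligned(msg["header_from"], d, adkim)
                       for d, res in msg["dkim"])
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


# Constructed messages covering the common real-world cases.
MESSAGES = {
    # corporate mail: bounces go to a subdomain, DKIM signed by the From domain
    "corporate": {"header_from": "example.com", "return_path": "bounce.example.com",
                  "spf": "pass", "dkim": [("example.com", "pass")]},
    # marketing vendor not yet configured: authenticates, but under its own domain
    "vendor_unaligned": {"header_from": "example.com", "return_path": "bounces.crm-vendor.example",
                         "spf": "pass", "dkim": [("crm-vendor.example", "pass")]},
    # same vendor after setup: custom return-path and a DKIM key under a subdomain of example.com
    "vendor_fixed": {"header_from": "example.com", "return_path": "crm.example.com",
                     "spf": "pass", "dkim": [("crm.example.com", "pass")]},
    # forwarded mail: SPF breaks in transit, the DKIM signature survives
    "forwarded": {"header_from": "example.com", "return_path": "example.com",
                  "spf": "fail", "dkim": [("example.com", "pass")]},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        relaxed = dmarc_evaluate(msg)["dmarc"]
        strict = dmarc_evaluate(msg, aspf="s", adkim="s")["dmarc"]
        print(f"{name:17} relaxed={relaxed:4} strict={strict}")
```

Two of the constructed cases carry the practical lesson: the vendor that has been set up on a subdomain passes under relaxed alignment but fails under strict, which is why the guide recommends relaxed mode; and the forwarded message passes in both modes because DKIM, unlike SPF, survives forwarding, which is why DKIM on every sender matters so much for enforcement.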







6. Moving from DMARC to BIMI



Once DMARC enforcement is live, you can publish a BIMI record:

default._bimi.example.com IN TXT

"v=BIMI1; l=https://example.com/.well-known/bimi/logo.svg; a=https://example.com/.well-known/bimi/vmc.pem"


This record points to:


  • a BIMI-compliant SVG logo,

  • and a VMC or CMC certificate (depending on your strategy).







7. The practical checklist (for meetings and projects)



You are DMARC-ready for BIMI when:


  • all senders are identified,

  • SPF is clean and unique,

  • DKIM is enabled everywhere,

  • DMARC reports show alignment,

  • DMARC is enforced (quarantine or reject),

  • BIMI logo is SVG Tiny compliant,

  • certificate strategy is defined.



If one of these points is missing, BIMI will fail silently.




8. Why this matters beyond BIMI



Even without BIMI, DMARC enforcement delivers:


  • better deliverability,

  • fewer phishing attacks,

  • stronger domain reputation,

  • improved trust with mailbox providers.



BIMI simply makes this trust visible.




Conclusion: BIMI starts with discipline, not design



BIMI is often perceived as a branding feature.

In reality, it is the final step of a well-governed email authentication journey.


By mastering SPF, DKIM and DMARC, organisations do not just unlock logos in inboxes — they build long-term trust at scale.




Ready to become DMARC-ready for BIMI?



At Bimimi.io, we help organisations audit, fix and enforce SPF, DKIM and DMARC — and guide them all the way to BIMI, VMC and CMC deployment.

 
 
 
