Your BIMI Record Is Perfect. So Why Is It Failing?
A postmortem on why a valid BIMI record gets ignored, tracing the cause back to a weak DMARC policy on the organizational domain.

You did everything right. The marketing team finally approved the perfect square-ratio SVG. You navigated the byzantine process of acquiring a Verified Mark Certificate (VMC). You crafted a flawless `default._bimi` TXT record, triple-checking every character. You send the test email to your Gmail account, pull-to-refresh, and... nothing. Just the default, gray, single-letter avatar.
This isn't a typo in your DNS. It's not a CDN issue with your logo file. The reason your logo isn't showing up is almost certainly buried one level deeper in your DNS, in a record you might have set to `p=none` years ago and forgotten about: your DMARC policy.
BIMI isn't a standalone feature you enable. It's a reward, a visual dividend paid out by mail providers for achieving a state of verifiable, enforceable email authentication. Without that enforcement, your BIMI record is just a suggestion that receiving servers are free—and, in fact, encouraged—to ignore.
The Anatomy of a 'Perfect' but Ineffective Record
Let's start with the scene of the crime. You've published a BIMI record that, by all syntactic measures, is flawless. It lives at the correct selector, `default._bimi`, and it specifies the version, the location of your logo, and even the location of your VMC, which is required by providers like Google.
default._bimi.example.com. 3600 IN TXT "v=BIMI1; l=https://media.example.com/bimi/logo.svg; a=https://media.example.com/bimi/vmc.pem;"
Every BIMI validator tool you can find gives you a green checkmark. The SVG renders correctly. The PEM file is accessible and hasn't expired. Yet, no logo appears in the inbox. The frustration is understandable. You've held up your end of the bargain specified in RFC 8674, so why aren't mailbox providers holding up theirs?
Because BIMI has an unwritten prerequisite that is far more important than the record itself: DMARC enforcement. The entire system is predicated on the domain owner making a strong, computationally verifiable assertion about what constitutes legitimate mail. A DMARC policy of `p=none` is the opposite of that. It's a monitoring-only mode. You are telling the world's mail servers, "Here’s how you can identify my mail, but please don't do anything about forgeries. Just send me a report about it."
Mailbox providers see this `p=none` policy and draw a simple conclusion: If the domain owner doesn't have enough confidence in their own authentication configuration to block or quarantine spoofed messages, why should we trust it enough to display a verified brand logo? They won't. Enforcement is the price of admission for BIMI.
DNS Forensics: Tracing the Policy from Subdomain to Root
The failure often becomes clear when you trace the DMARC lookup process exactly as a receiving mail server would. It's a hierarchical process, and the nuance is where things fall apart. Imagine an email sent from `newsletter@updates.example.com`.
The Initial Subdomain Check
When a server at Google or Apple receives this message, it performs a series of checks defined in RFC 7489. First, it authenticates the message using SPF and DKIM. Let's assume it passes DKIM with the `d=updates.example.com` signature. Now, for DMARC, the receiver constructs a query.
It looks for a TXT record at `_dmarc.updates.example.com`. In many organizations, especially those with numerous subdomains for different services, this record won't exist. This is not a failure. DMARC was designed for this.
The Climb to the Organizational Domain
When the specific subdomain DMARC query returns `NXDOMAIN` (non-existent domain), the receiver doesn't give up. It strips the leftmost label (`updates`) and queries again for the organizational domain. This is a critical step. The server now looks for a TXT record at `_dmarc.example.com`.
And there, it finds your policy: `v=DMARC1; p=none; rua=mailto:agg-reports@example.com;`. This is the policy that applies to the message. Even though the email is from a subdomain, the organizational policy is inherited. The `p=none` verdict tells the receiver that the message is DMARC 'pass' in an impotent, monitoring-only sense. It is this inherited, non-enforcing policy that disqualifies the email from displaying a BIMI logo.
The operational stake here is massive. Your perfectly configured BIMI record on `default._bimi.updates.example.com` is rendered useless by a completely different record, one level up at `_dmarc.example.com`. The chain of trust is broken not at the end, but in the middle.
The Playbook: Graduating to Enforcement
Simply flipping your organizational DMARC policy from `p=none` to `p=quarantine` or `p=reject` without preparation is a recipe for disaster. You will inevitably break some critical, forgotten mail flow—maybe your HR platform, a third-party marketing service, or even forwarded calendar invites from a key vendor's mail exchange server. The path to enforcement must be deliberate.
Step 1: Aggregate and Analyze Your Reports
That `rua` tag in your DMARC record? It's your best friend. For weeks or months, you must collect and parse these XML reports. They contain a complete census of every IP address sending mail claiming to be from your domain. Your job is to identify every legitimate source that is currently failing SPF or DKIM alignment.
You will find surprising things. A sales tool that sends from its own servers but spoofs your domain. An accounting service that doesn't support DKIM. These are the sources that an enforcement policy would block, potentially disrupting your business. You must find them before you flip the switch.
Step 2: Remediate Failing Sources
For each legitimate but failing source, you need a plan. If a vendor is failing SPF, you might need to add their `include:` mechanism to your own SPF record (e.g., `include:spf.vendor.com`). Be careful not to exceed the 10 DNS lookup limit in SPF (RFC 7208). If a service fails DKIM, contact their support and demand they enable DKIM signing for your domain. This isn't just for BIMI; this is basic email hygiene to prevent your domain from being used in phishing campaigns. Some modern platforms may even use ARC (Authenticated Received Chain, RFC 8617) to preserve authentication results across hops, which helps with indirect mail flows like mailing lists, but you can't rely on it. Your own direct mail flow must be solid.
Step 3: An Incremental Rollout
Once your reports look clean—meaning all known-good mail sources are passing DMARC alignment—you can begin the upgrade. Don't jump straight to `p=reject`. Start with `p=quarantine` and apply it to a small percentage of your mail. Your record might look like this: `v=DMARC1; p=quarantine; pct=10; rua=...`.
This tells receivers to send 10% of failing messages to spam and let the other 90% through. Watch your `rua` reports and your helpdesk tickets. If nothing screams, increase the percentage weekly: 25%, 50%, and then 100%. After a stable period at `p=quarantine; pct=100;`, you can consider moving to `p=reject`, which instructs receivers to block failing messages outright.
Confirming the Full Chain of Trust
After you've successfully migrated your organizational DMARC policy to `p=quarantine` or `p=reject`, it's time to re-validate the entire BIMI apparatus. The mistake many make is only checking the BIMI record itself. You need a tool that simulates the full decision process of a mail server.
A proper BIMI checker will perform a series of validations in sequence:
DMARC Policy Check -> DMARC Enforcement Level Check -> BIMI Record Discovery -> SVG and VMC Validation
The tool should first find your DMARC record, crawling up from subdomain to organizational domain if necessary. It must then verify that the policy is `p=quarantine` or `p=reject`. A policy of `p=none` should result in an immediate failure for the BIMI check, regardless of how perfect the rest of the setup is. Some tools may also check for the `sp` and `pct` tags, as a `sp=none` tag on a `p=reject` organizational policy would also break BIMI for subdomains.
Only after confirming DMARC enforcement will the tool proceed to look up the `default._bimi` record, fetch the SVG, and validate the VMC. When this entire chain passes, you can send your test email with confidence. When the logo finally appears, it's not just a branding win. It's a visible confirmation that you've secured your domain's email identity at a fundamental level.
The takeaway
BIMI is the capstone, not the foundation. Its value comes directly from the trust you build with an enforced DMARC policy. The logo is the artifact; the protection against spoofing and phishing is the real prize. Chasing the logo forces organizations to finally do the necessary but often-delayed work of cleaning up their email authentication, a project that provides immense security benefits far beyond brand visibility.
Getting there requires patient analysis of DMARC aggregate reports, which can be notoriously noisy and complex. Whether you parse them with custom scripts or use a platform to make sense of the data, the goal is the same: achieve a state where you are confident that `p=reject` will block only malicious mail. That's the entire game.
We dissect phishing campaigns and email infrastructure so you don't have to.


