Why does BIMI require DMARC at p=quarantine or reject?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Picture this: someone spoofs your domain and sends a phishing email with your logo displayed in the inbox. That's why BIMI has a non-negotiable requirement. It only works at DMARC p=quarantine or p=reject. No exceptions.
But Here's what's actually happening. DMARC has three policy levels. At p=none, you're running in monitoring mode, learning what's happening to your mail but not blocking anything. An attacker could still send as your domain and pass DMARC (if they're forging it correctly). At that point, BIMI would hand them your logo on a platter. At p=quarantine or p=reject, you're actively protecting your domain. DMARC kills spoofed mail. That's the real requirement.
Why the hard line? BIMI is a brand trust signal. It tells recipients "this logo came from the legitimate sender." If that signal could be faked, it's worthless. Mailbox providers like Gmail won't give you BIMI unless you're actively defending your domain. They're not rewarding you for having a logo. They're rewarding you for taking full responsibility through DMARC enforcement.
The practical impact: if you're at p=none right now, your path to BIMI means moving to p=quarantine or p=reject first. That's the bigger work. DMARC enforcement also improves deliverability directly, so it's not just a BIMI requirement. It's a foundation for your entire sender reputation.
Next step: Use the DMARC Generator to move from p=none to enforcement safely, testing as you go.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.