Why does BIMI require DMARC at p=quarantine or reject?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: someone spoofs your domain and sends a phishing email with your logo displayed in the inbox. That's why BIMI has a non-negotiable requirement. It only works at DMARC p=quarantine or p=reject. No exceptions.

But Here's what's actually happening. DMARC has three policy levels. At p=none, you're running in monitoring mode, learning what's happening to your mail but not blocking anything. An attacker could still send as your domain and pass DMARC (if they're forging it correctly). At that point, BIMI would hand them your logo on a platter. At p=quarantine or p=reject, you're actively protecting your domain. DMARC kills spoofed mail. That's the real requirement.

Why the hard line? BIMI is a brand trust signal. It tells recipients "this logo came from the legitimate sender." If that signal could be faked, it's worthless. Mailbox providers like Gmail won't give you BIMI unless you're actively defending your domain. They're not rewarding you for having a logo. They're rewarding you for taking full responsibility through DMARC enforcement.

The practical impact: if you're at p=none right now, your path to BIMI means moving to p=quarantine or p=reject first. That's the bigger work. DMARC enforcement also improves deliverability directly, so it's not just a BIMI requirement. It's a foundation for your entire sender reputation.

Next step: Use the DMARC Generator to move from p=none to enforcement safely, testing as you go.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get step-by-step guidance on moving to DMARC enforcement safely.

I read that BIMI only works when DMARC is set to p=quarantine or p=reject. At p=none, DMARC is monitoring but not enforcing, and that opens the door to spoofing attacks that could misuse my logo. Help me understand the risks and the path forward: 1. What specifically breaks if I try to implement BIMI at p=none? 2. What's the safest way to move from p=none to p=quarantine without breaking legitimate email? 3. How long does this usually take? 4. What could go wrong during the transition? --- My details (fill in what applies): - Email platform/ESP: e.g., SendGrid, Mailchimp, Postmark, HubSpot - Domain(s): your sending domain(s) - Sending volume: e.g., 5,000/month or 500/day - Current DMARC policy: none / quarantine / reject - Multiple sending services?: list all ESP, CRM, transactional, etc. - Current DMARC alignment failures: describe any % of failures you're seeing - Subdomains: e.g., em.example.com, mail.example.com

Edit the yellow boxes, then send to the AI of your choice.