Will DMARC and BIMI become global defaults?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Short version: DMARC is effectively already required. BIMI is heading that way for brands that care about it.

DMARC crossed the tipping point in February 2024 when Gmail and Yahoo Mail made it mandatory for bulk senders (anyone sending more than 5,000 emails a day to their users). If you're sending at any serious volume without DMARC, you're already fighting headwinds. Expect more mailbox providers to follow with similar requirements over the next few years.

The catch: DMARC has three policy levels. Having a record at p=none technically satisfies the requirement, but it doesn't actually protect your domain. The real goal is reaching p=reject or at least p=quarantine. That's where enforcement happens.

BIMI (Brand Indicators for Message Identification) lets you display your brand logo next to emails in supported inboxes. It requires DMARC at enforcement (p=quarantine or p=reject) as a prerequisite, plus a Verified Mark Certificate from an approved authority. The cost and complexity of VMCs means BIMI will stay optional for most senders, but for brands where recognition in the inbox matters, it's becoming worth the investment.

If you're not sure where your DMARC record stands, you can check it now with our free DMARC parser.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Plan your authentication roadmap.

After reading about DMARC and BIMI becoming defaults, I want to plan our authentication roadmap. My current status: [describe your DMARC record policy level and whether BIMI is set up]. We send to describe audience size and regions. What should I prioritize first, getting DMARC to enforcement, or starting the BIMI process? And what's the realistic timeline and cost for each?

Edit the yellow boxes, then send to the AI of your choice.