Email Security and Authentication

How do I implement DMARC and enable BIMI?

minute read

Post Image

There are no shortcuts in email authentication and getting it wrong is remarkably easy, so you should always find an experienced consultant or expert to help you along the way. As Brand Indicators for Message Identification (BIMI) becomes more widespread with greater adoption by mailbox providers (MBPs), many marketers are looking for the DMARC set-up A-to-Z, as they are eager to get their logos in the BIMI program at Yahoo and be prepared for Google’s announced support in 2020. Unfortunately, it’s not as simple as 1-2-3.

There are a number of factors that make BIMI hard, and each domain or subdomain you include in the process adds an additional level of difficulty. For example, the DMARC set-up of a single corporate domain with no third-party vendors which only sends email from one host will be rather straightforward. You could likely accomplish a full reject policy in a very short period of time. A mid-level retailer with multiple vendors, however, might take a number of months to execute a full p=reject policy. A Fortune 500 with hundreds of domains and vendors managing the messaging platforms could take significantly longer and should be tackled one piece at a time in order to minimize risks to the business.Simply put, the more vendors your brand is working with, the more people you need to involve, and likely, the more modifications you need to make. Adjusting SPF records, ensuring DKIM support, and pushing for domain alignment as you work with your vendors will require a number of steps, from modifying or adding new subdomains to removing vendors not meeting your support requirements.

Though the process is anything but simple, if you’re looking for a basic checklist to review the overall process, look no further. But remember, some of these steps could take months to accomplish properly and they may not be easy to complete. Though all companies’ implementation plans will travel a similar path, each will experience different challenges and operate on independent timelines.

How to implement DMARC and BIMI for your domains:

  1. Run an inventory of all of your domains, even those not sending email.
    • This will give you an idea of the project scope.
    • If you know the active subdomains* used by your organization, record those as well; if not, we will find them later with the DMARC reporting.
      *Some providers may be publishing records without your knowledge, making it crucial for you to know and identify all your vendors.
  2. Inventory all vendors potentially sending emails on your behalf.
    • This might include your corporate email host, marketing cloud provider, support desk provider, travel partner, etc.
  3. 250ok DMARC users, be sure to start with a p=none record. Publish these records to your DNS to start collecting data for each of your domains.
    • A p=none record will have no negative impact to your email sending practices.
  4. Add each domain to the 250ok DMARC reporting tool for monitoring, then wait for data to populate in the tool.
    • DMARC reports are generally sent once every 24 hours, so the tool should report some data in 24–48 hours.
    • Subdomains missed in step one should be found in this data report, if they are sending email.
  5. Work with your consultant or expert (250ok has a whole team of them!) to review the data generated by your domain’s DMARC reports to figure out where you need to start making adjustments to your email infrastructure or practices. This step will likely take the most time for all brands looking to implement DMARC and BIMI properly.
    • For 250ok users, DMARC data will be separated into three classifications: Compliant, Non-Compliant, and Unauthenticated.
    • The degree of difficulty and the resources available to make adjustments will determine the time to move to any level of enforcement policy.
    • It is advisable to tackle the simple domains first to get a general feeling for the process of moving from no policy to a p=none, p=quarantine, then on to p=reject.
  6. Once you’ve adjusted your DMARC policy to be at enforcement-level, either p=quarantine or p=reject, you can start to benefit from BIMI (currently enabled only at Yahoo, both web and mobile).
    • 250ok users can lean on our BIMI wizard service to build your DNS records.
    • More information on BIMI’s requirements can be found at bimigroup.org.

At this point, you are done with the setup of DMARC and BIMI, but you’ll need to follow this process for any new domains your organization purchases or starts using. This will require internal processes to be defined and continued monitoring of your existing domains for DMARC compliance.

While this list seems like an easy set of tasks to complete, our experience with clients has shown a total implementation of DMARC and BIMI is achievable, but can take dedication and be complicated to attempt without a thorough understanding of all the moving parts to your email program and IT infrastructure.

As always, if you need help, we’re at the ready.